
Security association Lifetime Kilobytes disable

victor_87
Level 1

On the Cisco ASRs, there is an option to disable the security association Lifetime Kilobytes altogether and just use the secs.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c3.html#wp2944599527

My question is whether this needs to be disabled on both sides of the IPsec tunnel for it to work correctly, or will doing it just on one side work? We are seeing a potential issue due to this.

Also, see highlighted in the output below that the Kb value on the remote end is different from the Kb value on the local device. While the Lifetime secs is set manually on the policy map, the global value is being used for the Kilobytes value.

My question is whether the Kilobytes value is counted globally for all tunnels or for each tunnel independently? If it is counted independently for each tunnel, I'm not sure why the Kb value is different remotely and locally for the same traffic flowing onto the tunnel on each side.

     inbound esp sas:
      spi: 0xE7145CFD(3876871421)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3123, flow_id: :1123, sibling_flags 80000040, crypto map: Tunnel4-head-0
        sa timing: remaining key lifetime (k/sec): (3632046/77141)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 512
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      xxxxxxxxxxxxx
        in use settings ={Tunnel, }
        conn id: 3124, flow_id: :1124, sibling_flags 80000040, crypto map: Tunnel4-head-0
        sa timing: remaining key lifetime (k/sec): (4586197/77141)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 512
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

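An added example, not part of the original post and not Cisco code: a small Python parser for the `sa timing` lines in output like the above, so the per-SA kilobyte and second counters can be pulled out and compared across directions and peers. The function names are hypothetical, and the 4608000 KB volume lifetime passed to `kb_used` is an assumption, since the post does not state the configured global value.

```python
import re

# Sample input: SA lines from the post's output, trimmed (constructed for this example).
SAMPLE = """\
     inbound esp sas:
      spi: 0xE7145CFD(3876871421)
        conn id: 3123, flow_id: :1123, sibling_flags 80000040, crypto map: Tunnel4-head-0
        sa timing: remaining key lifetime (k/sec): (3632046/77141)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
        conn id: 3124, flow_id: :1124, sibling_flags 80000040, crypto map: Tunnel4-head-0
        sa timing: remaining key lifetime (k/sec): (4586197/77141)
        Status: ACTIVE
     outbound ah sas:
"""

SECTION = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:\s*$")
CONN = re.compile(r"conn id: (\d+)")
TIMING = re.compile(r"remaining key lifetime \(k/sec\): \(([^/)]+)/(\d+)\)")

def parse_sa_timing(text):
    """Return one record per SA: direction, protocol, conn id, remaining KB and seconds."""
    records, section, conn = [], None, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            section, conn = (m.group(1), m.group(2)), None
        elif m := CONN.search(line):
            conn = int(m.group(1))
        elif (m := TIMING.search(line)) and section:
            kb = m.group(1).strip()
            records.append({
                "direction": section[0], "protocol": section[1], "conn_id": conn,
                # A non-numeric volume field is kept as None instead of raising.
                "kb_left": int(kb) if kb.isdigit() else None,
                "sec_left": int(m.group(2)),
            })
    return records

def kb_used(records, configured_kb):
    """KB consumed per SA against a caller-supplied volume lifetime."""
    return {(r["direction"], r["conn_id"]): configured_kb - r["kb_left"]
            for r in records if r["kb_left"] is not None}

if __name__ == "__main__":
    sas = parse_sa_timing(SAMPLE)
    for key, used in kb_used(sas, 4608000).items():  # 4608000 KB is an assumed lifetime
        print(key, "used", used, "KB")
```

Running the same parser on the output captured from the remote peer gives a like-for-like view of each direction's remaining volume and time.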