What is the default IKE keepalive time in Cisco ASA?

samarjit.das (Level 1)

Cisco says that by default IKE keepalive is enabled in Cisco ASA. So what is the default IKE keepalive time in Cisco ASA?

3 Replies

Hi Bro

The default IKE (Phase 1) SA lifetime value is 86,400 seconds (24 hours). This value can be changed with the command crypto isakmp policy 10 lifetime 50400. Note: 10 is merely a policy number.

Meanwhile, the default IPSEC (Phase 2) SA lifetime value is 28,800 seconds (8 hours) or 4,275,000 KB. The IPSec security association lifetimes can be set either globally or per crypto map instance. To configure it globally, the command syntax is:

crypto ipsec security-association lifetime seconds 240

For further details on this, you could refer to this Cisco URL http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html

P/S: if you think this comment is helpful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Thanks for your reply.

But I wanted to know about the keepalive timeout rather than lifetime.

What I understand is that the lifetime is a period after which a VPN gateway rekeys, just before the time expires.

I am interested to know: if there is no traffic flow inside the tunnel for quite a long time but the lifetime is still valid for that peer, what will happen? Will the tunnel go down?

Hi Bro

Yes, you’re correct. Lifetime is a period when a VPN gateway rekeys just before the time expires. During the typical life of the IKE Security Association (SA), packets are only exchanged over this SA when an IPSec quick mode (QM) negotiation is required at the expiration of the IPSec SAs. The default lifetime of an IKE SA is 24 hours and that of an IPSec SA is one hour. Hence, if there’s no interesting network traffic that flows through the VPN tunnel for quite a while but the lifetime period is still valid, the VPN tunnel would not go down.

However, there is no standards-based mechanism for either type of SA to detect the loss of a VPN peer, except when the QM negotiation fails. Therefore, by implementing a keepalive feature over the IKE SA, Cisco has provided a simple and non-intrusive mechanism for detecting loss of connectivity between two IPSec peers. The keepalive packets are sent every 10 seconds by default. Once three packets are missed, an IPSec termination point concludes that it has lost connectivity with its peer.

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
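The following is an added example, not code from the thread or from Cisco: a small Python simulation of the keepalive timing the last reply describes (a probe every 10 seconds, peer declared lost after three consecutive unanswered probes), alongside a lifetime check showing that an idle SA stays valid until its lifetime expires regardless of traffic. The reply times, the horizon and the function names are constructed for illustration; the interval, threshold and 86,400-second lifetime are the defaults stated in the replies above.

```python
"""Simulation of the IKE keepalive (dead-peer detection) timing described in the
thread.  Constructed example: it models the behaviour the reply describes rather
than running any ASA code."""

DEFAULT_INTERVAL = 10    # seconds between keepalive probes (default stated above)
DEFAULT_THRESHOLD = 3    # consecutive unanswered probes before the peer is declared lost
DEFAULT_IKE_LIFETIME = 86400  # IKE SA lifetime in seconds (default stated above)


def simulate_keepalive(reply_times, horizon, interval=DEFAULT_INTERVAL,
                       threshold=DEFAULT_THRESHOLD):
    """Walk the probe schedule from t=interval up to t=horizon (seconds).

    reply_times: iterable of integer seconds at which the peer's reply arrived
                 (constructed input standing in for real keepalive acknowledgements).
    Returns (lost_at, log): lost_at is the second at which the peer was declared
    lost, or None if it survived the window; log records each probe's outcome.
    """
    replies = set(reply_times)
    missed = 0
    log = []
    for t in range(interval, horizon + 1, interval):
        if t in replies:
            missed = 0            # a reply resets the consecutive-miss counter
            log.append((t, "reply"))
        else:
            missed += 1
            log.append((t, f"missed {missed}/{threshold}"))
            if missed >= threshold:
                log.append((t, "peer declared lost"))
                return t, log
    return None, log


def sa_is_valid(now, sa_established_at, lifetime=DEFAULT_IKE_LIFETIME):
    """Lifetime check that ignores traffic: an idle tunnel stays up until the SA
    lifetime elapses, which is the point made in the last reply."""
    return now - sa_established_at < lifetime


if __name__ == "__main__":
    # Constructed scenario: the peer answers probes at 10, 20, 30 and 40 s, then goes silent.
    lost_at, log = simulate_keepalive(reply_times=[10, 20, 30, 40], horizon=120)
    for t, outcome in log:
        print(f"t={t:4d}s  {outcome}")
    print("peer declared lost at", lost_at, "s")
    # The IKE SA itself is nowhere near its 24-hour lifetime at that point.
    print("IKE SA still within lifetime:", sa_is_valid(now=lost_at, sa_established_at=0))
```

Running the block prints the probe-by-probe log and shows the peer being declared lost at 70 s (probes at 50, 60 and 70 s go unanswered), while the IKE SA is still well within its lifetime; the two timers are independent, which is why an idle tunnel with a live peer is not torn down but a silent peer is detected within about 30 seconds.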