Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
780
Views
0
Helpful
4
Replies

sa lifetimes

nhedhili
Level 1
Level 1

‎12-09-2004 02:37 AM - edited ‎03-09-2019 09:42 AM

hi,

can someone exaplain to me what happens in the negociations when different sa lifetimes are configured between two vpn peers, ( either the ipsec and ike lifetimes are not the same between peers )

thanks in advance

Labels:
0 Helpful
4 Replies 4

thisisshanky
Level 11
Level 11

‎12-09-2004 07:53 AM

If two peers are configured with different IKE lifetimes, the initiating peer's lifetime should be longer than responding peer's lifetime and the shorter lifetime is selected for that session.

For IPSEC SA Life time, even if they dont match up, the smaller of the two is used as the timer.

Hope that explains..

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

shjuneja
Level 1
Level 1
In response to thisisshanky

‎12-09-2004 07:58 AM

hi,

The sa lifetimes for phase 1 and phase 2 should match else either the tunnel does not get established or the tunnel would flap.

The phase 1 sa lifetime is same on all the devices: 86400 sec, The phase 2 sa lifetime is different on different devices, on pix and concentrator it is 28800 sec, on routers it is 3600 sec, we need to sync the sa lifetimes for the per devices so that the tunnel does not flap.

thanks,

Shweta Juneja,

TAC Engineer,VPN,

Cisco Systems Inc.

E-mail: shjuneja@cisco.com

Phone: (801) 703-2288 Extn: 57200

Working Hours : 06:00 - 15:00 hrs. (MST)

Off Days: (Saturdays and Sundays)

0 Helpful

thisisshanky
Level 11
Level 11
In response to shjuneja

‎12-09-2004 08:56 AM

Shweta..

Reading more on IKE and IPSEC Lifetimes from some of the documents at Cisco website, the tunnel should get established even if the lifetimes are different. They should negotiate and choose the shorter one. I agree its usually recommended to sync up the time, but what if one of the peer is a non-Cisco one and you cannot change the lifetime parameter (As of today most VPN boxes does support tweaking the Security association lifetimes). Here are the links I was reading

http://www.cisco.com/en/US/products/hw/vpndevc/ps333/products_configuration_guide_chapter09186a008007dcf1.html#1025002

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/113t_3/ipsec.htm#xtocid19

So when the shorter of the two lifetime expires, renegotiations happen and the tunnel should be back up ?? What do you think ??

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful

nhedhili
Level 1
Level 1
In response to thisisshanky

‎12-11-2004 01:46 PM

hi,

thanks for your help this explanation and the llinks you gave to me was very usufull.

0 Helpful
Customers Also Viewed These Support Documents