Determining how long connection lasts.

Brian Green
Level 1

I have a Hub-and-Spoke system, and I am being asked a question I don't have an immediate answer to! If I have 2 (or more) spokes connecting using DMVPN to a single Hub, I know that dynamically-created tunnels between the spokes are set up as they are needed. Once they are there, if Spoke A is talking directly to Spoke B and the connection to the Hub drops for whatever reason, how long does the Spoke-to-Spoke connection stay alive? Is there a way to check this? And is this a configurable setting?

Thanks,

Brian

1 Reply

Peter Paluch
Cisco Employee

Brian,

In DMVPN, there is in fact no real connection because neither GRE, nor NHRP, nor IPsec are connection-oriented protocols. However, some of the state data created by NHRP and IPsec may persist for some time (GRE is entirely stateless and does not maintain any state).

NHRP creates tunnel-to-internet IP address mappings. By default, the holdtime for these mappings is 2 hours. This holdtime can be modified using the ip nhrp holdtime seconds command on the tunnel interface.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#wp7868593100

The default lifetime of IPsec Phase 1 (ISAKMP) security associations is 1 day. This can be modified using the lifetime command in a crypto isakmp policy configuration mode.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-k1.html#wp6171330310

The default lifetime of IPsec Phase 2 (IPsec) security associations is 1 hour and 4500 MiB (i.e., 4608 MB) of data, whichever is reached sooner. This can be modified using the global crypto ipsec security-association lifetime command, or using the per-crypto-map or per-crypto-ipsec-profile command set security-association lifetime.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c3.html#wp2944599527

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1549482593

Once again, none of these protocols truly maintains a "connection", but they do maintain some state that can be readily reused when a new packet is being sent from one spoke to another (or between a hub and a spoke).

Best regards,
Peter
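The following IOS configuration fragment is an added example, not part of the original reply, showing where each of the three lifetimes discussed above is set. The names (policy number 10, transform set DMVPN-TS, profile DMVPN-PROF, Tunnel0) and the shortened values are constructed for illustration; the defaults quoted in the comments are the ones stated in the answer, expressed in the units the commands take. Shorter values bound how long cached spoke-to-spoke state (NHRP mappings, IPsec SAs) remains reusable after the hub is lost, at the cost of more frequent rekeying and NHRP re-registration.

```cisco
! --- IPsec Phase 1 (ISAKMP) SA lifetime ---
! Default: 86400 seconds (1 day). Constructed example value: 1 hour.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
!
! --- IPsec Phase 2 (IPsec) SA lifetime, global default ---
! Default: 3600 seconds (1 hour) and 4608000 kilobytes (4608 MB),
! whichever is reached first. Constructed example values below.
crypto ipsec security-association lifetime seconds 1800
crypto ipsec security-association lifetime kilobytes 2304000
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! --- Per-profile Phase 2 override ---
! set security-association lifetime in the profile takes precedence
! over the global crypto ipsec security-association lifetime value.
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
 set security-association lifetime seconds 900
!
! --- NHRP mapping holdtime ---
! Default: 7200 seconds (2 hours). Constructed example value: 10 minutes.
! Spokes advertise this holdtime in their registrations/resolutions, so
! it is what bounds how long a learned spoke-to-spoke mapping is kept.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ip nhrp holdtime 600
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
```

To observe the remaining time on the state itself rather than the configured maximums, the usual IOS show commands (not mentioned in the reply above, but standard) are `show ip nhrp` for mapping expiry, `show crypto isakmp sa` for Phase 1 SAs and `show crypto ipsec sa` for Phase 2 SA remaining seconds/kilobytes. Note that the effective Phase 2 lifetime is the lower of the time-based and volume-based limits, so a busy spoke-to-spoke tunnel may expire on the kilobyte limit well before the seconds limit is reached.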
