Check IPsec Idle Timeout?

K-Grev
Level 1

Hi,

Currently going through STIG checks.

How would I go about checking the idle timeouts on my ipsec connections?

In CLI I don't see one configured when I use "show run crypto ipsec"

Does that mean a Default of 1 hour is in place?

Thanks for your time.

STIG V-30961 - The VPN gateway must implement IPsec security associations that terminate after one hour or less of idle time.

"Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and examine the configured idle time. The idle time value must be 1 hour or less. If idle time is not configured, determine the default used by the gateway. "

Accepted Solution

Hi @K-Grev 

If you've got active tunnels, run the command "show crypto ipsec sa" and/or "show vpn-sessiondb detail l2l"; from there you can check the timers for those active SAs.

The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/vpn/asa-99-vpn-config/vpn-ike.html#ID-2441-000005c9

Specify an SA lifetime for the crypto map if you want to override the global lifetime.

crypto map map-name seq-num set security-association lifetime {seconds number | kilobytes {number | unlimited}}

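An added example, not code from the thread or from Cisco: a small Python script that automates the check the accepted answer describes. It parses "show run crypto" style output for the global "crypto ipsec security-association lifetime seconds" value (falling back to the ASA default of 28,800 seconds when nothing is configured, as the answer notes), applies any per-crypto-map "set security-association lifetime seconds" override, and flags every crypto map entry whose effective SA lifetime exceeds the STIG ceiling of 3,600 seconds. The sample configuration, the map name "outside_map", the ACL names and the peer addresses are all constructed for this example.

```python
"""STIG V-30961 style check of IPsec SA lifetimes on an ASA running-config.

Reads text in the shape of 'show run crypto' output, works out the effective
SA lifetime (seconds) for every crypto map entry and reports those above the
one hour ceiling. Added example; the sample config below is constructed.
"""
import re

STIG_MAX_SECONDS = 3600        # V-30961: terminate after one hour or less
ASA_DEFAULT_SECONDS = 28800    # ASA default global SA lifetime if none configured

# Constructed sample config (hypothetical map/ACL names, TEST-NET-3 peer addresses).
# Entry 10 overrides the lifetime; entry 20 inherits the global/default value.
SAMPLE_RUNNING_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 10 match address VPN-ACL-HQ
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES256
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 20 match address VPN-ACL-DR
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
"""

# Global lifetime line (absent from the sample, so the default applies).
GLOBAL_RE = re.compile(
    r"^crypto ipsec security-association lifetime seconds (\d+)", re.M)
# Per-entry override: crypto map <name> <seq> set security-association lifetime seconds <n>
MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)", re.M)
# Any line that proves a crypto map entry exists (peer or match address).
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (?:set peer|match address)", re.M)


def global_lifetime(config):
    """Configured global SA lifetime in seconds, or the ASA default if unset."""
    m = GLOBAL_RE.search(config)
    return int(m.group(1)) if m else ASA_DEFAULT_SECONDS


def effective_lifetimes(config):
    """Map {(map_name, seq): seconds} for every crypto map entry, overrides applied."""
    default = global_lifetime(config)
    entries = {(name, int(seq)) for name, seq in ENTRY_RE.findall(config)}
    overrides = {(name, int(seq)): int(sec) for name, seq, sec in MAP_RE.findall(config)}
    return {entry: overrides.get(entry, default) for entry in sorted(entries)}


def findings(config, ceiling=STIG_MAX_SECONDS):
    """Return [(map_name, seq, seconds)] for entries whose lifetime exceeds the ceiling."""
    return [(name, seq, sec)
            for (name, seq), sec in effective_lifetimes(config).items()
            if sec > ceiling]


if __name__ == "__main__":
    for name, seq, sec in findings(SAMPLE_RUNNING_CONFIG):
        print(f"FAIL crypto map {name} {seq}: SA lifetime {sec}s > {STIG_MAX_SECONDS}s")
    if not findings(SAMPLE_RUNNING_CONFIG):
        print("PASS: all crypto map entries within 3600s")
```

Feed it the saved output of "show run crypto" from the gateway instead of the constructed sample. Two caveats for the actual STIG review: the value this script checks is the SA rekey lifetime the accepted answer points at, which bounds how long an SA can live but is not strictly an idle timer, and the ASA also has a separate per-session idle timer, "vpn-idle-timeout" in the group-policy (default 30 minutes), which is worth recording in the same review since the finding text speaks of idle time.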