11-16-2020 08:51 AM
Hello,
I have a question which I couldn't find answered in Cisco's guides, or maybe it is a gap in my knowledge. We have an ASA firewall with a few site2site IPSEC tunnels configured on it. Currently only one tunnel is up - maybe the rest are not in use - no one could provide me such info.
I have the following policies on it. The IPSEC that is UP and running has been using policy 10, from what I've found out. The lifetime there is 86400.
I have set up a new IPSEC for our client and the problem is they can only support a lifetime of 28800, which I think is now causing the phase 1 issues below.
The question is how I can tweak the policy order (and make a policy with 2880 work) without breaking my existing IPSEC which is using 86400. I do not have management on the other side, nor can I request someone to change it.
I think the policy in use is the one with the number nearest to 1, so the FW should be using policy 10 - is that correct?
2 IKE Peer: A.B.C.D
Type : L2L Role : responder
Rekey : yes State : MM_ACTIVE_REKEY
5 IKE Peer: A.B.C.D
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2
crypto map toIPSec interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 2880
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 100
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
Hope I managed to provide good info to understand my concerns.
thanks.
BR
Milen
11-16-2020 09:05 AM
Hi @M1LEN
Are you referring to policy 1 or 100, as the lifetime timer in policy 1 is 2880?
Because the other attributes are the same for policy 1 and 10, you risk the existing VPNs matching policy 1, as it's higher priority.
Unless you are referring to policy 100? In which case it uses a different encryption and DH group, so it would not match policy 1 or 10.
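To make the matching risk concrete, here is a small added Python model (not code from the thread or from Cisco) that walks the three policies from the question in priority order and reports which one a peer proposal lands on. It assumes a simplified IKEv1 responder: a match requires equal authentication, encryption, hash and DH group, and the shorter of the two lifetimes is used; the peer proposals are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number is evaluated first on the ASA
    authentication: str
    encryption: str
    hash_alg: str
    dh_group: int
    lifetime: int        # seconds


# Constructed from the "crypto isakmp policy" lines in the question.
ASA_POLICIES = [
    IsakmpPolicy(1, "pre-share", "aes-256", "sha", 5, 2880),
    IsakmpPolicy(10, "pre-share", "aes-256", "sha", 5, 86400),
    IsakmpPolicy(100, "pre-share", "aes", "sha", 2, 28800),
]

# Constructed proposals: what the existing L2L peer (policy 10 attributes)
# and the new client (28800-second lifetime) would offer. Priority is unused.
EXISTING_PEER = IsakmpPolicy(0, "pre-share", "aes-256", "sha", 5, 86400)
NEW_CLIENT = IsakmpPolicy(0, "pre-share", "aes", "sha", 2, 28800)


def select_policy(local_policies, proposal):
    """Return (matched local policy, negotiated lifetime) or (None, None).

    Assumption (simplified model, not exact ASA code): policies are tried from
    the lowest priority number upward, lifetime is not part of the match, and
    the negotiated lifetime is the shorter of the two values.
    """
    attrs = lambda p: (p.authentication, p.encryption, p.hash_alg, p.dh_group)
    for pol in sorted(local_policies, key=lambda p: p.priority):
        if attrs(pol) == attrs(proposal):
            return pol, min(pol.lifetime, proposal.lifetime)
    return None, None


def without_policy(local_policies, priority):
    """Copy of the policy list with one priority removed, to test the effect."""
    return [p for p in local_policies if p.priority != priority]


if __name__ == "__main__":
    for name, prop in (("existing peer", EXISTING_PEER), ("new client", NEW_CLIENT)):
        pol, life = select_policy(ASA_POLICIES, prop)
        print(f"{name}: matches policy {pol.priority}, lifetime {life}")
    pol, life = select_policy(without_policy(ASA_POLICIES, 1), EXISTING_PEER)
    print(f"existing peer without policy 1: policy {pol.priority}, lifetime {life}")
```

With the configuration as posted, the existing peer is caught by policy 1 and negotiated down to 2880 seconds, while the new client matches policy 100 either way; dropping policy 1 returns the existing peer to policy 10 at 86400.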
11-16-2020 01:03 PM
Use ISAKMP profile and config the lifetime on it.
11-16-2020 03:59 PM
Use ISAKMP profile and config the lifetime on it.