Cisco ASA IPSEC (ISAKMP) Policies order

M1LEN
Level 1

Hello,

I have a question which I couldn't find an answer to in Cisco's guides, or maybe it is a gap in my knowledge. We have an ASA firewall with a few site2site IPSEC tunnels configured on it. Currently only one tunnel is up - maybe the rest are not in use - no one could provide me such info.

I have the following policies on it. The IPSEC that is UP and running has been using policy 10, from what I've found out. The lifetime there is 86400.

I have set up a new IPSEC for our client, and the problem is they can only support a lifetime of 28800, which I think is now causing the phase 1 issues shown below.


The question is how I can tweak the policy order (and make a policy with 2880 work) without breaking my existing IPSEC which is using 86400. I do not have management on the other side, nor can I request someone to change it.

I think the policy in use is the one with the number nearest to 1, so the FW should be using policy 10 - is that correct?

2 IKE Peer: A.B.C.D
Type : L2L Role : responder
Rekey : yes State : MM_ACTIVE_REKEY

5 IKE Peer: A.B.C.D
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2

crypto map toIPSec interface outside
crypto isakmp identity hostname
crypto isakmp enable outside

crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 2880

crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

crypto isakmp policy 100
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800

I hope I have managed to provide enough info to make my concerns clear.

Thanks.

BR
Milen

3 Replies

Hi @M1LEN 

Are you referring to policy 1 or 100? The lifetime timer in policy 1 is 2880.

Because the other attributes are the same for policy 1 and 10, you risk the existing VPNs matching policy 1, as it has the higher priority.

Unless you are referring to policy 100? In which case it uses a different encryption and DH group, so it would not match policy 1 or 10.

Use ISAKMP profile and config the lifetime on it.

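To make the policy-shadowing point concrete, here is an added Python simulation (not Cisco code and not from anyone in this thread) of how the ASA chooses an IKEv1 policy when it is the responder, following the rule in the ASA configuration guide: policies are walked in ascending number order, the first one whose authentication, encryption, hash and DH group equal the peer's proposal and whose lifetime is not longer than the proposed lifetime is taken, and the shorter lifetime is used. The three policies are the ones from the post; the two peer proposals are constructed assumptions.

```python
"""Added illustration (not Cisco code): which ASA IKEv1 policy a responder selects."""
import re
ASA_CONFIG = """
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 2880
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 100
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
"""
ATTRS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Parse 'crypto isakmp policy N' blocks into dicts, lowest number (highest priority) first."""
    parts = re.split(r"^crypto isakmp policy (\d+)[ \t]*$", config, flags=re.M)
    policies = []
    for number, body in zip(parts[1::2], parts[2::2]):
        attrs = dict(line.split(None, 1) for line in body.splitlines() if line.strip())
        attrs["number"], attrs["lifetime"] = int(number), int(attrs["lifetime"])
        policies.append(attrs)
    return sorted(policies, key=lambda p: p["number"])

def select_policy(policies, proposal):
    """ASA config-guide rule: first policy in priority order whose auth/encryption/hash/group
    equal the proposal and whose lifetime is <= the proposed one; shorter lifetime is used."""
    for p in policies:
        if all(p[a] == proposal[a] for a in ATTRS) and p["lifetime"] <= proposal["lifetime"]:
            return p["number"], min(p["lifetime"], proposal["lifetime"])
    return None  # no acceptable match: phase 1 fails

# Constructed proposals: the peer now on policy 10, and the new client limited to 28800.
EXISTING_PEER = {"authentication": "pre-share", "encryption": "aes-256", "hash": "sha", "group": "5", "lifetime": 86400}
NEW_CLIENT = dict(EXISTING_PEER, lifetime=28800)

if __name__ == "__main__":
    policies = parse_policies(ASA_CONFIG)
    for name, proposal in (("existing peer", EXISTING_PEER), ("new client", NEW_CLIENT)):
        print(name, "->", select_policy(policies, proposal))  # both print (1, 2880): policy 1 shadows 10
```

With the policies exactly as posted, both the existing peer and the new client land on policy 1 with lifetime 2880, which is the shadowing the reply warns about; drop policy 1 from the list and the existing peer goes back to policy 10.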
