Cisco ASA IPSEC (ISAKMP) Policies order


I have a question which I couldn't find in Cisco's guides, or maybe it is a gap in my knowledge. We have an ASA firewall with a few site-to-site IPSEC tunnels configured on it. Currently only one tunnel is up; maybe the rest are not in use, no one could provide me such info.

I have the following policies on it. The IPSEC that is UP and running has been using policy 10 from what I've found out. The lifetime there is 86400.

I have set up a new IPSEC for our client and the problem is they can only support a lifetime of 28800, which I think is now causing the phase 1 issues below.

The question is how I can tweak the policy order (and make a policy with 2880 work) without breaking my existing IPSEC which is using 86400. I do not have management on the other side, nor can I request someone to change it.

I think the policy in use is the one with the number nearest to 1, so the FW should be using policy 10 - is that correct?




2 IKE Peer: A.B.C.D
Type : L2L Role : responder
Rekey : yes State : MM_ACTIVE_REKEY
5 IKE Peer: A.B.C.D
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2


crypto map toIPSec interface outside
crypto isakmp identity hostname
crypto isakmp enable outside

crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 2880

crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

crypto isakmp policy 100
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800


I hope I have provided enough info to understand my concerns.



Rob Ingram
VIP Expert

Hi @M1LEN 

Are you referring to policy 1 or 100, as the lifetime timer in policy 1 is 2880?

Because the other attributes are the same for policy 1 and 10 you risk the existing VPNs matching policy 1, as it's higher priority.


Unless you are referring to policy 100? In which case it is different encryption and DH group, so it would not match policy 1 or 10.
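The first-match behaviour this reply is worried about, as an added example that is not part of the thread: a small Python model of the poster's three policies plus a check for policies that are shadowed by a higher-priority one with identical attributes. It assumes a simplified rule (the first policy in priority order whose authentication, encryption, hash and DH group equal the peer's proposal is selected, and the shorter lifetime wins), which is an assumption to verify against the ASA documentation; the peer proposals are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number = evaluated first by the ASA
    authentication: str
    encryption: str
    hash: str
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds

# The three policies from the configuration in the post.
POLICIES = [
    IsakmpPolicy(1, "pre-share", "aes-256", "sha", 5, 2880),
    IsakmpPolicy(10, "pre-share", "aes-256", "sha", 5, 86400),
    IsakmpPolicy(100, "pre-share", "aes", "sha", 2, 28800),
]

def _attrs(p: IsakmpPolicy) -> Tuple[str, str, str, int]:
    return (p.authentication, p.encryption, p.hash, p.group)

def select_policy(policies: List[IsakmpPolicy],
                  proposal: IsakmpPolicy) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Return (matched policy, negotiated lifetime) for a peer proposal.
    Assumption: lifetime never blocks a match; the shorter value is used."""
    for p in sorted(policies, key=lambda x: x.priority):
        if _attrs(p) == _attrs(proposal):
            return p, min(p.lifetime, proposal.lifetime)
    return None

def shadowed_policies(policies: List[IsakmpPolicy]) -> List[Tuple[int, int]]:
    """List (shadowed priority, shadowing priority) pairs: a policy whose
    four attributes already appear in a higher-priority policy is unreachable."""
    seen = {}
    result = []
    for p in sorted(policies, key=lambda x: x.priority):
        key = _attrs(p)
        if key in seen:
            result.append((p.priority, seen[key]))
        else:
            seen[key] = p.priority
    return result

if __name__ == "__main__":
    # Constructed proposal resembling the existing tunnel's parameters.
    existing_peer = IsakmpPolicy(0, "pre-share", "aes-256", "sha", 5, 86400)
    print(select_policy(POLICIES, existing_peer))   # policy 1, lifetime 2880
    print(shadowed_policies(POLICIES))              # [(10, 1)]
```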

MHM Cisco World

Use an ISAKMP profile and configure the lifetime on it.