
Cisco IPSEC phase 2 actual lifetime amount?

Benny Chong
Level 1

I've got VPNs built successfully over a few places and now I want to check what the actual total lifetime and lifesize of my phase 2 connection is. I know the command we should use is "show crypto ipsec sa", but it only shows me the remaining lifetime:

    inbound esp sas:
      spi: 0x96123AED (2517777133)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 19374080, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28282
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2138F694 (557381268)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 19374080, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28282
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I know that if we don't define the lifetime on the ASA, it will take 8 hours as the default. But what if I want to know the actual maximum lifetime and lifesize of my current VPN? Is that possible? Any feedback would be appreciated. Thanks.

1 Reply

Jouni Forss
VIP Alumni

Hi,

I would assume that typically the Phase 2 lifetime values are configured identically on the VPN peer devices, which should tell you what the values are. I can't remember at the moment, without checking, which value is chosen if the peers have different configurations.

So I guess this situation refers to an ASA?

You could try the following command:

show vpn-sessiondb detail l2l filter ip address

or

show vpn-sessiondb detail l2l | begin

I have experienced some problems with the first command in some software versions, which result in an error message telling you that no such connections are active on the ASA even though there are.

The second command is just an option to show the same thing with a different form of the command.

If we were looking at a situation with a Cisco router, I think most commands would show output like the one you mention above:

show crypto ipsec sa peer detail

show crypto session remote detail

The following command on a Cisco router seems to list the configured values on your device, but again they might not be the ones in use if there is a difference between the VPN peers' configurations. To my understanding, at least.

show crypto map

Hope this helps.

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni
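An added example, not code from either post or from Cisco, that ties the two posts together: it parses the "remaining key lifetime" lines from the "show crypto ipsec sa" excerpt above (embedded verbatim as constructed sample input), pulls the configured lifetime from a constructed "show running-config" fragment (falling back to the 8-hour default the question mentions), and computes how much of the assumed lifetime each SA has already consumed. If "remaining" is larger than the lifetime you believe is configured, the peers negotiated something else and the script says so rather than reporting a negative age. Assumptions, labelled in the code as well: the ASA default lifesize of 4608000 kilobytes, the IOS-style "(k/sec): (kB/sec)" output form the parser also accepts, and the rule that when the peers' configured lifetimes differ the shorter one is used (the reply above says the author could not confirm this; treat it as an assumption to verify against the peer's config). Per-crypto-map "set security-association lifetime" overrides are not parsed.

```python
import re

# Constructed sample input: the ASA "show crypto ipsec sa" excerpt posted in the question.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
    inbound esp sas:
      spi: 0x96123AED (2517777133)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 19374080, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28282
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2138F694 (557381268)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 19374080, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28282
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
"""

# Constructed "show running-config" fragment with hypothetical (default-equal) values.
SAMPLE_SHOW_RUN = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
"""

ASA_DEFAULT_LIFETIME_SEC = 28800   # 8 hours, the default the question mentions
ASA_DEFAULT_LIFESIZE_KB = 4608000  # assumption: ASA default lifesize when none is configured


def parse_sa_lifetimes(text):
    """One dict per ESP SA: direction, spi, remaining_sec, remaining_kb (None if absent)."""
    sas, direction, current = [], None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r'(inbound|outbound) esp sas:', s)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r'spi: (0x[0-9A-Fa-f]+)', s)
        if m:
            current = {'direction': direction, 'spi': m.group(1),
                       'remaining_sec': None, 'remaining_kb': None}
            sas.append(current)
            continue
        if current is None:
            continue
        # ASA form seen in the question: "remaining key lifetime (sec): 28282"
        m = re.search(r'remaining key lifetime \(sec\): (\d+)', s)
        if m:
            current['remaining_sec'] = int(m.group(1))
            continue
        # Assumed IOS/ASA form with lifesize too: "remaining key lifetime (k/sec): (4421532/3521)"
        m = re.search(r'remaining key lifetime \((?:k|kB)/sec\): \((\d+)/(\d+)\)', s)
        if m:
            current['remaining_kb'] = int(m.group(1))
            current['remaining_sec'] = int(m.group(2))
    return sas


def configured_lifetime(show_run):
    """(seconds, kilobytes) from the global lifetime lines, with ASA defaults as fallback."""
    sec, kb = ASA_DEFAULT_LIFETIME_SEC, ASA_DEFAULT_LIFESIZE_KB
    m = re.search(r'^crypto ipsec security-association lifetime seconds (\d+)', show_run, re.M)
    if m:
        sec = int(m.group(1))
    m = re.search(r'^crypto ipsec security-association lifetime kilobytes (\d+)', show_run, re.M)
    if m:
        kb = int(m.group(1))
    return sec, kb


def negotiated_lifetime(local_sec, peer_sec):
    """Assumption: if the peers' configured lifetimes differ, the shorter one is used."""
    return min(local_sec, peer_sec)


def sa_elapsed(remaining_sec, lifetime_sec):
    """Seconds already consumed, or None when 'remaining' exceeds the lifetime you
    assumed: the SA was negotiated with a lifetime other than the one you expect."""
    if remaining_sec > lifetime_sec:
        return None
    return lifetime_sec - remaining_sec


def report(show_sa, show_run):
    """Per SA: (direction, spi, remaining seconds, elapsed seconds or None)."""
    lifetime_sec, _ = configured_lifetime(show_run)
    return [(sa['direction'], sa['spi'], sa['remaining_sec'],
             sa_elapsed(sa['remaining_sec'], lifetime_sec))
            for sa in parse_sa_lifetimes(show_sa)]


if __name__ == '__main__':
    for direction, spi, remaining, elapsed in report(SAMPLE_SHOW_CRYPTO_IPSEC_SA, SAMPLE_SHOW_RUN):
        status = f'{elapsed} s elapsed' if elapsed is not None else 'remaining exceeds assumed lifetime'
        print(f'{direction:8} {spi}  remaining {remaining} s  {status}')
```

Feed it the real outputs by pasting "show crypto ipsec sa" and "show running-config | include security-association lifetime" into the two sample strings; a remaining value above the configured lifetime on one side means the other peer's configuration is the one to check.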