crypto ipsec security-association lifetime

Eduard A.
Level 1

Hi,

Where can I change the "crypto ipsec security-association lifetime" on a Cisco ASA5508-X Threat Defense and/or Cisco ASA5516-X Threat Defense, if it is possible at all? Or at least please help me find out what the default is for those models. Thank you so much!

4 Replies

Marvin Rhoads
Hall of Fame

It's 28800 seconds, non-configurable if using FDM or CDO management.

With FMC you can change it under Objects > Object Management > VPN and IKEv1 Policy. Then associate the configured policy object within your VPN configuration.

You may be right on this one, but we can't be sure because this is what debug shows me:

As you know, we have a hub (ASDM) and spoke (3 spokes, FTD) topology: HUB(5545), SPK1(5516), SPK2(5516), SPK3(5508). Now here's the thing:

HUB is set to:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

 

With the help of debug logs I found that, if the traffic originated from:

HUB, the lifetime in seconds is 24480

SPK1, it is 24480

SPK2, it is 24480

but in SPK3, it is 27360

 

That's why I've concluded that I am bumping into an IPsec lifetime mismatch. The problem with our network was "accurately" described here by the Cisco employee:

https://community.cisco.com/t5/vpn/ipsec-security-association-sa-lifetime-mismatch/td-p/739288

 

Now I did try to change the lifetime on the HUB side (hopefully to force SPK3 to match 24480, though I know that if there's a mismatch in the first place you can never be sure), but whatever lifetime I choose, SPK3 always ends up using a higher one. I do not know how come SPK1 and 2 match with our HUB since they are FTD; I can only assume at this moment that I had bad luck choosing the 5508 on one of the spokes. Unless I am missing something here?
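As an added example, not code from the thread or from Cisco: a small Python check that takes the hub's configured SA lifetime and the per-peer lifetimes seen in debug output (the values below are constructed from the numbers in the post above), uses the value most peers agree on as the baseline, and flags the peer that deviates from it along with each value's share of the configured lifetime.

```python
# Added example (not from the thread): compare the IPsec SA lifetime
# configured on the hub with the per-peer lifetimes observed in debug.
# Peer labels and numbers are constructed from the post above.

HUB_CONFIG = {"seconds": 28800, "kilobytes": 4608000}

# Lifetime in seconds each peer ended up using, as reported by the poster.
OBSERVED_SECONDS = {
    "HUB(5545)": 24480,
    "SPK1(5516)": 24480,
    "SPK2(5516)": 24480,
    "SPK3(5508)": 27360,
}


def lifetime_report(configured_seconds, observed):
    """Per peer: observed lifetime, its fraction of the configured value,
    and whether it differs from the value most peers settled on."""
    if not observed:
        return {}
    # Baseline = the lifetime used by the most peers; on a tie prefer the
    # lower value, since the shorter lifetime drives the earlier rekey.
    counts = {}
    for secs in observed.values():
        counts[secs] = counts.get(secs, 0) + 1
    baseline = max(counts, key=lambda s: (counts[s], -s))
    report = {}
    for peer, secs in observed.items():
        report[peer] = {
            "seconds": secs,
            "fraction_of_configured": round(secs / configured_seconds, 2),
            "mismatch": secs != baseline,
        }
    return report


def mismatched_peers(configured_seconds, observed):
    """Names of peers whose negotiated lifetime deviates from the baseline."""
    rep = lifetime_report(configured_seconds, observed)
    return sorted(p for p, r in rep.items() if r["mismatch"])


if __name__ == "__main__":
    rows = lifetime_report(HUB_CONFIG["seconds"], OBSERVED_SECONDS)
    for peer, row in rows.items():
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"{peer:12} {row['seconds']:6d}s  "
              f"{row['fraction_of_configured']:.0%} of configured  {flag}")
```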

Yes, you can do this.

Devices > VPN > Site To Site. Then Add VPN > Firepower Threat Defense Device, or edit a listed VPN Topology. Open the IKE tab.

Then under FTD VPN IPsec Options you can configure lifetime (seconds or kilobytes).

**** please remember to rate useful posts

You may be describing a later version of FTD with FDM? Ours are at least 6.4, and at the moment I do not see a setting about IPsec lifetimes anywhere.