Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1670
Views
0
Helpful
1
Replies

IPSEc - SA lifetime operation behavior

Go to solution
cjrchoi11
Level 1
Level 1

‎06-30-2004 04:09 AM - edited ‎02-21-2020 01:13 PM

I want to clarify the sa lifetime.

If configure seconds and kilobytes both, how it works the lifetime? Is it works based on the early hit? If then, is the SA re-negotiate when the following condition?

1) 24hr and 500K traffic,

2) 4hr and 2M traffic

set security-association lifetime seconds 86399

set security-association lifetime kilobytes 2000

Another question.

Is the following sample will be re-negotiated when 120 seconds or 2M traffic?

RouterA

set security-association lifetime seconds 240

set security-association lifetime kilobytes 10000

RouterB

set security-association lifetime seconds 120

set security-association lifetime kilobytes 2000

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎06-30-2004 08:09 PM

The first one to run out, either time or kbytes, will cause new SA's to be built. In your question, both 1) and 2) will cause new SA's to be built, one set in 24hours, and one set after 2Meg of traffic has passed.

Keep in mind that the router will build new SA's when either 30 seconds are left on the seconds lifetime, or 256Kbytes are left on the kilobytes lifetime, this is so there's no traffic dropped while new SA's are being built. The new SA's are used as soon as they're up, and the old ones just disappear silently.

For your second question, parameters are negotiated by both ends during the tunnel negotiation. The LOWER values are always used by both peers, so RouterB's parameters would be used.

Read this (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972), it answers every question you asked.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎06-30-2004 08:09 PM

The first one to run out, either time or kbytes, will cause new SA's to be built. In your question, both 1) and 2) will cause new SA's to be built, one set in 24hours, and one set after 2Meg of traffic has passed.

Keep in mind that the router will build new SA's when either 30 seconds are left on the seconds lifetime, or 256Kbytes are left on the kilobytes lifetime, this is so there's no traffic dropped while new SA's are being built. The new SA's are used as soon as they're up, and the old ones just disappear silently.

For your second question, parameters are negotiated by both ends during the tunnel negotiation. The LOWER values are always used by both peers, so RouterB's parameters would be used.

Read this (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1026972), it answers every question you asked.

0 Helpful
Customers Also Viewed These Support Documents