
Lifetime VPN



Can you please tell me whether this is normal? I set the lifetime value on the crypto policy to 86400 (24 hours), but when I show the detail I have only 2 hours:

SDSL-RTR # sh cry session detail

Crypto session current status

Code: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal X - IKE Extended Authentication

Interface FastEthernet0 / 0

Session status: UP-ACTIVE

Peer: X.X.X.X port 500 fvrf: (none) ivrf: (none)

       Phase1_id: X.X.X.X

       Desc: (none)

   IKE SA: local YYYY/500 remote XXXX/500 Active

           Capabilities: (none) connid: 134217735 lifetime: 1:59:31 (2 hours)

Best regards,


Jouni Forss


I guess this might depend on whether the device is actually using the policy that you have modified the time for.

You should probably look at all the Crypto ISAKMP policies and check which one of them has the value of 2 hours.

Your connection might be using an ISAKMP policy that is at a higher priority than the one you are making changes to.

show crypto isakmp sa detail

Might also show something about the other parameters on the active connection

- Jouni

Maybe you are right.

RTR-SDSL#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

9     X.X.X.X         Y.Y.Y.Y                       ACTIVE 3des md5  psk  2  00:38:52    

       Connection-id:Engine-id =  9:1(software)


crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 46800

crypto isakmp key ********* address X.X.X.X



crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac


crypto map CryptoVPN 1 ipsec-isakmp

set peer X.X.X.X

set transform-set VPNSet

match address 110





interface FastEthernet0/0

ip address Y.Y.Y.Y

ip mtu 1400

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map CryptoVPN


interface FastEthernet0/1

ip address Z.Z.Z.Z

ip nat inside

ip virtual-reassembly

duplex auto

speed auto


Can you please reply?


I guess you should ask the remote end of this L2L VPN connection to also check their configuration with regard to the lifetime value, since yours is not defining that it would be 2h.

- Jouni
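
The checks suggested in this thread, as an added Python example that is not from any poster: it lists the local ISAKMP policies in priority order, matches them against the SA row from `show crypto isakmp sa detail`, and reports whether the lifetime seen right after the SA came up is a local value or shorter than the local policy. Assumptions: policy 20 and the function names are hypothetical, an omitted lifetime line means the IOS default of 86400 seconds, and when the two peers' lifetimes differ the shorter one is used.

```python
import re

# Constructed sample: policy 1 carries the values posted in the thread;
# policy 20 is a hypothetical extra entry that relies on the default lifetime.
CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 46800
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
# SA row in the column layout of "show crypto isakmp sa detail" above.
SA_ROW = "9     X.X.X.X         Y.Y.Y.Y                       ACTIVE 3des md5  psk  2  00:38:52"
# Config keyword -> abbreviation used in the Auth column of the show output.
AUTH = {"pre-share": "psk", "rsa-sig": "rsig", "rsa-encr": "renc"}

def parse_policies(config):
    """Return {priority: settings}; a lower number is a higher priority."""
    policies = {}
    blocks = re.findall(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", config, re.M)
    for prio, body in blocks:
        settings = dict(l.split(None, 1) for l in body.splitlines())
        # Assumption: no lifetime line means the default of 86400 seconds.
        policies[int(prio)] = {"lifetime": "86400", **settings}
    return policies

def parse_sa(row):
    """Extract negotiated parameters and remaining lifetime in seconds."""
    encr, hsh, auth, group, h, m, s = re.search(
        r"ACTIVE\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+):(\d+):(\d+)", row).groups()
    return {"encr": encr, "hash": hsh, "auth": auth, "group": group,
            "remaining": int(h) * 3600 + int(m) * 60 + int(s)}

def lifetime_source(config, sa, observed_at_setup):
    """Classify the lifetime (seconds) observed right after SA setup."""
    wanted = (sa["encr"], sa["hash"], sa["auth"], sa["group"])
    for prio, p in sorted(parse_policies(config).items()):
        have = (p.get("encr"), p.get("hash"), AUTH.get(p.get("authentication")), p.get("group"))
        if have != wanted:
            continue
        if abs(int(p["lifetime"]) - observed_at_setup) <= 60:
            return prio, "local policy lifetime"
        if observed_at_setup < int(p["lifetime"]):
            return prio, "shorter than local policy: check the peer's lifetime"
    return None, "no matching local policy explains this lifetime"
```

With the first post's `1:59:31` (7171 seconds) as the observed value, `lifetime_source(CONFIG, parse_sa(SA_ROW), 7171)` points at policy 1 and the peer's lifetime.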
