Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
354
Views
0
Helpful
4
Replies

Lifetime VPN

csco11579831
Beginner
Beginner

‎10-08-2013 02:48 AM

Hello,

Can you please tell me is that this is normal, when I put the value lifetime on crypto policy to 86400 (24 hours), but when I show the detail

I have only 2 hours:

SDSL-RTR # sh cry session detail

Crypto session current status

Code: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal X - IKE Extended Authentication

Interface FastEthernet0 / 0

Session status: UP-ACTIVE

Peer: X.X.X.X port 500 fvrf: (none) ivrf: (none)

       Phase1_id: X.X.X.X

       Desc: (none)

   IKE SA: local YYYY/500 remote XXXX/500 Active

           Capabilities: (none) connid: 134217735 lifetime: 1:59:31 (2 hours)

Best regards,

Labels:
0 Helpful
4 Replies 4

Jouni Forss
Mentor
Mentor

‎10-08-2013 05:02 AM

Hi,

I guess this might depend if the device is actually using the Policy that you have modified the time for.

You should probably the all the Crypto ISAKMP Policys and check which one of them has the value of 2 hours

You connection might be using a ISAKMP Policy that is on higher priority than the one you are doing changes for

show crypto isakmp sa detail

Might also show something about the other parameters on the active connection

- Jouni

0 Helpful

csco11579831
Beginner
Beginner
In response to Jouni Forss

‎10-08-2013 06:33 AM

may be you are right

RTR-SDSL#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

9     X.X.X.X         Y.Y.Y.Y                       ACTIVE 3des md5  psk  2  00:38:52    

       Connection-id:Engine-id =  9:1(software)

=============================

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 46800

crypto isakmp key ********* address X.X.X.X

!

!

crypto ipsec transform-set VPNSet esp-3des esp-md5-hmac

!

crypto map CryptoVPN 1 ipsec-isakmp

set peer X.X.X.X

set transform-set VPNSet

match address 110

!

!

!

!

interface FastEthernet0/0

ip address Y.Y.Y.Y 255.255.255.252

ip mtu 1400

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map CryptoVPN

!

interface FastEthernet0/1

ip address Z.Z.Z.Z 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

0 Helpful

csco11579831
Beginner
Beginner

‎10-09-2013 02:09 AM

Can you please reply ?

0 Helpful

Jouni Forss
Mentor
Mentor
In response to csco11579831

‎10-09-2013 02:31 AM

Hi,

I guess you should ask the remote end of this L2L VPN connection to also check their configuration with regards to the lifetime value.

Since yours is not defining that it would be 2h

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents