Not specifying traffic volume in SA, what happens?

richard.dean
Level 1

If I do not specify a security-association lifetime in kilobytes, but do set one up for seconds, what happens? According to this link http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html it states:

A security association expires after the first of these lifetimes is reached.

What if I do not set one for volume? I would assume that prior to reaching the default amount, it will negotiate a new SA and kick in as the original SA times out. I also assume the end user would never know it reset. Guidance please.

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Richard,

We do recommend using seconds as the factor for expiry; reaching the end of kilobytes will most likely cause a short gap in forwarding.

With the kilobyte lifetime disabled we should wait for the seconds lifetime to come close to expiry, and a new SA will be negotiated.

"crypto ipsec security-association lifetime kilobytes disa"

Indeed we do have defaults for both.

But we will always renegotiate based on whichever is reached first.

Does that answer your question?

M.

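To make the two rules in the accepted answer concrete (the SA expires on whichever lifetime is reached first, and with the kilobyte lifetime disabled only the seconds lifetime can trigger a rekey), here is an added Python model. It is example code written for this page, not Cisco's implementation. It assumes the IOS defaults of 3600 seconds and 4,608,000 kilobytes, and uses the soft-lifetime margins Cisco documents for IOS (a new SA is negotiated about 30 seconds, or 256 KB, before the old one expires) as plain parameters; the traffic rate and the time a rekey takes are made-up inputs, and the forwarding gap it reports is the gap in this model, not a measurement from a real router.

```python
"""Model of the IPsec SA lifetime rules discussed in the thread.

Added example, not Cisco code.  The 30 s / 256 KB soft margins follow the
behaviour Cisco documents for IOS (a new SA is negotiated shortly before the
old one expires); the traffic rate and rekey delay are made-up inputs.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_SECONDS = 3600          # IOS default seconds lifetime
DEFAULT_KILOBYTES = 4_608_000   # IOS default volume lifetime
REKEY_MARGIN_SECONDS = 30       # start rekey this long before the hard limit
REKEY_MARGIN_KILOBYTES = 256    # ...or this much traffic before the hard limit


@dataclass
class SaLifetime:
    seconds: int = DEFAULT_SECONDS
    kilobytes: Optional[int] = DEFAULT_KILOBYTES   # None = volume lifetime disabled


def parse_lifetime_config(lines):
    """Read 'crypto ipsec security-association lifetime ...' lines into an SaLifetime.

    Anything not set keeps the IOS default; 'kilobytes disable' turns the volume
    lifetime off so only the seconds lifetime can trigger expiry.
    """
    lt = SaLifetime()
    for raw in lines:
        parts = raw.split()
        if parts[:4] != ["crypto", "ipsec", "security-association", "lifetime"]:
            continue
        kind, value = parts[4], parts[5]
        if kind == "seconds":
            lt.seconds = int(value)
        elif kind == "kilobytes":
            lt.kilobytes = None if value == "disable" else int(value)
    return lt


def expiry_reason(lt, elapsed_s, sent_kb):
    """Which hard lifetime has been reached ('seconds', 'kilobytes') or None."""
    if elapsed_s >= lt.seconds:
        return "seconds"
    if lt.kilobytes is not None and sent_kb >= lt.kilobytes:
        return "kilobytes"
    return None


def rekey_due(lt, elapsed_s, sent_kb):
    """Which soft threshold (hard limit minus margin) has been reached, or None."""
    if elapsed_s >= lt.seconds - REKEY_MARGIN_SECONDS:
        return "seconds"
    if lt.kilobytes is not None and sent_kb >= lt.kilobytes - REKEY_MARGIN_KILOBYTES:
        return "kilobytes"
    return None


def simulate(lt, rate_kb_per_s, rekey_delay_s):
    """Advance one second at a time until the replacement SA is installed.

    Returns (trigger, rekey_started_at, gap_seconds).  gap_seconds counts the
    seconds during which the old SA had already hit its hard limit while the
    new one was still being negotiated, i.e. the forwarding gap.
    """
    t, sent_kb = 0, 0.0
    trigger, rekey_started, gap = None, None, 0
    while True:
        if rekey_started is not None and t - rekey_started >= rekey_delay_s:
            return trigger, rekey_started, gap        # new SA ready: done
        if expiry_reason(lt, t, sent_kb) is not None:
            gap += 1                                  # old SA dead, nothing to use
        if trigger is None:
            trigger = rekey_due(lt, t, sent_kb)
            if trigger is not None:
                rekey_started = t
        t += 1
        sent_kb += rate_kb_per_s


if __name__ == "__main__":
    # Volume lifetime disabled, as the accepted answer suggests.
    seconds_only = parse_lifetime_config([
        "crypto ipsec security-association lifetime seconds 3600",
        "crypto ipsec security-association lifetime kilobytes disable",
    ])
    print(simulate(seconds_only, rate_kb_per_s=100, rekey_delay_s=5))
    # Small volume lifetime at 100 KB/s: the 256 KB margin buys only ~2.5 s,
    # so a 5 s rekey leaves the tunnel without a usable SA for a few seconds.
    print(simulate(SaLifetime(seconds=3600, kilobytes=4000), 100, 5))
```

With the defaults and a modest traffic rate the seconds lifetime is reached long before 4,608,000 KB, so the rekey is driven by time and starts 30 seconds early, which is plenty. A small volume lifetime at a high rate burns through the 256 KB margin in a couple of seconds, which is the "short gap in forwarding" the answer warns about; disabling the kilobyte lifetime removes that trigger entirely.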

2 Replies

Thanks, it answers my question perfectly.