04-16-2012 05:07 AM
If I do not specify a security-association lifetime in kilobytes, but do set one up for seconds, what happens? According to this link http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html it states:
A security association expires after the first of these lifetimes is reached.
What if I do not set one for volume? I would assume that prior to reaching the default amount, it will negotiate a new SA and kick in as the original SA times out. I also assume the end user would never know it reset. Guidance please.
04-16-2012 01:39 PM
Richard,
We do recommend using seconds as the factor for expiry; reaching the end of kilobytes will most likely cause a short gap in forwarding.
With kilobyte lifetime disabled we should wait for the seconds lifetime to come close to expiry, and a new SA will be negotiated.
"crypto ipsec security-association lifetime kilobytes disa"
Indeed we do have defaults for both.
But we will always renegotiate based on whichever is reached first.
Does that answer your question?
M.
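As an added illustration of the configuration the answer above describes (this is example configuration written for this page, not text posted by anyone in the thread), the fragment below sets the time-based lifetime globally, disables the volume-based lifetime, and shows a per-crypto-map override. The crypto map name, sequence number, peer address, transform-set and ACL names are placeholders; the default values quoted in the comments are assumed from the IOS documentation rather than stated in the thread.

```cisco
! Global IPsec SA lifetimes. IOS defaults are 3600 seconds and
! 4608000 kilobytes (values assumed from the IOS docs, not from the thread);
! the SA is torn down when whichever limit is reached first.
crypto ipsec security-association lifetime seconds 3600
!
! Disable the kilobyte lifetime so rekeying is driven by time only and a
! busy tunnel does not hit a volume expiry mid-transfer.
crypto ipsec security-association lifetime kilobytes disable
!
! Per-peer override: lifetimes set under the crypto map entry take
! precedence over the global value for that entry only.
! (VPNMAP, sequence 10, peer 203.0.113.1, TS and VPN-ACL are placeholders.)
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 set security-association lifetime seconds 1800
 match address VPN-ACL
```

To confirm which limit is in effect on a live SA, `show crypto ipsec sa` reports the remaining lifetime per SA in both kilobytes and seconds; with the kilobyte lifetime disabled only the seconds counter should be counting down. Because IOS starts negotiating the replacement SA shortly before the current one expires, the switchover is not visible to end hosts when the time-based limit is used, which is the behaviour the answer recommends relying on.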
04-18-2012 07:54 AM
Thanks, it answers my question perfectly.