VPN timeouts on IOS?

bourse
Level 1

I've set up a VPN between two Cisco routers. The question I have concerns timing out an "unused" VPN. Once a VPN tunnel is set up, at what point will it be deleted if there is no more traffic?

2 Replies

gmiiller
Level 1

You can adjust the lifetime on both the crypto map and the isakmp policy. In addition, the newer versions of IOS have an option called "crypto isakmp keepalive" with a configurable timer so that the routers poll to ensure the far end is still reachable.

I have tested using short isakmp and ipsec SA lifetimes. This is what I get after I initiate the VPN and then send no more traffic:

After Initial Lifetime Expiry:

- isakmp SA goes into "MM_NO_STATE" mode and shows "(deleted)"

- ipsec SA gets renegotiated and the expiry gets reset to the lifetime amount

After Second Lifetime Expiry:

- isakmp SA no longer shows

- ipsec SA gets deleted

I did these tests using a 300 second lifetime. If I were to set the lifetime to, let's say, 2 hours, does this mean that it will take 4 hours for the ipsec SA to time out? Is this a big deal (will it use up router resources)? Also, should I set the lifetimes for the isakmp SA and ipsec SA to be the same? Since isakmp is used to set up the VPN, could I make the isakmp lifetime short and leave the ipsec SA long? Does all this make any difference to the router performance?
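For reference, here is an added IOS configuration fragment (not posted by either participant) that shows where the three knobs named in the reply live: the isakmp policy lifetime, the global and per-crypto-map ipsec SA lifetime, and the isakmp keepalive (dead peer detection), plus the two show commands whose output the reply describes. The peer address 203.0.113.2, the map/transform-set/ACL names and the pre-shared key are constructed placeholders, and the lifetime values are illustrative rather than a recommendation.

```cisco
! Added example, not from the original thread. Addresses, names and the
! PSK are placeholders; replace them for a real deployment.
!
! ISAKMP (IKE phase 1) policy. "lifetime" is in seconds (default 86400).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Dead peer detection: send a keepalive every 10 s and retry every 3 s once a
! reply is missed. When the far end stops answering, the isakmp SA and the
! ipsec SAs under it are torn down without waiting for lifetime expiry.
crypto isakmp keepalive 10 3 periodic
!
! Global ipsec (phase 2) SA lifetime in seconds, applied to every crypto map
! entry that does not override it.
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 ! Per-map override of the global ipsec SA lifetime
 set security-association lifetime seconds 1800
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPNMAP
!
! Verification (exec mode): the first shows the isakmp SA state such as
! MM_NO_STATE and the "(deleted)" marker; the second shows each ipsec SA with
! its remaining lifetime in seconds and kilobytes.
! show crypto isakmp sa
! show crypto ipsec sa
```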