08-14-2002 12:50 PM - edited 02-21-2020 12:00 PM
I've set up a VPN between two Cisco routers. The question I have concerns timing out an "unused" VPN. Once a VPN tunnel is set up, at what point will it be deleted if there is no more traffic?
08-14-2002 09:53 PM
You can adjust the lifetime on both the crypto-map and the isakmp policy. In addition, the newer versions of IOS have an option called "crypto isakmp keepalive" with a configurable timer so that the routers poll to ensure the far-end is still reachable.
08-15-2002 05:28 AM
I have tested using short isakmp and ipsec SA lifetimes. This is what I get after I initiate the VPN and then send no more traffic:
After Initial Lifetime Expiry:
- isakmp SA goes into "MM_NO_STATE" mode and shows "(deleted)"
- ipsec SA gets renegotiated and the expiry gets reset to the lifetime amount
After Second Lifetime Expiry:
- isakmp SA no longer shows
- ipsec SA gets deleted
I did these tests using a 300 second lifetime. If I were to set the lifetime to, let's say, 2 hours, does this mean that it will take 4 hours for the ipsec SA to time out? Is this a big deal (will it use up router resources)? Also, should I set the lifetimes for the isakmp SA and ipsec SA to be the same? Since isakmp is used to set up the VPN, could I make the isakmp lifetime short and leave the ipsec SA long? Does all this make any difference to the router performance?
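The settings discussed in the two posts above (ISAKMP policy lifetime, IPsec SA lifetime on the crypto map, and the `crypto isakmp keepalive` dead-peer detection timer), collected into one IOS configuration as an added example. This is not configuration from either poster; the peer address, access list, key and crypto map names are constructed placeholders, and the lifetime values are illustrative rather than a recommendation. The `show` commands at the end are the ones used to observe the SA states described in the test results (MM_NO_STATE / deleted, and renegotiation of the IPsec SA).

```cisco
! ---- Phase 1 (ISAKMP/IKE) ----
! Constructed example; adjust crypto parameters to your own policy.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 ! ISAKMP SA lifetime in seconds (IOS default is 86400 = 24 hours).
 lifetime 7200
!
! Constructed placeholder key and peer (RFC 5737 documentation address).
crypto isakmp key EXAMPLE-PSK address 192.0.2.2
!
! Dead peer detection: send a keepalive every 10 s once the peer is quiet,
! retry every 3 s, and tear the SAs down when the far end stops answering.
! This detects an unreachable peer, not an idle-but-healthy tunnel.
crypto isakmp keepalive 10 3
!
! ---- Phase 2 (IPsec) ----
crypto ipsec transform-set TS-EXAMPLE esp-3des esp-sha-hmac
!
! Global IPsec SA lifetime (IOS default is 3600 s); the crypto map below
! overrides it for this one peer.
crypto ipsec security-association lifetime seconds 3600
!
! Constructed "interesting traffic" ACL between two documentation prefixes.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map CM-EXAMPLE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-EXAMPLE
 ! Per-peer IPsec SA lifetime; 300 s reproduces the short-lifetime test above.
 set security-association lifetime seconds 300
 ! Later IOS (12.2(15)T and newer) adds an idle timer that removes an IPsec SA
 ! that has carried no traffic for the given period, which is the "unused VPN"
 ! case asked about; omit this line on IOS releases that do not support it.
 set security-association idle-time 600
 match address VPN-TRAFFIC
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CM-EXAMPLE
!
! ---- Observing SA state after the lifetimes expire ----
! show crypto isakmp sa       -> state column (QM_IDLE, MM_NO_STATE (deleted), ...)
! show crypto ipsec sa        -> "sa timing: remaining key lifetime" per SA
! debug crypto isakmp         -> watch the rekey / delete exchanges (lab use)
```

Running `show crypto ipsec sa` before and after the configured lifetime shows whether the SA was renegotiated (the remaining lifetime jumps back to the configured value) or removed, which is the behaviour the test results above describe; `show crypto isakmp sa` shows the Phase 1 SA moving through the deleted state and then disappearing.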