06-23-2020 02:44 AM
Hi Guys
Can someone tell me what this message from the ASA means
What does this mean : Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
I've seen the messages with Overriding Initiator's IPSec rekeying duration from 28800 to 3600 seconds, which are clear and obvious as they show the value in seconds.
Could someone elaborate on the above message?
06-23-2020 05:17 AM
Hi,
The IPSec SA has 2 lifetime values; time in seconds (default 28,800) and data/traffic volume in kilobytes (default 4,608,000). When a peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or the locally configured lifetime value as the lifetime of the new SA. The SA expires after the first of these lifetimes is reached.
Your error indicates your devices have a different value configured for data volume. The other device, which was the initiator of the tunnel, is probably set to "unlimited" for lifetime kilobytes. Nowadays it is recommended not to use a data volume lifetime, as if a VPN is heavily used it could be rekeying often. Just using a lifetime in seconds is acceptable.
Disable data volume lifetime using the following command, set on both peers:
crypto map CRYPTO-MAP 1 set security-association lifetime kilobytes unlimited
HTH
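The negotiation rule the answer describes (each peer keeps the smaller of the proposed and the locally configured lifetime, and the SA rekeys when the first limit is hit) can be worked through in a few lines. The following is an added example, not code from the thread or from Cisco: it parses the two ASA log lines quoted in the question (constructed sample input), applies the min rule, and estimates how quickly a 4,608,000 KB volume lifetime forces a rekey on a busy tunnel. The assumption that the initiator's "unlimited" kilobyte lifetime shows up as 0 in the message is taken from the log line in the question, not from documentation.

```python
"""IPsec SA lifetime negotiation, worked through in Python (added example)."""
import re
from typing import List, Optional, Tuple

# Assumption: an "unlimited" lifetime is carried as 0, which is how the
# initiator's kilobyte lifetime appears in the log line from the question.
UNLIMITED = 0

# ASA defaults quoted in the answer above.
DEFAULT_SECONDS = 28800
DEFAULT_KILOBYTES = 4608000

# Constructed sample log lines, copied from the question in this thread.
SAMPLE_LOG: List[str] = [
    "Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs",
    "Overriding Initiator's IPSec rekeying duration from 28800 to 3600 seconds",
]

_OVERRIDE_RE = re.compile(
    r"Overriding Initiator's IPSec rekeying duration from (\d+) to (\d+) (Kbs|seconds)"
)


def negotiate(proposed: int, local: int) -> int:
    """Lifetime the responder installs: the smaller of the proposed and local
    values. An unlimited (0) value never wins over a finite one."""
    if proposed == UNLIMITED:
        return local
    if local == UNLIMITED:
        return proposed
    return min(proposed, local)


def negotiate_sa(proposed_seconds: int, proposed_kb: int,
                 local_seconds: int = DEFAULT_SECONDS,
                 local_kb: int = DEFAULT_KILOBYTES) -> Tuple[int, int]:
    """Apply the min rule independently to the time and the volume lifetime."""
    return negotiate(proposed_seconds, local_seconds), negotiate(proposed_kb, local_kb)


def parse_override(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (proposed, installed, unit) for an override message, else None."""
    m = _OVERRIDE_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def explain_override(line: str) -> str:
    """Plain-language reading of one override message."""
    parsed = parse_override(line)
    if parsed is None:
        return "not an IPsec lifetime override message"
    proposed, installed, unit = parsed
    field = "data volume (KB)" if unit == "Kbs" else "time (seconds)"
    if proposed == UNLIMITED:
        return (f"initiator proposed an unlimited {field} lifetime; "
                f"responder keeps its local value of {installed}")
    return (f"initiator proposed {proposed} for the {field} lifetime; "
            f"responder installs the smaller local value of {installed}")


def seconds_until_rekey(lifetime_seconds: int, lifetime_kb: int,
                        throughput_kb_per_s: float) -> Tuple[float, str]:
    """Estimate which limit expires first on a tunnel carrying the given
    sustained throughput, and after how many seconds. Shows why a heavily
    used VPN rekeys far more often than the time lifetime suggests."""
    candidates = []
    if lifetime_seconds != UNLIMITED:
        candidates.append((float(lifetime_seconds), "seconds"))
    if lifetime_kb != UNLIMITED and throughput_kb_per_s > 0:
        candidates.append((lifetime_kb / throughput_kb_per_s, "kilobytes"))
    if not candidates:
        return (float("inf"), "never")
    return min(candidates, key=lambda c: c[0])


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(explain_override(line))
    # Busy tunnel at 10,000 KB/s (about 80 Mbit/s): the volume limit wins.
    print(seconds_until_rekey(DEFAULT_SECONDS, DEFAULT_KILOBYTES, 10000.0))
    # With kilobytes set to unlimited only the time lifetime remains.
    print(seconds_until_rekey(DEFAULT_SECONDS, UNLIMITED, 10000.0))
```

Running the script prints the reading of both messages from the question and then shows that, at roughly 80 Mbit/s of sustained traffic, the default 4,608,000 KB lifetime expires after under eight minutes, well before the 28,800 second time lifetime, which is the "rekeying often" effect the answer warns about.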
06-23-2020 06:49 AM - edited 06-23-2020 06:50 AM
Thank you very much, just the answer I was looking for