Posted by fahad on March 18, 2008, 2:51 pm
I configured the IKE SA keepalive timeout as 60 seconds & the phase 1 rekey interval as 60 seconds. Now this side is not getting any keepalives from any other router, so will phase 1 rekey, or, due to the keepalive timeout, should the phase 1 & phase 2 SAs be deleted? I think, since both features are not related & since I am not getting any keepalives, the phase 1 & phase 2 SAs should be deleted irrespective of a successful rekey, because the keepalive timeout has occurred.

Thanks
Fahad
|
Posted by News Reader on March 18, 2008, 4:16 pm
When you indicate a phase 1 rekey interval of 60 sec., I'm assuming you are referring to the ISAKMP policy command "lifetime".

The default is likely once per day (86,400 sec.).

You might want a lifetime of an hour (3600 sec.).

Can't imagine why you would want such a short lifetime as 60 seconds.

When do you plan to forward traffic, if all you are doing is building and tearing down SAs?

Best regards,
News Reader
|
Posted by fahad on March 19, 2008, 1:57 pm
> fahad wrote:
> > Hi
> >
> > I configured ike sa keepalive timeout as 60 seconds & phase 1 rekey
> > interval as 60 seconds. Now this side is not getting any keepalives
> > from any other router, so will the phase 1 rekey, or due to keepalive
> > timeout Phase 1 & phase 2 SAs should be deleted? I think since both
> > features are not related & since I am not getting any keepalives Phase
> > 1 & phase 2 SAs should be deleted irrespective of successful rekey
> > because keepalive timeout has occurred.
> > Thanks
> > Fahad
>
> When you indicate a phase 1 rekey interval of 60 sec., I'm assuming you
> are referring to the ISAKMP policy command "lifetime".
>
> The default is likely once per day (86,400 sec.).
>
> You might want a lifetime of an hour (3600 sec.).
>
> Can't imagine why you would want such a short lifetime as 60 seconds.
>
> When do you plan to forward traffic, if all you are doing is building
> and tearing down SAs?
>
> Best regards,
> News Reader

Hi

Ya, I am referring to 60 seconds as the isakmp SA lifetime. What I wanted to ask is: if I configure the isakmp SA lifetime & the isakmp sa keepalive timeout duration as the SAME, then will the isakmp & ipsec SAs be deleted, or, since rekey is happening, is there no need to delete the SAs as the peer is reachable? Note that I am not getting any keepalives from any side. If there is any RFC or draft for keepalives or heartbeat then please let me know. I know DPD, but the behavior of keepalives is still not clear to me.

Thanks
Fahad
|
Posted by News Reader on March 19, 2008, 3:39 pm
fahad wrote:
>> fahad wrote:
>>> Hi
>>> I configured ike sa keepalive timeout as 60 seconds & phase 1 rekey
>>> interval as 60 seconds. Now this side is not getting any keepalives
>>> from any other router, so will the phase 1 rekey, or due to keepalive
>>> timeout Phase 1 & phase 2 SAs should be deleted? I think since both
>>> features are not related & since I am not getting any keepalives Phase
>>> 1 & phase 2 SAs should be deleted irrespective of successful rekey
>>> because keepalive timeout has occurred.
>>> Thanks
>>> Fahad
>> When you indicate a phase 1 rekey interval of 60 sec., I'm assuming you
>> are referring to the ISAKMP policy command "lifetime".
>>
>> The default is likely once per day (86,400 sec.).
>>
>> You might want a lifetime of an hour (3600 sec.).
>>
>> Can't imagine why you would want such a short lifetime as 60 seconds.
>>
>> When do you plan to forward traffic, if all you are doing is building
>> and tearing down SAs?
>>
>> Best regards,
>> News Reader
>
> Hi
>
> Ya I am referring to 60 seconds as isakmp SA lifetime. What I wanted to
> ask is if I configure isakmp SA lifetime & isakmp sa keepalive timeout
> duration as SAME then will the isakmp & ipsec SAs be deleted or
> since rekey is happening so no need to delete the SAs as peer is
> reachable. Note that I am not getting any keepalives from any side. If
> there is any rfc or draft for keepalives or heartbeat then please let me
> know. I know DPD but the behavior of keepalives is still not clear to
> me
> Thanks
> Fahad

Assuming I am correct that there is no reasonable circumstance for setting "isakmp sa lifetime" to a value as small as 60 sec., why is it important to you to know what would happen with such a configuration?

The "crypto isakmp keepalive" command specifies the number of seconds between DPD (Dead Peer Detection) messages.

When a crypto endpoint does not receive "three" keepalives in a row (3 x isakmp keepalive interval), it tears down the SAs.

You are tearing down the SAs due to the "isakmp sa lifetime" at, or around, the time you would be receiving your first keepalive.

You may want to consult the Cisco IOS Security Command Reference, Release 12.3 T:
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_c2gt.html#wp1199835

If your next question is - what if I change the "isakmp sa lifetime" to equal three times the "isakmp sa keepalive", I'm going to hang up on you. ;>)

Best regards,
News Reader
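To make the interplay of the two timers concrete, here is a small simulation. It is an added example written for this thread, not News Reader's or Cisco's code, and not IOS behaviour beyond what the thread states: it assumes one DPD probe per `keepalive` seconds, three consecutive unanswered probes tear down the SAs, and at lifetime expiry the IKE SA is rekeyed if the peer answers and deleted otherwise. The function names (`simulate`, `dpd_detection_time`, `lifetime_fires_first`) and the constant `DPD_RETRIES` are the example's own.

```python
"""Model of the two independent IKE timers discussed in this thread.

Added, hypothetical example: it is not the thread's own material and not Cisco IOS
code. It encodes the behaviour News Reader describes (a DPD probe every `keepalive`
seconds; three consecutive unanswered probes tear down the SAs) next to the usual
ISAKMP lifetime rule (at expiry, rekey if the peer answers, otherwise delete the SAs)
so the interplay for a given pair of settings can be read off an event log.
"""

DPD_RETRIES = 3  # consecutive unanswered probes before the peer is declared dead (per the thread)


def simulate(lifetime, keepalive, peer_alive, horizon, dpd_retries=DPD_RETRIES):
    """Advance a clock one second at a time.

    lifetime   -- ISAKMP SA lifetime in seconds ("crypto isakmp policy ... lifetime")
    keepalive  -- DPD probe interval in seconds ("crypto isakmp keepalive")
    peer_alive -- whether the remote side answers probes and rekey requests
    horizon    -- how many seconds to simulate

    Returns (events, sa_up, sa_generation): the event log as (second, description)
    tuples, whether any SA is still up, and how many IKE SAs were negotiated.
    """
    events = []
    missed = 0             # consecutive unanswered DPD probes
    sa_up = True
    sa_generation = 1      # the initial IKE SA is generation 1
    next_probe = keepalive
    next_expiry = lifetime

    for t in range(1, horizon + 1):
        # DPD probe due this second
        if t == next_probe:
            if peer_alive:
                missed = 0
                events.append((t, "dpd ack"))
            else:
                missed += 1
                events.append((t, f"dpd miss {missed}"))
                if missed >= dpd_retries:
                    events.append((t, "peer dead: delete IKE and IPsec SAs"))
                    sa_up = False
                    break
            next_probe += keepalive

        # ISAKMP SA lifetime expiry due this second
        if t == next_expiry:
            if peer_alive:
                sa_generation += 1
                events.append((t, f"lifetime expired: rekeyed, IKE SA generation {sa_generation}"))
                next_expiry += lifetime
            else:
                events.append((t, "lifetime expired, rekey got no answer: delete SAs"))
                sa_up = False
                break

    return events, sa_up, sa_generation


def dpd_detection_time(keepalive, dpd_retries=DPD_RETRIES):
    """Seconds until a silent peer is declared dead by DPD alone."""
    return keepalive * dpd_retries


def lifetime_fires_first(lifetime, keepalive, dpd_retries=DPD_RETRIES):
    """True when the lifetime expires before DPD could ever declare the peer dead,
    which is the situation in the original question (both set to 60 seconds)."""
    return lifetime <= dpd_detection_time(keepalive, dpd_retries)


if __name__ == "__main__":
    # The thread's configuration: lifetime 60 s, keepalive 60 s, silent peer.
    for t, what in simulate(60, 60, peer_alive=False, horizon=300)[0]:
        print(f"t={t:4d}s  {what}")
    # A more typical configuration: lifetime 3600 s, keepalive 10 s, silent peer.
    for t, what in simulate(3600, 10, peer_alive=False, horizon=300)[0]:
        print(f"t={t:4d}s  {what}")
```

With both timers at 60 seconds and a silent peer, the log shows the first missed probe and the lifetime-driven deletion landing in the same second, which is the point News Reader makes: DPD never gets to count to three. With a 3600-second lifetime and a 10-second keepalive, DPD alone declares the peer dead at 30 seconds and the lifetime never matters; `lifetime_fires_first` is the one-line check for which of the two regimes a configuration is in.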
|
Posted by fahad on March 20, 2008, 2:53 pm
Hi

Thanks for that link. By the way, I gave 60 seconds SA duration just as an example :). Perhaps I was not able to phrase my statements properly. The question is: if I get the 3rd keepalive & at the same time my isakmp SA tears down, should the ipsec SA also tear down as I have received the 3rd keepalive, or should it continue with the new isakmp SA & the older ipsec SA? Of course, now change the isakmp duration to around 1500 sec :)

Regards
Fahad :)

> fahad wrote:
> >> fahad wrote:
> >>> Hi
> >>> I configured ike sa keepalive timeout as 60 seconds & phase 1 rekey
> >>> interval as 60 seconds. Now this side is not getting any keepalives
> >>> from any other router, so will the phase 1 rekey, or due to keepalive
> >>> timeout Phase 1 & phase 2 SAs should be deleted? I think since both
> >>> features are not related & since I am not getting any keepalives Phase
> >>> 1 & phase 2 SAs should be deleted irrespective of successful rekey
> >>> because keepalive timeout has occurred.
> >>> Thanks
> >>> Fahad
> >> When you indicate a phase 1 rekey interval of 60 sec., I'm assuming you
> >> are referring to the ISAKMP policy command "lifetime".
> >>
> >> The default is likely once per day (86,400 sec.).
> >>
> >> You might want a lifetime of an hour (3600 sec.).
> >>
> >> Can't imagine why you would want such a short lifetime as 60 seconds.
> >>
> >> When do you plan to forward traffic, if all you are doing is building
> >> and tearing down SAs?
> >>
> >> Best regards,
> >> News Reader
> >
> > Hi
> >
> > Ya I am referring to 60 seconds as isakmp SA lifetime. What I wanted to
> > ask is if I configure isakmp SA lifetime & isakmp sa keepalive timeout
> > duration as SAME then will the isakmp & ipsec SAs be deleted or
> > since rekey is happening so no need to delete the SAs as peer is
> > reachable. Note that I am not getting any keepalives from any side. If
> > there is any rfc or draft for keepalives or heartbeat then please let me
> > know. I know DPD but the behavior of keepalives is still not clear to
> > me
> > Thanks
> > Fahad
>
> Assuming I am correct that there is no reasonable circumstance for
> setting "isakmp sa lifetime" to a value as small as 60 sec., why is it
> important to you to know what would happen with such a configuration?
>
> The "crypto isakmp keepalive" command specifies the number of seconds
> between DPD (Dead Peer Detection) messages.
>
> When a crypto endpoint does not receive "three" keepalives in a row (3 x
> isakmp keepalive interval), it tears down the SAs.
>
> You are tearing down the SAs due to the "isakmp sa lifetime" at, or
> around the time you would be receiving your first keepalive.
>
> You may want to consult the Cisco IOS Security Command Reference,
> Release 12.3 T
>
> http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec...
>
> If your next question is - what if I change the "isakmp sa lifetime"
> to equal three times the "isakmp sa keepalive", I'm going to hang up on
> you. ;>)
>
> Best regards,
> News Reader