Time at which the USG2000 clears an IPSec SA


Both IKE SAs and IPSec SAs have lifetimes, and each lifetime has a hard value and a soft value. The soft lifetime is about 9/10 of the hard lifetime. When the soft lifetime of an IKE SA expires, a new IKE SA is negotiated to replace the original one. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA has been established. Any IPSec SA established under that IKE SA is also deleted.

Other related questions:
Time at which the USG9000 clears an IPSec SA

Time at which the USG6000 clears an IPSec SA

Time at which the USG5000 clears an IPSec SA

When does the firewall clear an IPSec SA in normal cases?
Both IKE SAs and IPSec SAs have lifetimes, and each lifetime has a hard value and a soft value. The soft lifetime is about 9/10 of the hard lifetime. When the soft lifetime of an IKE SA expires, a new IKE SA is negotiated to replace the original one. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA has been established. Any IPSec SA established under that IKE SA is also deleted. If the hard lifetime of the IPSec SA expires, both the IKE SA and the IPSec SA are deleted. In addition, if IKE SA keepalive or DPD is enabled, the IKE SA and the IPSec SA are deleted when the keepalive or DPD packets time out.
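The following simulation is an added example written for this page, not Huawei USG code. It applies the lifetime rules stated in the answers above (soft lifetime 9/10 of hard, IKE rekey at soft expiry, deletion of the original IKE SA and its IPSec SA at hard expiry regardless of the replacement, deletion of both on IPSec hard expiry or DPD/keepalive timeout) to a small event log. The SA identifiers, the second-granularity timer, the traffic trigger and the immediate success of the replacement negotiation are assumptions; IPSec SA rekeying at its own soft lifetime is not modelled because the answer does not describe it.

```python
from dataclasses import dataclass
from typing import Optional

# Soft lifetime is about 9/10 of the hard lifetime (integer seconds)
SOFT_NUM, SOFT_DEN = 9, 10


@dataclass
class SA:
    sa_id: str
    kind: str                          # "IKE" or "IPSec"
    created: int                       # seconds
    hard_lifetime: int                 # seconds
    parent: Optional[str] = None       # IPSec SA: id of the IKE SA that negotiated it
    replaced_by: Optional[str] = None  # IKE SA: id of its rekey replacement, if any

    @property
    def soft_expiry(self) -> int:
        return self.created + self.hard_lifetime * SOFT_NUM // SOFT_DEN

    @property
    def hard_expiry(self) -> int:
        return self.created + self.hard_lifetime


class SaTable:
    """Simplified per-peer SA table applying the deletion rules from the answer (assumed model)."""

    def __init__(self, ike_hard: int, ipsec_hard: int):
        self.ike_hard = ike_hard
        self.ipsec_hard = ipsec_hard
        self.sas: dict = {}       # sa_id -> SA
        self.events: list = []    # (time, description)
        self._seq = 0

    def _new_id(self, kind: str) -> str:
        self._seq += 1
        return f"{kind}-{self._seq}"

    def _live(self, kind: str) -> list:
        return [s for s in self.sas.values() if s.kind == kind]

    def _delete(self, now: int, sa_id: Optional[str], reason: str) -> None:
        sa = self.sas.pop(sa_id, None)
        if sa is None:
            return                      # already gone (e.g. removed by a cascade)
        self.events.append((now, f"delete {sa_id} ({reason})"))
        if sa.kind == "IKE":
            # IPSec SAs negotiated under a deleted IKE SA are deleted with it
            for child in self._live("IPSec"):
                if child.parent == sa_id:
                    self._delete(now, child.sa_id, f"parent {sa_id} deleted")

    def negotiate_ike(self, now: int) -> SA:
        sa = SA(self._new_id("IKE"), "IKE", now, self.ike_hard)
        self.sas[sa.sa_id] = sa
        self.events.append((now, f"establish {sa.sa_id}"))
        return sa

    def on_traffic(self, now: int) -> Optional[SA]:
        """IKE mode: a data flow triggers IPSec SA negotiation under the newest IKE SA."""
        if self._live("IPSec"):
            return None                 # traffic is already protected
        ike = self._live("IKE")
        if not ike:
            return None                 # no IKE SA: nothing can be negotiated yet
        parent = max(ike, key=lambda s: s.created)
        sa = SA(self._new_id("IPSec"), "IPSec", now, self.ipsec_hard, parent=parent.sa_id)
        self.sas[sa.sa_id] = sa
        self.events.append((now, f"establish {sa.sa_id} under {parent.sa_id}"))
        return sa

    def tick(self, now: int, dpd_timed_out: bool = False) -> None:
        """Apply the rekey/deletion rules at time `now` (seconds)."""
        if dpd_timed_out:
            # keepalive/DPD timeout: both the IPSec SAs and the IKE SAs are deleted
            for sa in self._live("IPSec") + self._live("IKE"):
                self._delete(now, sa.sa_id, "DPD/keepalive timeout")
            return
        for sa in self._live("IKE"):
            if sa.sa_id not in self.sas:
                continue
            if now >= sa.hard_expiry:
                # deleted regardless of whether the replacement IKE SA exists
                self._delete(now, sa.sa_id, "IKE hard lifetime expired")
            elif now >= sa.soft_expiry and sa.replaced_by is None:
                sa.replaced_by = self.negotiate_ike(now).sa_id
        for sa in self._live("IPSec"):
            if sa.sa_id in self.sas and now >= sa.hard_expiry:
                # IPSec hard expiry removes the IPSec SA and the IKE SA that built it
                self._delete(now, sa.sa_id, "IPSec hard lifetime expired")
                self._delete(now, sa.parent, f"child {sa.sa_id} hard lifetime expired")


def simulate(ike_hard: int, ipsec_hard: int, traffic_at=(5,), until: int = 200,
             dpd_timeout_at: Optional[int] = None) -> list:
    """Run from t=0 with one initial IKE SA; returns the (time, event) log."""
    table = SaTable(ike_hard, ipsec_hard)
    table.negotiate_ike(0)
    for now in range(0, until + 1):
        table.tick(now, dpd_timed_out=(now == dpd_timeout_at))
        if now in traffic_at:
            table.on_traffic(now)
    return table.events


if __name__ == "__main__":
    for t, e in simulate(ike_hard=100, ipsec_hard=300, traffic_at=(5, 120), until=150):
        print(f"t={t:>4}s  {e}")
```

With an IKE hard lifetime of 100 s the log shows the replacement IKE SA appearing at 90 s, the original IKE SA and its IPSec SA being removed at 100 s, and a fresh IPSec SA being negotiated under the replacement only when traffic arrives again, which is the behaviour an operator sees as a short gap in a tunnel after rekey.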

USG firewall security association
What is a security association (SA)?

An IPSec SA is a unidirectional logical connection created for security purposes. Traffic between two peers is bidirectional, so an IPSec SA is required in each direction. The number of SAs depends on the security protocol. If either AH or ESP is used to protect traffic between peers, two SAs (one in each direction) exist between the peers. If both AH and ESP are used, four SAs (two in each direction, one for AH and one for ESP) exist between the peers. Therefore, an IPSec SA is not equivalent to a connection.

An IPSec SA is uniquely identified by a triplet consisting of the following elements:
- Security Parameter Index (SPI): a 32-bit value generated to uniquely identify an SA. The SPI is carried in the AH and ESP headers. Together, the SPI, destination IP address, and security protocol number uniquely identify an IPSec SA.
- Destination IP address
- Security protocol number (AH or ESP)

Creation mode

IPSec SAs are of two types: SAs that are created manually and SAs that are created by IKE automatic negotiation (isakmp). The major differences between the two types are as follows:
- Key generation: in manual mode, all parameters required by the IPSec SA, including the encryption and verification keys, are configured and updated manually. In IKE mode, the encryption and verification keys required by the IPSec SA are generated by the DH algorithm and can be updated dynamically, so key management cost is low and security is high.
- IPSec SA lifetime: in manual mode, once an IPSec SA is created it exists permanently. In IKE mode, IPSec SA establishment is triggered by the data flow, and the SA lifetime is controlled by the lifetime parameters configured on both ends.
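The following is an added example written for this page, not USG code, showing how an SA database keyed by the (SPI, destination IP address, security protocol) triplet behaves: two SAs per protocol between a pair of peers (so four for AH plus ESP), the same SPI value legitimately reused for an SA with a different destination or protocol, and manual SAs carrying no lifetime while IKE-negotiated ones require one. The `SaDatabase` and `build_sas` names, the sequential SPI assignment from `base_spi`, and the addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ESP, AH = 50, 51    # IP protocol numbers of ESP and AH


@dataclass(frozen=True)
class SaTriplet:
    """The triplet that uniquely identifies an IPSec SA."""
    spi: int        # 32-bit Security Parameter Index, carried in the AH/ESP header
    dst: str        # destination IP address
    proto: int      # security protocol number (AH or ESP)


@dataclass
class IpsecSa:
    triplet: SaTriplet
    src: str
    mode: str                            # "manual" or "ike"
    hard_lifetime: Optional[int] = None  # seconds; None for manual SAs, which exist permanently


class SaDatabase:
    """Toy SA database with one entry per triplet (example code, not USG code)."""

    def __init__(self) -> None:
        self._sad: dict = {}

    def add(self, sa: IpsecSa) -> None:
        if sa.triplet in self._sad:
            raise ValueError(f"SA already exists for {sa.triplet}")
        self._sad[sa.triplet] = sa

    def lookup(self, spi: int, dst: str, proto: int) -> Optional[IpsecSa]:
        """Resolve an inbound AH/ESP packet to its SA using only the triplet."""
        return self._sad.get(SaTriplet(spi, dst, proto))

    def count_between(self, a: str, b: str) -> int:
        """Number of SAs whose endpoints are exactly the peers a and b (either direction)."""
        return sum(1 for sa in self._sad.values() if {sa.src, sa.triplet.dst} == {a, b})


def build_sas(local: str, remote: str, use_ah: bool, use_esp: bool, mode: str,
              hard_lifetime: Optional[int] = None, base_spi: int = 0x1000) -> list:
    """Create the SAs protecting bidirectional traffic between two peers.

    One SA per direction per protocol: AH or ESP alone gives 2 SAs, both give 4.
    SPIs are assigned sequentially from base_spi here (constructed values; a real
    device generates them).
    """
    if mode not in ("manual", "ike"):
        raise ValueError("mode must be 'manual' or 'ike'")
    if mode == "ike" and hard_lifetime is None:
        raise ValueError("IKE-negotiated SAs need a configured lifetime")
    if mode == "manual":
        hard_lifetime = None            # manual SAs exist permanently
    protocols = ([ESP] if use_esp else []) + ([AH] if use_ah else [])
    sas, spi = [], base_spi
    for proto in protocols:
        for src, dst in ((local, remote), (remote, local)):
            sas.append(IpsecSa(SaTriplet(spi & 0xFFFFFFFF, dst, proto), src, mode, hard_lifetime))
            spi += 1
    return sas


if __name__ == "__main__":
    db = SaDatabase()
    for sa in build_sas("10.0.0.1", "10.0.0.2", use_ah=True, use_esp=True, mode="ike", hard_lifetime=3600):
        db.add(sa)
    print("SAs between the peers:", db.count_between("10.0.0.1", "10.0.0.2"))
    hit = db.lookup(0x1000, "10.0.0.2", ESP)
    print("inbound ESP SPI 0x1000 to 10.0.0.2 ->", hit.src if hit else "no SA")
```

The lookup takes only the three triplet fields, which is exactly why a receiver can dispatch an AH or ESP packet to the right SA without any notion of a connection.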
