When does the firewall clear an IPSec SA in normal cases

15

Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted. If the IPSec SA hard lifetime expires, both the IKE SA and the IPSec SA are deleted.

Besides, if the IKE SA keepalive or DPD function is enabled, the IKE SA and IPSec SA are deleted if the keepalive packets or DPD packets time out.

Other related questions:
Time at which the USG2000 clears an IPSec SA
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted.

Time at which the USG6000 clears an IPSec SA
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted.

Time at which the USG5000 clears an IPSec SA
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted.

Time at which the USG9000 clears an IPSec SA
Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted.

Configuring the IPSec SA lifetime on the firewall
Configure the IPSec SA lifetime on the USG. Configure the IPSec VPN SA lifetime. 1. Configure IKE SA hard lifetime. You can configure per-SA IKE lifetime, but cannot configure a global IKE lifetime. system-view //Access the system view. ike proposal proposal-number //Access the IKE proposal view. sa duration seconds //Configure the IKE SA hard lifetime. Notes for configuring IKE SA lifetime: a) If the hard lifetime expires, the IKE SA will be deleted and re-negotiated. The IKE negotiation involves DH calculation and may take a long time. To ensure the secure communications, you are advised to set the lifetime to a value larger than 600 seconds. b) When the soft lifetime expires, a new SA is negotiated to replace the original SA. Before the new SA is negotiated, the original SA is still in use. After the new SA is established, the new SA is used, and the original SA will be automatically deleted when the hard lifetime expires. The default IKE SA hard lifetime is 86,400 seconds (a day). 2. Configure IKE SA soft lifetime. system-view //Access the system view. ike peer peer-name //Access the IKE peer view. sa soft-duration time-based buffer seconds //Configure the IKE SA soft lifetime. The configuration applies only to IKEv1. a) By default, the soft lifetime is 9/10 of the hard lifetime. When the soft lifetime expires, a new SA is negotiated to replace the original SA. b) If the soft lifetime is specified and the hard lifetime is greater than the soft lifetime by more than 10s, the specified soft lifetime applies; otherwise, the default soft lifetime applies. display ike proposal //Display the configured IKE SA hard lifetime. [USG] display ike proposal priority authentication authentication encryption Diffie-Hellman duration method algorithm algorithm group (seconds) --- 10 PRE_SHARED MD5 DES_CBC MODP_768 5000 default PRE_SHARED SHA1 AES_CBC MODP_1024 86400 display ike peer [ brief | name peer-name ] //Display the configured IKE SA soft lifetime. [USG] display ike peer name b -- IKE peer: b Exchange mode: main on phase 1 Pre-shared key: %$%$biLQ*117FHI`Qe&-VY`>l%yp%$%$ Local certificate file name: Proposal: 10 Local ID type: IP Peer IP address: 202.38.169.1 VPN instance: Authentic IP address: IP address pool: Peer name: Peer domain name: VPN instance bound to the SA: NAT traversal: enable SA soft timeout buffer time: 22 seconds OCSP check: disable OCSP server URL: Applied to 1 policy: ppp1-1-isakmp

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top