When a router running the Cisco IOS XE software creates an IPsec security association (SA) for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers. The IPsec Security Association Idle Timers feature introduces a configurable idle timer to monitor SAs for activity, allowing SAs for idle peers to be deleted. Benefits of this feature include:
•Increased availability of resources
•Improved scalability of Cisco IOS XE IPsec deployments. Because this feature prevents the wasting of resources by idle peers, more resources will be available to create new SAs as required.
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IPsec Security Association Idle Timers" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
•Prerequisites for IPsec Security Association Idle Timers
•Information About IPsec Security Association Idle Timers
•How to Configure IPsec Security Association Idle Timers
•Configuration Examples for IPsec Security Association Idle Timers
•Feature Information for IPsec Security Association Idle Timers
You must configure Internet Key Exchange (IKE) as described in the "Configuring Internet Key Exchange Security Protocol" chapter of the Cisco IOS XE Security Configuration Guide.
To configure the IPsec Security Association Idle Timers feature, you must understand the following concepts:
•Lifetimes for IPsec Security Associations
•IPsec Security Association Idle Timers
The Cisco IOS XE software currently allows the configuration of lifetimes for IPsec SAs. Lifetimes can be configured globally or per crypto map. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires after the first of these lifetimes is reached.
The IPsec SA idle timers are different from the global lifetimes for IPsec SAs. The expiration of the global lifetime is independent of peer activity. The IPsec SA idle timer allows SAs associated with inactive peers to be deleted before the global lifetime has expired.
If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity.
Note: If the last IPsec SA to a given peer is deleted due to idle timer expiration, the Internet Key Exchange (IKE) SA to that peer will also be deleted.
This section contains the following procedures:
•Configuring the IPsec SA Idle Timer Globally
•Configuring the IPsec SA Idle Timer per Crypto Map
This task configures the IPsec SA idle timer globally. The idle timer configuration will be applied to all SAs.
1. enable
2. configure terminal
3. crypto ipsec security-association idle-time seconds
This task configures the IPsec SA idle timer for a specified crypto map. The idle timer configuration will be applied to all SAs under the specified crypto map.
1. enable
2. configure terminal
3. crypto map map-name seq-number ipsec-isakmp
4. set security-association idle-time seconds
This section provides the following configuration examples:
•Configuring the IPsec SA Idle Timer Globally: Example
•Configuring the IPsec SA Idle Timer per Crypto Map: Example
The following example globally configures the IPsec SA idle timer to drop SAs for inactive peers after 600 seconds:
crypto ipsec security-association idle-time 600
The following example configures the IPsec SA idle timer for the crypto map named test to drop SAs for inactive peers after 600 seconds:
crypto map test 1 ipsec-isakmp
set security-association idle-time 600
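To verify the global and per-crypto-map settings from the two procedures above across a whole running configuration, the following added Python example (not Cisco's code and not part of this document) parses a constructed running-config fragment, determines the effective idle time of each crypto map entry (the per-map value if set, otherwise the global value) and flags entries that have no idle timer at all or whose idle time is not shorter than the global timed lifetime, since such an idle timer can never fire before the lifetime does. The comparison against the timed lifetime is this example's own check, not one the document states.

```python
import re

# Constructed running-config fragment (sample data, not from any real device).
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association idle-time 600
!
crypto map test 1 ipsec-isakmp
 set security-association idle-time 600
!
crypto map test 2 ipsec-isakmp
 set security-association idle-time 7200
!
crypto map branch 10 ipsec-isakmp
!
"""

GLOBAL_LIFETIME_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)$")
GLOBAL_IDLE_RE = re.compile(r"^crypto ipsec security-association idle-time (\d+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
MAP_IDLE_RE = re.compile(r"^\s+set security-association idle-time (\d+)$")


def audit_idle_timers(config):
    """Return [(crypto map entry, finding), ...] for a running-config text.

    Effective idle time = the entry's own 'set security-association idle-time'
    if present, else the global 'crypto ipsec security-association idle-time'.
    """
    lifetime = global_idle = None
    entries, current = [], None
    for line in config.splitlines():
        if m := GLOBAL_LIFETIME_RE.match(line):
            lifetime = int(m.group(1))
        elif m := GLOBAL_IDLE_RE.match(line):
            global_idle = int(m.group(1))
        elif m := MAP_RE.match(line):
            current = {"name": f"{m.group(1)} {m.group(2)}", "idle": None}
            entries.append(current)
        elif (m := MAP_IDLE_RE.match(line)) and current is not None:
            current["idle"] = int(m.group(1))  # per-map value overrides the global one
    findings = []
    for e in entries:
        effective = e["idle"] if e["idle"] is not None else global_idle
        if effective is None:
            findings.append((e["name"], "no idle timer: SAs persist until the global lifetime expires"))
        elif lifetime is not None and effective >= lifetime:
            findings.append((e["name"], f"idle-time {effective}s >= lifetime {lifetime}s: lifetime fires first"))
    return findings
```

Run `audit_idle_timers(SAMPLE_CONFIG)` to see that only crypto map entry `test 2` is flagged, because its per-map idle time of 7200 seconds exceeds the 3600-second timed lifetime.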
The following sections provide references related to the IPsec Security Association Idle Timers feature.
| Related Topic | Document Title |
|---|---|
| Additional information about configuring IKE | |
| Additional information about configuring global lifetimes for IPsec SAs | Configuring Security for VPNs with IPsec |
| Additional Security commands | |

| Standard | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | — |

| RFC | Title |
|---|---|
| No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | — |
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.