Idle Timeout
When an IOS router creates an IPSec SA for a peer, it allocates a certain amount of resources to maintain the SA; the SA requires both memory and several managed timers. For idle peers, this memory and these timers are simply wasted, and on a busy router they are expensive. Furthermore, these wasted resources could eventually prevent the router from creating new SAs with other active peers. The solution to this problem is to monitor the SAs for activity, removing idle SAs after a specified period of inactivity. The configuration of the SA idle timeout is shown in Example 3-3 along with the debug output.
Example 3-3. Idle Timeout Configuration
vpn-gw1-east
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn-gw1-east
!
logging queue-limit 100
!
ip subnet-zero
!
ip domain name cisco.com
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 9.1.1.146
!
crypto ipsec security-association idle-time 120
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
 set peer 9.1.1.33
 set transform-set test
 match address 100
!
!
!
interface FastEthernet0/0
 ip address 9.1.1.35 255.255.255.248
 speed 100
 full-duplex
 no cdp enable
 crypto map vpn
!
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 speed 100
 full-duplex
 no cdp enable
!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 redistribute static
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 9.1.1.33
!
!
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.0.68.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
vpn-gw1-east#show cry isa sa
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
Conn id Local      Remote     Encr Hash Auth DH Lifetime Capabilities
1       9.1.1.35   9.1.1.146  des  sha  psk  1  23:59:20
vpn-gw1-east# debug crypto ipsec

ipsec(create_sa): starting idle timer, 120 seconds
ISAKMP: Created a peer struct for 9.1.1.146, peer port 500
ISAKMP: Locking peer struct 0x82A461D8, ipsec refcount 1 for from create_transfor

ipsecipsecipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.35, sa_prot= 50, sa_spi= 0x2CA9A57F(749315455), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
ipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.146, sa_prot= 50, sa_spi= 0x7F4A6D6C(2135584108), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
ipsec(lifetime_expiry): SA idletime reached; deleting ipsec SA
ipsec(lifetime_expiry): notifying END_TUNNEL local: 9.1.1.35 / ivrf: 0 remote: 9.1.1.146 / fvrf: 0 / peer port: 500

spoke-1-east# debug crypto ipsec
ISAKMP (0:1): received packet from 9.1.1.35 dport 500 sport 500 (I) QM_IDLE
ISAKMP: set new node -329991077 to QM_IDLE
ISAKMP (0:1): processing HASH payload. message ID = -329991077
ISAKMP (0:1): processing DELETE payload. message ID = -329991077
ipsec(key_engine): got a queue event...
ipsec(key_engine_delete_sas): rec'd delete notify from ISAKMP
ipsec(key_engine_delete_sas): delete SA with spi 749315455/50 for 9.1.1.35
ipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.146, sa_prot= 50, sa_spi= 0x7F4A6D6C(2135584108), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
ipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.35, sa_prot= 50, sa_spi= 0x2CA9A57F(749315455), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
ISAKMP: received ke message (4/1)
ISAKMP: Unlocking ipsec struct 0x82E0D92C notified by ipsec, count 0
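To verify on a hub that SAs are really being reclaimed by the idle timer rather than surviving until their lifetime expires, the debug output above can be parsed and each deleted SA attributed to a reason. The script below is an added example, not code from the book or from Cisco; its sample lines are constructed from the hub and spoke output in Example 3-3, and the regular expressions are assumptions about that log format.

```python
import re
from collections import Counter

# Constructed samples modelled on the 'debug crypto ipsec' lines of Example 3-3:
# the hub tearing down an idle SA pair, and the spoke receiving the delete notify.
HUB_DEBUG = """\
ipsec(create_sa): starting idle timer, 120 seconds
ipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.35, sa_prot= 50, sa_spi= 0x2CA9A57F(749315455), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
ipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.146, sa_prot= 50, sa_spi= 0x7F4A6D6C(2135584108), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
ipsec(lifetime_expiry): SA idletime reached; deleting ipsec SA
ipsec(lifetime_expiry): notifying END_TUNNEL local: 9.1.1.35 / ivrf: 0 remote: 9.1.1.146 / fvrf: 0 / peer port: 500
"""
SPOKE_DEBUG = """\
ipsec(key_engine_delete_sas): rec'd delete notify from ISAKMP
ipsec(key_engine_delete_sas): delete SA with spi 749315455/50 for 9.1.1.35
ipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.146, sa_prot= 50, sa_spi= 0x7F4A6D6C(2135584108), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
ipsec(delete_sa): deleting SA, (sa) sa_dest= 9.1.1.35, sa_prot= 50, sa_spi= 0x2CA9A57F(749315455), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
ISAKMP: Unlocking ipsec struct 0x82E0D92C notified by ipsec, count 0
"""

IDLE_RE = re.compile(r"starting idle timer, (\d+) seconds")
DELETE_RE = re.compile(r"ipsec\(delete_sa\): .*sa_dest= ([\d.]+), sa_prot= (\d+), sa_spi= (0x[0-9A-Fa-f]+)")
# Lines that explain why a batch of SAs is going away. On the hub the reason is
# logged after the delete lines, on the spoke before them, so the reason is held
# until the batch is closed by an END_TUNNEL or Unlocking line (or end of input).
REASONS = {"SA idletime reached": "idle_timeout",
           "rec'd delete notify from ISAKMP": "peer_delete_notify"}
BATCH_END = ("notifying END_TUNNEL", "Unlocking ipsec struct")

def parse_ipsec_debug(text):
    """Return (configured idle timer in seconds or None, one dict per deleted SA)."""
    idle_seconds, events, batch, reason = None, [], [], "unknown"
    for line in text.splitlines() + ["<end of input>"]:
        if m := IDLE_RE.search(line):
            idle_seconds = int(m.group(1))
        elif m := DELETE_RE.search(line):
            batch.append({"dest": m.group(1), "proto": int(m.group(2)), "spi": m.group(3)})
        for marker, tag in REASONS.items():
            if marker in line:
                reason = tag
        if line == "<end of input>" or any(marker in line for marker in BATCH_END):
            for sa in batch:
                sa["reason"] = reason
            events.extend(batch)
            batch, reason = [], "unknown"
    return idle_seconds, events

def teardown_reasons(text):
    """Count deleted SAs per reason, e.g. to confirm the idle timer is doing the work."""
    return Counter(sa["reason"] for sa in parse_ipsec_debug(text)[1])
```

Feed it a saved debug capture from a hub and a large `unknown` or purely lifetime-driven count means the idle timer is not reclaiming SAs as expected.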
Idle timeout is an important IPSec feature for IPSec scalability, especially on hub sites where there may be thousands of tunnel terminations, but only a few that are active.
Note: The default SA idle timeout in older versions of IOS code that did not have support for the idle timeout feature used to be equivalent to the IPSec security association lifetime.