IPsec Maintenance
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m .
IPsec Maintenance
Certain configuration changes will only take effect when negotiating subsequent security associations.
If you want the new settings to take immediate effect, you must clear the existing security associations
so that they will be re-established with the changed configuration. If the switch is actively processing
IPsec traffic, it is desirable to clear only the portion of the security association database that would be
affected by the configuration changes (that is, clear only the security associations established by a given
crypto map set). Clearing the full security association database should be reserved for large-scale
changes, or when the router is processing very little other IPsec traffic.
Using the clear crypto sa command without parameters will clear out the full SA database, which will
Caution
clear out active security sessions. You may also specify the peer, map, or entry keywords to clear out
only a subset of the SAD.
Use the clear crypto sa command to clear all or part of the SAD.
switch# clear crypto sa domain ipsec interface gigabitethernet 2/1 inbound sa 1
You can obtain the SA index from the output of the show crypto sa domain interface gigabitethernet
Tip
slot/port command.
Global Lifetime Values
If you have not configured a lifetime in the crypto map entry, the global lifetime values are used when
negotiating new IPsec SAs.
You can configure two lifetimes: timed or traffic-volume. A SA expires after the first of these lifetimes
is reached. The default lifetimes are 3,600 seconds (one hour) and 450 GB.
If you change a global lifetime, the new lifetime value will not be applied to currently existing SAs, but
will be used in the negotiation of subsequently established SAs. If you wish to use the new values
immediately, you can clear all or part of the SA database.
Assuming that the particular crypto map entry does not have lifetime values configured, when the switch
requests new SAs it will specify its global lifetime values in the request to the peer; it will use this value
as the lifetime of the new SAs. When the switch receives a negotiation request from the peer, it uses the
value determined by the IKE version in use:
•
•
The SA (and corresponding keys) will expire according to whichever comes sooner, either after the
specified amount of time (in seconds) has passed or after the specified amount of traffic (in bytes) has
passed.
A new SA is negotiated before the lifetime threshold of the existing SA is reached, to ensure that
negotiation completes before the existing SA expires.
Cisco MDS 9000 Family Configuration Guide
30-22
If you use IKEv1 to setup IPsec SAs, the SA lifetime values are chosen to be the smaller of the two
proposals. The same values are programmed on both the ends of the tunnel.
If you use IKEv2 to setup IPsec SAs, SAs on each end has its own set up of lifetime values and thus
the SAs on both sides expire independently.
Chapter 30
Configuring IPsec Network Security
OL-6973-03, Cisco MDS SAN-OS Release 2.x