Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com
IPsec traffic, it is desirable to clear only the portion of the security association database that would be
affected by the configuration changes (that is, clear only the security associations established by a given
crypto map set). Clearing the full security association database should be reserved for large-scale
changes, or for times when the switch is processing very little other IPsec traffic.
Using the clear crypto sa command without parameters will clear out the full SA database, which will
clear out active security sessions. You may also specify the peer, map, or entry keywords to clear out
only a subset of the SA database.
Use the clear crypto sa command to clear all or part of the SA database. For example:
switch# clear crypto sa domain ipsec interface gigabitethernet 2/1 inbound sa 1
You can obtain the SA index from the output of the show crypto sa domain interface gigabitethernet
Global Lifetime Values
If you have not configured a lifetime in the crypto map entry, the global lifetime values are used when
negotiating new IPsec SAs.
You can configure two lifetimes: timed or traffic-volume. An SA expires after the first of these lifetimes
is reached. The default lifetimes are 3,600 seconds (one hour) and 450 GB.
If you change a global lifetime, the new lifetime value will not be applied to currently existing SAs, but
will be used in the negotiation of subsequently established SAs. If you wish to use the new values
immediately, you can clear all or part of the SA database.
Assuming that the particular crypto map entry does not have lifetime values configured, when the switch
requests new SAs it will specify its global lifetime values in the request to the peer; it will use this value
as the lifetime of the new SAs. When the switch receives a negotiation request from the peer, it uses the
value determined by the IKE version in use:
• If you use IKEv1 to set up IPsec SAs, the SA lifetime values are chosen to be the smaller of the two
proposals. The same values are programmed on both ends of the tunnel.
• If you use IKEv2 to set up IPsec SAs, the SAs on each end have their own lifetime values and thus
the SAs on both sides expire independently.
The SA (and corresponding keys) will expire according to whichever comes sooner, either after the
specified amount of time (in seconds) has passed or after the specified amount of traffic (in bytes) has
passed.
A new SA is negotiated before the lifetime threshold of the existing SA is reached to ensure that
negotiation completes before the existing SA expires.
The new SA is negotiated when one of the following thresholds is reached (whichever comes first):
• 30 seconds before the lifetime expires, or
• Approximately 10% of the lifetime in bytes remains.
If no traffic has passed through when the lifetime expires, a new SA is not negotiated. Instead, a new SA
will be negotiated only when IPsec sees another packet that should be protected.
Cisco MDS 9000 Family CLI Configuration Guide, OL-16184-01, Cisco MDS SAN-OS Release 3.x
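The lifetime and rekey rules above, worked through with concrete numbers as an added example (this is not Cisco code and is not part of the configuration guide): a small Python model of the global defaults, the crypto map override, the IKEv1 versus IKEv2 negotiation outcome, and the 30 second / 10% rekey thresholds, including the idle-SA case in which no rekey happens in advance. The names Lifetime, effective_lifetime, negotiate_lifetime and sa_state, the constructed peer proposal, and the reading of "GB" as 2**30 bytes are assumptions made for illustration.

```python
# Added example (not Cisco code): a model of the IPsec SA lifetime and rekey
# rules, so the thresholds can be checked against concrete numbers. Names and
# sample values are assumptions for illustration; "GB" is taken as 2**30.
from dataclasses import dataclass
from typing import Optional, Tuple

GB = 1024 ** 3
DEFAULT_LIFETIME_SECONDS = 3600          # global default: one hour
DEFAULT_LIFETIME_BYTES = 450 * GB        # global default: 450 GB

REKEY_SECONDS_REMAINING = 30             # rekey when 30 s of the timed lifetime remain
REKEY_BYTES_FRACTION = 0.10              # ... or when about 10% of the byte lifetime remains


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    bytes: int


GLOBAL_LIFETIME = Lifetime(DEFAULT_LIFETIME_SECONDS, DEFAULT_LIFETIME_BYTES)


def effective_lifetime(crypto_map_lifetime: Optional[Lifetime]) -> Lifetime:
    """A lifetime configured in the crypto map entry overrides the global values."""
    return crypto_map_lifetime if crypto_map_lifetime is not None else GLOBAL_LIFETIME


def negotiate_lifetime(ike_version: int, local: Lifetime, peer: Lifetime) -> Tuple[Lifetime, Lifetime]:
    """Return the (local, peer) lifetimes installed after negotiation.

    IKEv1: both ends program the smaller of the two proposals, so they expire together.
    IKEv2: each end keeps its own proposal, so the two SAs expire independently.
    """
    if ike_version == 1:
        agreed = Lifetime(min(local.seconds, peer.seconds), min(local.bytes, peer.bytes))
        return agreed, agreed
    if ike_version == 2:
        return local, peer
    raise ValueError("ike_version must be 1 or 2")


def sa_state(lifetime: Lifetime, elapsed_seconds: int, protected_bytes: int) -> str:
    """Classify an SA as 'active', 'rekey' or 'expired'.

    'rekey' means a replacement SA should be negotiated now so that the new
    keys are in place before the current SA expires. An SA that has carried no
    traffic is not rekeyed in advance: it simply expires, and a new SA is
    negotiated when the next packet that needs protection arrives.
    """
    seconds_left = lifetime.seconds - elapsed_seconds
    bytes_left = lifetime.bytes - protected_bytes
    if seconds_left <= 0 or bytes_left <= 0:
        return "expired"
    if protected_bytes == 0:
        return "active"          # idle SA: no pre-expiry rekey
    if seconds_left <= REKEY_SECONDS_REMAINING or bytes_left <= REKEY_BYTES_FRACTION * lifetime.bytes:
        return "rekey"
    return "active"


if __name__ == "__main__":
    local = effective_lifetime(None)                 # no crypto map lifetime: global defaults
    peer = Lifetime(seconds=1800, bytes=100 * GB)    # constructed peer proposal
    for version in (1, 2):
        ours, theirs = negotiate_lifetime(version, local, peer)
        print(f"IKEv{version}: local={ours} peer={theirs}")
    # a 1000-byte lifetime makes the 10% byte threshold easy to see
    small = Lifetime(seconds=3600, bytes=1000)
    for elapsed, sent in ((100, 500), (3575, 500), (100, 905), (3580, 0), (3600, 0)):
        print(f"elapsed={elapsed}s sent={sent}B -> {sa_state(small, elapsed, sent)}")
```

Running the script shows that under IKEv1 both ends end up with the peer's shorter 1800 s / 100 GB values, whereas under IKEv2 the local SA keeps 3600 s / 450 GB and the two sides expire at different times; the state table shows the rekey trigger firing at 25 s remaining or 95 of 1000 bytes remaining, and the idle SA expiring without any rekey.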