topic Re: IPsec Phase 2 Lifesize Coutdown in General Topics

IPsec Phase 2 Lifesize Coutdown

cosx — Fri, 15 Feb 2013 18:08:44 GMT

On an Phase 2 IPsec SA with a non-zero lifesize, I see the proposed initial lifesize in the "show vpn ipsec-sa" output,

crclark@<redacted>-pa5050b(active)> show vpn ipsec-sa tunnel <redacted>-cisco-gw

GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)

--------------- ---- ------------ --------------- --------- ------- -------- ------------

16 190 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.0.0(<reda ESP/3DES/SHA1 AE3A4D8C 46E57EF1 1549/4608000

16 191 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.6.0(<reda ESP/3DES/SHA1 CB4FE221 8B5EF149 1557/4608000

16 194 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.1.0(<reda ESP/3DES/SHA1 911952E8 F67725C5 1535/4608000

16 195 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.108.0(<re ESP/3DES/SHA1 DF7DA529 2899C3B7 1011/4608000

Show IPSec SA: Total 6 tunnels found. 4 ipsec sa found.

Unlike the lifetime, the lifesize is not decrementing as data goes over the tunnel. So I have two questions,

1) Where can I find the actual lifesize remaining on a tunnel?

2) Or does PAN-OS not actually track lifesize?

Re: IPsec Phase 2 Lifesize Coutdown

GLastra — Thu, 28 Nov 2013 19:11:58 GMT

Try using this kb CLI Commands to Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel show vpn flow tunnel-id X, but I'm not sure

Re: IPsec Phase 2 Lifesize Coutdown

achalla — Mon, 27 Oct 2014 21:35:42 GMT

show vpn flow tunnel-id will show the lifetime remaining

Re: IPsec Phase 2 Lifesize Coutdown

cosx — Mon, 27 Oct 2014 21:55:18 GMT

Yes, it does show lifetime. I was looking for the lifesize. There is a mention of it in the flow output,

packets received

when lifetime expired:0

when lifesize expired:0

But that's not about what the current lifesize counter is at. I guess you can use the encapsulated and decapsupated byte counts to figure it out.

Re: IPsec Phase 2 Lifesize Coutdown

tshiv — Tue, 28 Oct 2014 00:33:30 GMT

Hello cosx,

Agree with you. Life-size is the amount of data that the key can use for encryption and we do keep track of it being decremented so as to re-key once the lifesize limit is reached.

But just that it is not displayed unlike Life-time. Since it appears under IPsec crypto profiles, It can monitored through the ">show vpn ipsec-sa" command that you are already aware of.

I believe the only way for us to track it live would be through "encap bytes" under show vpn flow command.

Thanks

Re: IPsec Phase 2 Lifesize Coutdown

TheRealDiz — Fri, 17 Jun 2016 10:50:51 GMT

Hi @tshiv,

Your explanation it's clear about life-size.

I have problem with a VPN Tunnel, for some reason peers involved are taking long time to re-establish it.

What does it means this one:

"lifetime 3600 Sec lifesize unlimited"

I can see this message in system logs; Can it cause issue when both peers are trying to re-negotiate VPN tunnel?

I need to configure a specific parameter for life-size?

Is that possible?

Thanks in advance

Best Regards

Luca

PS. Your image is the best that I ever seen on this community .. I'm Naruto's fan too haha 🙂