On a Phase 2 IPsec SA with a non-zero lifesize, I see the proposed initial lifesize in the "show vpn ipsec-sa" output:
crclark@<redacted>-pa5050b(active)> show vpn ipsec-sa tunnel <redacted>-cisco-gw
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
--------------- ---- ------------ --------------- --------- ------- -------- ------------
16 190 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.0.0(<reda ESP/3DES/SHA1 AE3A4D8C 46E57EF1 1549/4608000
16 191 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.6.0(<reda ESP/3DES/SHA1 CB4FE221 8B5EF149 1557/4608000
16 194 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.1.0(<reda ESP/3DES/SHA1 911952E8 F67725C5 1535/4608000
16 195 <redacted>.4 <redacted>-cisco-gw:csx-net-192.168.108.0(<re ESP/3DES/SHA1 DF7DA529 2899C3B7 1011/4608000
Show IPSec SA: Total 6 tunnels found. 4 ipsec sa found.
Unlike the lifetime, the lifesize is not decrementing as data goes over the tunnel. So I have two questions,
1) Where can I find the actual lifesize remaining on a tunnel?
2) Or does PAN-OS not actually track lifesize?
Yes, it does show lifetime. I was looking for the lifesize. There is a mention of it in the flow output,
when lifetime expired:0
when lifesize expired:0
But that's not about what the current lifesize counter is at. I guess you can use the encapsulated and decapsulated byte counts to figure it out.
Agree with you. Life-size is the amount of data that the key can use for encryption and we do keep track of it being decremented so as to re-key once the lifesize limit is reached.
But it is just not displayed, unlike the lifetime. Since it appears under IPsec crypto profiles, it can be monitored through the ">show vpn ipsec-sa" command that you are already aware of.
I believe the only way for us to track it live would be through "encap bytes" under show vpn flow command.
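As an added example (not from this thread and not PAN-OS code), here is how the remaining lifesize could be derived the way the replies suggest: read the configured KB limit from the "show vpn ipsec-sa" table and subtract the traffic counted under "show vpn flow". The sample outputs are constructed; the flow output layout, the 1024-byte KB and the "worst direction counts" rule are assumptions.

```python
import re

# Constructed sample in the layout of the "show vpn ipsec-sa" table quoted in the thread
# (the script only relies on the TnID and life(Sec/KB) columns).
IPSEC_SA_OUTPUT = """\
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
--------------- ---- ------------ --------------- --------- ------- -------- ------------
16 190 203.0.113.4 gw:csx-net-192.168.0.0(<reda ESP/3DES/SHA1 AE3A4D8C 46E57EF1 1549/4608000
16 191 203.0.113.4 gw:csx-net-192.168.6.0(<reda ESP/3DES/SHA1 CB4FE221 8B5EF149 1557/4608000
"""

# Constructed per-tunnel "show vpn flow tunnel-id <N>" excerpts. The thread names the
# "encap bytes" counter; the surrounding layout and the "decap bytes" line are assumptions.
FLOW_OUTPUT = {
    190: "  encap packets:   3072000\n  encap bytes:     3145728000\n  decap bytes:     2097152000\n",
    191: "  encap bytes:     1048576\n  decap bytes:     2097152\n",
}

ROW = re.compile(r"^\s*\d+\s+(?P<tnid>\d+)\s+.*\s(?P<sec>\d+)/(?P<kb>\d+)\s*$", re.M)
COUNTER = re.compile(r"^\s*(encap|decap) bytes:\s*(\d+)\s*$", re.M)

def parse_ipsec_sa(text):
    """Map TnID -> (lifetime seconds left, lifesize KB as displayed)."""
    return {int(m["tnid"]): (int(m["sec"]), int(m["kb"])) for m in ROW.finditer(text)}

def parse_flow_bytes(text):
    """Map 'encap'/'decap' -> byte counter from a show vpn flow excerpt."""
    return {m[1]: int(m[2]) for m in COUNTER.finditer(text)}

def lifesize_status(life_kb, counters, kb=1024):
    """Remaining lifesize for one SA. The table shows the configured lifesize, not the
    remaining one, so the used amount has to come from the traffic counters.
    Assumptions: 1 KB = 1024 bytes (IKE convention), the limit is hit by whichever
    direction has carried more data, and a displayed 0 means no KB limit."""
    if life_kb == 0:
        return {"unlimited": True}
    used_kb = max(counters.get("encap", 0), counters.get("decap", 0)) // kb
    remaining = max(life_kb - used_kb, 0)
    return {"unlimited": False, "used_kb": used_kb, "remaining_kb": remaining,
            "percent_used": round(100.0 * used_kb / life_kb, 1)}

def report(sa_text, flows):
    """Combine both outputs into one per-tunnel view keyed by TnID."""
    out = {}
    for tnid, (sec, kb) in parse_ipsec_sa(sa_text).items():
        status = lifesize_status(kb, parse_flow_bytes(flows.get(tnid, "")))
        status["lifetime_sec"] = sec
        out[tnid] = status
    return out

if __name__ == "__main__":
    for tnid, status in report(IPSEC_SA_OUTPUT, FLOW_OUTPUT).items():
        print(tnid, status)
```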
Your explanation about life-size is clear.
I have a problem with a VPN tunnel; for some reason the peers involved are taking a long time to re-establish it.
What does this one mean:
"lifetime 3600 Sec lifesize unlimited"
I can see this message in system logs; Can it cause issue when both peers are trying to re-negotiate VPN tunnel?
Do I need to configure a specific parameter for life-size?
Is that possible?
Thanks in advance
PS. Your image is the best I have ever seen on this community .. I'm a Naruto fan too haha :)