Monday, July 6, 2009

Removing crypto map set security-association lifetime from Cisco ASA

When you create a crypto map in an ASA, you will notice that most versions of IOS will add two additional lines to your crypto map:
crypto map map_name seq_no set security-association lifetime seconds 28800
crypto map map_name seq_no set security-association lifetime kilobytes 4608000

These define when to discard the current shared key and negotiate a new one: either 28800 seconds after the tunnel has been established or after 4MB of data has been transferred through the tunnel, whichever comes first.

The problem is that when you try to remove the crypto map from the ASA using the no form of the command, these two lines still remain. The way to completely remove an existing crypto map entry is to use the following command.

ASA(config)# clear configure crypto map map_name seq_no
or, if you want to clear a dynamic map:
ASA(config)# clear configure crypto map dynamic_map_name seq_no
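As an added example (not part of the original post, and not Cisco's code), the script below audits a saved ASA running-config for exactly the leftover described above: crypto map entries where only the two security-association lifetime lines survive after the rest of the entry was removed with no. It groups crypto map lines by map name and sequence number, flags entries that consist solely of lifetime clauses, and prints the matching clear configure crypto map command for each. The config excerpt, map name OUTSIDE_MAP, sequence numbers, ACL, peer and transform-set names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample excerpt of an ASA running-config (not from a real device).
# Entry 10 is complete; entry 20 is the residue left behind after 'no crypto map'.
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 20 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP interface outside
"""

# 'crypto map NAME SEQ <clause>'; the 'interface' binding line has no SEQ and is skipped.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
LIFETIME_RE = re.compile(
    r"^set security-association lifetime (seconds|kilobytes) (\d+)$"
)


def parse_crypto_map_entries(config_text):
    """Group crypto map lines by (map_name, seq_no).

    Returns a dict mapping (name, seq) -> list of the clause text after the seq number.
    """
    entries = defaultdict(list)
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not a per-entry line (blank, comment, or the interface binding)
        name, seq, clause = m.group(1), int(m.group(2)), m.group(3)
        entries[(name, seq)].append(clause)
    return dict(entries)


def find_orphaned_entries(entries):
    """Entries whose only clauses are SA lifetime settings.

    That is the signature of a crypto map entry removed with 'no' where the
    lifetime lines were left behind; they serve no purpose without a peer,
    match address or transform set.
    """
    orphans = []
    for key, clauses in sorted(entries.items()):
        if clauses and all(LIFETIME_RE.match(c) for c in clauses):
            orphans.append(key)
    return orphans


def cleanup_commands(orphans):
    """The ASA command that removes the whole entry, lifetime lines included."""
    return [f"clear configure crypto map {name} {seq}" for name, seq in orphans]


def lifetime_values(entries, key):
    """Return {'seconds': n, 'kilobytes': n} for one entry, for checking against policy."""
    values = {}
    for clause in entries.get(key, []):
        m = LIFETIME_RE.match(clause)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


if __name__ == "__main__":
    parsed = parse_crypto_map_entries(SAMPLE_CONFIG)
    for cmd in cleanup_commands(find_orphaned_entries(parsed)):
        print(cmd)
```

Run against a show running-config capture instead of SAMPLE_CONFIG to get the list of clear configure crypto map commands to review before pasting them into config mode; lifetime_values lets the same parse be reused to confirm that live entries still carry the expected 28800-second and 4608000-kilobyte rekey thresholds.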