No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


FAQ-When does the firewall clear an IPSec SA in normal cases

Publication Date:  2015-07-01 Views:  700 Downloads:  0

Issue Description

When does the firewall clear an IPSec SA in normal cases?


Both IKE SAs and IPSec SAs have lifetimes. SA lifetimes include hard lifetime and soft lifetime. The soft lifetime is about 9/10 of the hard lifetime. When the IKE SA soft lifetime expires, a new IKE SA is negotiated to replace the original IKE SA. When the hard lifetime of the original IKE SA expires, the original IKE SA is deleted, regardless of whether the replacement IKE SA is established. If the IPSec SA is established, the IPSec SA is also deleted. If the IPSec SA hard lifetime expires, both the IKE SA and the IPSec SA are deleted.

Besides, if the IKE SA keepalive or DPD function is enabled, the IKE SA and IPSec SA are deleted if the keepalive packets or DPD packets time out.