Skip to content

The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.

An XCCDF Rule

Description

<VulnDiscussion>When a VPN gateway creates an IPsec security association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-239964r1015264_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Configure the VPN gateway to renegotiate the IKE security association after 24 hours or less as shown in the example below.

ASA2(config)# crypto ikev2 policy 2
ASA2(config-ikev2-policy)# lifetime seconds 86400
ASA2(config-ikev2-policy)# end