Details
When a VPN gateway creates an IPsec Security Association (SA), resources must be allocated to maintain the SA. These resources are wasted during periods of IPsec endpoint inactivity, which could result in the gateway’s inability to create new SAs for other endpoints, thereby preventing new sessions from connecting. The Internet Key Exchange (IKE) idle timeout may also be set to allow SAs associated with inactive endpoints to be deleted before the SA lifetime has expired, although this setting is not recommended at this time. The value of one hour or less is a common best practice.
Solution
Configure the VPN gateway to renegotiate the IKE security association after 24 hours or less as shown in the example below.
ASA2(config)# crypto ikev2 policy 2
ASA2(config-ikev2-policy)# lifetime seconds 86400
ASA2(config-ikev2-policy)# end
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Cisco.
References
- 800-53|IA-11
- CAT|II
- CCI|CCI-002038
- Rule-ID|SV-239964r666298_rule
- STIG-ID|CASA-VN-000360
- Vuln-ID|V-239964