
sa soft-duration buffer (ISAKMP IPSec policy view)

Function

The sa soft-duration buffer command sets the soft timeout buffer time or traffic volume for an IPSec SA in an IPSec policy.

The undo sa soft-duration buffer command cancels the configuration.

By default, the soft timeout buffer time or traffic volume is not configured for an IPSec SA in an IPSec policy.

Format

sa soft-duration { time-based buffer seconds | traffic-based buffer kilobytes }

undo sa soft-duration { time-based buffer | traffic-based buffer }

Parameters

| Parameter | Description | Value |
|---|---|---|
| time-based buffer seconds | Specifies the time-based soft timeout buffer for an IPSec SA. | The value is an integer that ranges from 10 to 36000, in seconds. |
| traffic-based buffer kilobytes | Specifies the traffic-based soft timeout buffer for an IPSec SA. | The value is an integer that ranges from 7200 to 4187103 KB. |

Views

ISAKMP IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before the IPSec SA hard lifetime expires, a new IPSec SA is negotiated to replace the original IPSec SA. The time from the establishment of the original IPSec SA till the negotiation of the new IPSec SA is the soft lifetime.

Table 1 lists the default soft lifetime values.

Table 1 Soft lifetime values

| Soft Lifetime Type | Description |
|---|---|
| Time-based soft lifetime (soft timeout period) | For IKEv1, the value is 90% of the actual hard lifetime (hard timeout period). For IKEv2, the value is 85% of the actual hard lifetime (hard timeout period) plus or minus a random value. |
| Traffic-based soft lifetime (soft timeout traffic) | For IKEv1, the value is 90% of the actual hard lifetime (hard timeout traffic). For IKEv2, the value is 85% of the actual hard lifetime (hard timeout traffic) plus or minus a random value. |

An administrator can set the soft timeout buffer time or soft timeout buffer traffic to adjust the SA re-negotiation time. The soft timeout buffer time or soft timeout buffer traffic is set as follows:
  • If the hard lifetime minus the configured soft timeout buffer time is larger than 10s, the system uses that difference as the soft lifetime. Otherwise, the default value is used.
  • If the hard timeout traffic minus the configured soft timeout buffer traffic is larger than 7200 KB, the system uses that difference as the soft lifetime. Otherwise, the default value is used.

The soft timeout buffer time or traffic of an IPSec SA can be configured globally or in an IPSec policy. The soft timeout buffer time or traffic configured globally is valid for all IPSec policies, and the soft timeout buffer time or traffic configured in an IPSec policy is valid for only the IPSec policy.

Precautions

If the soft timeout buffer time or traffic of an IPSec SA is configured globally and in an IPSec policy, the soft timeout buffer time or traffic configured in the IPSec policy is valid.
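
The soft lifetime rules from the usage scenario and the policy-over-global precedence above, worked through in Python as an added example (not Huawei code). The function names, the integer rounding of the default percentage, and the 3600 s and 15000 KB hard lifetimes are assumptions made for illustration; the IKEv2 random offset is not specified on this page, so only the nominal 85% is returned.

```python
# Added illustration; names are hypothetical and this is not device code.
BUFFER_RANGE = {"time": (10, 36000), "traffic": (7200, 4187103)}  # s / KB
MIN_SOFT = {"time": 10, "traffic": 7200}   # hard - buffer must exceed this
DEFAULT_PERCENT = {"ikev1": 90, "ikev2": 85}  # IKEv2: nominal, jitter omitted


def effective_buffer(global_buffer, policy_buffer):
    """A buffer set in the IPSec policy takes effect over the global one."""
    return policy_buffer if policy_buffer is not None else global_buffer


def soft_lifetime(kind, ike_version, hard, global_buffer=None, policy_buffer=None):
    """Return (soft_lifetime, source) for kind 'time' (s) or 'traffic' (KB)."""
    low, high = BUFFER_RANGE[kind]
    buffer = effective_buffer(global_buffer, policy_buffer)
    if buffer is not None:
        if not low <= buffer <= high:
            # Outside the value range the command accepts.
            raise ValueError(f"{kind} buffer {buffer} outside {low}-{high}")
        if hard - buffer > MIN_SOFT[kind]:
            return hard - buffer, "buffer"
    # No buffer, or too little headroom left: default percentage applies.
    # Assumption: integer floor; the page does not state the rounding.
    return hard * DEFAULT_PERCENT[ike_version] // 100, "default"


def demo():
    """Constructed cases: (kind, IKE version, hard lifetime, global, policy)."""
    cases = [
        ("time", "ikev1", 3600, None, 600),        # buffer from the policy
        ("time", "ikev1", 3600, 300, 600),         # policy overrides global
        ("time", "ikev2", 3600, None, None),       # nothing configured
        ("time", "ikev1", 600, None, 600),         # 600 - 600 is not > 10
        ("traffic", "ikev1", 15000, None, 10000),  # 5000 KB is not > 7200 KB
    ]
    return [soft_lifetime(*case) for case in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last two cases show a configured buffer being silently ignored because it leaves too little headroom, which is worth checking before assuming a rekey window.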

During IKEv1 negotiation:
  • The responder cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator cannot initiate IPSec SA renegotiation when its IKE SA is deleted and the IPSec SA soft lifetime expires.
During IKEv2 negotiation:
  • If the responder runs the ike negotiate compatible command in the IKE peer view, it cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • If the responder runs the encapsulation-mode auto command in the IPSec proposal view, it cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator or responder cannot initiate IPSec SA renegotiation when the IKE SA is deleted and the IPSec SA soft lifetime expires.

Example

# Set the soft timeout buffer time of an IPSec SA to 600s in IPSec policy example.

<sysname> system-view
[sysname] ipsec policy example 1 isakmp
[sysname-ipsec-policy-isakmp-example-1] sa soft-duration time-based buffer 600

# Set the soft timeout buffer traffic of an IPSec SA to 10000 KB in IPSec policy example.

<sysname> system-view
[sysname] ipsec policy example 1 isakmp
[sysname-ipsec-policy-isakmp-example-1] sa soft-duration traffic-based buffer 10000
Copyright © Huawei Technologies Co., Ltd.