sa idle-time

Use sa idle-time to set the IPsec SA idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.

Use undo sa idle-time to restore the default.


sa idle-time seconds

undo sa idle-time


An IPsec policy, IPsec policy template, or IPsec profile uses the global IPsec SA idle timeout.


IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles




seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.

Usage guidelines

This feature applies only to IPsec SAs negotiated by IKE and takes effect after the ipsec sa idle-time command is configured.

The IPsec SA idle timeout configured by this command takes precedence over the global IPsec SA timeout configured by the ipsec sa idle-time command. If the IPsec policy, IPsec policy template, or IPsec profile is not configured with the SA idle timeout, IKE uses the global SA idle timeout.


# Set the IPsec SA idle timeout to 600 seconds for IPsec policy map.

<Sysname> system-view
[Sysname] ipsec policy map 100 isakmp
[Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600

Related commands

display ipsec sa

ipsec sa idle-time