Site-to-site tunnel - Unix Users drop - Tunnel does not

Answered Question
Feb 6th, 2007

I have several site-to-site VPNs created with an ASA5520 at my office with Cisco 871s in the field. The remote sites connect through the VPN for email and connecting to a UNIX box using a terminal emulator. In many instances, these IPSEC tunnels terminate at the remote sites across a T1 internet circuit.

Users in the remote sites will lose connectivity to the unix box a few times a day but the VPN remains solid because not all users are kicked off. Only random users and usually those who walk away from their PC to get a product in the warehouse for the customer.

Cisco has had me add a sysopt connection tcpmss command on the ASA and appropriate commands on the routers. However, this did not resolve my issues.

Again, these are IPSEC tunnels and this problem only occurs in some locations. Other locations, with the same VPN configuration, have no problems. It appears to be an issue with certain ISPs only.

Any help would be appreciated. Thanks.

Correct Answer by acomiskey about 9 years 7 months ago

Make sure the lifetimes match on both ends.

acomiskey Tue, 02/06/2007 - 13:50

Is this an ssh connection to unix boxes? Could just be an idle timeout on the ssh connection.

hajoca Tue, 02/06/2007 - 16:50

No, this is not an ssh connection. It is a telnet-based connection. And, the client has no timeout setting that can be configured.

acomiskey Tue, 02/06/2007 - 17:39

Ok, well same difference. Look for a timeout on the server side. The reason I suggest this is because you say it happens when people walk away into the warehouse, therefore leaving an idle session.

hajoca Wed, 02/07/2007 - 05:08

Looking for timeouts everywhere was the first thing we did. What compounds the problem is that many locations with tunnels are not affected. Only about 20 out of 160 locations have this problem. And, if we move the tunnels to terminate on our VPN3005 concentrator, we have no problem at all. But, we want to use the ASA (support for 750 tunnels).

ankit_parikh Wed, 02/07/2007 - 19:24

I had a similar problem with one of our site to site tunnels. I had to increase the SA lifetime from 2 hours to 12 hours and the Telnet sessions seemed to work fine after that. Initially we thought the issue was with session timeouts but clearing the tunnel always fixed it.

hope this helps.

Ankit

hajoca Thu, 02/08/2007 - 05:06

I don't see where this can be configured on my router or on my ASA. If it is an IKE configuration, that command doesn't seem to be available on my Cisco 871 router.

ankit_parikh Thu, 02/08/2007 - 12:40

crypto map outside_map 60 set security-association lifetime seconds 43200

this command is available on ASA. you can also configure this using the ASDM.
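The accepted answer is to make the IPsec SA lifetime match on both ends of the tunnel. Below is an added configuration example (not from the thread's participants) showing the ASA-side command quoted above together with the equivalent on an IOS router such as the 871, where the same setting lives under the crypto map entry rather than as a separate IKE command. The crypto map names, sequence numbers, interface and peer addresses are placeholders; the `show` commands at the end exist on both platforms and are how you confirm the negotiated lifetime afterwards.

```cisco
! ---- ASA 5520 (hub) -- added example, map name/sequence/peer are placeholders ----
! Per-tunnel lifetime on the crypto map entry (this is the command quoted in the thread)
crypto map outside_map 60 match address ACL-SITE60
crypto map outside_map 60 set peer 203.0.113.60
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 43200
crypto map outside_map interface outside
!
! Optional global default for every map entry that does not set its own value.
! Note the platform defaults differ: ASA uses 28800 s, IOS uses 3600 s, so leaving
! either side at its default produces a mismatch.
crypto ipsec security-association lifetime seconds 43200

! ---- Cisco 871 (spoke) -- added example, names/addresses are placeholders ----
! On IOS the per-tunnel lifetime is set inside the crypto map entry in config mode,
! which is why it does not appear as a stand-alone IKE (isakmp) command.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SITE60_MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 set security-association lifetime seconds 43200
 match address ACL-TO-HUB
!
interface FastEthernet4
 crypto map SITE60_MAP
!
! Global IOS equivalent if you prefer not to set it per map entry
crypto ipsec security-association lifetime seconds 43200

! ---- Verification (both platforms) ----
! Shows the current SA lifetime and remaining time for each tunnel; compare
! "sa timing" / "Lifetime" on the ASA and the 871 to confirm they agree.
show crypto ipsec sa
show crypto isakmp sa
```

The value must be identical on both peers in seconds (the kilobyte-based lifetime, if set, should match too). After changing it, the running tunnel keeps its old SA until the next rekey; clearing the SA (`clear crypto ipsec sa` on IOS, `clear crypto ipsec sa` on the ASA) forces a fresh negotiation so the new lifetime takes effect immediately, at the cost of a brief interruption for that site.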

hajoca Thu, 02/08/2007 - 12:48

Now that you mention the particular command, this is something that I have tried before without success. I actually ran the time up to 99+ hours. Still, although the tunnel stays up, individual telnet user sessions drop. That remains the problem. All this said, I'll try this command again on a few of my tunnels. I probably won't make the change now until over the weekend.

hajoca Thu, 02/08/2007 - 13:28

Good point! I didn't think of that. I'm working an odd shift tomorrow so I'll give that a try early tomorrow morning. Thanks.

hajoca Wed, 02/21/2007 - 07:47

FINALLY - This resolved my issue. I've moved several locations that were having problems back to the ASA with the synchronized SA lifetime seconds and I haven't had a complaint in several weeks. Thanks!
