IPSec Tunnel: Idle timeout

Unanswered Question
Feb 3rd, 2008
User Badges:


I gonna configure ipsec tunnel between to sites. I want that tunnel remain up almost all the time. For this if i configure "crypto ipsec security-association idle-time" to its maximum value, is there any issue doing this. Means i want to not, if it has any disadvange. Will it kill my router resources? As you know when ipsec tunnel come up, it drops few packets and also add delay in communication that i want to mitigate. Need your comments please.

Best Regards


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
m.sir Mon, 02/04/2008 - 00:58
User Badges:
  • Gold, 750 points or more

There are few ways to keep tunnel open

-Periodic isakmp keepalives

crypto isakmp keepalive

-How you suggest increasing ipsec idle-timer and also ike/ipsec lifetime

isakmp policy 20 lifetime

crypto ipsec security-association lifetime

-Running NTP between the 2 routers thru the ipsec tunnel

I think there are no big issue.. we used this when IP sec between Cisco and non-Cisco device had problem to come up from non-Cisco side so we decided keep tunnel up


DKanzler Tue, 02/05/2008 - 07:11
User Badges:

I have a quick question. I have an ipsec tunnel between a pix515 and pix501 and have encounter this many times where the tunnel gets torn down after so many minutes (idle time).

Does the crypto isakmp keepalive need to be configured on both devices or just the side initiating the vpn connect (in this case the pix501 is at our remote site and the pix515 is at our corporate office).



rameezsardar Tue, 02/05/2008 - 23:52
User Badges:


Can someone tell me any cisco website link or any configuration that can help me to create a permanent tunnel.


Best Regards


This Discussion