
IPSec Tunnel: Idle timeout

rameezsardar
Level 1

Friends,

I am going to configure an IPsec tunnel between two sites. I want the tunnel to remain up almost all the time. For this, if I configure "crypto ipsec security-association idle-time" to its maximum value, is there any issue with doing this? I mean, I want to know if it has any disadvantage. Will it kill my router resources? As you know, when an IPsec tunnel comes up, it drops a few packets and also adds delay in communication, which I want to mitigate. I need your comments, please.

Best Regards

Rameez

4 Replies

m.sir
Level 7

There are a few ways to keep the tunnel open:

-Periodic ISAKMP keepalives

crypto isakmp keepalive

-As you suggest, increasing the IPsec idle timer and also the IKE/IPsec lifetime

isakmp policy 20 lifetime

crypto ipsec security-association lifetime

-Running NTP between the 2 routers through the IPsec tunnel

I think there is no big issue. We used this when IPsec between a Cisco and a non-Cisco device had problems coming up from the non-Cisco side, so we decided to keep the tunnel up.

M.
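
The command families listed in the reply above, written out as an IOS configuration fragment. This is an added example, not part of the original post: the timer values are constructed for illustration, and only policy number 20 comes from the thread.

```cisco
! Added example with constructed values; adjust to your own policy.
!
! 1) IKE keepalives (dead peer detection):
!    send every 10 s, retry at 3 s intervals, periodic mode
crypto isakmp keepalive 10 3 periodic
!
! 2) IKE (phase 1) SA lifetime for policy 20, in seconds
crypto isakmp policy 20
 lifetime 86400
!
! 3) IPsec (phase 2) SA lifetime and idle timer, in seconds.
!    A longer lifetime means session keys are renegotiated less often.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association idle-time 86400
```

After applying, `show crypto isakmp sa` and `show crypto ipsec sa` show whether both SAs stay established while the link is quiet.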

I have a quick question. I have an IPsec tunnel between a PIX 515 and a PIX 501 and have encountered this many times, where the tunnel gets torn down after so many minutes (idle time).

Does the crypto isakmp keepalive need to be configured on both devices or just the side initiating the VPN connection (in this case the PIX 501 is at our remote site and the PIX 515 is at our corporate office)?

Thanks

DKanzler

Friends,

Can someone tell me any Cisco website link or any configuration that can help me to create a permanent tunnel?

Waiting...........

Best Regards

Still Waiting.........
