VPN resets every 5 minutes

Jun 4th, 2008

I have a point-to-point IPSEC VPN between an 1841 (12.4(17a)) and an ASA 5540 (8.0(3)). The tunnel is using 3DES/SHA1/DH2 with a preshare.

The tunnel comes up and works just fine; I can ping across it and access resources from the remote site (1841).

Problem is that every 5 minutes the session disconnects. It then runs through Phase 1 and reconnects. We only lose it for like a second or two (1 or two pings).

The remote site is using a telnet application over the VPN that is very sensitive to disconnects like this, and when it resets they lose their data and have to start over.

What I've done: Verified the IKE key lifetime is 86400 seconds on both sides, increased the NAT-T keepalive to 3600 seconds on the ASA side, and the IKE Keepalive is set to monitor keepalives (confidence interval is 10, retry interval is 2).

If I run a constant ping over this tunnel, I still see it reset (I lose pings and the ASA logs a session disconnected).

Anyone have any ideas on this?

Farrukh Haroon Wed, 06/04/2008 - 12:25

Is there any NAT-T even kicking in? Otherwise you should try the regular 'isakmp keepalives'.

Please note NAT-T is disabled on ASA by default (at least in 7.x) and enabled by default on IOS. So with the default configs, they won't even negotiate NAT-T.



Erik Wed, 06/04/2008 - 12:40

Yeah.. I got it figured out.. it was a group policy setting in the ASA for that specific connection that was set to expire after 5 minutes!

Thanks for the ideas!

Farrukh Haroon Wed, 06/04/2008 - 12:49

Ok great to know you have it solved, and thanks for sharing what worked out for you with all of us.
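
The fix in this thread was a group-policy timer on the ASA, so the following is an added example (not code from the thread or from Cisco) that scans a saved ASA configuration and reports which tunnel groups are bound to a group policy with a short timeout. The thread does not name the setting; the example assumes the group-policy timers `vpn-idle-timeout` and `vpn-session-timeout`, only follows explicit `default-group-policy` bindings, and uses a constructed sample configuration with made-up names and addresses.

```python
import re

# Constructed ASA-style sample (names and addresses are made up, not from the thread).
SAMPLE_CONFIG = """\
group-policy L2L-BRANCH attributes
 vpn-idle-timeout none
 vpn-session-timeout 5
group-policy L2L-HQ attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
tunnel-group 192.0.2.10 general-attributes
 default-group-policy L2L-BRANCH
tunnel-group 198.51.100.7 general-attributes
 default-group-policy L2L-HQ
"""

TIMEOUT_RE = re.compile(r"^(vpn-(?:idle|session)-timeout) (\d+|none)$")

def parse(config):
    """Return ({policy: {setting: minutes or None}}, {tunnel_group: policy})."""
    policies, tunnels, section = {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw.startswith(" "):  # a top-level line opens a new section
            section = None
            if len(words) == 3 and words[0] == "group-policy" and words[2] == "attributes":
                section = ("policy", words[1])
                policies.setdefault(words[1], {})
            elif len(words) == 3 and words[0] == "tunnel-group" and words[2] == "general-attributes":
                section = ("tunnel", words[1])
            continue
        if section is None:
            continue
        kind, name = section
        m = TIMEOUT_RE.match(raw.strip())
        if kind == "policy" and m:  # "none" means the timer is disabled
            policies[name][m.group(1)] = None if m.group(2) == "none" else int(m.group(2))
        elif kind == "tunnel" and words[:1] == ["default-group-policy"] and len(words) == 2:
            tunnels[name] = words[1]
    return policies, tunnels

def short_timeouts(config, threshold_minutes=10):
    """List (tunnel_group, policy, setting, minutes) with a timeout at or below the threshold."""
    policies, tunnels = parse(config)
    return [(tunnel, policy, setting, minutes)
            for tunnel, policy in sorted(tunnels.items())
            for setting, minutes in sorted(policies.get(policy, {}).items())
            if minutes is not None and minutes <= threshold_minutes]
```

Calling `short_timeouts(SAMPLE_CONFIG)` flags only the tunnel group bound to the 5-minute session timer, which is the kind of setting that drops a tunnel even while traffic is flowing.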



