VPN resets every 5 minutes

Erik
Level 1

I have a point to point IPSEC VPN between an 1841 (12.4(17a)) and an ASA 5540 (8.0(3)). The tunnel is using 3DES/SHA1/DH2 with a preshare.

The tunnel comes up and works just fine, I can ping across it and access resources from the remote site (1841).

Problem is that every 5 minutes the session disconnects. It then runs through Phase 1 and reconnects. We only lose it for like a second or two (1 or two pings).

The remote site is using a telnet application over the VPN that is very sensitive to disconnects like this, and when it resets they lose their data and have to start over.

What I've done: Verified the IKE key lifetime is 86400 seconds on both sides, increased the NAT-T keepalive to 3600 seconds on the ASA side, and the IKE Keepalive is set to monitor keepalives, confidence interval is 10, and retry interval is 2.

If I run a constant ping over this tunnel, I still see it reset (I lose pings and the ASA logs a session disconnected).

Anyone have any ideas on this?

3 Replies

Farrukh Haroon
VIP Alumni

Is there any NAT-T even kicking in? Otherwise you should try the regular 'isakmp keepalives'.

Please note NAT-T is disabled on ASA by default (at least in 7.x) and enabled by default on IOS. So with the default configs, they won't even negotiate NAT-T.

Regards

Farrukh

Yeah.. I got it figured out.. it was a group policy setting in the ASA for that specific connection that was set to expire after 5 minutes!

Thanks for the ideas!

Ok great to know you have it solved, and thanks for sharing what worked out for you with all of us.

Regards

Farrukh