06-09-2008 05:18 AM - edited 03-11-2019 05:56 AM
Hi Folks,
I have an ASA with several LAN to LAN IPSEC tunnels configured and am having VPN dropouts if we leave our session idle for sometimes as little as 5 minutes.
Can this be increased to something more realistic, say 60 minutes +?
Thanks,
Chandru
06-09-2008 12:46 PM
Do you have crypto isakmp keepalives configured?
Also what is the idle time currently configured for phase 1 and phase 2?
Regards
Farrukh
06-09-2008 10:47 PM
Yes, I have configured crypto isakmp keepalives.
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
Thanks,
Chandru
06-09-2008 11:04 PM
Can you please post the output of the following:
show run crypto
show crypto protocol statistics ipsec
show crypto map detail
Also what values have you used in the crypto isakmp keepalive command?
Is there any firewall in the transit path?
Regards
Farrukh
06-09-2008 11:21 PM
Also I forgot the most important command
show run all group-policy
I'm just looking for the vpn-idle-timeout and vpn-session-timeout commands in there. They are used to set the idle/absolute timeouts for VPN connections. You can increase them and check.
Regards
Farrukh
06-10-2008 12:24 AM
06-10-2008 12:28 AM
Please configure the following and test:
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
Or set it to something higher? Default is 30 minutes of idle time.
Regards
Farrukh
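An added example, not part of the original thread: a Python check that parses `show run all group-policy` output and flags each policy whose effective vpn-idle-timeout is below 60 minutes or is disabled with `none`. The sample output and the policy names BRANCH-L2L and PARTNER-L2L are constructed, and inheritance of unset values from DfltGrpPolicy is an assumption.

```python
import re

# Constructed sample of `show run all group-policy` output (not from the thread).
SAMPLE = """\
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
group-policy BRANCH-L2L internal
group-policy BRANCH-L2L attributes
 vpn-idle-timeout none
group-policy PARTNER-L2L attributes
 vpn-session-timeout 480
"""
KEYS = ("vpn-idle-timeout", "vpn-session-timeout")

def parse_group_policies(text):
    """Return {policy: {timeout-command: value}} from group-policy attribute blocks."""
    policies, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] in KEYS:
                current[parts[0]] = parts[1]
        else:
            current = None  # any other top-level line ends the attribute block
    return policies

def effective_idle(policies, name):
    """Idle timeout for a policy; unset values inherit from DfltGrpPolicy (assumed)."""
    # Fallback of 30 minutes is the default stated in the thread.
    inherited = policies.get("DfltGrpPolicy", {}).get("vpn-idle-timeout", "30")
    return policies[name].get("vpn-idle-timeout", inherited)

def audit(policies, min_idle=60):
    """Flag idle timeouts below min_idle minutes and policies with no idle timeout."""
    findings = {}
    for name in policies:
        idle = effective_idle(policies, name)
        if idle == "none":
            findings[name] = "idle timeout disabled"
        elif int(idle) < min_idle:
            findings[name] = f"idle timeout {idle} min is below {min_idle}"
    return findings

if __name__ == "__main__":
    print(audit(parse_group_policies(SAMPLE)))
```

Flagging `none` separately matters because it removes the idle timeout entirely rather than lengthening it, which is worth reviewing per policy instead of applying to DfltGrpPolicy for every tunnel.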
06-10-2008 01:32 AM
Thanks, I will configure & test it.
Chandru