Cisco Support Community

New Member

Modify idle timeout value for LAN to LAN IPSEC Tunnel

Hi Folks,

I have an ASA with several LAN to LAN IPSEC tunnels configured and am having VPN dropouts if we leave our session idle, sometimes for as little as 5 minutes.

Can this be increased to something more realistic, say 60 minutes +?

Thanks,

Chandru

7 REPLIES

Re: Modify idle timeout value for LAN to LAN IPSEC Tunnel

Do you have crypto isakmp keepalives configured?

Also what is the idle time currently configured for phase 1 and phase 2?

Regards

Farrukh

New Member

Re: Modify idle timeout value for LAN to LAN IPSEC Tunnel

Yes, I have configured crypto isakmp keepalives.

crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Thanks,

Chandru

Re: Modify idle timeout value for LAN to LAN IPSEC Tunnel

Can you please post the output of the following:

show run crypto

show crypto protocol statistics ipsec

show crypto map detail

Also what values have you used in the crypto isakmp keepalive command?

Is there any firewall in the transit path?

Regards

Farrukh

Re: Modify idle timeout value for LAN to LAN IPSEC Tunnel

Also I forgot the most important command

show run all group-policy

I'm just looking for the vpn-idle-timeout and vpn-session-timeout commands in there. They are used to set the idle/absolute timeouts for VPN connections. You can increase them and check.

Regards

Farrukh

New Member

Re: Modify idle timeout value for LAN to LAN IPSEC Tunnel

Thanks Farrukh,

I have attached the output in the file.

Chandru

Re: Modify idle timeout value for LAN to LAN IPSEC Tunnel

Please configure the following and test:

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none

Or set it to something higher? Default is 30 minutes of idle time.

Regards

Farrukh
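
One way to pull the two timeouts discussed above out of `show run all group-policy` output and list the policies whose effective idle timeout is below the 60 minutes asked for in the question. This is an added example, not part of the thread: the sample output and the policy names SITE-B and SITE-C are constructed, and it assumes that attributes a policy does not set are inherited from DfltGrpPolicy.

```python
import re

# Constructed sample of `show run all group-policy` output (not the thread's attachment).
SAMPLE = """\
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
group-policy SITE-B internal
group-policy SITE-B attributes
 vpn-idle-timeout 5
group-policy SITE-C internal
group-policy SITE-C attributes
 vpn-tunnel-protocol IPSec
"""
KEYS = ("vpn-idle-timeout", "vpn-session-timeout")

def parse_timeouts(config):
    """Return {policy: {key: minutes}}; a value of None means 'none' (no timeout)."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) (internal|external|attributes)\b", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):
            current = None  # left the group-policy block
            continue
        parts = line.split()
        if current is not None and len(parts) >= 2 and parts[0] in KEYS:
            if parts[1] == "none" or parts[1].isdigit():
                current[parts[0]] = None if parts[1] == "none" else int(parts[1])
    return policies

def effective(policies, default="DfltGrpPolicy"):
    """Fill unset keys from the default policy (assumed inheritance source)."""
    base = policies.get(default, {})
    return {name: {k: attrs.get(k, base.get(k, "unknown")) for k in KEYS}
            for name, attrs in policies.items()}

def short_idle(policies, want_minutes=60):
    """Names of policies whose effective idle timeout is below want_minutes."""
    eff = effective(policies)
    return sorted(n for n, a in eff.items()
                  if isinstance(a["vpn-idle-timeout"], int)
                  and a["vpn-idle-timeout"] < want_minutes)

if __name__ == "__main__":
    for name in short_idle(parse_timeouts(SAMPLE)):
        print(name, "idle timeout is below 60 minutes")
```
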

New Member

Re: Modify idle timeout value for LAN to LAN IPSEC Tunnel

Thanks, I will configure & test it.

Chandru
