We have a 515 PIX configured with IPSec tunnels that allows an 831 router to connect. We are having issues where the 831 thinks the tunnel is still up but the 515 seems to drop the connection when there is no traffic on the tunnel. Is there a way to set the timeouts on the firewall so that it never times out? Or is there a keepalive that can be set on the 831 so that the tunnel is never terminated?
IPSec and IKE SAs. By default, it is 24 hours and 8 hours for IKE and IPSec respectively. These could be made longer, but from a security perspective it is advisable to set lifetimes which are not too long. However, even if a tunnel times out, a new tunnel should be built automatically when interesting traffic needs to be sent across. So, there should be no problems with the tunnel timing out. The thing you should probably be concerned about is the state where the 831 thinks the tunnel is still up but the 515 does not. The 831 will continue forwarding traffic to a peer which does not exist. To remedy that, i.e., to enable remote endpoint failure detection, you could enable IKE keepalives. For more information on that, please refer to http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/vpne_an.htm