Cisco Support Community
Community Member

831 to PIX 515 IPSec tunnel timeouts

We have a 515 PIX configured with IPSec tunnels that allows an 831 router to connect. We are having issues where the 831 thinks the tunnel is still up but the 515 seems to drop the connection when there is no traffic on the tunnel. Is there a way to set the timeouts on the firewall so that it never times out? Or is there a keepalive that can be set on the 831 so that the tunnel is never terminated?

1 REPLY
Silver

Re: 831 to PIX 515 IPSec tunnel timeouts

IPSec and IKE SAs. By default, it is 24 hours and 8 hours for IKE and IPSec respectively. These could be made longer, but from a security perspective it is advisable to set lifetimes which are not too long. However, even if a tunnel times out, a new tunnel should be built automatically when interesting traffic needs to be sent across. So, there should be no problems with the tunnel timing out. The thing you should probably be concerned about is the state where the 831 thinks the tunnel is still up but the 515 does not. The 831 will continue forwarding traffic to a peer which does not exist. To remedy that, i.e. to enable remote endpoint failure detection, you could enable IKE keepalives. For more information on that, please refer to http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/vpne_an.htm

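The configuration the reply points at, written out as an added example (not part of the original thread and not the poster's own config): IKE keepalives (dead peer detection) on both ends, with explicit, matching IKE and IPsec SA lifetimes so that neither side silently outlives the other. The peer addresses, pre-shared key, crypto map and ACL names below are assumptions chosen for illustration; the real values come from the existing tunnel config.

```cisco
! ===== Cisco 831 (IOS) side =====
! Assumed: PIX outside address 192.0.2.1, pre-shared key "example-psk"
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 86400                  ! IKE SA lifetime, 24 h (match the PIX)
crypto isakmp key example-psk address 192.0.2.1
!
! Dead peer detection: send an R-U-THERE after 10 s of silence when there
! is outbound traffic for the peer, retry every 3 s; a peer that never
! answers is declared dead and its IKE/IPsec SAs are torn down, so the
! router stops forwarding into a tunnel the PIX has already dropped.
crypto isakmp keepalive 10 3
!
crypto ipsec security-association lifetime seconds 28800   ! IPsec SA lifetime, 8 h (match the PIX)
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TRAFFIC             ! assumed ACL naming the interesting traffic
!
! ===== PIX 515 (PIX 6.x) side =====
! Assumed: 831 outside address 198.51.100.2
isakmp enable outside
isakmp key example-psk address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Same DPD behaviour from the PIX side: 10 s idle interval, 3 s retry.
isakmp keepalive 10 3
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set TS esp-3des esp-sha-hmac
```

Two caveats worth checking before relying on this. First, DPD is negotiated: each side only sends keepalives if the other advertised DPD support in IKE phase 1, so both ends need the keepalive command, and `show crypto isakmp sa` (IOS) or `show isakmp sa` (PIX) after a rekey is the quick way to confirm the SAs are actually being rebuilt rather than lingering. Second, the keepalive fixes the stale-SA symptom; it does not keep an idle tunnel up forever. Raising the lifetimes to avoid rekeys would be the wrong trade, as the reply says: a new IKE/IPsec SA is built on demand when interesting traffic appears, and shorter lifetimes limit how much traffic is protected under one key.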