Cisco Support Community
New Member

Can you set an Idle Timeout for IOS Site-2-Site VPNs?

Is there some way to set an idle timeout for an IOS-2-IOS, site-2-site VPN such that when there is no 'interesting' traffic that meets the criteria specified in the crypto-map access-list for a specified period of time the tunnel is torn down?

The isakmp and ipsec lifetimes just define how often the SAs are re-negotiated, but there must be a way to set an idle timeout but I can't find diddly about how to do it.

Thanks all

Cisco Employee

Re: Can you set an Idle Timeout for IOS Site-2-Site VPNs?

You can't set an idle time specifically. The lifetime you mention does determine how often the SAs for Phase 1 and 2 are renegotiated, but keep in mind that these are only built if the routers see interesting traffic.

For example, if you set the lifetime for Phase 2 to 30 minutes, then in 30 minutes the SAs will be negotiated IF there is traffic to send. If there's no traffic, the old SAs will simply expire but new ones will not be built until either router sees interesting traffic again. Only then will the new SAs be built.
