Cisco Support Community
Community Member

How to avoid Ipsec VPN Tunnel from dropping down connetion?

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Hello everybody,

I've setup a PIX-to-PIX Tunnel using Ipsec to connect a remote office to the central site. It will be used mainly to give users access to an Exchange server and a iSeries as400 server. Nowadays I'm testing the connetion before implementing it and I've noticed that the tunnel drops the connetion very often and that's not good at all for client access screens because they need to have permanent connetion.

The point is, how can I avoid the Ipsec VPN Tunnel from dropping down the connetion? If it coudn't be done, I would like to now how to maintain the line up as long time as possible.

I'm putting the configuration down so you can help me. THANK YOU ALL in advance...

Firewall(config)# sh conf

: Saved

: Written by enable_15 at 09:04:31.242 CEDT Thu Jun 26 2003

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

hostname Firewall

domain-name NEOKEM.LAN

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names


access-list outside_access_in permit gre any host

access-list outside_access_in permit tcp any host eq 1723

access-list outside_access_in permit tcp any host eq smtp

access-list outside_access_in permit tcp any host eq pop3

access-list outside_access_in permit icmp any any

access-list inside_access_in permit ip any any

access-list inside_access_in permit tcp any any

access-list inside_access_in permit icmp any any

access-list inside_access_in permit udp any any

access-list 101 permit ip

pager lines 24

logging on

logging buffered debugging

interface ethernet0 10full

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

pdm location inside

pdm logging debugging 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0 0

static (inside,outside) netmask 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 1

timeout xlate 0:05:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00

sip_media 0:02:00

timeout uauth 0:00:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

ntp authenticate

ntp server source outside

ntp server source outside prefer

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set COMUN_BCN esp-des esp-md5-hmac

crypto map polinya 1 ipsec-isakmp

crypto map polinya 1 match address 101

crypto map polinya 1 set peer XXX.XXX.XXX.XXX

crypto map polinya 1 set transform-set COMUN_BCN

crypto map polinya interface outside

isakmp enable outside

isakmp key ******** address XXX.XXX.XXX.XXX netmask

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 14400

telnet inside

telnet inside

telnet inside

telnet timeout 10

ssh timeout 5

username xxxxxxxxxx password xxxxxxxxxxxxxxx encrypted privilege 15

terminal width 80



Cisco Employee

Re: How to avoid Ipsec VPN Tunnel from dropping down connetion?

The PIX's shouldn't be dropping the tunnel out continuously. They will rebuild the tunnel every 8 hours by default, but if traffic is flowing then you shouldn't even notice it.

You might want to check and make sure you're not having connectivity issues between the two devices that is causing the tunnel to drop. Try pinging the outside interface on one PIX from a host behind the other constantly, when the tunnel drops out see if the pings stop as well, this will point you to where the problem lies.

Alternatively, you can run "debug cry ipsec" and "debug cry isa" on the PIX and it will show you when the tunnel drops out and should give you a good reason why (look for timeout messages).

You might want to enable keepalives over the tunnel so if one end does drop out the tunnel will be rebuilt quicker. The command is:

> isakmp keepalive

See for details.

CreatePlease to create content