Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
394
Views
0
Helpful
4
Replies

L2L VPN problem

somnath21
Level 1
Level 1

‎02-15-2008 04:10 AM - edited ‎02-21-2020 03:33 PM

hi,

I have configured L2L vpn between ASA5520 and PIX525.The probelm is whenever I try to ping from my end i.e ASA5520,at that time only tunnel is established but after 30min automatically its get down.we are unable to ping peer ip address and inside host from both end.I ASDM it's showing 0 Rx packet.what might be the issue. pls help me in this regard.

Thanx,

som

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎02-15-2008 08:52 PM

Som,

Try in asa5520 enable ISAKMP Keepalives, this command helps prevents sporadically dropped tunnels due to inactivity thus monitoring the peer end point.

to enable it go to the tunnel group name for your l2l configuration.

e.g.

For code 7.x

asa(config)#tunnel-group

ipsec-attributes

asa(config-tunnel-ipsec)#isakmp keepalive

threshold 15 retry 10

for code 6.x

pix(config)#isakmp keepalive 15

post results

Rgds

Jorge

Jorge Rodriguez
0 Helpful

somnath21
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎02-16-2008 03:21 AM

Hi jorge,

I have given this comman at both end and still no improvement.

I have checked peer ip,pre shared key,transform set,..but no resolved yet.

kindly help me to solve this isssue..

thanks,

som

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to somnath21

‎02-16-2008 10:25 AM

Som,

Check two things, Security-association lifetime setings and isak policy lifetime must much at both ends.

crypto map outside_map 10 set security-association lifetime seconds kilobytes

crypto map outside_map interface outside

where x is seconds and y kilobytes , default sa lifetime is 86400 seconds or 24 hours

also check isakmp policy lifetime e.g

isakmp policy 10 lifetime xxxx , see Verify isakmp lifetime , default is 24 hours or 86400 seconds

On this link see sa lifetime info , you may need to check the gkobal policy in vpn ra as asa/pix l2l may have inherit the default ra global policy vpn lifetime of 30 minutes, see Verify Idle / Session Timeout,this settings can be change to unlimited.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#isalife

Rgds

Jorge

Jorge Rodriguez
0 Helpful

somnath21
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎02-19-2008 04:51 AM

hi jorge,

many many thanx,now i am able to reach other end by pinging but now i am facing a new porb after 30min the tunnel goes down.in the remote end(pix) vpngroup x.x.x.x vpngroup x.x.x.x idle-time 1800 command is given.

i think this is the reason but i am not sure.how to resolve this issue ..

thanx,

som

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents