Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Connection timeouts

We are connecting some clients to our AS400 via a VPN. They are experiencing a disconnect from the 400 just about every 15 minutes. What could be causing this?


Re: VPN Connection timeouts

Hi there,

you see disconnects every 15 minutes from the AS400 server . Do you know if your tunnel also goes down after every 15 mins ?

Also, if you have a continuous ping going to the AS400 server from the client machine while your AS400 session is up, do you also see the disconnects?



New Member

Re: VPN Connection timeouts

Here is the part of the debug that is sticking out, to me:

1d11h: ISAKMP (0:4): peer does not do paranoid keepalives.

1d11h: ISAKMP (0:4): deleting node 1735001000 error FALSE reason "informational (in) state 1"


1d11h: ISAKMP (0:4): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

1d11h: IPSEC(key_engine): got a queue event...

1d11h: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

1d11h: IPSEC(key_engine_delete_sas): delete SA with spi 1011521112/50 for

1d11h: IPSEC(delete_sa): deleting SA,


THe problem is that these people have about 3 different AS400 sessions active. One of their sessions will time out, while the other won't(thats what I am told). That is what has me confused.


Re: VPN Connection timeouts

hmm .. If the other sessions are not timing out, then I believe your VPN tunnel is not going down. Do you think the AS400 session could be getting disconnected because of latency or timing?


New Member

Re: VPN Connection timeouts

I am not the AS400 guru, but from what I am told, the timer is set at max.

New Member

Re: VPN Connection timeouts

This is what I observed in my case: For some reason, a user session starts with one IKE session, and two IPSec sessions. The first IPSec session has the local address of the external interface. The second IPSec session has the local address of No traffic is going through the first IPSec session; therefore the duration = (first IPSec session) idle time. All traffic seems to go through the second IPSec session; therefore idle time is very low. Once the duration = (first IPSec session) idle time = group's idle timeout, frequently, and not always, the session is disconnected. If not connected, basically, the first IPSec session disappear, and the idle time of the second IPSec session never reaches the group's idle timeout. (Concentrator v.3.6.3)

CreatePlease to create content