New Member

VPN tunnel drops due to inactivity.

I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which I understand is a security issue, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel; when our clients send traffic and the tunnel is down due to inactivity, it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?

  • VPN
4 REPLIES

Re: VPN tunnel drops due to inactivity.

Check that you have not configured the tunnel to be "initiate" only?

Sent from Cisco Technical Support iPad App

New Member

VPN tunnel drops due to inactivity.

Thanks for the reply. The only place I could find something like that was the crypto map connection-type for the tunnel, where I have a choice of bidirectional, answer-only, and originate-only. Is that what you are talking about? All of my site-to-site VPNs are set to bidirectional.

Cisco Employee

VPN tunnel drops due to inactivity.

Hi,

What may control the initiation:

1. NAT

2. Dynamic maps

3. Crypto map originate options.

4. If one of the peers is behind a dynamic NAT device.

Could you please share the config and point to the map that you are using? Also, you can change the idle time using a group policy and apply that one to the crypto map.

HTH

Mohammad.

New Member

VPN tunnel drops due to inactivity.

Almost everything you mentioned there is on this particular tunnel. Here is the config for that tunnel:

name 175.124.120.55 ACME_01 description Cedars Sinai
name 175.124.120.56 ACME_02 description Cedars Sinai
name 175.124.120.57 ACME_03 description Cedars Sinai
name 175.124.120.58 ACME_04 description Cedars Sinai
name 175.124.120.59 ACME_05 description Cedars Sinai
name 175.124.120.60 ACME_06 description Cedars Sinai
object-group network ACME_GRP
 description ACME
 network-object host 175.124.120.55
 network-object host 175.124.120.56
 network-object host 175.124.120.57
 network-object host 175.124.120.58
 network-object host 175.124.120.59
 network-object host 175.124.120.60
access-list private_nat0_outbound extended permit ip host 71.175.218.169 object-group ACME_GRP
access-list Outside_24_cryptomap extended permit ip host 71.175.218.169 object-group ACME_GRP
group-policy ACME internal
group-policy ACME attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec svc
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer 192.175.86.12
crypto map Outside_map 24 set transform-set ESP-3DES-SHA
crypto map Outside_map 24 set security-association lifetime seconds 86400
tunnel-group 192.175.86.12 type ipsec-l2l
tunnel-group 192.175.86.12 general-attributes
 default-group-policy ACME
tunnel-group 192.175.86.12 ipsec-attributes
 pre-shared-key *********

And also, the box on my local side is behind a dynamic NAT.
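As an added example (not from this thread or from Cisco), a small Python check that scans an ASA running config for the initiation-related settings listed in Mohammad's reply: crypto map connection-type, dynamic crypto maps, and the group-policy idle timeout. The sample config is constructed from the crypto map and group-policy lines pasted above plus a hypothetical dynamic-map entry (seq 30) and a hypothetical DEFAULT_L2L group-policy; whether the ASA sits behind dynamic NAT cannot be read from the config, so it is passed in as a flag.

```python
import re

# Constructed sample: lines from the config pasted in this thread, plus a
# hypothetical dynamic-map entry (seq 30) and a hypothetical DEFAULT_L2L
# group-policy with a finite idle timeout, to exercise those branches.
SAMPLE_CONFIG = """\
group-policy ACME attributes
 vpn-idle-timeout none
group-policy DEFAULT_L2L attributes
 vpn-idle-timeout 30
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer 192.175.86.12
crypto map Outside_map 24 set connection-type answer-only
crypto map Outside_map 30 ipsec-isakmp dynamic DYN_MAP
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
GP_RE = re.compile(r"^group-policy (\S+) attributes$")


def check_initiation(config, behind_dynamic_nat=False):
    """Return (entry, finding) tuples describing which side can bring a
    tunnel up, based on connection-type, dynamic maps, idle timeout and NAT."""
    findings, entries, idle, gp = [], {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_RE.match(line):
            # Group every "crypto map <name> <seq> ..." command by map entry.
            entries.setdefault(f"{m[1]} {m[2]}", []).append(m[3])
        elif m := GP_RE.match(line):
            gp = m[1]  # subsequent indented lines belong to this group-policy
        elif gp and line.startswith("vpn-idle-timeout"):
            idle[gp] = line.split()[1]  # minutes, or "none"
    for name, cmds in entries.items():
        if any(c.startswith("ipsec-isakmp dynamic") for c in cmds):
            findings.append((name, "dynamic map: this ASA can only answer, never initiate"))
        for c in cmds:
            if c.startswith("set connection-type") and not c.endswith("bidirectional"):
                findings.append((name, f"{c.split()[-1]}: only one side may initiate"))
    for name, val in idle.items():
        if val != "none":
            findings.append((f"group-policy {name}", f"vpn-idle-timeout {val} min: tunnel torn down when idle"))
    if behind_dynamic_nat:
        findings.append(("peer", "this ASA is behind dynamic NAT: remote peer cannot initiate, only this side can"))
    return findings


if __name__ == "__main__":
    for entry, finding in check_initiation(SAMPLE_CONFIG, behind_dynamic_nat=True):
        print(f"{entry}: {finding}")
```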
