topic Re: Unable to set VPN idle timeout to NONE on cisco FTD in Network Security

Unable to set VPN idle timeout to NONE on cisco FTD

shinerner — Fri, 21 Feb 2020 17:39:36 GMT

Does anyone know how to change the default value of vpn-idle-timeout 30 on Cisco FMC or Cisco FTD CLI. I have just configured a site-to-site VPN and it goes down every 30 mins on Cisco FMC.

I have checked almost everywhere on the Internet, don't know why it's so difficult on Cisco FTD but easy on Cisco ASA.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Abheesh Kumar — Mon, 04 Nov 2019 07:02:37 GMT

Hi,
Are you facing this issue continuously even when the L2L session is active...???

I couldn't find any direct way to change the idle timeout value in FTD. Did you try by changing this with FLEX CONFIG.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

shinerner — Mon, 04 Nov 2019 13:26:12 GMT

Thanks Abheesh, It happens every time, the tunnel only stays UP for 30mins, and when I check "show crypto ikev2 sa or show crypto ipsec sa", it says NO active Ikev2 or NO active ipsec. I tried the FLEX CONFIG, No difference. I don't know why Cisco made it that way.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Marvin Rhoads — Mon, 04 Nov 2019 16:44:38 GMT

First, vpn-idle-timeout should only take effect if there is no traffic on the site-site VPN for the specified period.

Flexconfig is the correct place to change this parameter (as of 6.5 at least).

If you've verified that you have it set (double check that you are using the expected group-policy) and you are still seeing timeouts even though you have not met your specified idle timeout value, it may be happening due to a setting on the remote end.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

shinerner — Mon, 04 Nov 2019 17:19:19 GMT

Hi Marvin, Thanks for shedding more light. The vpn-idle-timeout was set to 30 (default from Cisco), and there is NO traffic, I only did a PING trace over the tunnel, among the three Cisco FTDs, all having same settings, and found out the tunnel is down after 30 mins. My Cisco FTD run 6.2.3 version, and I couldn't find anything related to vpn idle time on the Flexconfig. Hopefully works when traffics are migrated to these FTDs. Thanks so much for your time.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Marvin Rhoads — Mon, 04 Nov 2019 17:50:22 GMT

With no traffic we would expect the tunnel to tear down after 30 minutes. That's normal behavior and by design.

As long as there is traffic, it would normally rekey before the lifetime expires and stay up effectively forever.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Jon Are Endrerud — Mon, 25 Nov 2019 11:05:46 GMT

>With no traffic we would expect the tunnel to tear down after 30 minutes. That's normal behavior and by design.

I have a TAC case open as we speak on this subject, and Cisco informs me to change the behavior with some advanced configuration. That means changing the timeout values.

The reason I think people are getting frustrated by this is the error handling in FMC. Almost all events that are related to IPsec timeout or peer disconnect and so on, are all comming up as "critical" errors in red boxes. Why normal behavior are marked this way I dont understand. When having a lot of IPsec tunnels the FTD is marked with critial error 24/7.

I will get back to this post after hearing more from the TAC people.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

shinerner — Mon, 25 Nov 2019 12:09:48 GMT

Thanks for the update.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Jon Are Endrerud — Mon, 25 Nov 2019 13:09:53 GMT

Response from TAC:

Yes, this message is displayed as ‘critical’. However we cannot change the log/alerts settings for VPN idle time-out message from “Critical” to “Informational”.
This is the limitation of the FTD. This limitation may be fixed in future software code. But cannot confirm the ETA.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

davidmendozajr — Tue, 10 Mar 2020 18:53:32 GMT

For vpn-idle-timeout none I had to add a group policy via Flex Config. DO NOT add the access-list but in the group policy I had to add the user-authentication-idle-timeout none

group-polic Group-Policy-X.X.X.X internal

group-polic Group-Policy-X.X.X.X attributes

vpn-idle-timeout none

vpn-idle-timeout alert-interval 1

vpn-session-timeout none

vpn-session-timeout alert-interval 1

vpn-filter none

vpn-tunnel-protocol ikev1 ikev2

user-authentication-idle-timeout none

https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/migration-tool/migration-guide/s2s_ikev1_psk.pdf

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Sheraz.Salim — Tue, 10 Mar 2020 18:57:55 GMT

In order for not the tunnel get down. why dont you sent up a continuous ping from your defined interested traffic from your end to other end defined interested traffic. this is one of the way to keep the tunnel up and running.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Hyperion0000 — Fri, 24 Apr 2020 21:36:51 GMT

I'm running 6.5.0.4 (build 57).

I was able to go to Objects > VPN > Group Policy > DftGrpPolicy > Advanced > Session Settings > Idle Timeout > erase the "30" and it will fill the black with "none" by default.

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Herald Sison — Thu, 08 Sep 2022 02:29:35 GMT

i think you are referring to RAVPN and not S2S?

Re: Unable to set VPN idle timeout to NONE on cisco FTD

Marvin Rhoads — Fri, 27 Feb 2026 14:51:35 GMT

Updating this old thread:

In recent versions of FMC you can set the VPN Idle timeout per S2S VPN under the Advanced > Tunnel > Session Settings. You can also set it globally for the default group-policy under Object Management > VPN >Group Policy and edit DfltGrpPolicy.

If the VPN is established, you will need to clear the peer association and allow it to rebuild for the change to take effect.
Verification of the active setting can be done via cli using "show vpn-sessiondb detail l2l filter ipaddress <address of peer>" and check near the bottom for the value of "Idle Time Out".

You can also pull up the output via Insights & Reports > Site-to-Site VPN Dashboard (available in current FMC versions).

NOTE: The Cisco guidance in the following document is obsolete. I have provided feedback to them so hopefully it will be updated.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/217436-disable-ftd-site-to-site-vpn-idle-timeou.html