Unable to set VPN idle timeout to NONE on cisco FTD

shinerner
Level 1

Does anyone know how to change the default value of vpn-idle-timeout 30 on Cisco FMC or the Cisco FTD CLI? I have just configured a site-to-site VPN and it goes down every 30 mins on Cisco FMC.

I have checked almost everywhere on the Internet; I don't know why it's so difficult on Cisco FTD but easy on Cisco ASA.

Abheesh Kumar
VIP Alumni

Hi,
Are you facing this issue continuously, even when the L2L session is active?

I couldn't find any direct way to change the idle timeout value in FTD. Did you try changing this with FlexConfig?

Thanks Abheesh. It happens every time: the tunnel only stays UP for 30 mins, and when I check "show crypto ikev2 sa" or "show crypto ipsec sa", it says NO active IKEv2 or NO active IPsec. I tried the FlexConfig, no difference. I don't know why Cisco made it that way.

First, vpn-idle-timeout should only take effect if there is no traffic on the site-site VPN for the specified period.

Flexconfig is the correct place to change this parameter (as of 6.5 at least).

If you've verified that you have it set (double check that you are using the expected group-policy) and you are still seeing timeouts even though you have not met your specified idle timeout value, it may be happening due to a setting on the remote end.

Hi Marvin, thanks for shedding more light. The vpn-idle-timeout was set to 30 (default from Cisco), and there is NO traffic; I only did a PING trace over the tunnel among the three Cisco FTDs, all having the same settings, and found out the tunnel is down after 30 mins. My Cisco FTDs run version 6.2.3, and I couldn't find anything related to vpn idle time in the FlexConfig. Hopefully it works when traffic is migrated to these FTDs. Thanks so much for your time.

With no traffic we would expect the tunnel to tear down after 30 minutes. That's normal behavior and by design.

As long as there is traffic, it would normally rekey before the lifetime expires and stay up effectively forever.

> With no traffic we would expect the tunnel to tear down after 30 minutes. That's normal behavior and by design.

I have a TAC case open as we speak on this subject, and Cisco informs me to change the behavior with some advanced configuration. That means changing the timeout values.

The reason I think people are getting frustrated by this is the error handling in FMC. Almost all events that are related to IPsec timeout or peer disconnect and so on are coming up as "critical" errors in red boxes. Why normal behavior is marked this way I don't understand. When having a lot of IPsec tunnels the FTD is marked with a critical error 24/7.

I will get back to this post after hearing more from the TAC people.

Please rate as helpful, if that would be the case. Thanx

Thanks for the update.

Response from TAC:

Yes, this message is displayed as "critical". However, we cannot change the log/alert settings for the VPN idle time-out message from "Critical" to "Informational".
This is a limitation of the FTD. This limitation may be fixed in future software code, but we cannot confirm the ETA.
Please rate as helpful, if that would be the case. Thanx

For vpn-idle-timeout none I had to add a group policy via FlexConfig. DO NOT add the access-list, but in the group policy I had to add user-authentication-idle-timeout none:

    group-policy Group-Policy-X.X.X.X internal
    group-policy Group-Policy-X.X.X.X attributes
     vpn-idle-timeout none
     vpn-idle-timeout alert-interval 1
     vpn-session-timeout none
     vpn-session-timeout alert-interval 1
     vpn-filter none
     vpn-tunnel-protocol ikev1 ikev2
     user-authentication-idle-timeout none

https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/migration-tool/migration-guide/s2s_ikev1_psk.pdf
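An added example (not from the original post or from Cisco) that audits a saved running-config for group policies still carrying the 30-minute default idle timeout described in this thread. The sample config and the policy name are constructed; the vpn-session-timeout default is assumed to be unlimited.

```python
import re
from typing import Dict, Optional

# Constructed sample of ASA/FTD-style running-config text (not captured from a real device).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy Group-Policy-198.51.100.7 internal
group-policy Group-Policy-198.51.100.7 attributes
 vpn-idle-timeout none
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 ikev2
 user-authentication-idle-timeout none
"""

DEFAULT_IDLE_MINUTES = 30  # Cisco's default vpn-idle-timeout, as noted in the thread


def parse_group_policies(config: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Map each group-policy name to its idle/session timeouts.

    None means 'none' (never time out); an int is minutes. Policies that do
    not set vpn-idle-timeout inherit the 30-minute default; vpn-session-timeout
    is assumed unlimited when absent.
    """
    policies: Dict[str, Dict[str, Optional[int]]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if header:
            current = header.group(1)
            policies.setdefault(current, {"vpn-idle-timeout": DEFAULT_IDLE_MINUTES,
                                          "vpn-session-timeout": None})
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
            continue
        # Only the bare timeout value matters; 'alert-interval' lines are skipped.
        attr = re.match(r"^\s+(vpn-idle-timeout|vpn-session-timeout) (none|\d+)\s*$", line)
        if attr:
            key, value = attr.groups()
            policies[current][key] = None if value == "none" else int(value)
    return policies


def policies_that_tear_down_idle_tunnels(config: str) -> list:
    """Names of policies whose idle timeout will drop a quiet site-to-site tunnel."""
    return sorted(name for name, attrs in parse_group_policies(config).items()
                  if attrs["vpn-idle-timeout"] is not None)
```

Run it against the output of `show running-config` to find which policy is actually bound to the tunnel and whether it still carries the default.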

In order for the tunnel not to go down, why don't you set up a continuous ping from your defined interesting traffic on your end to the other end's defined interesting traffic? This is one of the ways to keep the tunnel up and running.

Please do not forget to rate.

I'm running 6.5.0.4 (build 57).

I was able to go to Objects > VPN > Group Policy > DftGrpPolicy > Advanced > Session Settings > Idle Timeout, erase the "30", and it will fill the blank with "none" by default.

I think you are referring to RAVPN and not S2S?
