Migrating from Old VPN Concentrator to a 5545 ASA(Dynamic tunnel Issue)

Jordan Taylor
Level 1

I am currently trying to move some 5505s to 5506 ASAs. My issue is that the 5505s currently pointed at the old VPN concentrator use IKEv1 tunnels (dynamic); when testing out dynamic tunnels that are connected to the 5545, my IPsec SAs fail after 30 minutes when no traffic is being passed. This is to be expected, but I am trying to correct this issue.

Is there a way to resolve this issue so that remote users are able to get to the remote subnets on the other side of the dynamic site? Please ask any questions if needed; I will be available.

Thank you.

3 Replies

Divya Nair
Cisco Employee

Hi Jordan,

If the L2L tunnel is getting torn down after 30 minutes of inactivity, you will have to tweak the VPN Idle timeout value under the group-policy being used by this tunnel:

ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# vpn-idle-timeout X

where X is either none (to disable the timeout) or a value higher than 30 minutes.

More details on the command:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/T-Z/cmdref4/v.html#pgfId-1663941

HTH,

Divya

I tested this out with no success. I was able to resolve this issue: previously I had my access-list on the spoke end for about 10 different addresses. I had to change this into one given address, i.e. 10.0.0.0/8.

Thanks for the update.

In that case the issue probably was caused by a crypto access-list mismatch between both the ASAs. In order to ensure tunnel stability, the crypto access-lists on L2L peers should be mirror images of each other.
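The two checks discussed in this thread, the group-policy idle timeout and the mirror-image requirement for the crypto access-lists on both L2L peers, can be audited mechanically before a cutover. The script below is an added example and is not code from the thread or from Cisco. It assumes hypothetical names (group-policies SPOKES and DfltGrpPolicy, ACLs HUB_TO_SPOKE and SPOKE_TO_HUB) and uses constructed hub and spoke configs that reproduce the situation described above: a spoke with several per-subnet ACEs against a hub that uses one 10.0.0.0/8 summary, and the same spoke after collapsing its ACL. The 30-minute fallback is the ASA default when vpn-idle-timeout is not set.

```python
"""Audit two ASA L2L peers: crypto ACL mirror symmetry and group-policy idle timeout."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source network, destination network) of a 'permit ip' ACE

# Constructed sample configs with hypothetical names (not the configs from the thread).
# Hub side: one summary ACE and a group-policy with the idle timeout disabled.
HUB_CONFIG = """\
group-policy SPOKES attributes
 vpn-idle-timeout none
access-list HUB_TO_SPOKE extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
"""

# Spoke as first configured: several per-subnet ACEs and the default idle timeout.
SPOKE_BEFORE = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
access-list SPOKE_TO_HUB extended permit ip 192.168.50.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list SPOKE_TO_HUB extended permit ip 192.168.50.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list SPOKE_TO_HUB extended permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
"""

# Spoke after collapsing the ACL to the single summary the hub uses.
SPOKE_AFTER = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
access-list SPOKE_TO_HUB extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def _take_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tok, tokens[i + 1]), strict=False), i + 2


def parse_crypto_acl(config: str, acl_name: str) -> List[Ace]:
    """Return the (src, dst) network pair of every 'permit ip' ACE in acl_name."""
    aces: List[Ace] = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        tokens = m.group(2).split()
        src, i = _take_addr(tokens, 0)
        dst, _ = _take_addr(tokens, i)
        aces.append((src, dst))
    return aces


def mirror_mismatches(local: List[Ace], peer: List[Ace]) -> List[Ace]:
    """ACEs on the local peer that the remote peer does not mirror exactly.

    Strict check: the peer must carry the same pair with src and dst swapped.
    A peer ACE that merely contains the local networks (10.0.0.0/8 on the hub
    versus 10.1.10.0/24 on the spoke) is still reported; that is the mismatch
    the thread resolved by collapsing the spoke ACL to 10.0.0.0/8.
    """
    mirrored = {(dst, src) for src, dst in peer}
    return [ace for ace in local if ace not in mirrored]


def idle_timeout_minutes(config: str, policy: str) -> Optional[int]:
    """vpn-idle-timeout of a group-policy: None for 'none', else minutes (ASA default 30)."""
    in_policy = False
    for line in config.splitlines():
        if line.strip() == f"group-policy {policy} attributes":
            in_policy = True
            continue
        if in_policy and line and not line.startswith(" "):
            break  # left the attributes block without seeing the command
        m = re.match(r"\s+vpn-idle-timeout\s+(\S+)", line) if in_policy else None
        if m:
            return None if m.group(1) == "none" else int(m.group(1))
    return 30


def audit(local_cfg: str, local_acl: str, local_policy: str,
          peer_cfg: str, peer_acl: str) -> Dict[str, object]:
    """Summarise the two tunnel-stability checks for one side of an L2L pair."""
    local = parse_crypto_acl(local_cfg, local_acl)
    peer = parse_crypto_acl(peer_cfg, peer_acl)
    return {
        "idle_timeout": idle_timeout_minutes(local_cfg, local_policy),
        "local_unmirrored": mirror_mismatches(local, peer),
        "peer_unmirrored": mirror_mismatches(peer, local),
    }


if __name__ == "__main__":
    for label, cfg in (("before", SPOKE_BEFORE), ("after", SPOKE_AFTER)):
        print(label, audit(cfg, "SPOKE_TO_HUB", "DfltGrpPolicy", HUB_CONFIG, "HUB_TO_SPOKE"))
```

Running it reports three unmirrored spoke ACEs (and one unmirrored hub ACE) for the original spoke config alongside the default 30-minute idle timeout, and an empty mismatch list once the spoke uses the same 10.0.0.0/8 summary as the hub. The check is deliberately strict, because a proxy-identity mismatch shows up only when one side initiates with a selector the other side's ACL does not match, so "mostly overlapping" ACLs produce tunnels that work in one direction or only until the next rekey.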
