11-03-2019 07:53 AM - edited 02-21-2020 09:39 AM
Does anyone know how to change the default value of vpn-idle-timeout (30) on Cisco FMC or the Cisco FTD CLI? I have just configured a site-to-site VPN and it goes down every 30 mins on Cisco FMC.
I have checked almost everywhere on the Internet, don't know why it's so difficult on Cisco FTD but easy on Cisco ASA.
11-03-2019 10:57 PM - edited 11-03-2019 11:02 PM
Hi,
Are you facing this issue continuously even when the L2L session is active?
I couldn't find any direct way to change the idle timeout value in FTD. Did you try changing this with FlexConfig?
11-04-2019 05:26 AM
11-04-2019 08:44 AM
First, vpn-idle-timeout should only take effect if there is no traffic on the site-site VPN for the specified period.
Flexconfig is the correct place to change this parameter (as of 6.5 at least).
If you've verified that you have it set (double check that you are using the expected group-policy) and you are still seeing timeouts even though you have not met your specified idle timeout value, it may be happening due to a setting on the remote end.
11-04-2019 09:19 AM
11-04-2019 09:50 AM
With no traffic we would expect the tunnel to tear down after 30 minutes. That's normal behavior and by design.
As long as there is traffic, it would normally rekey before the lifetime expires and stay up effectively forever.
11-25-2019 03:05 AM
>With no traffic we would expect the tunnel to tear down after 30 minutes. That's normal behavior and by design.
I have a TAC case open as we speak on this subject, and Cisco informs me to change the behavior with some advanced configuration. That means changing the timeout values.
The reason I think people are getting frustrated by this is the error handling in FMC. Almost all events that are related to IPsec timeout or peer disconnect and so on are coming up as "critical" errors in red boxes. Why normal behavior is marked this way I don't understand. When having a lot of IPsec tunnels the FTD is marked with critical error 24/7.
I will get back to this post after hearing more from the TAC people.
11-25-2019 04:09 AM
Thanks for the update.
11-25-2019 05:09 AM
Response from TAC:
Yes, this message is displayed as "critical". However, we cannot change the log/alert settings for the VPN idle time-out message from "Critical" to "Informational". This is a limitation of the FTD. This limitation may be fixed in future software code, but we cannot confirm the ETA.
03-10-2020 11:53 AM
For vpn-idle-timeout none I had to add a group policy via FlexConfig. DO NOT add the access-list, but in the group policy I had to add user-authentication-idle-timeout none:
group-policy Group-Policy-X.X.X.X internal
group-policy Group-Policy-X.X.X.X attributes
 vpn-idle-timeout none
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2
 user-authentication-idle-timeout none
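The FlexConfig block above disables the idle timeout for one group policy, while the default policy keeps the 30-minute value discussed earlier in the thread. Once several group policies exist it is easy to lose track of which tunnels can idle out and which can not. The following added example (my own code, not from the thread or from Cisco) parses running-config style group-policy text, applies the ASA/FTD defaults for attributes that are not set (vpn-idle-timeout 30 minutes, vpn-session-timeout none), and reports which policies have timeouts disabled. The sample config is constructed for the example; the policy names are placeholders.

```python
"""Audit vpn-idle-timeout / vpn-session-timeout across ASA/FTD group policies.

Constructed example, not code from the thread or from Cisco. It reads the
running-config style text that FlexConfig pushes and reports the effective
idle and session timeout for each group policy.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASA/FTD defaults when the attribute is not set in a group policy:
# vpn-idle-timeout defaults to 30 minutes, vpn-session-timeout defaults to none.
DEFAULT_IDLE_MINUTES = 30

# Constructed sample config, not captured from a real device.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy Group-Policy-X.X.X.X internal
group-policy Group-Policy-X.X.X.X attributes
 vpn-idle-timeout none
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-tunnel-protocol ikev1 ikev2
group-policy GP-Short internal
group-policy GP-Short attributes
 vpn-idle-timeout 5
 vpn-session-timeout 480
"""


@dataclass
class GroupPolicy:
    name: str
    # None stands for the ASA keyword 'none' (no timeout); an int is minutes.
    idle_timeout: Optional[int] = DEFAULT_IDLE_MINUTES
    session_timeout: Optional[int] = None
    explicit: List[str] = field(default_factory=list)  # attributes actually set


def _parse_timeout(value: str) -> Optional[int]:
    """'none' -> None (disabled); otherwise the integer number of minutes."""
    return None if value == "none" else int(value)


def parse_group_policies(config: str) -> Dict[str, GroupPolicy]:
    """Walk the config line by line, tracking which group-policy block is open."""
    policies: Dict[str, GroupPolicy] = {}
    current: Optional[GroupPolicy] = None
    for raw in config.splitlines():
        header = re.match(r"^group-policy (\S+) (?:internal|attributes)\b", raw)
        if header:
            name = header.group(1)
            current = policies.setdefault(name, GroupPolicy(name))
            continue
        if current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the attributes block
            continue
        parts = raw.split()
        # 'alert-interval' sub-commands only change the warning, not the timeout.
        if len(parts) == 2 and parts[0] == "vpn-idle-timeout":
            current.idle_timeout = _parse_timeout(parts[1])
            current.explicit.append(parts[0])
        elif len(parts) == 2 and parts[0] == "vpn-session-timeout":
            current.session_timeout = _parse_timeout(parts[1])
            current.explicit.append(parts[0])
    return policies


def audit(policies: Dict[str, GroupPolicy]) -> Dict[str, List[str]]:
    """Return findings per policy where an idle or session timeout is disabled."""
    findings: Dict[str, List[str]] = {}
    for name, gp in policies.items():
        notes = []
        if gp.idle_timeout is None:
            notes.append("vpn-idle-timeout none: idle tunnels are never torn down")
        if gp.session_timeout is None and "vpn-session-timeout" in gp.explicit:
            notes.append("vpn-session-timeout none: no absolute session limit")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    pols = parse_group_policies(SAMPLE_CONFIG)
    for name, gp in pols.items():
        idle = "none" if gp.idle_timeout is None else gp.idle_timeout
        sess = "none" if gp.session_timeout is None else gp.session_timeout
        print(f"{name}: idle={idle} session={sess}")
    for name, notes in audit(pols).items():
        for note in notes:
            print(f"  [{name}] {note}")
```

Feed it the output of `show running-config group-policy` from the FTD CLI instead of the sample, and the audit lists exactly the policies that opt out of the default 30-minute idle teardown, which is the information the FMC "critical" events do not make obvious.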
03-10-2020 11:57 AM
In order for the tunnel not to go down, why don't you set up a continuous ping from your defined interesting traffic on your end to the other end's defined interesting traffic? This is one way to keep the tunnel up and running.
04-24-2020 02:36 PM
I'm running 6.5.0.4 (build 57).
I was able to go to Objects > VPN > Group Policy > DftGrpPolicy > Advanced > Session Settings > Idle Timeout, erase the "30", and it will fill the blank with "none" by default.
09-07-2022 07:29 PM
I think you are referring to RAVPN and not S2S?