Beginner

ISAKMP or IPSEC lifetime config

Hi All,

 

I am having a few issues with one 800 series router that keeps disconnecting from the VPN.

My ASA is set never to disconnect idle clients and I have four other routers that stay permanently connected.

 

The one in particular seems to be obeying the isakmp policy settings religiously:

 

rtr-h000448#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit

 

How can I change this so that it is always on and never disconnects?

VIP Advocate

Re: ISAKMP or IPSEC lifetime config

Hi,

Idle timeout is a phase 2 setting, and you had mentioned the Phase 1 configuration in the post.

Please try the command below:

crypto ipsec security-association idle-time 86400

The time is in seconds, and this is 24 hrs.

 

Regards,

Deepak Kumar 

VIP Mentor

Re: ISAKMP or IPSEC lifetime config

Hello,

I don't think you can set the lifetime to anything higher than 86400 seconds (24 hours). That said, if the vpn idle-timeout on the ASA is set to none, the tunnel should stay up. What particular router and IOS is this?

 

As a workaround, you could run something like NTP between the two sites, that should make sure there is always traffic, and the VPN will never disconnect...

VIP Advisor

Re: ISAKMP or IPSEC lifetime config

I suggest checking the configuration, comparing it with a working one, and increasing the time as suggested; test and tweak as per the needs.

BB
Beginner

Re: ISAKMP or IPSEC lifetime config

I'm still having issues with this. I have managed to get the timeout time to 2.5 hours but beyond that it disconnects.

Even if there is active traffic coming in or out of the router it still disconnects and takes roughly 20 minutes to reconnect and establish the VPN again.

This is what I still have but it's ignoring it.

 

#sh crypto map
Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "VPN-TO-HQ" 10 ipsec-isakmp
Peer = x.x.x.x
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit ip 10.11.106.0 0.0.0.255 any
Current peer: 81.128.136.202
Security association lifetime: 5000000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TS: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map VPN-TO-HQ:
Cellular0

 

What logs can I view to see if it's the router dropping the connection or the ASA, and also how can I see if it's the VPN session or the cellular connection?

Hall of Fame Master

Re: ISAKMP or IPSEC lifetime config

You cannot disable the timeout when using ipsec and isakmp because timing out and renegotiating the session is part of the security architecture. But as long as there is interesting traffic there should be negotiation of new session parameters that should keep the vpn running. If that is not happening I would start with debug crypto ipsec and debug crypto isakmp to investigate the issue.

 

20 minutes to renegotiate and bring the tunnel back up seems a long time. Based on the very little that we know I would suspect some issue with the cellular.

 

HTH

 

Rick
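
One way to separate cellular drops from VPN-only drops in the router's syslog, as an added example that is not part of the original thread. It assumes `crypto logging session` is enabled so that %CRYPTO-5-SESSION_STATUS messages are logged; the log lines, the peer address 192.0.2.1, the labels and the 120-second correlation window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog (not from the thread); 192.0.2.1 is a documentation address.
SAMPLE_LOG = """\
Jul 10 02:31:05.120: %LINK-3-UPDOWN: Interface Cellular0, changed state to down
Jul 10 02:31:06.130: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0, changed state to down
Jul 10 02:31:36.480: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 192.0.2.1:500       Id: 192.0.2.1
Jul 10 02:52:10.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0, changed state to up
Jul 10 02:52:40.900: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 192.0.2.1:500       Id: 192.0.2.1
Jul 10 05:02:41.300: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 192.0.2.1:500       Id: 192.0.2.1
"""

# "<timestamp>: %FACILITY-SEV-MNEMONIC: text", with the optional leading "*"
# that IOS prints when the clock is not synchronised.
LINE = re.compile(r"^\*?(\w{3}\s+\d+\s+[\d:.]+): %(\S+?): (.*)$")

# Assumption: a WAN link loss shows up as a tunnel drop within two minutes.
WINDOW = timedelta(seconds=120)


def classify_tunnel_drops(log_text, wan_if="Cellular0", window=WINDOW):
    """Return [(timestamp, cause)] for every 'Crypto tunnel is DOWN' event.

    cause is "wan-link" when the WAN interface went down shortly before the
    tunnel did, otherwise "no-link-event" (look at IKE/IPsec or the peer).
    """
    last_if_down = None
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped syslog message
        stamp, mnemonic, text = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S.%f")
        if mnemonic.endswith("-UPDOWN") and wan_if in text:
            if text.endswith("to down"):
                last_if_down = ts
        elif mnemonic == "CRYPTO-5-SESSION_STATUS" and "tunnel is DOWN" in text:
            near_link_loss = last_if_down is not None and ts - last_if_down <= window
            results.append((stamp, "wan-link" if near_link_loss else "no-link-event"))
    return results


if __name__ == "__main__":
    for stamp, cause in classify_tunnel_drops(SAMPLE_LOG):
        print(stamp, cause)
```

Drops labelled "no-link-event" are the ones worth following up with the crypto debugs on the router and the session logs on the ASA.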

Beginner

Re: ISAKMP or IPSEC lifetime config

Thanks all that have replied. I think I have made some progress.

I applied the following:

 

crypto isakmp keepalive 10 periodic

 

My session has remained connected overnight; it's up to 14 hours and counting.

Hall of Fame Master

Re: ISAKMP or IPSEC lifetime config

Thanks for the update. This is encouraging. Hope it continues to stay up.

 

HTH

 

Rick
