01-26-2019 03:45 AM - edited 03-05-2019 11:12 AM
Hi All,
I am having a few issues with one 800 series router that keeps disconnecting from the VPN.
My ASA is set never to disconnect idle clients and I have four other routers that stay permanently connected.
The one in particular seems to be obeying the isakmp policy settings religiously:
rtr-h000448#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
How can I change this so that it is always on and never disconnects?
01-26-2019 04:42 AM
Hi,
Idle timeout is a phase 2 setting, and you mentioned the Phase 1 configuration in your post.
Please try the command below:
crypto ipsec security-association idle-time 86400
The value is in seconds, and this one is 24 hrs.
Regards,
Deepak Kumar
01-26-2019 05:31 AM
Hello,
I don't think you can set the lifetime to anything higher than 86400 seconds (24 hours). That said, if the vpn idle-timeout on the ASA is set to none, the tunnel should stay up. What particular router and IOS is this?
As a workaround, you could run something like NTP between the two sites, that should make sure there is always traffic, and the VPN will never disconnect...
01-26-2019 05:37 AM
I suggest checking the configuration, comparing it with a working one and increasing the time as suggested; test and tweak as per your needs.
01-30-2019 04:49 AM
I'm still having issues with this. I have managed to get the timeout time to 2.5 hours, but beyond that it disconnects.
Even if there is active traffic coming in or out of the router it still disconnects and takes roughly 20 minutes to reconnect and establish the VPN again.
This is what I still have, but it's ignoring it.
#sh crypto map
Interfaces using crypto map NiStTeSt1:
Crypto Map IPv4 "VPN-TO-HQ" 10 ipsec-isakmp
Peer = x.x.x.x
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit ip 10.11.106.0 0.0.0.255 any
Current peer: 81.128.136.202
Security association lifetime: 5000000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TS: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map VPN-TO-HQ:
Cellular0
What logs can I view to see if it's the router dropping the connection or the ASA, and also how can I see if it's the VPN session or the cellular connection?
01-30-2019 11:15 AM
You cannot disable the timeout when using ipsec and isakmp, because timing out and renegotiating the session is part of the security architecture. But as long as there is interesting traffic there should be negotiation of new session parameters that should keep the vpn running. If that is not happening I would start with debug crypto ipsec and debug crypto isakmp to investigate the issue.
20 minutes to renegotiate and bring the tunnel back up seems a long time. Based on the very little that we know I would suspect some issue with the cellular.
HTH
Rick
01-31-2019 12:32 AM
Thanks all that have replied. I think I have made some progress.
I applied the following:
crypto isakmp keepalive 10 periodic
My session has remained connected overnight; it's up to 14 hours and counting.
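As an added example (not from the thread, not Cisco code), here is a small Python audit of an IOS running-config excerpt for the three settings this thread turns on: the DPD keepalive line the poster finally added, the ISAKMP policy lifetime, and the IPsec idle-time Deepak suggested. The configuration text and the peer address 192.0.2.1 are constructed.

```python
import re

# Constructed IOS running-config excerpt (not the poster's real configuration); it mirrors the thread:
# Phase 1 lifetime 86400 s, the idle-time Deepak suggested, and the DPD keepalive line the poster added.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp keepalive 10 periodic
crypto ipsec security-association idle-time 86400
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TRAFFIC
"""

def parse_tunnel_timers(config):
    """Pull out the settings that decide whether an IOS IPsec/ISAKMP tunnel stays up."""
    timers = {"dpd": None, "isakmp_lifetime": 86400, "ipsec_idle_time": None}
    # crypto isakmp keepalive <interval> [<retry>] [periodic|on-demand]; the mode defaults to on-demand
    m = re.search(r"^crypto isakmp keepalive (\d+)(?: (\d+))?(?: (periodic|on-demand))?\s*$", config, re.M)
    if m:
        timers["dpd"] = {"interval": int(m.group(1)), "retry": int(m.group(2)) if m.group(2) else None,
                         "mode": m.group(3) or "on-demand"}
    # 'lifetime' is indented under the policy; when absent the IOS default of 86400 s applies (as in the thread)
    m = re.search(r"^crypto isakmp policy \d+\n(?: .*\n)*? lifetime (\d+)", config, re.M)
    if m:
        timers["isakmp_lifetime"] = int(m.group(1))
    m = re.search(r"^crypto ipsec security-association idle-time (\d+)", config, re.M)
    if m:
        timers["ipsec_idle_time"] = int(m.group(1))
    return timers

def audit_tunnel_timers(config):
    """Return findings matching the thread's symptom: a tunnel that drops and is slow to come back."""
    t = parse_tunnel_timers(config)
    findings = []
    if t["dpd"] is None:
        findings.append("no 'crypto isakmp keepalive': a dead peer is only noticed at the next rekey, "
                        "so a dropped cellular link is not detected and re-established promptly")
    elif t["dpd"]["mode"] != "periodic":
        findings.append("DPD is on-demand: the peer is probed only when traffic is waiting, "
                        "so a quiet tunnel can sit dead until the next rekey")
    if t["ipsec_idle_time"] is not None and t["ipsec_idle_time"] < 86400:
        findings.append("idle-time %d s: an IPsec SA that carries no traffic for that long is deleted; "
                        "the thread's suggestion was 86400" % t["ipsec_idle_time"])
    return findings
```

Feed it the output of `show running-config | section crypto` from the affected router and from one of the four routers that stay up, and compare the two result dictionaries.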
01-31-2019 06:30 AM
Thanks for the update. This is encouraging. Hope it continues to stay up.
HTH
Rick