ISAKMP or IPsec lifetime config

BeckyBoo123
Level 1

Hi All,

I am having a few issues with one 800 series router that keeps disconnecting from the VPN.

My ASA is set never to disconnect idle clients and I have four other routers that stay permanently connected.


The one in particular seems to be obeying the isakmp policy settings religiously:


rtr-h000448#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit


How can I change this so that it is always on and never disconnects?

7 Replies

Deepak Kumar
VIP Alumni

Hi,

Idle timeout is a phase 2 setting, and you mentioned the phase 1 configuration in your post.

Please try the below command:

crypto ipsec security-association idle-time 86400

The timing is in seconds, and this is 24 hrs.

Regards,

Deepak Kumar 


Hello,

I don't think you can set the lifetime to anything higher than 86400 seconds (24 hours). That said, if the vpn idle-timeout on the ASA is set to none, the tunnel should stay up. What particular router and IOS is this?


As a workaround, you could run something like NTP between the two sites, that should make sure there is always traffic, and the VPN will never disconnect...

balaji.bandi
Hall of Fame

I suggest checking the configuration and comparing it with a working one, then increasing the time as suggested; test and tweak as per your needs.

BB


BeckyBoo123
Level 1

I'm still having issues with this. I have managed to get the timeout time to 2.5 hours, but beyond that it disconnects.

Even if there is active traffic coming in or out of the router, it still disconnects and takes roughly 20 minutes to reconnect and establish the VPN again.

This is what I still have, but it's ignoring it.


#sh crypto map
Interfaces using crypto map NiStTeSt1:

Crypto Map IPv4 "VPN-TO-HQ" 10 ipsec-isakmp
Peer = x.x.x.x
Extended IP access list VPN-TRAFFIC
access-list VPN-TRAFFIC permit ip 10.11.106.0 0.0.0.255 any
Current peer: 81.128.136.202
Security association lifetime: 5000000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
TS: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map VPN-TO-HQ:
Cellular0

What logs can I view to see if it's the router dropping the connection or the ASA, and also how can I see if it's the VPN session or the cellular connection?

You cannot disable the timeout when using IPsec and ISAKMP, because timing out and renegotiating the session is part of the security architecture. But as long as there is interesting traffic there should be negotiation of new session parameters that should keep the VPN running. If that is not happening, I would start with debug crypto ipsec and debug crypto isakmp to investigate the issue.

20 minutes to renegotiate and bring the tunnel back up seems a long time. Based on the very little that we know, I would suspect some issue with the cellular.

HTH

Rick

Thanks all that have replied. I think I have made some progress.

I applied the following:

crypto isakmp keepalive 10 periodic

My session has remained connected overnight; it's up to 14 hours and counting.
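For readers following the thread, here is the set of IOS settings the replies touch on (phase 1 lifetime, the idle timer, periodic DPD keepalive, and session logging to answer the "which side dropped it" question) collected into one configuration. This is an added example, not the original poster's running config; the map, ACL, transform-set and interface names and the 10.11.106.0/24 network are taken from the thread, while the peer address and pre-shared key are placeholders.

```cisco
! Added example, not the original poster's running configuration.
! 192.0.2.1 and PLACEHOLDER_PSK are placeholders for the real peer and key.
!
! Phase 1 (IKE/ISAKMP) policy. 86400 s is the largest lifetime IOS accepts;
! reaching it triggers a rekey, not a teardown, so it is not what drops a tunnel.
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key PLACEHOLDER_PSK address 192.0.2.1
!
! Dead Peer Detection. "periodic" probes the peer every 10 s whether or not
! there is traffic (retry every 3 s if a probe goes unanswered). The default
! "on-demand" mode only probes when the router has outbound traffic and has
! heard nothing back, so a quiet or one-way link can sit on a dead SA.
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 (IPsec) SA lifetime and idle timer (idle-time range is 60-86400 s).
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.106.0 0.0.0.255 any
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Cellular0
 crypto map VPN-TO-HQ
!
! Log a syslog message each time an IKE/IPsec session comes up or goes down,
! so the router's own log shows when it tore the tunnel down and whether that
! coincides with the cellular interface going down.
crypto logging session
!
! Verification after the change (exec mode):
!   show crypto isakmp sa        - phase 1 should stay in QM_IDLE
!   show crypto session detail   - per-peer uptime and DPD ("D") capability
!   show crypto ipsec sa         - phase 2 lifetimes and packet counters
!   show logging                 - CRYPTO-5-SESSION_STATUS up/down events
```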

Thanks for the update. This is encouraging. Hope it continues to stay up.


HTH


Rick
