Keep Site-to-Site Alive between ASA and Sophos XG

seanpetty1 · ‎10-22-2018

We are trying to troubleshoot a very low traffic IPSEC site-to-site link between an ASA and a Sophos XG which uses strongSwan.

Traffic allowed across the tunnel is 443 only, and requests from the Sophos to the ASA are very infrequent - maybe 5 a week. The ASA is knocking the tunnel down every 30 minutes exactly. We suspect this is due to the default 30 minute idle timeout.

It's been suggested that there are 3 possible configuration changes that might prevent the ASA from knocking down the tunnel:

crypto ipsec security-association idle-time
vpn-idle-timeout none
vpn-session-timeout none

Are we on the right path? Are there any other configuration changes to the ASA that would prevent it from knocking the tunnel down?

Thanks.

balaji.bandi · ‎10-22-2018

Can you post both the side configuration.

Cisco ASA , Sophos.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Spooster IT Services · ‎10-24-2018

Hi seanpetty1,

The timer is a negotiable parameter in VPN, that does not need to be the same on both ends. The one has a lower value set is negotiated and used. You need to set timers to infinite/unlimited on both ends.

The following command specifies the maximum amount of time for which the current peer can be idle before the default peer is used and the valid values are 60 to 86400. So you can't set to infinite/unlimited.

crypto ipsec security-association idle-time <seconds>

Yes, you can set the following to none which means the session time is infinite/unlimited.

vpn-idle-timeout none
vpn-session-timeout none

Another option you have is set HTTP(s) probe from the Sophos LAN to the ASA LAN.

Spooster IT Services Team

ras109 · ‎08-18-2023

Experiencing similar issues in 2023.
Running Sophos XG310 & XGS3100 at two locations that have ipsec tunnels back to cisco asa.
Continuously have weekly disconnect despite sophos showing tunnels green.