Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1267
Views
5
Helpful
2
Replies

VPN idle timeout

flokki123
Level 3
Level 3

‎09-07-2018 04:49 AM

Hi all,

 

what happens when the idle timeout of Phase 2 runs out?

I thought that maybe Phase1 (Mgmt tunnel) would stay connected while IPSec SA would get torn down.

Then once traffic hits the VPN GW for the respective tunnel a new IPSec SA would get established.

On my ASA the idle timeout ran out, the tunnel got completely torn down and even though there is no traffic new SAs have been established!?

 

Is that correct?

 

Thanks for any help!

Labels:
0 Helpful
2 Replies 2

petehaaswws
Level 1
Level 1

‎09-12-2018 07:38 AM

It sounds like you might be best to implement DPD:

https://community.cisco.com/t5/security-documents/dead-peer-detection/ta-p/3111324

 

Hope this helps

 

flokki123
Level 3
Level 3
In response to petehaaswws

‎09-13-2018 12:43 AM

Hi Pete,

 

thanks for your Reply.

 

I think you pushed me in the right direction.

DPD is enabled for the respective tunnel and thus after 10 sec of being idle the DPD feature sent a keepalive packet and the tunnel was newly set up. At least thats my understanding. Thus even though there was no traffic the tunnel was up again.

 

Thanks

Florian

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents