09-07-2018 04:49 AM
Hi all,
what happens when the idle timeout of Phase 2 runs out?
I thought that maybe Phase 1 (the management tunnel) would stay connected while the IPsec SA would get torn down.
Then once traffic hits the VPN GW for the respective tunnel a new IPSec SA would get established.
On my ASA the idle timeout ran out, the tunnel got completely torn down and even though there is no traffic new SAs have been established!?
Is that correct?
Thanks for any help!
09-12-2018 07:38 AM
It sounds like you might be best to implement DPD:
https://community.cisco.com/t5/security-documents/dead-peer-detection/ta-p/3111324
Hope this helps
09-13-2018 12:43 AM
Hi Pete,
thanks for your reply.
I think you pushed me in the right direction.
DPD is enabled for the respective tunnel, and thus after 10 sec of being idle the DPD feature sent a keepalive packet and the tunnel was newly set up. At least that's my understanding. Thus even though there was no traffic the tunnel was up again.
Thanks
Florian
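For reference, here is where the two timers discussed in this thread live on an ASA. This is an added configuration fragment, not from any post above; the peer address, policy and tunnel-group names and the timer values are constructed placeholders, and the `show` commands at the end are the ones to use when checking whether a Phase 1 or Phase 2 SA is actually present.

```cisco
! Phase 2 / session idle timeout lives in the group policy (value in minutes).
! "vpn-idle-timeout none" disables it entirely.
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-idle-timeout 30

! Constructed peer address for the site-to-site tunnel.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_GP
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
 ! DPD: send a keepalive after 10 s without traffic from the peer,
 ! retry every 2 s if unanswered.
 isakmp keepalive threshold 10 retry 2

! Verification: Phase 1 (IKE) and Phase 2 (IPsec) SAs are shown separately,
! so you can see which of the two survived an idle period.
! show crypto ikev1 sa
! show crypto ipsec sa peer 203.0.113.10
! show vpn-sessiondb l2l
```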