04-30-2017 02:30 PM
So I've got three ASA 5506s set up in three physical locations, all connected to each other via site-to-site VPNs.
What users were noticing in one office (behind one of the ASAs), especially in the morning, is that once connected to the VPN they were unable to reach any of the other sites (they require office folks to connect to the internal network via VPN after connecting to the office wifi).
I'm remote, and found that if I connected to one of the other sites via remote VPN, and then pinged one of the server resources in that office, the tunnel would come back up - as a workaround the last couple of weeks I've been running a nohup ping from a server internal to that network to servers in the other sites, and as expected the issue hasn't resurfaced.
Now that I've had some time to troubleshoot, I think the problem is the vpn-idle-timeout setting on the DfltGrpPolicy, which is 30 minutes by default.
My question is: if I set vpn-idle-timeout to none in the DfltGrpPolicy, would this most likely fix the issue, and are there any negatives to this approach? I
04-30-2017 10:47 PM
Hello,
the 'vpn-idle-timeout none' setting is actually the recommended way to keep the VPN from disconnecting. On a side note, as far as I recall, it doesn't work when you have 'tunnel-all' configured...
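Before changing DfltGrpPolicy on all three ASAs, it helps to see which group policies would still idle out, since a named policy that does not set vpn-idle-timeout inherits the value from DfltGrpPolicy. The following is an added example, not from the thread or Cisco; it parses constructed running-config text (the policy names and values are made up) and reports the effective idle timeout per policy, assuming the 30-minute default the question quotes.

```python
import re

# Platform default (minutes) when no policy sets vpn-idle-timeout;
# the question above quotes this 30-minute default on DfltGrpPolicy.
DEFAULT_IDLE_TIMEOUT_MIN = 30

# Constructed sample of ASA running-config text for this demo (not a real device).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ikev2
group-policy SITE2SITE_GP internal
group-policy SITE2SITE_GP attributes
 vpn-idle-timeout none
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 dns-server value 10.0.0.53
"""

def parse_group_policies(config_text):
    """Return {policy_name: {attribute: value}} from 'group-policy X attributes' blocks."""
    policies = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            parts = line.strip().split(None, 1)
            if parts:
                current[parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None  # any non-indented line ends the attributes block
    return policies

def effective_idle_timeout(policies, name):
    """Effective idle timeout in minutes, or None when set to 'vpn-idle-timeout none'.
    A named policy without the attribute inherits it from DfltGrpPolicy; if
    DfltGrpPolicy does not set it either, the platform default applies."""
    for policy in (name, "DfltGrpPolicy"):
        value = policies.get(policy, {}).get("vpn-idle-timeout")
        if value is not None:
            return None if value == "none" else int(value)
    return DEFAULT_IDLE_TIMEOUT_MIN

def audit(config_text):
    """Map every configured group policy to its effective idle timeout."""
    policies = parse_group_policies(config_text)
    return {name: effective_idle_timeout(policies, name) for name in policies}
```

Running audit() on a real `show running-config` capture shows whether the site-to-site tunnel's policy (or the inherited default) is what will drop the tunnel after 30 idle minutes.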
05-01-2017 11:24 AM
Ok thanks, I'll give it a try this evening when I can test it without people in the office.