Cisco 897 router VPN

Asymmetrik
Level 1

Hey, not sure if anyone can help with this, but I have a Cisco 897 that I am using as a VPN gateway and I can't seem to find documentation on how to change the VPN session timeout. My router seems to be set to 59 minutes and I can't seem to change it; I have seen a bunch of posts on how to do it on an ASA but those commands don't seem to work on my router. I believe the IOS code I am using is 15.4.

Any help would be appreciated.

josh

6 Replies

Philip D'Ath
VIP Alumni

Are you referring to the AnyConnect SSL VPN timeout?

It isn't the webvpn, it is the IPsec VPN.

You might be tripping the idle timeout.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/15-1s/sec-ipsec-idle-tmrs.html

You can configure it globally with something like this:

crypto ipsec security-association idle-time 86400

Or per crypto map with something like:

crypto map cm-cryptomap ...
 set security-association idle-time 86400

I don't think it is likely to be the maximum lifetime, but you could also try seeing if this has any impact.

Actually the default value for this one is 3600 seconds - 1 hour.  So this could be your culprit.

crypto ipsec security-association lifetime seconds 86400

I tried the first 2 last night but will try the crypto ipsec tonight and see.

thanks

josh

So I just checked my config and here is what I had:

(config)#do sho crypto ipsec security-association lifetime   

Security association lifetime: 4608000 kilobytes/86400 seconds

(config)# do sho crypto ipsec security-association idle-time

Security association idletime: 14400 seconds

For the crypto map it doesn't let me change the setting; when I try to get in I get this:

crypto map XXXXXXX 1 ipsec-isakmp

Attempt to change dynamic map tag for existing crypto map is ignored.

Not sure where else I can go to make this change. 

josh
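
An added example, not part of any post in this thread: a small Python check that parses the two `show` outputs quoted above and reports which timer value is close to the observed 59-minute drop. The sample text is constructed from the thread's output, and the 120-second tolerance and the function names are assumptions of this example.

```python
import re

# Constructed sample: the two "show" outputs quoted in the thread above.
SHOW_OUTPUT = """\
Security association lifetime: 4608000 kilobytes/86400 seconds
Security association idletime: 14400 seconds
"""

# Default IPsec SA lifetime as cited in the thread (3600 seconds).
DEFAULT_LIFETIME_S = 3600

LIFETIME_RE = re.compile(r"lifetime:\s*(\d+)\s*kilobytes/(\d+)\s*seconds", re.I)
IDLE_RE = re.compile(r"idletime:\s*(\d+)\s*seconds", re.I)


def parse_timers(text):
    """Return the timers found in the show output as {name: seconds}."""
    timers = {}
    m = LIFETIME_RE.search(text)
    if m:
        timers["configured lifetime"] = int(m.group(2))
    m = IDLE_RE.search(text)
    if m:
        timers["configured idle-time"] = int(m.group(1))
    return timers


def explain_drop(observed_s, timers, tolerance_s=120):
    """List timers whose value is within tolerance_s (assumed) of the drop interval."""
    candidates = dict(timers)
    candidates["default lifetime"] = DEFAULT_LIFETIME_S
    return sorted(name for name, secs in candidates.items()
                  if abs(secs - observed_s) <= tolerance_s)


if __name__ == "__main__":
    timers = parse_timers(SHOW_OUTPUT)
    observed = 59 * 60  # the 59-minute drop reported in the first post
    for name, secs in timers.items():
        print(f"{name}: {secs} s ({secs / 3600:.1f} h)")
    matches = explain_drop(observed, timers)
    print("timers matching the observed drop:", matches or "none")
```

On the thread's values, neither configured timer (24 hours and 4 hours) is near 59 minutes; only the 3600-second default is, so the lifetime on the SA actually in use is worth comparing against the configured values.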