12-08-2015 06:50 AM - edited 02-21-2020 08:34 PM
Hi all,
I am in the process of diagnosing an IPsec problem that I can't seem to understand. I have a tunnel that is constantly dropping connection; running a debug, I see this message as the reason for the tunnel dropping:
Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: IPSec SA Idle Timeout Remote Proxy 10.20.0.0, Local Proxy 10.10.252.0
Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 1h:02m:38s, Bytes xmt: 2300, Bytes rcv: 0, Reason: Idle Timeout
Now I think that this is basically because there is no interesting traffic (correct me if I'm wrong).
I am a little confused, however, because after reading this document:
It says.....
"If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity."
It seems that the idle timer would only kick in if it is specifically configured; if not, then it will just use the global timer, but the global timer should not tear down the connection, just renew the keys.
I am trying to find out the reason why the tunnel is dropping, but how can it be the idle SA timer if one is not configured?
Any help on this would be great.
Thanks
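A small log-triage helper for the two ASA messages quoted above, added here as an example and not part of the thread: it parses the "Session disconnected" line, keeps only idle-timeout drops, and flags the one-way traffic pattern (bytes sent, zero received) that shows no bidirectional interesting traffic kept the SA alive. The sample lines are constructed from the quoted messages with placeholder peer addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample lines modelled on the ASA messages quoted above (peers are placeholders).
SAMPLE_LOG = """\
Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: IPSec SA Idle Timeout Remote Proxy 10.20.0.0, Local Proxy 10.10.252.0
Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 1h:02m:38s, Bytes xmt: 2300, Bytes rcv: 0, Reason: Idle Timeout
Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:15m:00s, Bytes xmt: 5120, Bytes rcv: 4800, Reason: User Requested
"""
# Matches the "Session disconnected" line; the "Connection terminated" line carries no counters and is skipped.
DISCONNECT_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Session disconnected\. Session Type: (?P<stype>\S+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)

@dataclass
class Disconnect:
    peer: str
    session_type: str
    duration_s: int
    bytes_xmt: int
    bytes_rcv: int
    reason: str

def parse_disconnect(line: str) -> Optional[Disconnect]:
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    return Disconnect(m["peer"], m["stype"],
                      int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                      int(m["xmt"]), int(m["rcv"]), m["reason"])

def idle_timeout_report(log: str) -> Dict[str, dict]:
    """Per peer: how many idle-timeout drops, the shortest session, and whether traffic was one-way.
    One-way (rcv == 0 while xmt > 0) is the signature in the post: our side sent, nothing came back,
    so no bidirectional interesting traffic kept the SA alive."""
    report: Dict[str, dict] = {}
    for line in log.splitlines():
        d = parse_disconnect(line)
        if d is None or "idle timeout" not in d.reason.lower():
            continue
        e = report.setdefault(d.peer, {"count": 0, "min_duration_s": None, "one_way": False})
        e["count"] += 1
        if e["min_duration_s"] is None or d.duration_s < e["min_duration_s"]:
            e["min_duration_s"] = d.duration_s
        e["one_way"] = e["one_way"] or (d.bytes_rcv == 0 and d.bytes_xmt > 0)
    return report
```

Feed it the output of the ASA logging buffer instead of SAMPLE_LOG; a peer whose shortest idle drop is always close to the same duration with one-way counters points at the idle timer rather than a flapping link.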
12-08-2015 04:48 PM
I am assuming this is an ASA. Try something like:
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 1440
For a 24-hour idle timeout.
12-08-2015 08:44 AM
Just an option: from the router/ASA, set an IP SLA coming from a source IP which is allowed on the VPN, pinging the remote end every 10 seconds. That will generate interesting traffic and stop it from failing, if that's what is causing it. I had an issue with a VPN like that before; going across a particular ISP it kept dropping off, and that fixed it for me anyway.
If there is no timer by default, knowing other Cisco features I would say there is definitely a default applied even if not visible.
12-08-2015 09:15 AM
Thanks for the response, and yes, I did think of IP SLA as an option.
I just thought, prior to doing this, maybe someone knew of a feature which is causing it, or whether I'm completely wrong and the debug output means something else altogether.
I think you are right though; if it is just a mystery default behaviour then IP SLA may be the way to go.
12-09-2015 04:17 AM
To top things off, I don't have the sla monitor command available in my configuration.
I'm not sure why; I think it is because the IOS version is pretty old.
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)
This platform has an ASA 5520 VPN Plus license.
12-09-2015 04:16 AM
I tried this option:
group-policy IPSEC-IDLE internal
group-policy IPSEC-IDLE attributes
vpn-idle-timeout none
webvpn <<<<<<<<<<<<<< for some reason this is always entered by default.
Even if I go into the config and 'no' the webvpn, I still get an issue where this is present in the config.
I have still added it to the attributes, but still no luck :(
tunnel-group 1.1.1.1 general-attributes
default-group-policy IPSEC-IDLE