IPSEC Idle timeout issues

Daniel Mohammed
Level 1

Hi all,

I am in the process of diagnosing an IPSEC problem that I can't seem to understand. I have a tunnel that is constantly dropping the connection; running a debug, I see this message as the reason for the tunnel dropping:

Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: IPSec SA Idle Timeout Remote Proxy 10.20.0.0, Local Proxy 10.10.252.0

Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 1h:02m:38s, Bytes xmt: 2300, Bytes rcv: 0, Reason: Idle Timeout

Now I think that this is basically because there is no interesting traffic (correct me if I'm wrong).

I am a little confused however because after reading this document: 

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/15-1s/sec-ipsec-idle-tmrs.html

It says.....

"If the IPsec SA idle timers are not configured, only the global lifetimes for IPsec SAs are applied. SAs are maintained until the global timers expire, regardless of peer activity."

It seems that the idle timer would only kick in if it is specifically configured; if not, it will just use the global timer, but the global timer should not tear down the connection, just renew the keys.

I am trying to find out the reason why the tunnel is dropping, but how can it be the idle SA timer if one is not configured?

Any help on this would be great.

Thanks
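As an added example (not part of the original post or any reply), the two debug lines quoted above can be parsed and counted so that idle-timeout drops stand out from other disconnects when triaging a flapping tunnel. The third log line, the regex patterns and the one_way heuristic (a disconnect where one byte counter is zero, consistent with no traffic flowing one way) are this example's own constructions and assumptions, not something the thread establishes.

```python
import re
from collections import defaultdict

# Constructed sample log. The first two lines are the ones quoted in the post;
# the third is a constructed contrast line with a non-idle disconnect reason.
SAMPLE_LOG = """\
Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: IPSec SA Idle Timeout Remote Proxy 10.20.0.0, Local Proxy 10.10.252.0
Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 1h:02m:38s, Bytes xmt: 2300, Bytes rcv: 0, Reason: Idle Timeout
Group = 2.2.2.2, Username = 2.2.2.2, IP = 2.2.2.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:45m:10s, Bytes xmt: 91234, Bytes rcv: 88012, Reason: User Requested
"""

# Pattern for the "Session disconnected" message (assumed field order as in the post).
SESSION_RE = re.compile(
    r"Group = (?P<group>\S+), Username = (?P<user>\S+), IP = (?P<ip>\S+), "
    r"Session disconnected\. Session Type: (?P<stype>\S+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)

# Pattern for the "Connection terminated for peer" message carrying the SA's proxies.
SA_RE = re.compile(
    r"Connection terminated for peer (?P<peer>\S+?)\.\s+Reason: (?P<reason>.*?)"
    r"\s+Remote Proxy (?P<remote>\S+), Local Proxy (?P<local>\S+)"
)


def parse_line(line):
    """Return a dict describing the event on one log line, or None if unrecognised."""
    m = SESSION_RE.search(line)
    if m:
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        return {
            "kind": "session",
            "peer": m["ip"],
            "type": m["stype"],
            "duration_s": seconds,
            "xmt": int(m["xmt"]),
            "rcv": int(m["rcv"]),
            "reason": m["reason"],
        }
    m = SA_RE.search(line)
    if m:
        return {
            "kind": "sa",
            "peer": m["peer"],
            "reason": m["reason"],
            "remote_proxy": m["remote"],
            "local_proxy": m["local"],
        }
    return None


def summarize(log_text):
    """Count disconnects per peer, separating idle-timeout drops from other reasons.

    one_way is a triage heuristic (an assumption of this example): an idle-timeout
    disconnect where either byte counter is zero, i.e. traffic only flowed one way.
    """
    per_peer = defaultdict(
        lambda: {"idle_drops": 0, "one_way": 0, "other": 0, "proxies": set()}
    )
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        p = per_peer[ev["peer"]]
        if ev["kind"] == "sa":
            p["proxies"].add((ev["local_proxy"], ev["remote_proxy"]))
            continue
        if "idle timeout" in ev["reason"].lower():
            p["idle_drops"] += 1
            if ev["rcv"] == 0 or ev["xmt"] == 0:
                p["one_way"] += 1
        else:
            p["other"] += 1
    return dict(per_peer)


if __name__ == "__main__":
    for peer, stats in summarize(SAMPLE_LOG).items():
        print(peer, stats)
```

Run against the appliance's syslog export instead of SAMPLE_LOG to see which peers are dropping for "Idle Timeout" and whether those sessions carried traffic in both directions before the drop.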

Accepted Solution

Philip D'Ath
VIP Alumni

I am assuming this is an ASA.  Try something like:

group-policy DfltGrpPolicy attributes
vpn-idle-timeout 1440

For a 24 hour idle timeout.

6 Replies

Mark Malone
VIP Alumni

Just an option: from the router/ASA, set an IP SLA coming from a source IP which is allowed on the VPN, pinging the remote end every 10 seconds. That will generate interesting traffic and stop it from failing, if that's what is causing it. I had an issue with a VPN like that before, going across a particular ISP it kept dropping off, and that fixed it for me anyway.

If there is no timer by default, then knowing other Cisco features I would say there is definitely a default applied, even if not visible.

Thanks for the response, and yes, I did think of IP SLA as an option.

I just thought, prior to doing this, maybe someone knew of a feature which is causing it, or whether I'm completely wrong and the debug output means something else altogether.

I think you are right though: if it is just a mystery default behaviour, then IP SLA may be the way to go.

To top things off, I don't have the sla monitor command available in my configuration.

I'm not sure why; I think it is because the IOS version is pretty old.

Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)

This platform has an ASA 5520 VPN Plus license.


I tried this option:

group-policy IPSEC-IDLE internal
group-policy IPSEC-IDLE attributes
vpn-idle-timeout none
webvpn        <<<<<<<<<<<<<< for some reason this is always entered by default.

Even if I go into the config and "no" the webvpn, I still get an issue where this is present in the config.

I have still added it to the attributes, but still no luck :(

tunnel-group 1.1.1.1 general-attributes
default-group-policy IPSEC-IDLE

Hi, I know this thread is years old, but do you remember what the actual fix was? I don't see it on here.