IPSEC VPN Tunnel keeps dropping after a few Hours

koogen_govender · ‎12-05-2016

IPSEC VPN Tunnel keeps dropping after a few Hours, we have 3 sites that are all connected via 3 Cisco 5512 ASA's. The tunnels are configured on the firewalls. Any ideas and how this can be fixed.

Any advice will be greatly appreciated.

cofee · ‎12-07-2016

you should configure idle/session timeout value to none. please see below for details.

Verify Idle/Session Timeout

If the idle timeout is set to 30 minutes (default), it means that it drops the tunnel after 30 minutes of no traffic passes through it. The VPN client gets disconnected after 30 minutes regardless of the setting of idle timeout and encounters the PEER_DELETE-IKE_DELETE_UNSPECIFIED error.

Configure idle timeout and session timeout as none in order to make the tunnel always up, and so that the tunnel is never dropped even when using third party devices.

PIX/ASA 7.x and later

Enter the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none

Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-session-timeout none

koogen_govender · ‎12-12-2016

I did try this and still having the same problem.

Georg Pauwen · ‎12-13-2016

Hello,

not sure if this applies in your situation, but as stated before, by tunneling all traffic, there will always be interesting traffic, hence the tunnel will never be dropped:

ASA(config-group-policy)# split-tunnel-policy tunnelall

Georg Pauwen · ‎12-09-2016

On a side note, if you configure 'tunnel-all' under your group policy, there will always be interesting traffic, and the tunnel will never drop.