10-22-2018 10:09 AM
We are trying to troubleshoot a very low traffic IPSEC site-to-site link between an ASA and a Sophos XG which uses strongSwan.
Traffic allowed across the tunnel is 443 only, and requests from the Sophos to the ASA are very infrequent - maybe 5 a week. The ASA is knocking the tunnel down every 30 minutes exactly. We suspect this is due to the default 30 minute idle timeout.
It's been suggested that there are 3 possible configuration changes that might prevent the ASA from knocking down the tunnel:
crypto ipsec security-association idle-time
vpn-idle-timeout none
vpn-session-timeout none
Are we on the right path? Are there any other configuration changes to the ASA that would prevent it from knocking the tunnel down?
Thanks.
10-22-2018 01:27 PM
Can you post both sides' configuration?
Cisco ASA, Sophos.
10-24-2018 03:09 AM
Hi seanpetty1,
The timer is a negotiable parameter in VPN that does not need to be the same on both ends. The one with the lower value set is negotiated and used. You need to set timers to infinite/unlimited on both ends.
The following command specifies the maximum amount of time for which the current peer can be idle before the default peer is used, and the valid values are 60 to 86400. So you can't set it to infinite/unlimited.
crypto ipsec security-association idle-time <seconds>
Yes, you can set the following to none, which means the session time is infinite/unlimited.
vpn-idle-timeout none
vpn-session-timeout none
Another option you have is to set up an HTTP(S) probe from the Sophos LAN to the ASA LAN.
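Before changing timers it helps to confirm from the ASA's own syslog that the teardown really is the idle timer and not something else (rekey failure, DPD, peer-initiated delete). The following Python script is an added example, not code from any poster in this thread: it parses disconnect messages in the style of ASA syslog ID 113019 and counts how many were torn down with reason "Idle Timeout". The sample lines are constructed, and the exact field layout of 113019 varies by ASA version, so treat the regular expression as an assumption to adjust against real output.

```python
import re
from collections import Counter
from datetime import timedelta

# Constructed sample syslog lines modelled on ASA message %ASA-4-113019
# (session disconnected). Peer address 203.0.113.10 is a documentation
# range placeholder, not a real endpoint.
SAMPLE_LOG = """\
%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Duration: 0h:30m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Idle Timeout
%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Duration: 0h:30m:00s, Bytes xmt: 1280, Bytes rcv: 960, Reason: Idle Timeout
%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Duration: 4h:12m:37s, Bytes xmt: 88213, Bytes rcv: 51002, Reason: User Requested
"""

# Field layout is an assumption based on the 113019 format; adjust for your version.
DISCONNECT_RE = re.compile(
    r"%ASA-4-113019: .*?IP = (?P<peer>[\d.]+), Session disconnected\. "
    r"Session Type: (?P<type>\w+), Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>[^,\n]+)"
)


def parse_disconnects(text):
    """Return one dict per 113019 line: peer, session type, duration, byte counts, reason."""
    events = []
    for line in text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "peer": d["peer"],
            "type": d["type"],
            "duration": timedelta(hours=int(d["h"]), minutes=int(d["m"]), seconds=int(d["s"])),
            "bytes_xmt": int(d["xmt"]),
            "bytes_rcv": int(d["rcv"]),
            "reason": d["reason"].strip(),
        })
    return events


def reasons_by_peer(events):
    """Count disconnect reasons per peer, e.g. {'203.0.113.10': Counter({'Idle Timeout': 2, ...})}."""
    out = {}
    for e in events:
        out.setdefault(e["peer"], Counter())[e["reason"]] += 1
    return out


def idle_timeout_disconnects(events, idle_timeout=timedelta(minutes=30), slack=timedelta(seconds=5)):
    """Events whose reason is Idle Timeout and whose lifetime matches the configured idle timer.

    A session torn down at exactly the idle timer with near-zero byte counts is the
    signature of the default 30 minute vpn-idle-timeout on a tunnel that carried no traffic.
    """
    return [
        e for e in events
        if e["reason"] == "Idle Timeout" and abs(e["duration"] - idle_timeout) <= slack
    ]


if __name__ == "__main__":
    evts = parse_disconnects(SAMPLE_LOG)
    for peer, counts in reasons_by_peer(evts).items():
        print(peer, dict(counts))
    print("idle-timer teardowns:", len(idle_timeout_disconnects(evts)))
```

Feed it the output of "show logging" (or the syslog server's archive) filtered on 113019; if every teardown reports "Idle Timeout" at a duration close to 30 minutes, the group-policy change to vpn-idle-timeout none is the right fix. If the reasons are mixed, look at rekey and DPD settings on both peers before touching the idle timer.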
08-18-2023 04:20 PM
Experiencing similar issues in 2023.
Running Sophos XG310 & XGS3100 at two locations that have IPsec tunnels back to a Cisco ASA.
Continuously have weekly disconnects despite Sophos showing tunnels green.