
Site-to-Site VPN tunnel in ASA 5520

Hello everyone,

I've got a problem. We are having a site-to-site VPN tunnel connected with our client. Usually the users connect to a remote virtual desktop (maybe VMware) through the L2L tunnel. The problem is that the remote desktop gets disconnected intermittently (around 4 to 5 times a day) and automatically reconnects after around 40 seconds or so. I can't find any problem with the L2L tunnel as it is showing up for the last 6 hours or so. Also there are no packet drops (RTO) when I ping the peer IP.

If anyone has any idea what's going on, please let me know.



Michael Schueler
Cisco Employee

Hello Rooland,

This is hard to tell without further data. One possibility might be that the ASA connection timeout, which is 1 hour by default, kicks in if the remote virtual desktop connections within the tunnel are idle for a long time (i.e. >1 hour).

Please find further information on default timeouts on ASA and how to modify them here:

As a first test, I would propose to increase the connection timeout for the remote virtual desktop connections only, via MPF using the "set connection timeout idle" command as described here:

As the new timeout, I would select a value larger than the time after which you see connections dropping now.

Further useful commands to troubleshoot this would be "show conn" and "show local-host":

If the above doesn't help, I would recommend opening a TAC case, as we would need to look into simultaneous captures from the client, the client-side ASA and the server-side ASA, plus syslogs from both ASAs, next.
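The per-flow timeout change Michael proposes, written out as an added ASA MPF example (constructed here, not taken from the thread or from the original poster's configuration). It assumes the virtual desktop traffic is RDP on TCP/3389, an assumed remote subnet of 10.20.0.0/24, the default global_policy, and a 2-hour idle value chosen only as an illustration of "larger than the observed drop interval".

```text
! Constructed example, not from the thread. Assumed values:
! RDP on TCP/3389, remote desktop subnet 10.20.0.0/24, default global_policy.

! Match only the remote-desktop flows that cross the L2L tunnel,
! so the default 1:00:00 idle timeout stays in place for everything else.
access-list RDP_L2L extended permit tcp any 10.20.0.0 255.255.255.0 eq 3389
class-map RDP_L2L_CLASS
 match access-list RDP_L2L

! Raise the idle timeout for those flows only (ASA default is 1:00:00).
! Pick a value larger than the interval after which drops are observed.
policy-map global_policy
 class RDP_L2L_CLASS
  set connection timeout idle 2:00:00

! global_policy is normally already applied globally; shown for completeness.
service-policy global_policy global

! Verification: confirm the class is hit and inspect the live connection table
! (idle time and timeout per entry) around the time a disconnect is reported.
show service-policy
show conn detail
show local-host
```

If the disconnects still occur while the affected connections show non-zero traffic and an idle time well below the configured timeout, that is evidence the drop is not timeout-related and the capture-based troubleshooting below is the next step.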



Reyad Safi


I just want to ask if you use a static or dynamic public IP address.

Hi Michael,

Thanks for the response. I may be wrong, but I think there should be no problem with the connection timeout value as the problem occurs even while active work is going on. When the remote desktop connectivity is lost, there is a slight pause (a frozen desktop or delay), then a pop-up message "connectivity lost, trying to reconnect".

@Reyad we are using a static IP address (for the peer IP).



Hi Rooland,

I agree; if the issue occurs even while users are actively working on the remote desktop, this is very unlikely a timeout issue.

As such, we would need to look into simultaneous packet captures and syslogs from both tunnel endpoints and the client now. I would thus recommend opening a TAC case regarding this. When opening the case, please upload the following data:

  • "show tech" output from both tunnel endpoints
  • Detailed topology diagram including the test client and server, both tunnel endpoints and IP addresses of all devices on all relevant interfaces
  • Simultaneous packet captures from the test client and the "inside" interface of both ASAs, collected while the issue occurs
  • Syslogs at debugging level from both ASAs from the same time period as the packet capture

Please find further information on packet captures on ASA here:

If you are unsure how to collect the captures exactly, the TAC engineer will provide further guidance.


