
VPN IPSEC is restarted

Hi,

I have a Cisco 2801 with flash: c2801-advipservicesk9-mz.124-16.bin, which I use for IPsec VPN.

My problem is that when I make a connection with a client, if my VPN doesn't have traffic, the tunnel is closed. If I receive or send any traffic, the tunnel comes up again.

For example:

    dst            src             state     conn-id  slot  status
    200.10.10.1    201.201.10.10   QM_IDLE   998      0     ACTIVE

If there is no traffic, this tunnel is closed and afterwards another tunnel is opened, where the conn-id is changed to 999, for example.

Is this behavior normal? Is there a way to make my tunnel never close? I enabled the parameters below:

    service tcp-keepalives-in
    service tcp-keepalives-out
    crypto isakmp keepalive 10 periodic

But the tunnel continues closing if I don't have traffic.

Thanks very much!


Rudy Sanjoko
Level 4

Try to configure the idle and session timeout to none using the "vpn-idle-timeout none" and "vpn-session-timeout none" commands; this will keep the tunnel always up so that it is never dropped.

Sanjoko,

Thanks for the answer.

Do you know where I apply these commands?

Hello

If you are using an IPsec profile for the Easy VPN server, then you can set this under the IPsec profile as follows:

    set security-association idle-time 86400

If you are using a dynamic map for the Easy VPN server, then the same command should be set under the dynamic map.

Harish.

On IOS, you can configure the user timeout period by entering the "vpn-idle-timeout" command in "group-policy configuration" mode or in "username configuration" mode:

    hostname(config-group-policy)# vpn-idle-timeout {minutes | none}

or use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode in order to configure the IPsec SA idle timer. By default, IPsec SA idle timers are disabled.

    crypto ipsec security-association idle-time seconds

The time, in seconds, that the idle timer allows an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.
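An added example (not part of the thread and not Cisco tooling): a Python check that scans a saved running-config and reports where the IPsec SA idle timer discussed above is set, flagging values outside the 60 to 86400 range quoted in the answer. The sample config and the names EZVPN, DYNMAP, VPNMAP and TS are constructed for illustration.

```python
import re

# Constructed sample running-config; all names in it are hypothetical.
SAMPLE_CONFIG = """\
crypto isakmp keepalive 10 periodic
crypto ipsec security-association idle-time 600
!
crypto ipsec profile EZVPN
 set security-association idle-time 86400
!
crypto dynamic-map DYNMAP 10
 set transform-set TS
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 201.201.10.10
 set security-association idle-time 30
"""

GLOBAL = re.compile(r"^crypto ipsec security-association idle-time (\d+)")
SECTION = re.compile(r"^crypto (ipsec profile|dynamic-map|map) (\S+(?: \d+)?)")
LOCAL = re.compile(r"^\s+set security-association idle-time (\d+)")
VALID = range(60, 86401)  # 60 to 86400 seconds, as stated in the thread


def audit_idle_time(config):
    """Map each scope (global or crypto section) to (seconds, status)."""
    found = {"global": None}
    scope = None
    for line in config.splitlines():
        if not line.startswith(" "):
            scope = None  # any top-level line ends the previous section
            m = GLOBAL.match(line)
            if m:
                found["global"] = int(m.group(1))
                continue
            m = SECTION.match(line)
            if m:
                scope = f"{m.group(1)} {m.group(2)}"
                found.setdefault(scope, None)
        elif scope and (m := LOCAL.match(line)):
            found[scope] = int(m.group(1))
    report = {}
    for name, secs in found.items():
        if secs is None:
            report[name] = (None, "not set")
        else:
            report[name] = (secs, "ok" if secs in VALID else "out of range")
    return report
```
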

Guys,

Thank you for helping me.

I'll try using these commands.