VPN tunnel drops due to inactivity.

whitemike
Level 1

I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel; when our clients send traffic and the tunnel is down due to inactivity, it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?

4 Replies

andrew.prince
Level 10

Check you have not configured the tunnel to be "initiate" only?

Sent from Cisco Technical Support iPad App

Thanks for the reply. The only place I could find something like that was on the crypto map connection-type; for the tunnel I have a choice of bidirectional, answer-only, and originate-only. Is that what you are talking about? Because all of my site-to-site VPNs are set to bidirectional.

Mohammad Alhyari
Cisco Employee

Hi,

What may control the initiation:

1-NAT
2-Dynamic maps
3-Crypto map originate options
4-If one of the peers is behind a dynamic NAT device

Could you please share the config and point to the map that you are using? Also, you can change the idle time using a group policy and apply that one to the crypto map.

HTH

Mohammad.

Almost everything you mentioned there is on this particular tunnel. Here is the config for that tunnel:

name 175.124.120.55 ACME_01 description Cedars Sinai
name 175.124.120.56 ACME_02 description Cedars Sinai
name 175.124.120.57 ACME_03 description Cedars Sinai
name 175.124.120.58 ACME_04 description Cedars Sinai
name 175.124.120.59 ACME_05 description Cedars Sinai
name 175.124.120.60 ACME_06 description Cedars Sinai
object-group network ACME_GRP
 description ACME
 network-object host 175.124.120.55
 network-object host 175.124.120.56
 network-object host 175.124.120.57
 network-object host 175.124.120.58
 network-object host 175.124.120.59
 network-object host 175.124.120.60
access-list private_nat0_outbound extended permit ip host 71.175.218.169 object-group ACME_GRP
access-list Outside_24_cryptomap extended permit ip host 71.175.218.169 object-group ACME_GRP
group-policy ACME internal
group-policy ACME attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec svc
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer 192.175.86.12
crypto map Outside_map 24 set transform-set ESP-3DES-SHA
crypto map Outside_map 24 set security-association lifetime seconds 86400
tunnel-group 192.175.86.12 type ipsec-l2l
tunnel-group 192.175.86.12 general-attributes
 default-group-policy ACME
tunnel-group 192.175.86.12 ipsec-attributes
 pre-shared-key *********

And also, the box on my local side is behind a dynamic NAT.
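As an added example, not code from the thread or from Cisco, here is a small Python checker that reads an ASA config fragment shaped like the one posted above and reports the items from Mohammad's list that are visible in the config: a non-bidirectional crypto map connection-type, a dynamic crypto map (which the ASA can never initiate), and a group-policy idle timeout reached through the peer's tunnel-group. The PARTNER policy, map 25 and the dynamic map are constructed additions so each check fires; the dynamic NAT point cannot be seen in a config and is not checked.

```python
import re
# Constructed sample: map 24 / policy ACME / its tunnel-group as posted in the thread, plus a
# hypothetical map 25 (originate-only, idling policy) and a dynamic map 65535 to exercise each check.
ASA_CONFIG = """\
group-policy ACME attributes
 vpn-idle-timeout none
group-policy PARTNER attributes
 vpn-idle-timeout 30
crypto map Outside_map 24 set peer 192.175.86.12
crypto map Outside_map 25 set peer 203.0.113.9
crypto map Outside_map 25 set connection-type originate-only
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn
tunnel-group 192.175.86.12 general-attributes
 default-group-policy ACME
tunnel-group 203.0.113.9 general-attributes
 default-group-policy PARTNER
"""

def parse_asa(config):
    # Collect crypto-map entries plus group-policy and tunnel-group sub-commands.
    maps, policies, groups, section = {}, {}, {}, None
    for line in config.splitlines():
        if line.startswith(" ") and section is not None:      # indented sub-command
            key, _, value = line.strip().partition(" ")
            section[key] = value
            continue
        section = None
        if m := re.match(r"crypto map (\S+) (\d+) (?:set )?(\S+) (.+)", line):
            maps.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := re.match(r"group-policy (\S+) attributes", line):
            section = policies.setdefault(m[1], {})
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            section = groups.setdefault(m[1], {})
    return maps, policies, groups

def check_initiation(config):
    # Report the settings from the reply's list that keep one side from bringing the tunnel up.
    maps, policies, groups = parse_asa(config)
    findings = []
    for (name, seq), e in sorted(maps.items()):
        if e.get("ipsec-isakmp", "").startswith("dynamic"):
            findings.append(f"{name} {seq}: dynamic map, only the remote peer can initiate")
        elif e.get("connection-type", "bidirectional") != "bidirectional":  # ASA default
            findings.append(f"{name} {seq}: connection-type {e['connection-type']}")
        peer = e.get("peer", "").partition(" ")[0]                # first peer address
        policy = groups.get(peer, {}).get("default-group-policy")
        idle = policies.get(policy, {}).get("vpn-idle-timeout")   # only explicit values
        if idle not in (None, "none"):
            findings.append(f"{name} {seq}: group-policy {policy} idles out after {idle} min")
    return findings
```

Feed it the output of `show running-config` and it lists every crypto map entry that needs attention; map 24 from the thread produces no finding because it is bidirectional and its policy has vpn-idle-timeout none.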
