
VPN tunnel drops due to inactivity.

I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring it back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel; when our clients send traffic and the tunnel is down due to inactivity, it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or is there a way to make it stay up through inactivity?


Check that you have not configured the tunnel to be "initiate" only.

Sent from Cisco Technical Support iPad App

Thanks for the reply. The only place I could find something like that was on the crypto map connection-type for the tunnel, where I have a choice of bidirectional, answer-only, and originate-only. Is that what you are talking about? Because all of my site-to-site VPNs are set to bidirectional.

Mohammad Alhyari
Cisco Employee

Hi,

What may control the initiation:


2-Dynamic MAPs

3-crypto map originate options.

4-If one of the peers is behind a dynamic NAT device.

Could you please share the config and point to the map that you are using? Also, you can change the idle time using group policy and apply that one to the crypto map.



Almost everything you mentioned there is on this particular tunnel. Here is the config for that tunnel:

name ACME_01 description Cedars Sinai
name ACME_02 description Cedars Sinai
name ACME_03 description Cedars Sinai
name ACME_04 description Cedars Sinai
name ACME_05 description Cedars Sinai
name ACME_06 description Cedars Sinai
object-group network ACME_GRP
 description ACME
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
access-list private_nat0_outbound extended permit ip host object-group ACME_GRP
access-list Outside_24_cryptomap extended permit ip host object-group ACME_GRP
group-policy ACME internal
group-policy ACME attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec svc
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer
crypto map Outside_map 24 set transform-set ESP-3DES-SHA
crypto map Outside_map 24 set security-association lifetime seconds 86400
tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy ACME
tunnel-group ipsec-attributes
 pre-shared-key *********

Also, the box on my local side is behind a dynamic NAT.
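
One way to check the settings discussed in this thread across a saved ASA configuration, as an added example that is not code from any poster or from Cisco: it reads each crypto map entry's connection-type, whether the entry is a dynamic map, and the vpn-idle-timeout of the peer's group policy. The sample config, its 192.0.2.x peers, the second and third map entries, and the function name `audit` are assumptions constructed for illustration.

```python
import re

# Constructed sample config; names and 192.0.2.x peers are placeholders, not from the thread.
SAMPLE = """\
group-policy ACME internal
group-policy ACME attributes
 vpn-idle-timeout none
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer 192.0.2.10
crypto map Outside_map 30 set peer 192.0.2.20
crypto map Outside_map 30 set connection-type originate-only
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy ACME
"""

def audit(config):
    """Return {(map, seq): facts} describing who can bring each tunnel up."""
    entries, idle, policy_of, ctx = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":
            ctx = None  # a non-indented line ends any attributes sub-mode
        m = re.match(r"crypto map (\S+) (\d+) (.+)", line)
        if m:
            e = entries.setdefault((m[1], int(m[2])),
                                   {"peer": None, "type": "bidirectional", "dynamic": False})
            words = m[3].split()
            if words[:2] == ["set", "peer"]:
                e["peer"] = (words[2:3] or [None])[0]  # tolerate an elided peer
            elif words[:2] == ["set", "connection-type"]:
                e["type"] = words[2]
            elif words[:2] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = True
            continue
        m = re.match(r"(group-policy|tunnel-group) (\S+) (?:general-)?attributes$", line)
        if m:
            ctx = (m[1], m[2])
        elif ctx and line.startswith("vpn-idle-timeout "):
            idle[ctx[1]] = line.split()[1]
        elif ctx and line.startswith("default-group-policy "):
            policy_of[ctx[1]] = line.split()[1]
    for e in entries.values():
        # Dynamic entries have no fixed peer, so the ASA can only answer on them.
        e["local_can_initiate"] = e["type"] != "answer-only" and not e["dynamic"]
        e["remote_can_initiate"] = e["type"] != "originate-only"
        e["idle_timeout"] = idle.get(policy_of.get(e["peer"]), "inherited")
    return entries
```

An entry with no explicit `set connection-type` line is reported as bidirectional, and `idle_timeout` reads "inherited" when the peer's tunnel-group names no group policy that sets one.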
