Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328
  • Last Modified:

PIX VPN site-site timeout

Looking at this config from the main site, there is no VPNGROUP stmt which I thought I would need to control / set the idle timeout. How does VPDN stmts tie together with the VPNGROUP so that I can ensure my Ipsec connections have a timeout of a couple hours? Hence where do I set the idle time for an Ipsec VPN?

crypto ipsec transform-set VPNTransform esp-des esp-md5-hmac
crypto map VPNmap 1 ipsec-isakmp
crypto map VPNmap 1 match address VPNsite1
crypto map VPNmap 1 set peer 64.253.63.x
crypto map VPNmap 1 set transform-set VPNTransform
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet inside
telnet timeout 5
ssh outside
ssh timeout 50
management-access inside
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username rohna password *********
vpdn enable outside

Thanks so much-
  • 3
  • 3
1 Solution
> isakmp policy 1 lifetime 1000
This sets the key lifetime
Your only IPSEC VPN is the fixed one to

The 'vpdn' commands are for a PPTP connection not IPSEC.
murphymailAuthor Commented:
Does this mean after 1000 seconds of idle time the IpSec VPN tunnel will come down until interesting traffic forces it back up? Isn't there any heartbeat / keepalives that would keep this up even if the user traffic is idle? Is there any other idle timer that I need to address?
murphymailAuthor Commented:
I read that before a SA expires, it renegociates a new one so that there is no dissruption of data flow. So I don't think its the SA lifetime thats causing the timeout. Although these 2 commands do show lifetime (are they referring to the same value?)

show crypto ipsec security-association lifetime
show crypto isakmp policy

If this is the case where do you set the idle-time for an IPsec tunnel to disconnect?
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

There is no idle-timeout for this type of VPN as it is designed to stay up permantly.
If the SA lifetime is set to different values each end it can cause VPN problems.
murphymailAuthor Commented:
Does the TIMEOUT CONN:  timer act as an idle timer for IPsec VPNs? How is this value then impact the tunnel up time?

What's the best way to SHOW that a IPSEC tunnel is CURRENTLY active without clearing counters on the "sh crypto ipsec sa" command? Apparently, the SH CRYPTO IS SA only shows QM_IDLE but I think since CREATED is 0 the tunnel is not up- is this correct?

The TIMEOUT CONN is the idle timout for any individual TCP connection through the PIX. There are separate timeouts for UDP etc... These wont affect the VPN itself but will apply to traffic traveling through the VPN

It would be better to use 'show crypto sa' as this provides more detail including the lifetime counters and how long to go in seconds and kilobits before they need to be renewed.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now