PIX VPN site-site timeout

Posted on 2005-04-29
Last Modified: 2010-04-12
Looking at this config from the main site, there is no VPNGROUP stmt, which I thought I would need to control / set the idle timeout. How do the VPDN stmts tie together with the VPNGROUP so that I can ensure my IPsec connections have a timeout of a couple of hours? Hence, where do I set the idle time for an IPsec VPN?

crypto ipsec transform-set VPNTransform esp-des esp-md5-hmac
crypto map VPNmap 1 ipsec-isakmp
crypto map VPNmap 1 match address VPNsite1
crypto map VPNmap 1 set peer 64.253.63.x
crypto map VPNmap 1 set transform-set VPNTransform
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet inside
telnet timeout 5
ssh outside
ssh timeout 50
management-access inside
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username rohna password *********
vpdn enable outside

Thanks so much-
Question by:murphymail

    Expert Comment

    > isakmp policy 1 lifetime 1000
    This sets the key lifetime.
    Your only IPSEC VPN is the fixed one to

    The 'vpdn' commands are for a PPTP connection not IPSEC.

    Author Comment

    Does this mean after 1000 seconds of idle time the IPsec VPN tunnel will come down until interesting traffic forces it back up? Isn't there any heartbeat / keepalive that would keep this up even if the user traffic is idle? Is there any other idle timer that I need to address?

    Author Comment

    I read that before an SA expires, it renegotiates a new one so that there is no disruption of data flow. So I don't think it's the SA lifetime that's causing the timeout. Although these 2 commands do show a lifetime (are they referring to the same value?):

    show crypto ipsec security-association lifetime
    show crypto isakmp policy

    If this is the case where do you set the idle-time for an IPsec tunnel to disconnect?

    Expert Comment

    There is no idle-timeout for this type of VPN as it is designed to stay up permanently.
    If the SA lifetime is set to different values each end it can cause VPN problems.

    Author Comment

    Does the TIMEOUT CONN: timer act as an idle timer for IPsec VPNs? How does this value then impact the tunnel up time?

    What's the best way to SHOW that an IPsec tunnel is CURRENTLY active without clearing counters on the "sh crypto ipsec sa" command? Apparently, the SH CRYPTO IS SA only shows QM_IDLE, but I think since CREATED is 0 the tunnel is not up - is this correct?


    Accepted Solution

    The TIMEOUT CONN is the idle timeout for any individual TCP connection through the PIX. There are separate timeouts for UDP etc... These won't affect the VPN itself but will apply to traffic traveling through the VPN.

    It would be better to use 'show crypto sa' as this provides more detail including the lifetime counters and how long to go in seconds and kilobits before they need to be renewed.
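    An added example, not from this thread or from Cisco, of reading the counters the accepted solution points to: it parses constructed PIX 6.x "show crypto ipsec sa" output and classifies a peer as up, one-way or down from the number of ESP SAs, the encaps/decaps packet counters and the remaining key lifetime. The field layout is assumed from the PIX 6.x output format, and the peer is a constructed documentation address rather than the one in the question.

```python
import re

# Constructed sample of PIX 6.x "show crypto ipsec sa" output (not captured from the
# poster's firewall); 203.0.113.1 is a documentation address, not the real peer.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 203.0.113.1:500
    #pkts encaps: 1542, #pkts encrypt: 1542, #pkts digest 1542
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify 1498
     inbound esp sas:
      spi: 0x1a2b3c4d(439041101)
        sa timing: remaining key lifetime (k/sec): (4607999/2650)
     outbound esp sas:
      spi: 0x5e6f7a8b(1584822923)
        sa timing: remaining key lifetime (k/sec): (4607999/2650)
"""

PEER_RE = re.compile(r"current_peer: ([\d.]+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

def parse_ipsec_sa(text):
    """Return {peer: {encaps, decaps, sas, kb_left, sec_left}} from the show output."""
    peers, cur = {}, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            cur = peers.setdefault(m.group(1), {"encaps": 0, "decaps": 0, "sas": 0,
                                                "kb_left": None, "sec_left": None})
        elif cur is not None and (m := PKTS_RE.search(line)):
            cur[m.group(1)] = int(m.group(2))
        elif cur is not None and (m := LIFE_RE.search(line)):
            kb, sec = int(m.group(1)), int(m.group(2))
            cur["sas"] += 1  # one inbound plus one outbound ESP SA per live tunnel
            cur["kb_left"] = kb if cur["kb_left"] is None else min(cur["kb_left"], kb)
            cur["sec_left"] = sec if cur["sec_left"] is None else min(cur["sec_left"], sec)
    return peers

def tunnel_state(info):
    """'down': no ESP SAs (waiting for interesting traffic); 'one-way': packets sent but
    nothing decrypted back (check the far end / lifetimes); 'up': SAs and two-way traffic."""
    if info["sas"] == 0:
        return "down"
    if info["encaps"] > 0 and info["decaps"] == 0:
        return "one-way"
    return "up"

if __name__ == "__main__":
    for peer, info in parse_ipsec_sa(SAMPLE).items():
        print(peer, tunnel_state(info), "rekey in %s s / %s KB" % (info["sec_left"], info["kb_left"]))
```

    Run it twice a minute apart: a rising decaps counter is the sign the far end is still sending, and a falling sec_left that resets to the configured lifetime shows the rekey happening without the tunnel dropping.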
