[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3165
  • Last Modified:

IKE/IPSec tunnel is coming down - idle timeout?

Doe the IKE/IPsec VPN on a PIX site-site have an idle timout setting? I see what looks to be 3 timers, IKE SA lifetime, IPSec SA lifetime, and TIMEOUT CONN on the Pix 506. What is the resultant timeout value that would / could cause a tunnel to come down during idle times? Users are telneting over this tunnel and it looks like during idle times the tunnel is shutting down.

Any ideas? Thanks in advance for your help.

0
murphymail
Asked:
murphymail
  • 2
1 Solution
 
harbor235Commented:
IKE security association (SA) lifetime governs how long in seconds a particular association will stay up before it renegoitiates another SA. This enforces security for that particular association ensuring that the peer can renegoitiate with the proper configured VPN security parameters. The default is 24hrs (86400 seconds). Are you seeing it drop out once a day?
This should not be an issue, the VPN is quickly reestablished.

harbor235
0
 
murphymailAuthor Commented:
Client is claming it drops but whats the best way to tell for sure? Exactly what command can show the current status of the tunnel (how long its been up, when it came down, why it came down?). I have logging set to debug (if that helps).
0
 
harbor235Commented:
>  I have logging set to debug (if that helps).

Thats good for temporary logging, I would not leave it at this level, change it to informational.

>Exactly what command can show the current status of the tunnel (how long its been up)



show crypto ipsec sa
show crypto isakamp sa

Two great commands, you can view packets encapsulated and decapsulated to verify tunnel is running fine.
It also displays the current security association with the peer address.


harbor235
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now