Cisco ASA to PIX IPSec tunnels dropping problem

Hello,

I have a single PIX to ASA (site-to-site) IKE tunnel with 2 IPSec tunnels.
The tunnels come up no problem after sending interesting traffic, but after around 30 minutes of no traffic the tunnels drop.
Again, after interesting traffic is sent they come back up.

Our other PIX to PIX VPNs are fine and seem to stay up for long periods of time, which leads me to believe that the "keep-alive" or similar is not working right.

Anyone have any ideas to fix this?


Thanks!
Craig
chouckham asked:

Pete Long (Technical Consultant) commented:
Do both ends have

isakmp keepalive 30  <--- or another time in seconds

in the config?
0
chouckham (Author) commented:
Hi Pete,

Yeah they do.

I think I've actually found the problem: my tunnel group policy was set to inherit the "defaultgrouppolicy" "user authentication idle timeout" of 30 minutes.

I've since changed this and am testing... 15 minutes to go... :-)

0
chouckham (Author) commented:
:-(
Gone down again after exactly 30 minutes.
Any ideas?
0
Pete Long (Technical Consultant) commented:
Is your ISP the culprit? I've seen British Telecom force idle connections shut on site-to-site VPNs before.
0
chouckham (Author) commented:
I don't think this is the reason, as we have other tunnels on neighboring devices that stay up.

As a short-term fix while I look for the problem, I'm going to set up a batch file with a simple PING, set in Windows Task Scheduler for every 20 minutes.
0
chouckham (Author) commented:
Finally solved this. It was a mixture of a couple of group policy settings which were set to time out after 30 minutes.
0
Pete Long (Technical Consultant) commented:
Good news :) What was the GPO in question?
0
chouckham (Author) commented:
I'll post the exact details tomorrow, can't remember off the top of my head.

Cheers for your help though!
0
Pete Long (Technical Consultant) commented:
:)
0
salesandservice commented:
I'm guessing this is what he would have replied back with:

Configure the user timeout period by entering the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}

The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. The none keyword also permits an unlimited idle timeout period. It sets the idle timeout to a null value, thereby disallowing an idle timeout.

--CONFIG EXAMPLE--

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-idle-timeout 15

--
Source: Configuring Tunnel Groups, Group Policies, and Users, http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpngrp.html

0
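To find this kind of misconfiguration before a site-to-site tunnel starts dropping, a quick audit of the running-config is useful: walk each tunnel-group, resolve its group policy (falling back to DfltGrpPolicy and then to the 30-minute factory default when vpn-idle-timeout is inherited, as the answer above describes), and report every tunnel group whose effective idle timeout is finite. This is an added example, not code from the thread or from Cisco; the config text, policy names and 203.0.113.x peer addresses are constructed for illustration.

```python
import re
DEFAULT_IDLE_MINUTES = 30  # ASA factory default when nothing sets vpn-idle-timeout

# Constructed sample running-config (not from the thread); 203.0.113.x are documentation addresses
SAMPLE_CONFIG = """\
group-policy L2L_Policy attributes
 vpn-tunnel-protocol ipsec
group-policy NoIdle_Policy attributes
 vpn-idle-timeout none
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_Policy
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 general-attributes
 default-group-policy NoIdle_Policy
tunnel-group 203.0.113.30 type ipsec-l2l
"""

def parse_asa_config(text):
    """policy -> 'none' | minutes (absent = inherits); tunnel-group -> default-group-policy."""
    policies, tunnel_groups, block = {}, {}, None
    for line in text.splitlines():
        if not line.startswith(" "):  # top-level command: start a new block
            block = None
            m = re.match(r"(group-policy|tunnel-group) (\S+) (\S+)", line)
            if m and m.group(1) == "group-policy" and m.group(3) == "attributes":
                block = ("policy", m.group(2))
            elif m and m.group(1) == "tunnel-group":
                tunnel_groups.setdefault(m.group(2), "DfltGrpPolicy")  # ASA default when unset
                if m.group(3) == "general-attributes":
                    block = ("tunnel", m.group(2))
            continue
        m = re.match(r"\s*vpn-idle-timeout (none|\d+)\s*$", line)
        if block and block[0] == "policy" and m:
            policies[block[1]] = "none" if m.group(1) == "none" else int(m.group(1))
        m = re.match(r"\s*default-group-policy (\S+)", line)
        if block and block[0] == "tunnel" and m:
            tunnel_groups[block[1]] = m.group(1)
    return policies, tunnel_groups

def effective_idle_timeout(policies, policy_name):
    value = policies.get(policy_name)
    if value is None:  # inherits: fall back to DfltGrpPolicy, then the 30-minute factory default
        value = policies.get("DfltGrpPolicy")
    return DEFAULT_IDLE_MINUTES if value is None else value

def tunnels_with_finite_idle_timeout(text):
    policies, tunnel_groups = parse_asa_config(text)
    timeouts = {tg: effective_idle_timeout(policies, pol) for tg, pol in tunnel_groups.items()}
    return {tg: t for tg, t in timeouts.items() if t != "none"}
```

Run against a real `show running-config` dump, every peer it lists will have its IPsec sessions torn down after the reported number of idle minutes unless the attached group policy sets `vpn-idle-timeout none`.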
