Solved

Cisco ASA to PIX IPSec tunnels dropping problem

Posted on 2008-02-04
3,248 Views
Last Modified: 2011-10-03
Hello,

I have a single PIX to ASA (site-to-site) IKE tunnel with 2 IPSec tunnels.
Tunnels come up no problem after sending interesting traffic, but after around 30 minutes of no traffic the tunnels drop.
Again after interesting traffic is sent they come back up.

Our other PIX to PIX VPNs are fine and seem to stay up for long periods of time, which leads me to believe that the "keep-alive" or similar is not working right.

Anyone have any ideas to fix this?


Thanks!
Craig
Question by:chouckham
10 Comments
 
LVL 58

Expert Comment

by:Pete Long
ID: 20813682
Do both ends have

isakmp keepalive 30  <--- or another time in seconds

in the config?
 
LVL 3

Author Comment

by:chouckham
ID: 20813725
Hi Pete,

Yeah they do.

I think I've actually found the problem:
my tunnel group policy was set to inherit the "defaultgrouppolicy" "user authentication idle timeout" of 30 minutes.

I've since changed this and am testing... 15 minutes to go... :-)

 
LVL 3

Author Comment

by:chouckham
ID: 20813817
:-(
Gone down again after exactly 30 minutes.
Any ideas?

 
LVL 58

Expert Comment

by:Pete Long
ID: 20825935
Is your ISP the culprit? I've seen British Telecom force idle connections shut on site-to-site VPNs before.
 
LVL 3

Author Comment

by:chouckham
ID: 20826756
I don't think this is the reason, as we have other tunnels on neighboring devices that stay up.

As a short-term fix while I look for the problem, I'm going to set up a batch file with a simple PING, set in Windows Task Scheduler to run every 20 minutes.
 
LVL 3

Author Comment

by:chouckham
ID: 20978848
Finally solved this. It was a mixture of a couple of group policy settings which were set to time out after 30 minutes.
 
LVL 58

Expert Comment

by:Pete Long
ID: 20979376
Good news :) What was the GPO in question?
 
LVL 3

Author Comment

by:chouckham
ID: 20979445
I'll post the exact detail tomorrow, can't remember off the top of my head.

Cheers for your help though!
 
LVL 58

Expert Comment

by:Pete Long
ID: 20979471
:)
 
LVL 1

Accepted Solution

by: salesandservice (earned 2000 total points)
ID: 22874614
I'm guessing this is what he would have replied back with:

Configure the user timeout period by entering the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}

The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. The none keyword also permits an unlimited idle timeout period. It sets the idle timeout to a null value, thereby disallowing an idle timeout.

--CONFIG EXAMPLE--

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# vpn-idle-timeout 15

--
Source: Configuring Tunnel Groups, Group Policies, and Users, http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpngrp.html
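As an added example, not taken from the thread or from the Cisco guide, this is how the fix described above looks on the ASA side of a PIX-to-ASA LAN-to-LAN tunnel: the tunnel group is bound to its own group policy, which sets the idle timeout to none so the 30-minute default is no longer inherited, and DPD keepalives are set on the same tunnel group to match the PIX side's isakmp keepalive. The peer address 203.0.113.2, the policy name L2L-NoIdle and the pre-shared key are placeholders, and vpn-session-timeout is a related setting that the thread does not name.

```cisco
! Before the fix nothing overrides the default group policy, so the L2L
! session inherits vpn-idle-timeout 30 and is torn down after 30 idle minutes.
!
! Dedicated policy for the site-to-site tunnel (name is an assumption)
group-policy L2L-NoIdle internal
group-policy L2L-NoIdle attributes
! 'none' disables the idle timeout and stops the value being inherited
 vpn-idle-timeout none
! Related setting not named in the thread: also make the absolute session
! limit explicit so it cannot be inherited from another policy
 vpn-session-timeout none
!
! Bind the policy to the LAN-to-LAN tunnel group (peer address is a placeholder)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-NoIdle
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_PSK
! DPD keepalive: probe the peer after 30 idle seconds, retry every 5 seconds
! (the PIX end uses the 'isakmp keepalive 30' form shown earlier in the thread)
 isakmp keepalive threshold 30 retry 5
!
! Verification: the policy should show 'none', and the session should still be
! listed well past 30 idle minutes
! show run group-policy L2L-NoIdle
! show vpn-sessiondb l2l
! show crypto isakmp sa
```

If the session still disappears after exactly 30 minutes with these settings in place, the timeout is coming from somewhere other than the group policy, which is the point at which the ISP-side idle teardown Pete mentions becomes worth testing.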

