• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 825
  • Last Modified:

Cisco to Netgear IPSC VPN dropping when no activity

I have recently setup a gateway to gateway VPN between a client site and their medical billing service.  They use a telnet client to access the billing server and basically leave it up and connected all day long.  This wasn't an issue on the old netgear to netgear setup but with the cisco to netgear setup the telnet connection is dropping after some period of inactivity.

1.  No changes have been made at the billing company's server..
2.  No changes have been made at the billing company's router.
3.  The Cisco ASA 5505 was implemented and the G2G VPN was setup up by copying the settings from the old Netgear router.
4.  No we can not simply switch back to the old Netgear router.
5.  Is there any reason why a G2G VPN would disconnect due to some kind of stale key or inactivity?

Thanks in advance.
0
raventechjeff
Asked:
raventechjeff
  • 2
  • 2
1 Solution
 
gavvingCommented:
My guess is that the issue is related to the timeouts built into the ASA.  By default it will timeout 'inactive' connections, once that connection is timed out, then there would be no VPN traffic and the tunnel would go down as well.   It's normal for VPN tunnels to not be present if there is no interesting traffic for them.  Once there is interesting traffic the tunnel should automatically be re-established with little to no impact on the traffic.  

Try this command:

timeout conn 8:00:00

That would set the inactivity timeout for connections to 8 hours.  
0
 
Ernie BeekExpertCommented:
Try the following command:

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none


That should get rid of the timeout.
0
 
raventechjeffAuthor Commented:
Exactly the case.  I am no good with the command line but found the setting in ASDM.  I actually set it to 0 so it never times out.  Resource usage is not an issue since the router is totally over powered for it's current usage.  Love it though. So much better than the Watchguards I deal with.  Thanks.
0
 
gavvingCommented:
FYI I wouldn't recommend setting the timeout to 0.  The ASA does have limited connection resources and over time those connections will all get used if it never times out any inactive connections.  I would set it to something, anything, even 7 days, but not disable the timeout function all together.

Use the "show connection all" command and it will show you how many connections are in use in the first line of the output.
0
 
raventechjeffAuthor Commented:
Ok.  Good idea.  So I checked it out and there are only 4 connections at the current time and it's been what?  two days?  

This is the result I got from the command you suggested:

ciscoasa# show conn all
4 in use, 126 most used

It appears that the VPN has been connected for over two days now which is what I was hoping to accomplish.  So, thanks for the helpful advice and I will keep an eye on it over the next week to see if it gets crazy.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now