Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco to Netgear IPSC VPN dropping when no activity

Posted on 2011-02-10
5
Medium Priority
?
810 Views
Last Modified: 2012-06-27
I have recently setup a gateway to gateway VPN between a client site and their medical billing service.  They use a telnet client to access the billing server and basically leave it up and connected all day long.  This wasn't an issue on the old netgear to netgear setup but with the cisco to netgear setup the telnet connection is dropping after some period of inactivity.

1.  No changes have been made at the billing company's server..
2.  No changes have been made at the billing company's router.
3.  The Cisco ASA 5505 was implemented and the G2G VPN was setup up by copying the settings from the old Netgear router.
4.  No we can not simply switch back to the old Netgear router.
5.  Is there any reason why a G2G VPN would disconnect due to some kind of stale key or inactivity?

Thanks in advance.
0
Comment
Question by:raventechjeff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 9

Accepted Solution

by:
gavving earned 2000 total points
ID: 34868389
My guess is that the issue is related to the timeouts built into the ASA.  By default it will timeout 'inactive' connections, once that connection is timed out, then there would be no VPN traffic and the tunnel would go down as well.   It's normal for VPN tunnels to not be present if there is no interesting traffic for them.  Once there is interesting traffic the tunnel should automatically be re-established with little to no impact on the traffic.  

Try this command:

timeout conn 8:00:00

That would set the inactivity timeout for connections to 8 hours.  
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34870358
Try the following command:

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none


That should get rid of the timeout.
0
 
LVL 1

Author Closing Comment

by:raventechjeff
ID: 34870712
Exactly the case.  I am no good with the command line but found the setting in ASDM.  I actually set it to 0 so it never times out.  Resource usage is not an issue since the router is totally over powered for it's current usage.  Love it though. So much better than the Watchguards I deal with.  Thanks.
0
 
LVL 9

Expert Comment

by:gavving
ID: 34874533
FYI I wouldn't recommend setting the timeout to 0.  The ASA does have limited connection resources and over time those connections will all get used if it never times out any inactive connections.  I would set it to something, anything, even 7 days, but not disable the timeout function all together.

Use the "show connection all" command and it will show you how many connections are in use in the first line of the output.
0
 
LVL 1

Author Comment

by:raventechjeff
ID: 34882991
Ok.  Good idea.  So I checked it out and there are only 4 connections at the current time and it's been what?  two days?  

This is the result I got from the command you suggested:

ciscoasa# show conn all
4 in use, 126 most used

It appears that the VPN has been connected for over two days now which is what I was hoping to accomplish.  So, thanks for the helpful advice and I will keep an eye on it over the next week to see if it gets crazy.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Considering cloud tradeoffs and determining the right mix for your organization.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question