RA VPN keepalives and timeouts

Posted on December 13, 2010

RA VPN timeouts

1. Session timeouts
2. IPSec SA lifetimes
3. ISAKMP lifetimes and NAT-T keepalive interval
4. Timeout in the group policy
5. DPD timeouts

1. Session timeouts

As the VPN traffic may pass through many firewalls before it reaches the VPN gateway, it can happen that an intermediate device tears the session down before the timeouts described here are reached. Every firewall has its own session timeout settings; on the ASA itself they can be modified as well.

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

2. IPSec SA lifetimes

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

3. ISAKMP lifetimes and NAT-T keepalive interval

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 2
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 200

If you have more than one ISAKMP policy and you want to know which policy and which lifetime is used, you can use the 'show crypto isakmp sa detail' command. In the output you see the settings of the matching policy.
The output also shows the remaining lifetime relative to the configured value.

# sh cry isakmp sa detail
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 2.2.2.2
Type : user Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : rsa Lifetime: 3600
Lifetime Remaining: 2550
2 IKE Peer: 3.3.3.3
Type : user Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : rsa Lifetime: 3600
Lifetime Remaining: 3599

4. Timeout in the group policy

group-policy MyGrpPolicy attributes
vpn-idle-timeout 30
vpn-session-timeout none

If you do not explicitly setup the timeouts for your group-policy, then the properties of default group policy will be used (inherited).

group-policy DfltGrpPolicy attributes
vpn-idle-timeout 30
vpn-session-timeout none

5. DPD timeouts

tunnel-group MyRAGroup ipsec-attributes
isakmp keepalive threshold 500 retry 10

If you do not explicitly setup the timeouts for your tunnel group, then the properties of default tunnel group will be used (inherited).

tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 3600 retry 5
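Sections 4 and 5 both hinge on inheritance from DfltGrpPolicy and DefaultRAGroup, which is easy to misread in a long config. The following Python script is an added example (not from the original post, not a Cisco tool) that parses a constructed config excerpt modelled on the snippets above, resolves which block actually supplies each timeout, and flags the case where the DPD threshold (seconds) is longer than the idle timeout (minutes), so the session would be dropped for idleness before a DPD probe is ever sent; the inheritance rules and unit assumptions are those stated in the post and in the ASA command reference.

```python
import re

# Constructed sample config modelled on the post's snippets (not from a real device).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
group-policy MyGrpPolicy attributes
 vpn-session-timeout 720
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 3600 retry 5
tunnel-group MyRAGroup ipsec-attributes
 isakmp keepalive threshold 500 retry 10
tunnel-group NoDpdGroup ipsec-attributes
"""

BLOCK_RE = re.compile(r"^(group-policy|tunnel-group) (\S+) (?:attributes|ipsec-attributes)$")

def parse_blocks(config):
    """Map (kind, name) -> list of indented attribute lines under that block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            blocks.setdefault(current, [])
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks

def lookup(blocks, kind, name, default, pattern):
    """Find pattern in the named block, else in the default block (ASA inheritance)."""
    for candidate in (name, default):
        for line in blocks.get((kind, candidate), []):
            m = re.match(pattern, line)
            if m:
                return m.groups(), candidate
    return None, None

def effective_timeouts(config, policy, tunnel_group):
    """Resolve the values a session in (policy, tunnel_group) actually gets."""
    blocks = parse_blocks(config)
    idle, idle_src = lookup(blocks, "group-policy", policy, "DfltGrpPolicy", r"vpn-idle-timeout (\S+)")
    sess, sess_src = lookup(blocks, "group-policy", policy, "DfltGrpPolicy", r"vpn-session-timeout (\S+)")
    dpd, dpd_src = lookup(blocks, "tunnel-group", tunnel_group, "DefaultRAGroup",
                          r"isakmp keepalive threshold (\d+) retry (\d+)")
    result = {
        "vpn-idle-timeout": (idle[0] if idle else None, idle_src),
        "vpn-session-timeout": (sess[0] if sess else None, sess_src),
        "dpd-threshold": (int(dpd[0]) if dpd else None, dpd_src),
        "dpd-retry": (int(dpd[1]) if dpd else None, dpd_src),
    }
    # Idle timeout is in minutes, DPD threshold in seconds: if the threshold exceeds the
    # idle timer, the idle timer tears the session down before the first DPD probe goes out.
    idle_s = None if not idle or idle[0] == "none" else int(idle[0]) * 60
    result["dpd-probes-before-idle"] = bool(dpd) and (idle_s is None or int(dpd[0]) < idle_s)
    return result

if __name__ == "__main__":
    for pol, tg in (("MyGrpPolicy", "MyRAGroup"), ("DfltGrpPolicy", "NoDpdGroup")):
        print(pol, tg, effective_timeouts(SAMPLE_CONFIG, pol, tg))
```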
Posted in: ASA, Cisco, Security, VPN