RA VPN keepalives and timouts

RA VPN timeouts

1. Session timeouts
2. IPSec SA lifetimes
3. ISAKMP lifetimes and Nat-T keepalive interval
4. Timeout in the group policy
5. DPD timeouts.

1. Session timeouts

As the VPN may go through many Firewall till it reaches the VPN gateway it can happen that the session is broken before the timouts here is reached. All firewall have its own session timeout settings, actually it can be modified on the ASA as well.

timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

2. IPSec SA lifetimes

crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 ! crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

3. ISAKMP lifetimes

crypto isakmp policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 43200 crypto isakmp policy 2 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto isakmp nat-traversal 200

If you have more than one isakmp policy and you want to know which policy and which timeout is used, you can use the ‘show crypto isakmp sa detail‘ command. In the output you see the matching policy settings.
In the output you can see the time remained time from the defined time as well.

# sh cry isakmp sa detailActive SA: 2 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 2 1 IKE Peer: 2.2.2.2 Type : user Role : responder Rekey : no State : MM_ACTIVE Encrypt : 3des Hash : SHA Auth : rsa Lifetime: 3600 Lifetime Remaining: 2550 2 IKE Peer: 3.3.3.3 Type : user Role : responder Rekey : no State : MM_ACTIVE Encrypt : 3des Hash : SHA Auth : rsa Lifetime: 3600 Lifetime Remaining: 3599

4. Timeout in the group policy

group-policy MyGrpPolicy attributes vpn-idle-timeout 30 vpn-session-timeout none

If you do not explicitly setup the timeouts for your group-policy, then the properties of default group policy will be used (inherited).

group-policy DfltGrpPolicy attributes vpn-idle-timeout 30 vpn-session-timeout none

5. DPD timeouts

tunnel-group MyRAGroup ipsec-attributes isakmp keepalive threshold 500 retry 10

If you do not explicitly setup the timeouts for your tunnel group, then the properties of default tunnel group will be used (inherited).

tunnel-group DefaultRAGroup ipsec-attributes isakmp keepalive threshold 3600 retry 5