Downtime in the L2L VPN tunnel

is there a way to reduce the timeout on a L2L tunnel, so that it disconnects after a specific period of no traffic intresting?

Thank you

Here's a URL that describes how to adjust life IPSEC security association.  The default value is 1 hour.   HTH

http://www.Cisco.com/en/us/docs/iOS/12_2/Security/command/reference/srfipsec.html#wp1017619

Tags: Cisco Security

Similar Questions

  • The L2L VPN Tunnels on several external Interfaces ISP

    Due to special circumstances, we have 2 links on an ASA5510 ISP. I'm trying to put an end to some VPN L2L tunnels on a link and others on the second link of Internet service provider, for example below:

    LOCAL FIREWALL

    card crypto outside-map_isp1 20 corresponds to the address VPN_ACL_A
    set outside-map_isp1 20 crypto map peer 1.1.1.1
    outside-map_isp1 20 game card crypto transform-set TS-generic

    card crypto outside-map_isp2 30 corresponds to the address VPN_ACL_B
    peer set card crypto outside-map_isp2 30 3.3.3.3
    card crypto outside-map_isp2 30 value transform-set TS-generic

    crypto map interface outside-map-isps1 ISP_1
    outside-map-isp2 interface card crypto ISP_2

    ISAKMP crypto enable ISP_1
    ISAKMP crypto enable ISP_2

    Route 0.0.0.0 ISP_1 0.0.0.0 1.1.1.254
    Route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254

    Establishing the VPN tunnels in both directions when using ISP_1 works very well establshing in both directions of remote access users and several tunnels L2L (only showing a for example).

    On ISP_2

    1. peer device 3.3.3.3 establishes a VPN tunnel, but the return traffic does NOT get back to devices 3.3.3.3 tunnel.

    2. the local firewall does NOT establish a VPN tunnel to 3.3.3.3

    It suggests that the problems lies with this firewall multihomed do not direct traffic properly on back down and VPN tunnel of workbenches (point1) or to trigger a tunnel if there is (point 2).

    Reconfiguration of the VPN tunnel to 3.3.3.3 counterpart to be on the local firewall, all the springs in the life ISP_1! All ideas, there are enough license etc...

    Another way you need is the subnet of destination on VPN_ACL_B to be routed to ISP_2 as well.

    So you must send the address of peers (in your case 3.3.3.3) and the remote subnet (in your destination subnet case VPN_ACL_B) at 2.2.2.254

  • L2l VPN tunnel is reset during the generate a new IPSec key

    I have a tunnel VPN L2L that resets completely, start with Phase 1, at the expiration of the timer of the IPSec Security Association.  Although there are several SAs, it always resets all of the tunnel.

    I see the following in the log errors when this happens:

    03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713050-5-ASA: Group = ipRemoved, IP = ipRemoved, completed for the ipRemoved peer connection.  Reason: Peer terminate Proxy remote n/a, Proxy Local n/a

    03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713259-5-ASA: Group = ipRemoved, IP = ipRemoved, Session is be demolished. Reason: The user has requested

    03/06/2013 12:54:41 Local7.Warning ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % ASA-4-113019: Group = ipRemoved username = ipRemoved, IP = ipRemoved, disconnected Session. Session type: IKE, duration: 4 h: 00 m: 06 s, xmt bytes: 260129, RRs bytes: 223018, reason: the user has requested

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713041-5-ASA: IP = ipRemoved, IKE initiator: New Phase 1, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.24 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713119-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED

    Local7.Notice ipRemoved June 3, 2013 03/06/2013-12:55:33 12:55:33 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x9213bdc9, outbound SPI = 0x1799a099

    03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = b8a47603)

    03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713041-5-ASA: Group = ipRemoved, IP = ipRemoved, IKE initiator: New Phase 2, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.71 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

    Local7.Notice ipRemoved June 3, 2013 03/06/2013-13:02:11 13:02:11 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x93f9be6c, outbound SPI = 0x1799a16d

    03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = 1f6c9acd)

    Any thoughts on why she would do that?

    Thank you.

    Jason

    Hello

    Both the log messages seems to suggest that the remote end is closed/compensation connection.

    Is this a new connection that suffer from this problem or has it started on an existing connection?

    The Cisco documentation associated with the Syslog messages does really not all useful information about these log messages.

    I guess that your problem is that TCP by L2L VPN connections suffer from the complete renegotiations of the L2L VPN.

    I wonder if the following configuration can help even if this situation persists

    Sysopt preserve-vpn-flow of connection

    Here is a link to the order of the ASA reference (8, 4-8, 6 software) with a better explanation of this configuration.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395

    It is not enabled by default on the SAA.

    Hope this helps

    -Jouni

  • WCCP and ASA L2L VPN Tunnel

    How L2L WCCP vpn tunnel? If there is a Web page on the otherside of the tunnel that I need access on ports 80 and 443, it goes through the process of WCCP. How will I know the traffic through the tunnel for 80 and 443 to ignore the WCCP?

    Hello

    I have not had to deal with WCCP on the SAA configurations as it, but to my knowledge, this could be done in the ACL that is used in configuring WCCP on the SAA.

    I mean a single montage we have has an ACL that simply bypasses the WCCP for some destination addresses.

    The ACL was originally for example

    WCCP ip access list allow a whole

    Then we had to stop it for some destination network and we would add a Deny statement at the top of the ACL

    access-list 1 deny ip WCCP line any 10.10.10.0 255.255.255.0

    -Jouni

  • Use the client VPN tunnel to cross the LAN-to-LAN tunnel

    I have been troubleshooting an issue and cannot cross an obstacle. The ASA is running ASA running 1,0000 code 24. I am using a client VPN tunnel to connect to the ASA. The ASA has already a LAN-to-LAN tunnel, set up and operating and I need the VPN client to access the remote site over the LAN-to-LAN tunnel.

    The internal IP address of the local part is 192.168.0.0/24 and the IP address of the Remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are distributed 192.168.200.0/24 IPs. I have attached the relevant configuration for the SAA.

    When the VPN client on the network, I can access resources on the ASA network internal. On the internal network of the SAA, users can access resources through the LAN-to-LAN tunnel. Client VPN cannot access resources on the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.

    Thank you for your help.

    try adding...

    permit same-security-traffic intra-interface

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00806370f2.html#wp1042114

  • Question of access list for Cisco 1710 performing the 3DES VPN tunnel

    I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

    For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.

    My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

    Any input or assistance would be greatly appreciated.

    Map Test 11 ipsec-isakmp crypto

    ..

    match address 120

    Interface Ethernet0

    ..

    card crypto Test

    IP nat inside source overload map route sheep interface Ethernet0

    access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 allow ip 192.168.100.0 0.0.0.255 any

    sheep allowed 10 route map

    corresponds to the IP 130

    He would go through the interface e0 to the Internet in clear text without going above the tunnel

    Jean Marc

  • How to start the initialization of the l2l VPN?

    Hey there!

    I have two PIX501e and trying to implement a LAN2LAN. I have all the settings in place, but for some reason, this isn't negotioating the connection. Y at - it an enable command to negotiate? I enabled on both external interfaces of crypto

    You need to open the traffic from one end to another in order for the tunnel to be built. The traffic that you generate is defined in the field of encryption. So, if you are tunneling traffic RFC1918 IPs (IE. 192.168.x.x), don't forget to do a ping that IP and not the public (or vice versa).

    The field of encryption defines 'interesting traffic', or traffic that the firewall determines must be passed over the tunnel, and not by the bias of the Internet (or any other interface).

    James

  • ASA5505 with 2 VPN tunnels failing to implement the 2nd tunnel

    Hello

    I have an ASA5505 that currently connects a desktop remotely for voip and data.  I added a 2nd site VPN tunnel to a vendor site.  It's this 2nd VPN tunnel that I have problems with.  It seems that the PHASE 1 negotiates well.  However, I'm not a VPN expert!  So, any help would be greatly appreciated.  I have attached the running_config on my box, debug (ipsec & isakmp) information and information about the provider they gave me today.  They use an ASA5510.

    My existing VPN tunnel (which works) is marked 'outside_1_cryptomap '.  It has the following as interesting traffic:

    192.168.1.0/24-> 192.168.3.0/24

    192.168.2.0/24-> 192.168.3.0/24

    10.1.1.0/24-> 192.168.3.0/24

    -> 192.168.3.0/24 10.1.2.0/24

    10.1.10.0/24-> 192.168.3.0/24

    10.2.10.0/24-> 192.168.3.0/24

    The new VPN tunnel (does not work) is labeled "eInfomatics_1_cryptomap".  It has the following as interesting traffic:

    192.168.1.25/32-> 10.10.10.83/32

    192.168.1.25/32-> 10.10.10.47/32

    192.168.1.26/32-> 10.10.10.83/32

    192.168.1.26/32-> 10.10.10.47/32

    Here's the info to other VPN (copy & pasted from the config)

    permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.83

    permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.83

    permit access ip host 192.168.1.25 extended list eInfomatics_1_cryptomap 10.10.10.47

    permit access list extended ip 192.168.1.26 eInfomatics_1_cryptomap host 10.10.10.47

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    life crypto ipsec security association seconds 28800

    Crypto ipsec kilobytes of life - safety 4608000 association

    card crypto outside_map 1 match address outside_1_cryptomap

    peer set card crypto outside_map 1 24.180.14.50

    card crypto outside_map 1 set of transformation-ESP-3DES-SHA

    card crypto outside_map 2 match address eInfomatics_1_cryptomap

    peer set card crypto outside_map 2 66.193.183.170

    card crypto outside_map 2 game of transformation-ESP-3DES-SHA

    outside_map interface card crypto outside

    crypto isakmp identity address

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    tunnel-group 24.180.14.50 type ipsec-l2l

    IPSec-attributes tunnel-group 24.180.14.50

    pre-shared key *.

    tunnel-group 66.193.183.170 type ipsec-l2l

    IPSec-attributes tunnel-group 66.193.183.170

    pre-shared key *.

    Thanks in advance

    -Matt

    Hello

    The seller put a parameter group2 PFS (Perfect Forward Secrecy) of Phase 2, so that you don't have it.

    So you can probalby try adding the following

    card crypto outside_map 2 pfs group2 set

    I think he'll simply enter as

    card crypto outside_map 2 set pfs

    Given that the 'group 2' is the default

    -Jouni

  • How to limit the bandwidth in the VPN Tunnels in RV082?

    Hello

    It is possible to limit the bandwidth of the IPSEC VPN Tunnels or the traffic that goes through the tunnels?

    Use IP addresses or port numbers the same way and clients when limiting bandwidth to clients in the local network?

    Thank you very much

    Oliver

    There is a way to solve internal IP addresses, protocols or ports and specify the bandwidth

    I send you the links to access information on how to set it up.

    http://www6.nohold.NET/Cisco2/GetArticle.aspx?docid=3c09b393e3744ffd98330fd0031a4aa2_4228.XML&PID=80&converted=0

  • On Pix VPN tunnel to the same subnet

    I have a customer who want to set up a the PIX VPN tunnel located on each site. For some reason, each side has the same subnet number, for example. 10.10.10.x/32. I'm sure we must run NAT, but is it possible.

    This can help

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

  • Unable to pass traffic between ASA Site to Site VPN Tunnel

    Hello

    I have problems passing traffic between two ASA firewall. The VPN tunnel is up with a dynamic IP and static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the roads and in the access lists are needed.

    I've also attached the ASA5505 config and the ASA5510.

    This is the first time that I've set up a VPN connection any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Regarding your opinion of configuration Remote Site ASA that you have not added the internal networks of the Central Site VPN L2L configurations at all so the traffic does not pass through the VPN.

     access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.* access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at ACL configurations above. The 'exempt' ACL is used in configurations NAT0 and tells the ASA what traffic of exempting from NAT. "outside_1_cryptomap" ACL is used to tell the traffic between the subnets should be using the L2L VPN connection.

    So in short on the Remote Site ASA these ACLs should be identical. Make additions to the LIST of VPN L2L, then try again.

    I would also like to point out that to ensure that the Central ASAs L2L VPN ACL Site contains the same networks. The ACL on the Central Site will, of course, its internal subnets as the source and the site LAN remote destination.

    THW out of ' crypto ipsec to show his " shows you that only the SA between binding Site Central network and the Remote Site LAN was established. Others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. Can also be the Central Site.

    -Jouni

  • Site to Site VPN tunnel between two ASA

    I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.

    Thank you

    Carlos

    Hello

    First, I would like to say that I don't personally use ASDM for the configuration.

    But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.

    I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface

    If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.

    -Jouni

  • Question of access VPN Tunnel

    I was wondering if there is a way to allow only one side of a vpn tunnel to create connections?

    Example I have a vpn tunnel going to a site with servers that I manage. I want to be able to get on the servers (via rdp, ssh, etc.) and allow the return of traffic but I don't want the servers to be able to reach me (via rdp, ssh, etc.).

    Any ideas?

    I use a cisco ASA5540

    Hello

    You have alteast 2 possibilities

    • You can configure a filter ACL on the L2L VPN connection VPN

      • Long-term a solution a little messier. Mainly due to the ACL filter of VPN L2L having a slightly different configuration than the usual ACL interface format
    • You can turn off (if not already disabled) feature that allows to bypass your 'outer' interface ACL all traffic entering from a VPN connection. In this way, you can control incoming VPN L2L with ACL 'outside' interface traffic.
      • connections are allowed as any other Internet connection in the "outside" interface ACL if its fairly simple to manage.

    If this is something you are looking for I can tell you how to get to one of them.

    -Jouni

  • ISPS double and two redundant ASA 5520 VPN tunnels

    Hi all

    I have a requirement that looks like this:

    -with two ISPs (of course public IP of different subnets), I have two firewalls that we have to do 2 l2l VPN tunnels.

    Virtual private networks will be redundant to each other and in the case where one of the links is congested, traffic should pass through the other tunnel.

    Did someone do something like that?

    Thank you

    Vlad

    Hi Vlad,

    To have redundant connections, I suggest the following link:

    ASA/PIX 7.x: example of redundant Configuration or backup ISP links

    To find out when the link is congested? I don't think it could be possible at all on the SAA, with a UDP IP SLA jitter, but I think that it is supported only on IOS routers.

    Analysis of IP Service levels using the UDP IP SLA jitter operation

    Thank you.

    Portu.

    Please note all messages that will be useful.

  • Routing access to Internet through an IPSec VPN Tunnel

    Hello

    I installed a VPN IPSec tunnel for a friend's business. At his desk at home, I installed a Cisco SA520 and at it is remote from the site I have a Cisco RVS4000. The IPSec VPN tunnel works very well. The remote site, it can hit all of its workstations and peripheral. I configured the RVS4000 working in router mode as opposed to the bridge. In the Home Office subnet is 192.168.1.0/24 while the subnet to the remote site is 192.168.2.0/24. The SA520 is configured as Internet gateway for the headquarters to 192.168.1.1. The remote desktop has a gateway 192.168.2.1.

    I need to configure the remote site so that all Internet traffic will be routed via the Home Office. I have to make sure that whatever it is plugged into the Ethernet on the RVS4000 port will have its Internet traffic routed through the Internet connection on the SA520. Currently I can ping any device on the headquarters of the remote desktop, but I can't ping anything beyond the gateway (192.168.1.1) in the Home Office.

    Any help would be greatly appreciated.

    Thank you.

    Hi William, the rvs4000 does not support the tunnel or esp transfer wild-card.

Maybe you are looking for