Connection terminated for peer Reason: IPSec SA Idle Timeout

If your VPN is suffering from IPSec SA Idle Timeout there are two places where that can be remediated.

Snippet of IKEv1 debug error log:

Nov 21 15:31:05 [IKEv1]Group =, IP =, Connection terminated for peer Reason: IPSec SA Idle Timeout Remote Proxy, Local Proxy
Nov 21 15:34:01 [IKEv1 DECODE]Group =, IP =, ID_IPV4_ADDR_SUBNET ID received––
Nov 21 15:34:01 [IKEv1]Group =, IP =, Received remote IP Proxy Subnet data in ID Payload: Address, Mask, Protocol 0, Port 0

Nov 21 15:34:01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x7D4451E2) between and (user= has been deleted.

To verify the idle timeout currently applied, run the following command and check the IPsec attributes of the session for this particular traffic:

sh vpn-sessiondb detail l2l

Tunnel ID : 3.601
Local Addr :
Remote Addr :
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28679 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607918 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 9666764 Bytes Rx : 32546784
Pkts Tx : 107899 Pkts Rx : 77008

If you want to adjust the default idle timeout, update your group-policy attributes with vpn-idle-timeout as follows:

group-policy nameOfYourPolicy attributes
vpn-idle-timeout none

The value is for you to choose. If you don’t manage your own group-policy, the firewall will be using the default group policy, in which case you will need to modify that one instead:

group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
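To check whether the tunnel is still hitting the idle timer after the change, here is an added Python helper (not part of the original post) that parses the "show vpn-sessiondb detail l2l" output and the IKEv1 syslog lines shown above. The tunnel IDs, addresses and log lines are constructed samples in the ASA's layout, not values from a real device.

```python
import re

# Constructed sample of "show vpn-sessiondb detail l2l" output in the ASA's
# field layout; addresses are RFC 5737 documentation ranges, not a real site.
SAMPLE_SESSIONDB = """\
Tunnel ID    : 3.1
Local Addr   : 192.0.2.0/255.255.255.0/0/0
Remote Addr  : 198.51.100.0/255.255.255.0/0/0
Rekey Int (T): 28800 Seconds          Rekey Left(T): 28679 Seconds
Idle Time Out: 30 Minutes             Idle TO Left : 2 Minutes
Tunnel ID    : 3.2
Local Addr   : 192.0.2.0/255.255.255.0/0/0
Remote Addr  : 203.0.113.0/255.255.255.0/0/0
Rekey Int (T): 28800 Seconds          Rekey Left(T): 10000 Seconds
Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
"""

# Constructed syslog lines modelled on the IKEv1 messages quoted above.
SAMPLE_SYSLOG = [
    "Nov 21 15:31:05 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Connection terminated for peer 203.0.113.1.  Reason: IPSec SA Idle Timeout  Remote Proxy 203.0.113.0, Local Proxy 192.0.2.0",
    "Nov 21 15:34:01 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Received remote IP Proxy Subnet data in ID Payload: Address 203.0.113.0, Mask 255.255.255.0, Protocol 0, Port 0",
    "Nov 21 15:34:01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x7D4451E2) between 192.0.2.1 and 203.0.113.1 (user= 203.0.113.1) has been deleted.",
]

TUNNEL_RE = re.compile(r"Tunnel ID\s*:\s*(\S+)")
IDLE_RE = re.compile(r"Idle Time Out:\s*(\d+) Minutes\s+Idle TO Left\s*:\s*(\d+) Minutes")
TERM_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) .*Connection terminated for peer (\S+?)\.?\s+Reason: IPSec SA Idle Timeout")

def parse_idle_timeouts(text):
    """Map each Tunnel ID to (idle timeout, idle time left) in minutes."""
    result, current = {}, None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            current = m.group(1)      # start of a new tunnel block
            continue
        m = IDLE_RE.match(line)
        if m and current:
            result[current] = (int(m.group(1)), int(m.group(2)))
    return result

def tunnels_about_to_idle_out(text, warn_minutes=5):
    """Tunnel IDs whose idle timer will expire within warn_minutes."""
    return sorted(t for t, (_, left) in parse_idle_timeouts(text).items() if left <= warn_minutes)

def idle_timeout_terminations(lines):
    """(timestamp, peer) for each IKEv1 termination caused by the idle timeout."""
    return [m.groups() for m in map(TERM_RE.match, lines) if m]
```

Running it against a real capture shows which tunnels are about to idle out and which peers have already been torn down for that reason, so you can confirm the group-policy change took effect.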

Give it a try and see if the error log comes back. If you have any questions, please share them in the comments.

I hope this has been informative to you and thanks for stopping by.
