If your VPN is suffering from IPSec SA Idle Timeout there are two places where that can be remediated.
Snippet of IKEv1 debug error log:
Nov 21 15:31:05 [IKEv1]Group = 18.104.22.168, IP = 22.214.171.124, Connection terminated for peer 126.96.36.199. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.86.0, Local Proxy 192.168.60.0
Nov 21 15:34:01 [IKEv1 DECODE]Group = 188.8.131.52, IP = 184.108.40.206, ID_IPV4_ADDR_SUBNET ID received–192.168.60.0–255.255.255.0
Nov 21 15:34:01 [IKEv1]Group = 220.127.116.11, IP = 18.104.22.168, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.60.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 21 15:34:01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x7D4451E2) between 22.214.171.124 and 126.96.36.199 (user= 188.8.131.52) has been deleted.
To verify your default timeout perform the following command and check IPSec attribute for this particular traffic:
sh vpn-sessiondb detail l2l
Tunnel ID : 3.601
Local Addr : 192.168.60.0/255.255.255.255/0/0
Remote Addr : 192.168.86.0/255.255.255.255/0/0
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 28679 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607918 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 9666764 Bytes Rx : 32546784
Pkts Tx : 107899 Pkts Rx : 77008
Now if you want to adjust the default idle timeout please update your group-policy attributes with vpn-idle-timout as follow:
group-policy nameOfYourPolicy attributes
Value is for you to choose. If you don’t manage your own group-policy than firewall will be using default group policy in which case you will need to modify it:
group-policy DfltGrpPolicy attributes
Give it a try and see if the error log comes back again. If you have any questions please share it under the comments.
I hope this has been informative to you and thanks for stopping by.