Connection terminated for peer 1.1.1.1. Reason: IPSec SA Idle Timeout

If your VPN tunnel is being torn down with the reason "IPSec SA Idle Timeout", there are two places where the timeout can be adjusted: the group-policy applied to the tunnel or, if you have not defined one, the default group policy.

Snippet of the IKEv1 debug and syslog output:

Nov 21 15:31:05 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Connection terminated for peer 1.1.1.1. Reason: IPSec SA Idle Timeout Remote Proxy 192.168.86.0, Local Proxy 192.168.60.0
Nov 21 15:34:01 [IKEv1 DECODE]Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR_SUBNET ID received--192.168.60.0--255.255.255.0
Nov 21 15:34:01 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.60.0, Mask 255.255.255.0, Protocol 0, Port 0

Nov 21 15:34:01: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x7D4451E2) between 1.1.1.1 and 2.2.2.2 (user= 2.2.2.2) has been deleted.

To verify the timeout currently applied, run the following command and check the IPsec attributes for the tunnel in question. The default is 30 minutes, which is what the output below shows:

sh vpn-sessiondb detail l2l

IPsec:
Tunnel ID : 3.601
Local Addr : 192.168.60.0/255.255.255.255/0/0
Remote Addr : 192.168.86.0/255.255.255.255/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28679 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607918 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 9666764 Bytes Rx : 32546784
Pkts Tx : 107899 Pkts Rx : 77008

To change the idle timeout, update the attributes of your group-policy with vpn-idle-timeout as follows:

group-policy nameOfYourPolicy attributes
vpn-idle-timeout none

The value is for you to choose: none disables the idle timeout, or you can give a number of minutes. Note that with none the tunnel stays up regardless of traffic and is only renegotiated at the rekey lifetimes shown above. If you have not assigned your own group-policy to the tunnel-group, the firewall uses the default group policy, in which case modify that one instead:

group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
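The post only shows the vpn-idle-timeout line itself. The following is an added example, not configuration from the original post: a complete per-peer change that creates a dedicated group-policy, disables the idle timeout on it, and binds it to the L2L tunnel-group, so DfltGrpPolicy (and every other tunnel that inherits from it) is left alone. The policy name L2L-PEER-1.1.1.1 is an assumed name; the peer address 1.1.1.1 and the 30-minute default come from the logs and session output above.

```cisco
! Added example, not from the original post. The policy name is an assumption.
!
! Before: no dedicated policy, so the tunnel inherits DfltGrpPolicy, whose
! vpn-idle-timeout defaults to 30 minutes (matches "Idle Time Out: 30 Minutes").
!
! After: a dedicated policy for this peer only.
group-policy L2L-PEER-1.1.1.1 internal
group-policy L2L-PEER-1.1.1.1 attributes
 vpn-idle-timeout none
!
! Bind the policy to the L2L tunnel-group. For an IPsec L2L tunnel-group the
! tunnel-group name is the peer address.
tunnel-group 1.1.1.1 general-attributes
 default-group-policy L2L-PEER-1.1.1.1
!
! Alternative if you would rather keep a timeout but make it longer,
! e.g. 8 hours instead of disabling it:
! group-policy L2L-PEER-1.1.1.1 attributes
!  vpn-idle-timeout 480
!
! Verify which policy and timeout the tunnel is now using:
! show running-config tunnel-group 1.1.1.1
! show vpn-sessiondb detail l2l filter ipaddress 1.1.1.1
```

Group-policy attributes are read when the session is established, so expect the new idle timeout to show up in show vpn-sessiondb only after the tunnel is next (re)built; clearing the SA with clear crypto ipsec sa peer 1.1.1.1 forces that, but it drops the tunnel until the next interesting packet brings it back up.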

Give it a try and see whether the error log comes back. If you have any questions, please share them in the comments.

I hope this has been informative to you and thanks for stopping by.

Bart
