Original poster | Posted on 2012-7-1 00:23:35
Many thanks for your helpful reply. Last night I looked it up on Cisco's website and eventually found it; it is exactly as you said: the default policy has a vpn-idle-timeout of 1800 seconds, set in
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# vpn-idle-timeout {1-35791394|none}
Setting it to none does the trick. Could you explain what kind of policy this is, and how many policies of this kind the ASA has? I still have no real concept of these default policies. If you have time, could you explain? Thanks.
http://www.cisco.com/en/US/produ ... =bodynav#solution13
The relevant passage in the middle of that page:
Verify Idle/Session Timeout
If the idle timeout is set to 30 minutes (default), it means that it drops the tunnel after 30 minutes in which no traffic passes through it. The VPN client gets disconnected after 30 minutes regardless of the setting of idle timeout and encounters the PEER_DELETE-IKE_DELETE_UNSPECIFIED error.
Configure idle timeout and session timeout as none in order to make the tunnel always up, and so that the tunnel is never dropped even when using third party devices.
PIX/ASA 7.x and later
Enter the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:
hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none
Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:
hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-session-timeout none
Note: When tunnel-all is configured, you do not need to configure the idle timeout; even if you configure vpn-idle-timeout, it will not take effect, because all traffic (including traffic generated by the PC itself) goes through the tunnel and counts as interesting traffic, so the idle timer never comes into action.
Cisco IOS Router
Use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode in order to configure the IPsec SA idle timer. By default IPsec SA idle timers are disabled.
crypto ipsec security-association idle-time seconds
Time, in seconds, that the idle timer allows an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.
11#
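The group-policy inheritance the post asks about is easiest to see by resolving it mechanically. On the ASA, a group policy is a set of user-oriented attributes (timeouts, tunnel protocols, split-tunnel lists and so on); DfltGrpPolicy is the built-in one that every other group policy inherits unset attributes from, and a tunnel-group picks which policy applies via default-group-policy (falling back to DfltGrpPolicy when none is set). vpn-idle-timeout is in minutes, default 30; vpn-session-timeout defaults to none. The following script is an added example, not code from the poster or from Cisco: it parses a constructed running-config fragment (not from a real device), computes the timeouts each tunnel-group actually gets after inheritance, and lists tunnel-groups whose sessions will never be torn down by either timer. Putting `none` on DfltGrpPolicy, as the post does, removes expiry from every remote-access session that inherits it, which is why the example scopes `none` to a dedicated LAN-to-LAN policy instead.

```python
import re

# ASA system defaults that apply when neither the policy nor DfltGrpPolicy
# sets the attribute. vpn-idle-timeout is in minutes; "none" disables a timer.
SYSTEM_DEFAULTS = {"vpn-idle-timeout": 30, "vpn-session-timeout": "none"}
TIMEOUT_ATTRS = tuple(SYSTEM_DEFAULTS)

# Constructed ASA running-config fragment for the example (not from a real device).
SAMPLE_CONFIG = """\
! constructed example config
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
group-policy L2L_NOTIMEOUT internal
group-policy L2L_NOTIMEOUT attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
group-policy RA_USERS internal
group-policy RA_USERS attributes
 vpn-session-timeout 720
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_NOTIMEOUT
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group RA_PROFILE type remote-access
tunnel-group RA_PROFILE general-attributes
 default-group-policy RA_USERS
tunnel-group LEGACY type remote-access
"""


def parse_asa_config(text):
    """Return (policies, tunnel_groups) from an ASA config fragment.

    policies:      name -> {attr: value} for the timeout attributes only
    tunnel_groups: name -> default-group-policy name, or None if not set
    """
    policies, tunnel_groups = {}, {}
    context = None  # ("policy", name) or ("tunnel", name) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            context = None  # any top-level command leaves the previous sub-mode
            m = re.match(r"group-policy (\S+) attributes$", line)
            if m:
                context = ("policy", m.group(1))
                policies.setdefault(m.group(1), {})
                continue
            m = re.match(r"group-policy (\S+) (internal|external)", line)
            if m:
                policies.setdefault(m.group(1), {})
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            if m:
                context = ("tunnel", m.group(1))
                tunnel_groups.setdefault(m.group(1), None)
                continue
            m = re.match(r"tunnel-group (\S+) type ", line)
            if m:
                tunnel_groups.setdefault(m.group(1), None)
            continue
        parts = line.split()
        if context and context[0] == "policy" and parts[0] in TIMEOUT_ATTRS:
            policies[context[1]][parts[0]] = "none" if parts[1] == "none" else int(parts[1])
        elif context and context[0] == "tunnel" and parts[0] == "default-group-policy":
            tunnel_groups[context[1]] = parts[1]
    return policies, tunnel_groups


def effective_timeouts(policies, tunnel_groups):
    """Resolve the timeouts each tunnel-group really gets: its own policy first,
    then DfltGrpPolicy, then the system default."""
    dflt = policies.get("DfltGrpPolicy", {})
    result = {}
    for tg, pol_name in tunnel_groups.items():
        pol_name = pol_name or "DfltGrpPolicy"
        pol = policies.get(pol_name, {})
        eff = {"policy": pol_name}
        for attr in TIMEOUT_ATTRS:
            eff[attr] = pol.get(attr, dflt.get(attr, SYSTEM_DEFAULTS[attr]))
        result[tg] = eff
    return result


def never_expiring(effective):
    """Tunnel-groups that neither the idle nor the session timer will ever drop."""
    return sorted(tg for tg, e in effective.items()
                  if e["vpn-idle-timeout"] == "none" and e["vpn-session-timeout"] == "none")


if __name__ == "__main__":
    eff = effective_timeouts(*parse_asa_config(SAMPLE_CONFIG))
    for tg, e in eff.items():
        print(f"{tg:15} policy={e['policy']:15} idle={e['vpn-idle-timeout']} session={e['vpn-session-timeout']}")
    print("never expiring:", never_expiring(eff))
```

Run it against the output of `show running-config` instead of SAMPLE_CONFIG to audit a real box; a remote-access tunnel-group showing up in the never-expiring list usually means `none` leaked in through DfltGrpPolicy rather than being set on purpose.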