如何维持ASA VPN持续连接？

badboycx

总部是固定IP，分部有ADSL也有固定IP，各分部与总部建立IPsec  L2L VPN，每次分部触发建立VPN以后，由于没有数据传输，过一会VPN隧道就down掉了，修改了isakmp 的lifetime和ipsec的lifetime，改成10天，但实际还是过一段时间就down掉了，是不是不管lifetime是多少，只要空闲就会自动down掉？如何能不让它自动down掉？

qq360870025

你show crypto ipsec sa的时候 上面显示为多少

qq360870025

路由器只支持86400 s ，如果你分部建立的是路由器的话，那么两边保持一致的好,不然以最小的为准了，最好把kilobytes也调大点

badboycx

qq360870025 发表于 2012-6-29 22:59
你show crypto ipsec sa的时候 上面显示为多少

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 864000
crypto ipsec security-association lifetime kilobytes 46080000
crypto dynamic-map dymap 1 set transform-set ESP-DES-MD5
crypto dynamic-map dymap 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dymap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 864000

这个是配置，show crypto ipsec sa detail 看到的剩余时间还有很多，但还是很快就down了，1个小时左右就down了，建立以后没有数据流量一直走vpn的。

badboycx

是ASA设备

badboycx

ASA-shTL# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 58.247.76.XXX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5      
    Auth    : preshared       Lifetime: 864000
    Lifetime Remaining: 863953
ASA-shTL#

badboycx

ASA-shTL# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 58.247.76.XXX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5      
    Auth    : preshared       Lifetime: 864000
    Lifetime Remaining: 863953
ASA-shTL#

两边lifetime都改为一致了。

qq360870025

badboycx 发表于 2012-6-29 23:28
ASA-shTL# show crypto isakmp sa detail

   Active SA: 1

我想因该是这么导致的，L2L的默认tunnel-group是DefaultL2Lgroup ，而这个组的默认策略是DfltGrpPolicy
里面有个vpn-idle-timeout默认为30分钟，超时就自动断开了  你可以修改下这个看看 把vpn-idle-timeout 修改为none 不超时

qq360870025

这个是默认策略，你crypto isakmp key  address 都换自动转换成tunnel-group address l2l，这个tunnel-group默认就继承这个策略
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
client-firewall none
client-access-rule none

qq360870025

badboycx 发表于 2012-6-29 23:28
ASA-shTL# show crypto isakmp sa detail

   Active SA: 1

帮你测试过了，这个可行  ，第一次我没修改默认策略  半小时就自动断开了  现在一直持续没断开

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
client-firewall none
client-access-rule none

badboycx

十分感谢你的积极回答，昨天夜里到cisco的官网上查询了一下，后来找到了，和你说的是一样的，默认策略有一个vpn-idle-timeout 是1800秒，在
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# vpn-idle-timeout {1-35791394|none} 设置none就可以了，  能否解释一下这个策略是一个什么样的策略，ASA里有多少种这样的策略，我对默认一些策略还是没有概念，如果有时间能否解释一下，谢谢。
http://www.cisco.com/en/US/produ ... =bodynav#solution13
中间的一段：
Verify Idle/Session Timeout
If the idle timeout is set to 30 minutes (default), it means that it drops the tunnel after 30 minutes of no traffic passes through it. The VPN client gets disconnected after 30 minutes regardless of the setting of idle timeout and encounters the PEER_DELETE-IKE_DELETE_UNSPECIFIED error.

Configure idle timeout and session timeout as none in order to make the tunnel always up, and so that the tunnel is never dropped even when using third party devices.

PIX/ASA 7.x and later

Enter the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none
Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-session-timeout none
Note: When you have tunnel-all configured, you do not need to configure idle-timeout because, even if you configure VPN-idle timeout, it will not work because all traffic is going through the tunnel (since tunnel-all is configured). Therefore, the interesting traffic (or even the traffic generated by the PC) will be interesting and will not let Idle-timeout come into action.

Cisco IOS Router

Use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode in order to configure the IPsec SA idle timer. By default IPsec SA idle timers are disabled.

crypto ipsec security-association idle-time
seconds
Time is in seconds, which the idle timer allows an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.

badboycx

qq360870025 发表于 2012-6-30 19:50
帮你测试过了，这个可行  ，第一次我没修改默认策略  半小时就自动断开了  现在一直持续没断开

group- ...

谢谢，你说的很对，后来我到cisco官网上也查到了原因，和你说的一样，十分感谢你的热心回答。
http://www.cisco.com/en/US/produ ... =bodynav#solution13

qq360870025

badboycx 发表于 2012-7-1 00:27
谢谢，你说的很对，后来我到cisco官网上也查到了原因，和你说的一样，十分感谢你的热心回答。
http://ww ...

这个是ASA 7.0后引入的概念叫做隧道组 默认有 DefaultL2Lgroup   与 DefaultRAGroup 它们的默认策略都是DfltGrpPolicy 。 它的出现能更好的基于不同的用户做不同的策略。
比如用户A能够分配固定的IP，能够访问不同的资源，而用户B只能在什么时候访问，和规定的资源。这些策略都能关联到用户上。  默认不设置的话 都继承了默认策略，主要是为EZVPN 和SSL VPN提供强大的策略  在L2L VPN中体现不是很好

在路上

陈明乾