Problem:
A colleague reported that the SSL VPN drops after two hours; it turned out to be a parameter configuration issue: a timeout had been set.

Changed to none:
vpn-idle-timeout none
vpn-session-timeout none
wr

Below is the official explanation:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution138

Verify Idle/Session Timeout
If the idle timeout is set to 30 minutes (default), it means that it drops the tunnel after 30 minutes in which no traffic passes through it.
The VPN client gets disconnected after 30 minutes regardless of the idle timeout parameter and encounters the PEER_DELETE-IKE_DELETE_UNSPECIFIED error.
Configure idle timeout and session timeout as none in order to make the tunnel always up, and so that the tunnel is never dropped even when third party devices are used.
ASA
Enter the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode in order to configure the user timeout period:
hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-idle-timeout none
Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:
hostname(config)#group-policy DfltGrpPolicy attributes
hostname(config-group-policy)#vpn-session-timeout none
When you have tunnel-all configured, you do not need to configure idle-timeout because, even if you configure VPN idle timeout, it does not work because all traffic goes through the tunnel (since tunnel-all is configured).
Therefore, the interesting traffic (or even the traffic generated by the PC) is interesting and does not let idle-timeout come into action.
Cisco IOS® Router
Use the crypto ipsec security-association idle-time command in global configuration mode or crypto map configuration mode in order to configure the IPsec SA idle timer.
By default IPsec SA idle timers are disabled.
crypto ipsec security-association idle-time seconds
The time, in seconds, that the idle timer allows an inactive peer to maintain an SA. Valid values for the seconds argument range from 60 to 86400.
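An added Python script (not from the post or Cisco's documentation) that parses an ASA running-config excerpt, resolves each group-policy's effective vpn-idle-timeout and vpn-session-timeout through DfltGrpPolicy inheritance, and lists the policies whose sessions will never time out after a change like the one above. The config excerpt and policy names are constructed; the 30-minute idle default comes from the quoted text, and the built-in session-timeout default of none is an assumption.

```python
import re

# Constructed ASA running-config excerpt (not from the original post); the two
# "none" lines under DfltGrpPolicy mirror the change described in the post.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-session-timeout none
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-idle-timeout 15
group-policy STAFF internal
group-policy STAFF attributes
 vpn-tunnel-protocol ssl-client
"""

# Built-in defaults used when neither the policy nor DfltGrpPolicy sets the
# attribute: idle 30 minutes (per the quoted Cisco text); session none
# (assumption: the ASA ships with no maximum session time).
BUILTIN = {"vpn-idle-timeout": "30", "vpn-session-timeout": "none"}
ATTRS = tuple(BUILTIN)

def parse_group_policies(config_text):
    """Map each group-policy name to the timeout attributes it sets explicitly."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line.strip())
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):
            current = None  # left the attributes block
        elif current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] in ATTRS:
                current[parts[0]] = parts[1]
    return policies

def effective_timeouts(policies):
    """Resolve each policy: explicit value, else DfltGrpPolicy, else built-in."""
    dflt = policies.get("DfltGrpPolicy", {})
    return {name: {a: attrs.get(a, dflt.get(a, BUILTIN[a])) for a in ATTRS}
            for name, attrs in policies.items()}

def unlimited_policies(policies):
    """Policies whose sessions never expire (both timeouts resolve to none)."""
    return sorted(n for n, t in effective_timeouts(policies).items()
                  if all(v == "none" for v in t.values()))

if __name__ == "__main__":
    parsed = parse_group_policies(SAMPLE_CONFIG)
    for name, t in effective_timeouts(parsed).items():
        print(f"{name}: idle={t['vpn-idle-timeout']} session={t['vpn-session-timeout']}")
    print("never expire:", unlimited_policies(parsed))
```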