Contributor
April 4, 2008
Question

IPSEC VPN timeout issues

Specs:
  • 2 FG 500As in Active-Passive HA mode connected into our AD with FSAE.
  • 93 FG 60ADSL and 3 FG 60B units out in the field.
  • 96 IPSEC tunnels running between the 500As and the individual FG 60s.

Issue: I can see the FSAE_Auth in the 500 logs and the FA logs. I can connect and stay in each location from HQ for about 10-15 minutes at a time before I drop. So far I've attempted to fix this by increasing session-ttl from 3600 seconds to 18000. I have even configured the specific port we use to hit the remote locations with a timeout of 27000. I've bumped the phase 2 keep alive from the standard 1800 seconds to 43200 seconds. I've almost finished upgrading the firmware from build 564 to build 660. What am I missing? Our helpdesk is having a difficult time supporting our stores because they can't stay in them long enough to troubleshoot. Is there a timeout setting in FSAE I need to look at?

      rwpatterson
      New Member
      April 4, 2008
      First off, welcome to the forums. As far as your answer try this. From the CLI, under the phase 2 config for any tunnel you wish to remain connected, add the command:
        config vpn ipsec phase2
            edit "<tunnel_name>"
                set auto-negotiate enable
            next
        end
      As opposed to the keep alive check box, this will bring a tunnel up and keep it there even after the phase 2 lifetime or data limit has expired. Hope this helps.
      Contributor
      April 4, 2008
      Thanks, Bob, for both the nice welcome and the reply. I tested the solution on one tunnel and was piped into that location. At the same time I was piped into another location through a different unmodified tunnel. Both sessions dropped at exactly the same time.
      rwpatterson
      New Member
      April 5, 2008
      Are you sure that your Internet connection is OK? Perhaps some dropped packets. From the CLI, try the following command:
        gateway # diagnose hardware deviceinfo nic <interface_name>
      You can see from the output if you have any direct connection issues. Good luck
      Contributor
      April 10, 2008
      Turned out to be a memory issue. I turned off some of the logging and AV I was doing out in the field and things are fine. Bob - thanks for the suggestions.
      -Scott
      FG500A x2(HA) - 3.00 MR6
      FM3000 - 3.00 MR6
      FA2000A - 3.00 MR5
      FG60ADSL x95 - 3.00 MR6
      FG60B x6 - 3.00 MR6