VPN idle timeout on Cisco devices

October 11, 2022 | 2 minute read
Aditya Kulkarni
Cloud Solution Technologist, Networking

Introduction:

Oracle has many customers who use a Site-to-Site VPN to connect from on-premises to OCI. A significant number of them use various versions of Cisco ASA as Customer Premises Equipment (CPE). This blog focuses on identifying an issue with some older Cisco ASA versions when longer sessions are run over a VPN connection.

Problem Statement:

Recently, a customer using a Cisco ASA as CPE was transferring data to OCI over the VPN connection with SCP. Because of the large volume of data, the estimated transfer time was roughly 60 to 90 minutes. However, after approximately 30 minutes SCP failed with the error “broken pipe”. The VPN connection is expected to reset only when there has been no traffic for 30 minutes; here traffic was being sent continuously, yet, for a reason not yet understood, the SSH connection was still the only one affected.

We implemented the following measures to see whether they would fix the issue:

1. Changed the SSH keepalive settings (ClientAliveInterval on the server side and ServerAliveInterval on the client side), which can help keep a connection open for longer periods

2. Changed the TCP keepalive parameters at the OS level (/etc/sysctl.conf)

However, the above changes did not yield the expected results.

The Solution:

We asked the customer to check the VPN configuration on their Cisco ASA. After reviewing the parameters carefully, we found the following:

The default value of ‘vpn-idle-timeout’ is 30 minutes. If the device sees no activity for more than 30 minutes, it drops the connection and resets the timer. So, for longer sessions over the VPN to work, customers need to set ‘vpn-idle-timeout’ and ‘vpn-session-timeout’ to ‘none’ by entering the following commands:

vpn-session-timeout none

vpn-idle-timeout none

This ensures that the tunnel always remains up and is never dropped.
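As an added example (not code from this post, from Oracle or from Cisco), the following Python script audits the output of `show running-config group-policy` on an ASA and reports which group-policies would still drop a long-lived session. The sample config text, the policy names and the helper functions are constructed for illustration; the only values taken from the post are the two attribute names and the 30-minute default for ‘vpn-idle-timeout’. A policy that does not set ‘vpn-idle-timeout’ at all inherits that default, which is the case the checker is designed to catch.

```python
"""Audit Cisco ASA group-policy VPN timeouts from a running-config excerpt.

Added example, not Oracle's or Cisco's code. It parses the text that
`show running-config group-policy` prints on an ASA and reports, for each
group-policy, the effective vpn-idle-timeout and vpn-session-timeout. A
policy that does not set vpn-idle-timeout inherits the ASA default, which
the post identifies as 30 minutes, so a multi-hour SCP transfer over that
tunnel can be cut off.
"""
import re

# ASA default for vpn-idle-timeout, in minutes, as stated in the post above.
DEFAULT_IDLE_MINUTES = 30

# Constructed sample output (not captured from a real device): one policy at
# the defaults, one fixed as the post recommends, one with explicit but short
# timeouts, and one that sets neither attribute.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ikev2
group-policy OCI_S2S_FIXED attributes
 vpn-tunnel-protocol ikev1 ikev2
 vpn-session-timeout none
 vpn-idle-timeout none
group-policy OCI_S2S_SHORT attributes
 vpn-idle-timeout 45
 vpn-session-timeout 120
group-policy OCI_S2S_UNSET attributes
 vpn-tunnel-protocol ikev2
"""

POLICY_RE = re.compile(r"^group-policy (\S+) attributes$")
TIMEOUT_RE = re.compile(r"^\s+(vpn-idle-timeout|vpn-session-timeout)\s+(none|\d+)$")


def parse_group_policies(config_text):
    """Map each group-policy name to its raw vpn-idle-timeout / vpn-session-timeout
    values: 'none', a minute count as a string, or None when the line is absent."""
    policies = {}
    current = None
    for line in config_text.splitlines():
        line = line.rstrip()
        header = POLICY_RE.match(line)
        if header:
            current = header.group(1)
            policies[current] = {"vpn-idle-timeout": None, "vpn-session-timeout": None}
            continue
        if current is None:
            continue  # lines before the first 'attributes' block
        attr = TIMEOUT_RE.match(line)
        if attr:
            policies[current][attr.group(1)] = attr.group(2)
    return policies


def effective_idle_minutes(raw_value):
    """Turn a raw vpn-idle-timeout setting into minutes; None means 'never times out'."""
    if raw_value is None:
        return DEFAULT_IDLE_MINUTES  # attribute not set: the default applies
    if raw_value == "none":
        return None
    return int(raw_value)


def policies_needing_fix(config_text):
    """Names of group-policies that do not have both timeouts explicitly set to
    'none', which is what the post asks for on the policy serving the tunnel."""
    flagged = []
    for name, attrs in parse_group_policies(config_text).items():
        idle_ok = effective_idle_minutes(attrs["vpn-idle-timeout"]) is None
        session_ok = attrs["vpn-session-timeout"] == "none"
        if not (idle_ok and session_ok):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, attrs in parse_group_policies(SAMPLE_CONFIG).items():
        idle = effective_idle_minutes(attrs["vpn-idle-timeout"])
        idle_str = "never" if idle is None else f"{idle} min"
        session_str = attrs["vpn-session-timeout"] or "not set"
        print(f"{name}: idle={idle_str} session={session_str}")
    print("needs fix:", policies_needing_fix(SAMPLE_CONFIG))
```

Run it against a saved copy of the running config to find policies that still carry the default. One practical caveat: the idle timeout is also the control that clears abandoned sessions, and every group-policy inherits unset attributes from DfltGrpPolicy, so set ‘none’ on a dedicated group-policy attached to the tunnel-group for the OCI peer rather than on DfltGrpPolicy, where it would apply to every tunnel and remote-access session on the device.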

Step-by-step instructions are documented in this official Cisco documentation:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution13

Conclusion:

In this blog, we identified why long sessions over VPN do not work with some older Cisco ASA firewall versions with the default configuration and how to fix it.
