PIX506e VPN inactivity time out issue

you can keep the tunnel pegged open with a bat file or script running a continous ping on any workstation/ server. Another option is to increase the Ike and sa lifetime to a very long amount ( not recomended as it weakens the security of your vpn )

Why the 515 won't properly initiate the tunnel is probably a configuration issue can you paste the 2 configurations ommitting customer information?

Sounds like the isakmp lifetime is expiring. See the below for more information:

That sounds to me as if the PIX 515 is configured to accept the connection from the PIX 506E via a "crypto dynamic-map". That would be the usual configuration if the PIX 506E does not have a static IP address. If the PIX 506E does have a static IP address and there is a specific crypto map policy for it, then sometimes the problem is that there is a dynamic-map policy with a higher priority (lower policy number) than the host-specific policy: the policy with the lower policy number will be used first.

could be that timeouts are different, so that when one end, thinks the tunnel is down, the other doesnt. try issue "show ipsec sa" on both ends, before and after the tunnel times out

could also be the nature of your VPN setup, and/or your no-nat setting.

Check the nat-0 statments check that isakmp settings are the same on both ends. check policy order (numbering)

HTH Martin Bilgrav

In theory that should not happen: the tunnel lifetime is taken to be the minimum of what you have and what the other side offers.

Hi Walter,

I know. But never the less I have seen this happend in reallife, several times. i.e. one side see the tunnel up the other as down, hence the tunne will not "reconnect"

regards Martin Bilgrav