Cisco IOS EZVPN Timeout Issue

mrjoshuap Member Posts: 8
Hello All,

I have an issue I'm hoping someone can assist me with or provide valuable feedback on.
I just got my home router, a 2821, configured as an EZVPN server. As of right now I have everything configured to where I can connect and access all my devices on my local LAN. However, the ISAKMP SA only allows me to be connected for 60 mins at a time. I tried adjusting the ISAKMP policy lifetime, but it turns out that the default max life seems to be only 86400 seconds. Is there a way I can disable the lifetime of the ISAKMP policy so it's always up as long as I have traffic flowing?
Please see below for the exact router config:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 hash sha
 group 2
crypto isakmp key Pr0Duct1on address
crypto isakmp client configuration address-pool local EZVPN_POOL
ip local pool EZVPN_POOL
crypto isakmp client configuration group EZVPN
 key Pr0Duct
 max-users 10
 max-logins 10
crypto isakmp profile EZVPN_PROFILE
 match identity group EZVPN
 client authentication list EZVPN_RADIUS
 isakmp authorization list GROUP
 client configuration address respond
 client configuration group EZVPN
 virtual-template 1
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
 ip nat inside

HQ_BK_E55th_RT1#sh crypto isakmp sa de

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1024 ACTIVE aes sha 2 00:47:32 CXN
Engine-id:Conn-id = SW:24


  • networker050184 Mod Posts: 11,962
    The default ISAKMP lifetime is 86,400 seconds which is 24hrs so that probably has nothing to do with your getting kicked off in one hour. I think the IPSEC lifetime defaults to around half that so probably not your problem either. There is also a traffic timeout which I don't remember off the top of my head so maybe you can look into that.
    An expert is a man who has made all the mistakes which can be made.
  • mrjoshuap Member Posts: 8
    Thanks for the insight, it helped point me in the right direction, to the IPsec profile. I would need to apply set security-association lifetime seconds to specify the lifetime of the tunnel. However, Mac devices such as laptops, iPads, iPhones and Mac desktops all default to a lifetime of 1 hour (3600 seconds). I spent all day yesterday trying to figure out why I was only able to keep the tunnel up for 1 hour.

    Below I have the article I used to help me figure out what the problem was. I hope some Apple users find this very useful.

    Link --->

  • networker050184 Mod Posts: 11,962
    Glad you got it sorted and thanks for posting your solution!
    An expert is a man who has made all the mistakes which can be made.
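
The lifetime behaviour mrjoshuap describes in his second post, as an added example that is not part of the original thread: a Python check that reads IOS-style config text, pulls the ISAKMP policy and IPsec profile lifetimes, and compares them with a client's proposed lifetime. It assumes `show running-config` style indentation for sub-commands and that the peers settle on the shorter proposed lifetime; the sample config, the 28800 value and the function names are constructed for illustration.

```python
import re

ISAKMP_DEFAULT = 86400  # seconds; the ISAKMP default quoted in the thread

SECTION = re.compile(r"crypto (isakmp policy|ipsec profile) (\S+)$")
LIFETIME = {
    "isakmp": re.compile(r"lifetime (\d+)$"),
    "ipsec": re.compile(r"set security-association lifetime seconds (\d+)$"),
}

# Constructed sample modelled on the thread's config, with lifetimes set.
SAMPLE = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 lifetime 86400
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set security-association lifetime seconds 28800
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile EZVPN_PROFILE
"""

def configured_lifetimes(config):
    """Map (kind, name) -> seconds; None means no explicit value was found."""
    found, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # unindented line: a new top-level command
            m = SECTION.match(line)
            current = (m.group(1).split()[0], m.group(2)) if m else None
            if current:
                found[current] = ISAKMP_DEFAULT if current[0] == "isakmp" else None
        elif current:
            m = LIFETIME[current[0]].match(line)
            if m:
                found[current] = int(m.group(1))
    return found

def effective_lifetime(router_seconds, client_seconds):
    """Assumption: negotiation settles on the shorter of the two proposals."""
    values = [v for v in (router_seconds, client_seconds) if v is not None]
    return min(values) if values else None

def audit(config, client_seconds):
    """Effective lifetime per section for a client proposing client_seconds."""
    found = configured_lifetimes(config)
    return {k: effective_lifetime(v, client_seconds) for k, v in found.items()}
```

Calling `audit(SAMPLE, 3600)` models the Apple client default mentioned in the thread: both sections come back as 3600, so raising the router-side values alone does not extend the session.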