04-13-2009 11:48 AM - edited 03-11-2019 08:17 AM
Hello,
I wanted to know if there is a way to keep a tunnel active 24/7 on the ASA 5510. My ASA is connecting to PIX 501s, a SonicWall TZ170 and a 3Com X5 (not sure if that matters, though).
Thanks in advance
04-13-2009 02:51 PM
As long as traffic passes through the tunnel it will not be torn down. You can go ahead and set the lifetime to 86400 seconds, which causes the tunnel not to renew the key for 24 hours. But if there is no activity the tunnel will always go down, at least on Cisco devices. AFAIK the ASA has the feature to set the IKE lifetime to 0, which will not bring down the IKE tunnel, but IPsec is what has to rekey, and I am not sure how the other vendors will support that. The PIX won't support it.
04-13-2009 05:55 PM
As far as I know, if you set up keepalive on the tunnel group it should survive for hours/days, even after a rekey.
Just do the following:
tunnel-group
isakmp keepalive threshold 10
isakmp keepalive reset 2
04-14-2009 05:43 AM
Keepalives are a mechanism to detect whether the peer is active or not. This will not keep a tunnel up; it will actually do the opposite: bring down the tunnel when the remote peer does not respond to DPD (keepalive) packets.
12-08-2011 08:35 AM
This is a bit old, but I am going through this issue right now. I have a site-to-site VPN between two sites. One location has a SonicWall and the other has an ASA 5505. I have found that the tunnel stays up, but when I have a client session open to the remote side's AS400 system, after about 5 minutes of inactivity in the AS400 client access window the session is terminated. I do not mind this, but 5 minutes is a bit short. Is there a way to change this?
12-08-2011 09:37 AM
Steven is correct. Changing the ISAKMP keepalive will only change the interval of the DPD (Dead Peer Detection) checks. These do not count as "interesting" traffic and therefore do not reset idle timeouts or serve to rebuild a tunnel after it has been torn down.
You do have the option to remove the idle timeout on VPN connections. See the code below:
group-policy NO-TIMER internal
group-policy NO-TIMER attributes
vpn-idle-timeout none
You would then apply this group-policy to your site-site tunnel-group:
tunnel-group 11.22.33.44 general-attributes
default-group-policy NO-TIMER
However, do realize this will simply remove the idle timeout. It cannot do anything about tunnel rekeys. If your tunnel rekeys when no interesting traffic is occurring, the tunnel will not rebuild until interesting traffic is seen. There is no way around that.
I guess you could create a script on a server in your encryption domain to send a ping every few minutes to a host on the other side. But at least from the firewall, there is no way of forcing the tunnel to rebuild after a rekey.
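The suggestion above is to generate "interesting" traffic from inside the encryption domain so that the crypto ACL keeps matching and the tunnel rebuilds after a rekey. The script below is an added example of that idea; it is not from any poster in this thread or from Cisco. Instead of ICMP (which needs raw-socket privileges from a script) it opens a TCP connection to a service port on a host behind the far peer, on the assumption that this host/port pair falls inside the crypto ACL. Even a refused or timed-out connection still puts a SYN on the wire, which is enough to match the ACL. The remote host, port and interval are constructed placeholder values, not from the thread.

```python
#!/usr/bin/env python3
"""Generate periodic interesting traffic across a site-to-site VPN.

Run this on a host inside the local encryption domain. Every INTERVAL_SECONDS
it opens a TCP connection to REMOTE_HOST:REMOTE_PORT behind the far peer.
Assumption: that host/port is covered by the crypto ACL on both ends.
"""
import socket
import sys
import time

# Constructed placeholder values (not from the thread); adjust to your network.
REMOTE_HOST = "192.0.2.10"   # a host behind the remote peer (e.g. the AS400)
REMOTE_PORT = 23             # a service it listens on (e.g. telnet/5250)
INTERVAL_SECONDS = 120       # well under the ~5 minute idle timeout seen above
ALERT_AFTER_FAILURES = 3     # consecutive failures before warning that the tunnel may be down


def probe(host, port, timeout=3.0):
    """Open one TCP connection to host:port and report whether it succeeded.

    A refused or dropped connection still sends a SYN through the tunnel, so
    a False result here still counts as interesting traffic; it only means
    the service did not answer, which over several rounds suggests the
    tunnel itself is down.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def keepalive_loop(host, port, interval, probe_fn=probe, max_rounds=None,
                   alert_after=ALERT_AFTER_FAILURES):
    """Probe every `interval` seconds; return the list of probe results.

    `max_rounds` bounds the loop (None = run forever); `probe_fn` can be
    swapped for a fake in tests so no network is needed.
    """
    results = []
    consecutive_failures = 0
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        ok = probe_fn(host, port)
        results.append(ok)
        rounds += 1
        if ok:
            consecutive_failures = 0
        else:
            consecutive_failures += 1
            if consecutive_failures == alert_after:
                # Warn once per outage; repeated SYNs are still interesting traffic,
                # so keep probing to trigger the rebuild once the peer recovers.
                print(f"warning: {consecutive_failures} consecutive failures to "
                      f"{host}:{port}; tunnel may be down", file=sys.stderr)
        if max_rounds is not None and rounds >= max_rounds:
            break
        time.sleep(interval)
    return results


if __name__ == "__main__":
    keepalive_loop(REMOTE_HOST, REMOTE_PORT, INTERVAL_SECONDS)
```

Pick a port the remote host actually serves so a successful connect also doubles as a cheap reachability check; if you must use ICMP instead, call the system `ping` from the same loop. Remember this only keeps the crypto ACL matched from one side; the far end still has to accept the rekey.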