site to site vpn does not stay up

pietersaenen
Level 1

Hello,

 

I have several site-to-site VPNs which are active, but some subnets are not reachable until a ping is sent from the other site. After that, communication works for some time. The next day, when I want to check communication from site B to site A, pings are working for most of the subnets, but some are not. To establish communication I need to send a ping from site A to site B in order to get communication working.

Site A is always a Cisco Firepower 2110 Threat Defense and site B can be a Cisco router or an ASA device

 

Any help?

 

Thanks in advance

 

Pieter

6 Replies

Hello,

 

hard to say without seeing the configs. Do you have keepalives configured ?

Hello Georg,

 

This is the config from one of the routers where I have this issue

 

crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key XXXXXXXXX! address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set VTI esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile VTI
set security-association lifetime seconds 86400
set transform-set VTI
set pfs group5
!
!
!
!
!
!
!
interface Tunnel0
ip address 172.16.144.5 255.255.255.252
ip mtu 1435
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
load-interval 30
keepalive 15 5
tunnel source 192.168.100.2
tunnel mode ipsec ipv4
tunnel destination 5.2.36.2
tunnel protection ipsec profile VTI

Hello,

 

you could change some settings to make sure the VPN never goes down. On the ASA, you would configure this under the group policy:

 

vpn-idle-timeout none

 

On the routers, you could configure a simple EEM script that pings the other side every 60 seconds:

 

event manager applet VPN_ALWAYS_UP
event timer watchdog time 60

action 1.0 cli command "enable"
action 2.0 cli command "ping x.x.x.x"
output none

Hello Georg,

 

For the vpn-idle-timeout none setting on the ASA, do I need to make changes on the other side as well?

 

I will give the EEM script a go today and keep you posted tomorrow.

 

Thanks

 

Pieter

Hello,

 

configure the idle timeout on all ASAs (if both ends are ASAs). 

 

Curious to know the results...

I am interested in this part of the partial config that was posted

crypto isakmp key XXXXXXXXX! address 0.0.0.0

This suggests that the peer for the ipsec tunnel has a dynamic address. If this is the case then it is expected behavior that the negotiation of the ipsec sa must be initiated from the peer with the dynamic address (which makes sense because the peer with the fixed IP can not be sure which IP the dynamic peer will be using). This is consistent with the symptoms described that the vpn only works after a ping from the other end.

 

But then the rest of the configuration posted seems to be a static VTI encrypted tunnel where the peer address is known. Can we get some clarification about the peer and whether the addressing is static or dynamic?

HTH

Rick
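The points raised in this thread (Georg asking whether keepalives are configured, Rick noticing the wildcard pre-shared key bound to 0.0.0.0 next to a fixed tunnel destination) can be checked mechanically against the posted fragment. The script below is an added example, not code from the thread or from Cisco: it parses the router config exactly as pasted above (key still redacted, indentation stripped as the forum stripped it) and reports the wildcard-key/static-peer mismatch, whether IKE dead peer detection is present, and the 1536-bit DH group 5 used for both IKE and PFS, which is below the 2048-bit group 14 that is the usual minimum today. The config text, the finding codes and the MODP size table are assumptions of this example; the hostnames and addresses are the ones in the post.

```python
"""Lint a Cisco IOS site-to-site VPN fragment for the issues discussed in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the router config posted in the thread, key redacted as posted.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key XXXXXXXXX! address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 5
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set VTI esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set security-association lifetime seconds 86400
set transform-set VTI
set pfs group5
!
interface Tunnel0
ip address 172.16.144.5 255.255.255.252
ip mtu 1435
ip tcp adjust-mss 1360
keepalive 15 5
tunnel source 192.168.100.2
tunnel mode ipsec ipv4
tunnel destination 5.2.36.2
tunnel protection ipsec profile VTI
"""

# MODP sizes of the classic IKE DH groups (assumed table for this example).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}


@dataclass
class VpnFacts:
    psk_peers: List[str] = field(default_factory=list)      # 'address' of each isakmp key
    dpd: Optional[Tuple[int, int]] = None                    # (interval, retry) of isakmp keepalive
    ike_dh_groups: List[int] = field(default_factory=list)   # 'group N' inside isakmp policies
    pfs_groups: List[int] = field(default_factory=list)      # 'set pfs groupN' inside ipsec profiles
    tunnel_destinations: List[str] = field(default_factory=list)


def parse_ios_vpn(text: str) -> VpnFacts:
    """Pull out the few fields the lint needs. The forum stripped IOS sub-command
    indentation, so section context is tracked by keyword rather than whitespace."""
    facts = VpnFacts()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            section = None
            continue
        if line.startswith("crypto isakmp policy"):
            section = "isakmp-policy"
            continue
        if line.startswith("crypto ipsec profile"):
            section = "ipsec-profile"
            continue
        if line.startswith("interface "):
            section = "interface"
            continue
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m:
            section = None
            facts.psk_peers.append(m.group(1))
            continue
        m = re.match(r"crypto isakmp keepalive (\d+) (\d+)", line)
        if m:
            section = None
            facts.dpd = (int(m.group(1)), int(m.group(2)))
            continue
        if line.startswith("crypto "):       # any other global crypto line ends a section
            section = None
            continue
        m = re.match(r"group (\d+)$", line)
        if m and section == "isakmp-policy":
            facts.ike_dh_groups.append(int(m.group(1)))
        m = re.match(r"set pfs group(\d+)", line)
        if m and section == "ipsec-profile":
            facts.pfs_groups.append(int(m.group(1)))
        m = re.match(r"tunnel destination (\S+)", line)
        if m and section == "interface":
            facts.tunnel_destinations.append(m.group(1))
    return facts


def lint(facts: VpnFacts) -> List[str]:
    """Return one finding string per problem; an empty list means nothing to report."""
    findings = []
    for peer in facts.psk_peers:
        if peer == "0.0.0.0":
            if facts.tunnel_destinations:
                findings.append(
                    "WILDCARD_PSK_STATIC_PEER: pre-shared key bound to 0.0.0.0 (any peer) while "
                    f"tunnel destination {facts.tunnel_destinations[0]} is fixed; a wildcard key "
                    "implies a dynamic peer that must initiate, so either the addressing really is "
                    f"dynamic, or the key should be bound to {facts.tunnel_destinations[0]}")
            else:
                findings.append("WILDCARD_PSK: pre-shared key accepted from any peer address")
    if facts.dpd is None:
        findings.append("NO_DPD: no 'crypto isakmp keepalive'; a dead peer is only noticed when traffic fails")
    for g in facts.ike_dh_groups + facts.pfs_groups:
        bits = MODP_BITS.get(g)
        if bits is not None and bits < 2048:
            findings.append(f"WEAK_DH: group {g} is {bits}-bit MODP; use group 14 (2048-bit) or stronger")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ios_vpn(SAMPLE_CONFIG)):
        print(finding)
```

Run against the pasted fragment it reports the wildcard-key mismatch and two WEAK_DH findings (IKE group 5 and PFS group 5) and stays silent on DPD, because `crypto isakmp keepalive 15 5` is present. Rebinding the key (`address 5.2.36.2` instead of `address 0.0.0.0`) makes the first finding disappear, which is the quickest way to confirm which of Rick's two readings of the config applies.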