09-29-2020 12:20 AM
Hello,
I have several site-to-site VPNs that are active, but some subnets are not reachable until a ping is sent from the other site. After that, communication works for some time. The next day, when I want to check communication from site B to site A, pings are working for most of the subnets, but some are not. To establish communication I need to send a ping from site A to site B in order to get communication working.
Site A is always a Cisco Firepower 2110 Threat Defense, and site B can be a Cisco router or an ASA device.
Any help?
Thanks in advance
Pieter
09-29-2020 12:22 AM
Hello,
hard to say without seeing the configs. Do you have keepalives configured?
09-29-2020 12:36 AM
Hello Georg,
This is the config from one of the routers where I have this issue:
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
crypto isakmp key XXXXXXXXX! address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set VTI esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile VTI
set security-association lifetime seconds 86400
set transform-set VTI
set pfs group5
!
!
!
!
!
!
!
interface Tunnel0
ip address 172.16.144.5 255.255.255.252
ip mtu 1435
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
load-interval 30
keepalive 15 5
tunnel source 192.168.100.2
tunnel mode ipsec ipv4
tunnel destination 5.2.36.2
tunnel protection ipsec profile VTI
09-29-2020 12:56 AM
Hello,
you could change some settings to make sure the VPN never goes down. On the ASA, you would configure this under the group policy:
vpn-idle-timeout none
On the routers, you could configure a simple EEM script that pings the other side every 60 seconds:
event manager applet VPN_ALWAYS_UP
event timer watchdog time 60
action 1.0 cli command "enable"
action 2.0 cli command "ping x.x.x.x"
output none
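A concrete placement of both suggestions, as an added example that is not from the thread: the ASA lines show where vpn-idle-timeout none sits relative to the tunnel-group, and the IOS lines source the probe from Tunnel0 so the probe itself crosses the VTI and keeps the IPsec SA in use (an IP SLA probe is shown as an alternative to the EEM applet). The policy name L2L_GP, the peer 203.0.113.1 and the far-end tunnel address 172.16.144.6 are assumptions.

```cisco
! --- ASA side: stop the L2L tunnel from being torn down for inactivity ---
! L2L_GP and the peer 203.0.113.1 are assumed placeholders.
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout none
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy L2L_GP
!
! --- IOS router side: send traffic through the VTI every 60 seconds ---
! Tunnel0 is 172.16.144.5/30 in the posted config, so 172.16.144.6 is assumed
! to be the far end. Sourcing from Tunnel0 makes the ping leave via the VTI.
event manager applet VPN_ALWAYS_UP
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 2.0 cli command "ping 172.16.144.6 source Tunnel0 repeat 2"
!
! Alternative to the applet: an IP SLA ICMP probe with the same source and period.
ip sla 10
 icmp-echo 172.16.144.6 source-interface Tunnel0
 frequency 60
ip sla schedule 10 life forever start-time now
```

Use either the applet or the IP SLA probe, not both; on the ASA the default-group-policy line is what binds the idle-timeout setting to that particular peer.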
09-29-2020 01:03 AM
Hello Georg,
For the vpn-idle-timeout none setting on the ASA, do I need to make changes on the other side as well?
I will give the EEM script a go today and keep you posted tomorrow.
Thanks
Pieter
09-29-2020 01:28 AM
Hello,
configure the idle timeout on all ASAs (if both ends are ASAs).
Curious to know the results...
09-29-2020 07:07 AM
I am interested in this part of the partial config that was posted:
crypto isakmp key XXXXXXXXX! address 0.0.0.0
This suggests that the peer for the ipsec tunnel has a dynamic address. If this is the case then it is expected behavior that the negotiation of the ipsec sa must be initiated from the peer with the dynamic address (which makes sense because the peer with the fixed IP can not be sure which IP the dynamic peer will be using). This is consistent with the symptoms described that the vpn only works after a ping from the other end.
But then the rest of the configuration posted seems to be a static VTI encrypted tunnel where the peer address is known. Can we get some clarification about the peer and whether the addressing is static or dynamic?