Using NTP as a VPN Keepalive

Dean Romanelli
Level 4

Hi All,

I have an IPSec site-to-site VPN tunnel between two ASA 5505s, and the tunnel keeps dropping due to inactivity. Through research and trial & error, I have found that using NTP to keep the tunnel alive is probably going to be the best workaround. I will point the NTP polling to a destination address within the interesting traffic (the LAN of the far end of the VPN tunnel). However, there are no formal NTP servers on that far-end LAN, which is where my question comes in:

Does the NTP poll mechanism on the ASA first send an ICMP ping to whatever you specify as the NTP server before it actually pulls the time? I don't care as much whether it gets the time as I do that successful traffic to keep the tunnel up will be sent.

3 Replies

Mark Malone
VIP Alumni

Hi

Just another option, if your software version supports it: use an IP SLA probe to keep it up.

Or try setting the idle timeout: vpn-idle-timeout xxxx

https://supportforums.cisco.com/discussion/10987781/unlimited-idle-timeout-idle-timeout-session-30-minutes

Hi Mark,

Thanks for replying. Unfortunately IP SLA doesn't work because there is no way to source the ping from the inside interface of the ASA, which means the ping attempt will not go over the tunnel. To do that I would have to permit the WAN IP of the ASA in the interesting traffic, since the ping will always source from the outside. Unfortunately I don't have any layer 3 switches sitting behind it to force the SLA source to be a LAN IP. As for the vpn-idle-timeout command, I have tried this and unfortunately it doesn't work.

Thanks.

Ah ok, strange that the idle timeout didn't work. Was it set on both sides of the tunnel? I saw in one of the posts I was looking at that that's how they got it working correctly.

Unfortunately I can't really answer the NTP question. My basic understanding is that it uses a UDP packet to initiate to the server; if not, you could try capturing the traffic with Wireshark, which may show you exactly.
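To make the point raised in the question and in Mark's last reply concrete, here is an added example (not from the thread, and not the ASA's own implementation) that builds the same 48-byte SNTP client datagram an NTP poll puts on the wire (RFC 5905, version 4, mode 3), sends it over UDP to port 123, and parses any reply. There is no ICMP echo in the exchange: the poll is a single UDP datagram, which is exactly what a crypto ACL would need to match. The `probe()` function's `source` argument is an assumption for this script only; it binds the local address so the datagram is emitted from the interface you intend, which mirrors the sourcing problem described with IP SLA above. Run it against a host on the far-end LAN while capturing with Wireshark to see the request leave even when nothing answers.

```python
import socket
import struct
import time

NTP_PORT = 123
# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_UNIX_DELTA = 2208988800


def build_ntp_request():
    """Return the 48-byte SNTP client datagram an NTP poll puts on the wire.

    Byte 0 packs Leap Indicator=0, Version=4, Mode=3 (client), i.e. 0x23.
    Only the transmit timestamp (bytes 40-47) is filled; everything else is 0.
    """
    packet = bytearray(48)
    packet[0] = (0 << 6) | (4 << 3) | 3
    now = time.time() + NTP_UNIX_DELTA
    secs = int(now)
    frac = int((now - secs) * (1 << 32))
    struct.pack_into("!II", packet, 40, secs, frac)
    return bytes(packet)


def parse_ntp_response(data):
    """Return (mode, stratum, unix_time) from a 48-byte NTP reply.

    unix_time is taken from the server's transmit timestamp.  Returns None
    when the datagram is too short to be an NTP packet at all.
    """
    if len(data) < 48:
        return None
    mode = data[0] & 0x07
    stratum = data[1]
    secs, frac = struct.unpack_from("!II", data, 40)
    unix_time = secs - NTP_UNIX_DELTA + frac / (1 << 32)
    return mode, stratum, unix_time


def probe(host, timeout=2.0, source=None):
    """Send one NTP client request to host:123 and wait for a reply.

    Returns the parsed reply, or None on timeout.  A timeout is not a failure
    for keepalive purposes: the UDP request was still transmitted (no ICMP
    ping precedes it).  `source` (hypothetical helper argument) binds the
    local address so the datagram leaves from the intended interface.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if source:
            sock.bind((source, 0))
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (host, NTP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_ntp_response(data)


if __name__ == "__main__":
    # Placeholder far-end LAN address; replace with a host inside the
    # interesting traffic.  Nothing needs to be listening for the keepalive
    # datagram to be sent.
    result = probe("192.0.2.10")
    print("no reply (request still sent)" if result is None else result)
```

Because the request is unsolicited UDP, a capture on the outside interface should show only ESP once the tunnel is up; if the datagram appears in clear text there, its source address is not covered by the crypto ACL, which is the same symptom described for IP SLA.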
