IPSEC Dynamic Tunnel

s.g.shanker · ‎03-28-2011

Dear All,

I have an IPSEC tunnel between the router (branch office)and the ASA (Data Ccentre). The Router is configured with Dynamic IP address and ASA with static IP address. I understand the Tunnel will only come up if there is a traffic initiated from the Router end(branch office) as it is using dynamic IP for the ASA to know the Dynamic IP address and the tunnel is formed. But if the users in the branch office is idle…and no traffic flows expecially night times the tunnel goes down in the morning as no traffic is initited form the Branch office end. Is there a command to keep the tunnel UP permanently so that this dosent happen?

Regards

Shan

andrew.prince · ‎03-28-2011

Shan,

Not really for a site to site connection - but you have other options:-

1) Run a time IP ICMP SLA from src to dst

2) Leave a machine on the LAN @ the branch to continually ping the Data Center.

A few examples.

HTH>

s.g.shanker · ‎03-28-2011

Thanks Andrew. Ii will have that as an option. But just wondering if these commands

crypto ipsec security-association idle-time

crypto ipsec security-association lifetime

or the Keeplive , Lifetime commands solve this ???

andrew.prince · ‎03-28-2011

Shan,

They are for the IPSEC Security Association - What they do not do/control is the "traffic" that traverses the IPSEC tunnel

The 2 settings you mention "protect" the routers resources from running out by not keeping process intensive tunnels up.

HTH>