I was thinking of enabling this on the tunnel, however we have a primary and backup interface being monitored via SLA. If I was to disable the keepalive on the primary tunnel, would that fail to establish a new tunnel on the backup interface if the primary goes down?
We are having connection issues between two sites. Each site houses an ASA5510 and is connected via a site-to-site tunnel. The tunnel seems to drop randomly throughout the day. Sometimes it takes only 3 hours, other times it takes several days. This issue interferes with our backup jobs since they tend to fail when the tunnel is dropped. On one of the ends, we noticed the following logs (there were a lot more but I felt these were most important):

2014-09-11 02:46:32 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
2014-09-11 02:46:32 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP =1.1.1.1, Session is being torn down. Reason: Lost Service

Any ideas/suggestions? If additional information is needed about our environment, please let me know.
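A defender monitoring this tunnel would want to know how often the DPD-driven teardown in the post recurs and how long the tunnel survives between drops. The script below is an added example, not from the thread or from Cisco: it parses syslog lines in the exact %ASA-3-713123 / %ASA-5-713259 format quoted above (the sample log is constructed from those two lines plus one made-up later drop for the same peer) and reports drop counts and the interval between drops per peer.

```python
import re
from datetime import datetime

# Constructed sample: the two lines quoted in the post plus one made-up later
# DPD drop for the same peer, so the interval calculation has something to show.
SAMPLE_LOG = """\
2014-09-11 02:46:32 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
2014-09-11 02:46:32 Local4.Notice 192.168.2.2 %ASA-5-713259: Group = 1.1.1.1, IP =1.1.1.1, Session is being torn down. Reason: Lost Service
2014-09-11 05:51:07 Local4.Error 192.168.2.2 %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""

# Syslog prefix as written by the collector in the post: timestamp, facility,
# reporting ASA address, then the %ASA-<severity>-<msgid>: body.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<asa>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# The ASA is inconsistent about the space after "IP =" (see the second line),
# so the spaces around "=" are optional.
PEER_RE = re.compile(r"Group = (?P<group>[^,]+), IP ?= ?(?P<ip>[^,]+),")
DROP_IDS = {"713123", "713259"}  # IKE lost contact / session torn down


def parse_events(text):
    """Return the tunnel-drop events found in the log text, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["msgid"] not in DROP_IDS:
            continue
        p = PEER_RE.search(m["body"])
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "asa": m["asa"],
            "msgid": m["msgid"],
            "peer": p["ip"].strip() if p else None,
            "dpd": "keepalive type: DPD" in m["body"],
        })
    return events


def dpd_drops_per_peer(text):
    """Count 713123 events whose keepalive type is DPD, keyed by peer IP."""
    counts = {}
    for e in parse_events(text):
        if e["msgid"] == "713123" and e["dpd"]:
            counts[e["peer"]] = counts.get(e["peer"], 0) + 1
    return counts


def hours_between_drops(text, peer):
    """Hours the tunnel stayed up between consecutive 713123 drops for a peer."""
    times = sorted(e["time"] for e in parse_events(text)
                   if e["msgid"] == "713123" and e["peer"] == peer)
    return [round((b - a).total_seconds() / 3600, 2)
            for a, b in zip(times, times[1:])]
```

Feeding a day's worth of real collector output through `hours_between_drops` makes the "3 hours versus several days" pattern from the post measurable, which is the first thing to compare against the SLA monitor and backup schedules.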
Thank you for your help. As you can tell, I'm fairly new to this process so please bear with me. If I understand you correctly, all switches behind the 2960 do not need to be adjusted. Host traffic will flow through these switches and hit the 2960. The port going from 2960 to ASA will be trunked and the ASA will have the sub-interfaces configured for each VLAN. Will I also need to create these VLANS on the switch itself? Again, sorry for the stupid questions. I am trying to get a good understanding before moving forward.
Based on what I've been reading, this may be the best approach. There are several switches behind the 2960 switch. Would any configuration need to be done on these switches as well? Or would I just need to trunk the port going from 2960 -> ASA?
Thank you for clarifying that for me. Currently, here is our inside interface:

interface Ethernet0/1
 nameif NJinternalIPs
 security-level 100
 ip address 192.168.1.2 255.255.255.0

As you can see, no VLAN was setup for this interface. If I was to go with your approach, would I need to create 2 new sub-interfaces with their own associated VLAN? Or could I leave the existing interface and create 1 sub-interface with its own VLAN? I hope I worded that question correctly.
Hi All, We currently have an ASA 5510 sitting in front of a Catalyst 2960 unmanaged switch. Would it be possible to assign multiple subnets to the inside interface of the ASA without the need to purchase more equipment (an additional router)? I ask because we are in the process of changing our internal subnet and we would like to do so with minimal downtime. So allowing us to have both networks up and slowly transition everything to the new subnet would be our best approach. All help/suggestions are appreciated. Thank you in advance!
Hi all, I understand the concept of NAT and why it is used. However, I am a bit confused given the following command:

object network obj-internal
 nat (inside,outside) dynamic interface

Please correct me if I am wrong, but so far I understand that this command creates a network object named "obj-internal", and creates a rule for traffic from the inside interface to the outside interface. However, I am confused with the dynamic interface portion. Could somebody please elaborate more on the meaning/use of this part? All help is greatly appreciated.