Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

Hi Guys,

We want to set up a VPN between our central ASA 5520 and a new branch office ASA 5505 with a dynamic public IP.

This kind of configuration is supported, but the tunnel can only be initiated from the remote ASA (the central ASA doesn't know how to reach the remote ASA).

Considering that voice traffic will also transit this VPN, we need to keep the tunnel always up.

One solution would be to have a sort of continuous ping from the remote office to the central office... is there a more "professional" way to achieve our goal?

thank you.

1 ACCEPTED SOLUTION

Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

Try "management-access inside" on the ASA and ping.

13 REPLIES 13
Cisco Employee

asa - vpn s2s with dynamic ip - keep tunnel up

Hello,

Why not configure IP SLA on the remote ASA?

sla monitor 1
 type echo protocol ipIcmpEcho <....Destination IP on the 5520 side> interface inside
sla monitor schedule 1 life forever start-time now

That would keep the SA up all the time [assuming the phones are behind the inside interface].

Cheers,

Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

Hello Olpeleri,

I set up the SLA as you indicated; the internal LAN on the remote branch is 192.168.101.0/24 and the internal LAN on the central site is 192.168.20.0/20.

This is the config on the remote ASA:

"sla monitor 1
 type echo protocol ipIcmpEcho 192.168.20.1 interface inside
sla monitor schedule 1 life forever start-time now"

The commands have been accepted (see below), but how can I tell whether it's working?

I don't think it is: if I simply try to ping from the ASA in the remote branch to the central one I get the following error

"Routing failed to locate next-hop for protocol from NP Identity Ifc:192.168.101.11 /0 to inside: 192.168.20.1/0"

Any idea?

Thank you.


Cisco Employee

asa - vpn s2s with dynamic ip - keep tunnel up

Hello,

Two commands can be used to check whether it works or not:

sh sla monitor operational-state

sh sla monitor config

Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

Hello,

From the output, the ping is not working.

Entry number: 1
Modification time: 18:25:05.584 CEST Mon Oct 29 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 867
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 08:51:05.587 CEST Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

A client on the internal network behind the remote ASA can reach the central internal network through the VPN tunnel, but if I try to ping from the ASA itself using the internal network as source, the ping does not work and I get a routing error message:

"Routing failed to locate next-hop for icmp from
NP Identity Ifc:192.168.101.1 /0 to inside: 192.168.20.1/0"

It seems that the ASA can't find a route from the internal network to the remote network; in effect there is no route, but the crypto map should simply recognize this kind of traffic and tunnel it.

What should I do so that a ping from the ASA itself gets tunneled into the VPN?

Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

try , "management-access inside" on asa and ping

Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

Hi Ali,

Ping is working! Thanks.

ping
TCP Ping [n]:
Interface: inside
Target IP address: 192.168.20.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

But the IP SLA configuration is not working.

Configuration:

sla monitor 1
 type echo protocol ipIcmpEcho 192.168.20.1 interface inside
sla monitor schedule 1 life forever start-time now

sh sla monitor operational-state

Entry number: 1
Modification time: 10:33:26.253 CEST Tue Oct 30 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 18
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 10:49:26.256 CEST Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

Any idea why?
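A quick way to tell from the CLI output whether an SLA keepalive is actually exchanging echoes, as an added example that is not part of this thread: the script below parses the `show sla monitor operational-state` text quoted above (a constructed copy of the failing entry, plus a constructed healthy variant whose RTT numbers are illustrative) and the "Routing failed to locate next-hop" message, and returns a verdict instead of leaving the reader to eyeball the fields. Treating a return code of "OK" as success is an assumption about the ASA's wording; the `Timeout occurred` flag is what the thread's output actually shows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the failing probe output quoted in the thread.
FAILING_OUTPUT = """Entry number: 1
Modification time: 10:33:26.253 CEST Tue Oct 30 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 18
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 10:49:26.256 CEST Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0
"""

# Constructed sample: the same entry once echoes succeed. The RTT values are
# illustrative and the "OK" return code is an assumption, not thread output.
HEALTHY_OUTPUT = """Entry number: 1
Number of operations attempted: 18
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 40
Latest operation return code: OK
RTT Values:
RTTAvg: 40      RTTMin: 38      RTTMax: 42
NumOfRTT: 3     RTTSum: 120     RTTSum2: 4808
"""


def parse_sla_state(text: str) -> dict:
    """Turn the 'Key: value' lines into a dict. The two RTT summary lines carry
    several pairs each, so they are split with a regex; other values that are
    purely numeric are converted to int."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "RTT Values:":
            continue
        if line.startswith(("RTTAvg", "NumOfRTT")):
            for key, val in re.findall(r"(\w+):\s*(\d+)", line):
                state[key] = int(val)
        elif ":" in line:
            key, _, val = line.partition(":")  # first colon only; times contain colons
            val = val.strip()
            state[key.strip()] = int(val) if val.isdigit() else val
    return state


@dataclass
class ProbeVerdict:
    healthy: bool
    reason: str
    rtt_ms: Optional[int]


def assess_probe(state: dict) -> ProbeVerdict:
    """Decide whether the probe is keeping traffic flowing. An entry that is
    scheduled but timing out sends echoes that get no reply, which is exactly
    the situation in the thread."""
    if state.get("Operational state of entry") != "Active":
        return ProbeVerdict(False, "entry is not active; check 'sla monitor schedule'", None)
    code = state.get("Latest operation return code")
    if state.get("Timeout occurred") == "TRUE" or code != "OK":
        return ProbeVerdict(False, f"last echo returned {code}; no reply reached the ASA", None)
    if state.get("Connection loss occurred") == "TRUE":
        return ProbeVerdict(False, "connection loss flagged on the entry", None)
    rtt = state.get("RTTAvg")
    return ProbeVerdict(True, f"echo replies received, average RTT {rtt} ms", rtt)


# Matches the routing-failure message from the thread, even when the CLI wraps it.
ROUTING_FAILURE_RE = re.compile(
    r"Routing failed to locate next-hop for (?P<proto>\w+) from\s*"
    r"NP Identity Ifc:(?P<src>[\d.]+)\s*/\d+ to (?P<dst_if>\w+):\s*(?P<dst>[\d.]+)/\d+"
)


def parse_routing_failure(msg: str) -> Optional[dict]:
    """Return the protocol, self-sourced address, egress interface and target
    from a 'Routing failed to locate next-hop' message, or None if absent."""
    m = ROUTING_FAILURE_RE.search(" ".join(msg.split()))
    return m.groupdict() if m else None


if __name__ == "__main__":
    for label, text in (("failing", FAILING_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        print(label, assess_probe(parse_sla_state(text)))
    print(parse_routing_failure("Routing failed to locate next-hop for icmp from\n"
                                "NP Identity Ifc:192.168.101.1 /0 to inside: 192.168.20.1/0"))
```

Run it as-is to see the two verdicts; to use it on a real box, paste the `show sla monitor operational-state` output into `parse_sla_state`. The routing-failure parser is worth keeping in a log filter, because that message is the symptom that the self-sourced probe never reached the crypto map.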

Beginner

Re: asa - vpn s2s with dynamic ip - keep tunnel up

Change

"type echo protocol ipIcmpEcho 192.168.20.1 interface inside"

to

"type echo protocol ipIcmpEcho 192.168.20.1 interface outside", if your central ASA is in the outside zone, so it should look like the following:

sla monitor 1
 type echo protocol ipIcmpEcho 192.168.20.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

Message was edited by: Riyasat Ali

Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

I tried changing to the outside interface, but it's still not working.

sla monitor 1
 type echo protocol ipIcmpEcho 192.168.20.1 interface outside
sla monitor schedule 1 life forever start-time now

But I think that's normal: if I want to keep the tunnel up I need to generate traffic inside it, so from the inside network to the inside network on the central PIX (192.168.20.1).

Beginner

Re: asa - vpn s2s with dynamic ip - keep tunnel up

For IP SLA, the traffic does not initiate from inside; it initiates from the firewall itself. And we specify the interface because we want to reach that destination IP from that interface only.

Beginner

Re: asa - vpn s2s with dynamic ip - keep tunnel up

So does that mean it is not possible to generate traffic from the ASA itself to keep the VPN always up?

Beginner

Re: asa - vpn s2s with dynamic ip - keep tunnel up

When we configure IP SLA, it means we want traffic to initiate from the firewall itself towards a specific zone like outside, not from one particular zone to another zone.

So yes, it is possible, and it should work if IP SLA has been configured the right way. Check the following:

sla monitor 1
 type echo protocol ipIcmpEcho 192.168.20.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

route outside 192.168.20.0 255.255.255.0 x.y.z.a 1 track 1

Cisco Employee

asa - vpn s2s with dynamic ip - keep tunnel up

I was hoping it would work [it works on a Cisco IOS router].

Do you have any managed switch on the LAN side where you could have IP SLA running?

That would be the solution.

Beginner

asa - vpn s2s with dynamic ip - keep tunnel up

Unfortunately it's a small office and they don't have managed switches.

But I found another solution on the web.

I set up the remote ASA to sync NTP with a server on the central network using the internal interface, and the tunnel stays up.

Thank you to everybody.