I have a cisco router (3845) and I have configured Multiple Site-to-Site tunnel for vendors/partners.
Now, I want to monitor the tunnels for the vendors. As I know the timeout setting is 24 hr / 86400 Sec to keep the tunnel UP. But If any there is no interesting traffic for more than 24hr then it will bring down the tunnel and will generate false alert (because as there is no interesting traffic , however there is no issue from other side). I want to monitor the tunnels in such a way that only it should generate alert when there is an issue or its unreachable due to some issue (ISP or hardware).
I have gone thru multiple articles and got suggestion about IP SLA or NTP communication thru tunnel to keep tunnels UP.
For IP SLA with ICMP-ECHO, i may get some resistance form some vendors, because for this they need to allow Ping on their firewall which may be not allowed due to security policy.
For NTP traffic, I am not sure if Vendor will be ready to use our NTP server to synchronize the router time.
Kindly suggest op this.
On ASA you can add "vpn-idle-timeout none" on 'group-policy '. Not sure if this is available on your router.
-If I helped you somehow, please, rate it as useful.-
Very useful Flavio, thank you.
My case is site to site.
(config-group-policy)# vpn-idle-timeout ?
group-policy mode commands/options:
<1-35791394> Number of minutes
alert-interval Specify timeout alert interval in minutes
none Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable
timeout and allow an unlimited idle period; AnyConnect (SSL,
IPSec/IKEv2): Use value of default-idle-timeout
If you are doing a ping with ip sla and/or eem you can make the traffic go via the VPN.
Thus the 3rd party firewall only sees more IPsec encrypted traffic and does not need to allow icmp echo-requests from outside.
Only the remote device you are pinging needs to send echo-reply
Thanks for your suggestion.
What changes will be required from my side and vendor side.
can you please share some configuratiion examples?
Please see the following example:
The vendor side requires no changes - you only need an address in their internal network that will respond to your pings. If they don't have any such host you could even use tcp ping (which is available on the ASA) and have eem connect via whatever port is open to introduce interesting traffic that will keep the VPN tunnel up.
Is there any way to find out what the default "vpn-idle-timeout" is by using a CLI command? I didn't configure any timeout under the group-policy.
Also, I like the EEM approach and was wondering why one would use EEM over vpn-idle-timeout. Any thoughts?
Thanks in advance, ~zK