Beginner

How to keep Site-to-Site VPN tunnel UP always

Hi All,

I have a Cisco router (3845) and I have configured multiple site-to-site tunnels for vendors/partners.

Now, I want to monitor the tunnels for the vendors. As I know, the timeout setting is 24 hr / 86400 sec to keep the tunnel UP. But if there is no interesting traffic for more than 24 hr, it will bring down the tunnel and will generate a false alert (because there is no interesting traffic, even though there is no issue on the other side). I want to monitor the tunnels in such a way that it should only generate an alert when there is an issue or it is unreachable due to some issue (ISP or hardware).

I have gone through multiple articles and got suggestions about IP SLA or NTP communication through the tunnel to keep tunnels UP.

For IP SLA with ICMP-ECHO, I may get some resistance from some vendors, because for this they need to allow ping on their firewall, which may not be allowed due to security policy.

For NTP traffic, I am not sure if the vendor will be ready to use our NTP server to synchronize the router time.

Kindly suggest on this.

 

6 Replies
VIP Advisor

Re: How to keep Site-to-Site VPN tunnel UP always

Hi @BSCMITTAA1

On the ASA you can add "vpn-idle-timeout none" under the group-policy. Not sure if this is available on your router.

-If I helped you somehow, please, rate it as useful.-

 

 

Beginner

Re: How to keep Site-to-Site VPN tunnel UP always

Very useful Flavio, thank you.

My case is site to site.


(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>    Number of minutes
  alert-interval  Specify timeout alert interval in minutes
  none            Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable
                  timeout and allow an unlimited idle period; AnyConnect (SSL,
                  IPSec/IKEv2): Use value of default-idle-timeout

Hall of Fame Master

Re: How to keep Site-to-Site VPN tunnel UP always

If you are doing a ping with IP SLA and/or EEM you can make the traffic go via the VPN.

Thus the third-party firewall only sees more IPsec encrypted traffic and does not need to allow ICMP echo-requests from outside.

Only the remote device you are pinging needs to send an echo-reply.

Beginner

Re: How to keep Site-to-Site VPN tunnel UP always

Thanks for your suggestion.

What changes will be required from my side and the vendor's side?

Can you please share some configuration examples?

Hall of Fame Master

Re: How to keep Site-to-Site VPN tunnel UP always

Please see the following example:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc6

The vendor side requires no changes - you only need an address in their internal network that will respond to your pings. If they don't have any such host you could even use TCP ping (which is available on the ASA) and have EEM connect via whatever port is open to introduce interesting traffic that will keep the VPN tunnel up.
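An added configuration example (not from this thread or from the linked Cisco technote) of the IP SLA approach on an IOS router such as the original poster's 3845: the probe is sourced from an inside address so it matches the crypto ACL and is encrypted into the tunnel, a track object follows reachability, and EEM applets log only on a reachability change, so an idle tunnel no longer looks like a failure. The addresses, object numbers, applet names and the vendor name are assumptions.

```cisco
! Assumed (placeholder) addressing, not taken from the thread:
!   10.1.1.1  = our inside interface address, already a source in the crypto ACL
!   10.2.2.10 = a host inside the vendor network that answers ICMP echo
! The crypto map ACL for this peer must already permit 10.1.1.0/24 -> 10.2.2.0/24;
! a probe whose source/destination is outside the ACL goes out in clear text instead.
!
! Probe every 60 s. Because the source is the inside address, the packet is
! encrypted before it leaves, so the vendor edge only sees ESP, never an ICMP
! request arriving from the Internet.
ip sla 10
 icmp-echo 10.2.2.10 source-ip 10.1.1.1
 frequency 60
 timeout 2000
 threshold 1000
ip sla schedule 10 life forever start-time now
!
! Track object follows probe reachability; the delays absorb a single lost
! probe or a rekey so that one missed reply does not raise an alert.
track 10 ip sla 10 reachability
 delay up 30 down 180
!
! Alert on a real reachability change only. The steady 60 s probe is itself
! interesting traffic, so the 24 h idle timer never expires for this peer.
event manager applet VPN-VENDORA-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "Vendor A tunnel: IP SLA 10 to 10.2.2.10 unreachable"
!
event manager applet VPN-VENDORA-UP
 event track 10 state up
 action 1.0 syslog priority notifications msg "Vendor A tunnel: IP SLA 10 to 10.2.2.10 reachable again"
!
! Verification: "show ip sla statistics 10" for probe results, "show track 10"
! for the current state, and "show crypto ipsec sa" to confirm the encrypt/decrypt
! counters for this peer keep increasing once a minute.
```

Repeat the three blocks with distinct object numbers per vendor tunnel; the syslog messages can then be matched by the monitoring system instead of alerting on the tunnel SA itself.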

Participant

Re: How to keep Site-to-Site VPN tunnel UP always

Hi Marvin,

Is there any way to find out what the default "vpn-idle-timeout" is by using a CLI command? I didn't configure any timeout under the group-policy.

Also, I like the EEM approach and was wondering why one would use EEM over vpn-idle-timeout. Any thoughts?

Thanks in advance, ~zK