04-26-2023 08:57 AM - edited 04-26-2023 08:57 AM
Hello.
I have various network symptoms in which ASA5525 IKEv2 L2L VPN traffic intermittently fails.
I am wondering if this is because the tunnels are down until interesting traffic passes, so server transactions fail on 1st attempts.
QUESTIONS:
1. Does my theory make sense?
2. How do I configure this VPN to always remain up (open)?
3. (separate from the above L2L tunnel) -- Do DMVPN tunnels remain always up, or are they off until interesting traffic begins to pass?
(Here is a helpful link, though I don't trust it. I trust fresh feedback from this forum.) To keep the IPsec tunnel UP - Cisco Community
Thank you!
04-26-2023 09:04 AM
@jmaxwellUSAF yes a policy based VPN needs regular interesting traffic to keep the tunnel up.
You could configure your NMS to probe (ping/snmp) a device on the remote network, therefore there will always be regular traffic to keep the tunnel up.
Refer to this EEM script to keep a policy based VPN tunnel up - https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc6
A route based VPN (DMVPN or FlexVPN/VTI) will always be up.
04-26-2023 09:04 AM
Run IP SLA from local LAN to remote LAN; this will keep the VPN tunnel always up.
04-26-2023 09:12 AM
Thank you, Rob.
QUESTION: As opposed to a standard VPN, why is a route-based VPN always up?
04-26-2023 09:16 AM
@jmaxwellUSAF from the cisco docs - https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/vpn/asa-919-vpn-config/vpn-vti.html
"IKE and IPsec security associations will be re-keyed continuously regardless of data traffic in the tunnel. This ensures that VTI tunnels are always up"
04-26-2023 09:08 AM
How often should the pings go out? (any links you have to this topic, and configs, would be helpful also.)
04-26-2023 09:12 AM
@jmaxwellUSAF 60 seconds should suffice, as per the example in the link provided above.
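As an added illustration (not taken from any post in this thread or from the linked Cisco document), here is what the "probe the remote LAN every 60 seconds" approach looks like as an ASA `sla monitor` configuration. The interface name, addresses and object numbers are constructed placeholders. The point worth checking is that the ASA sources the echo from the address of the interface named on the `type echo` line, so that address has to fall inside the crypto map's ACL (the encryption domain); a probe sourced from an address outside it will report reachability over some other path, or fail, but will never count as interesting traffic for the tunnel.

```cisco
! Constructed example: inside interface 10.1.1.1/24, remote LAN 10.2.2.0/24,
! remote host 10.2.2.10 answers ICMP. Placeholder values, not from the thread.

! The crypto ACL must include the probe's source (the inside interface address),
! otherwise the probe is not "interesting traffic" and does not trigger IKEv2.
access-list L2L_TO_BRANCH extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! ICMP echo probe to a host on the remote LAN, sourced from the inside interface,
! three packets every 60 seconds (the interval discussed above).
sla monitor 10
 type echo protocol ipIcmpEcho 10.2.2.10 interface inside
 num-packets 3
 frequency 60
sla monitor schedule 10 life forever start-time now

! Optional: tie a tracking object to the probe so its state is visible
! with "show track 1" and can drive route tracking if needed.
track 1 rtr 10 reachability
```

To confirm the probe is actually keeping the tunnel up rather than just running, compare `show sla monitor operational-state 10` with `show crypto ikev2 sa` and `show crypto ipsec sa`: the IPsec SA's encaps/decaps counters should increase by roughly three packets per minute with no other traffic present, and the SA should no longer be torn down by the idle timer between real sessions.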
04-26-2023 09:29 AM
Check the IKEv2 lifetime you use; make it below that value.
Making it every 60 sec puts much processing load on the CPU.
04-26-2023 11:39 AM
QUESTION: Is it true that to accomplish the intent, there must be an SLA config on both ends of the tunnel?
04-26-2023 11:39 AM
@jmaxwellUSAF no, as long as there is traffic traversing the tunnel, either side can send the traffic.
04-26-2023 09:30 AM
DMVPN tunnel does not support keepalive, so the same applies: run IP SLA for the DMVPN tunnel also.
04-26-2023 09:40 AM
DMVPN doesn't require interesting traffic to be established, so no need for IP SLA. The mGRE tunnel used with DMVPN will always be up providing it has a valid tunnel source and routable tunnel destination.
04-26-2023 09:46 AM
DMVPN is two tunnels:
static toward hub
dynamic between spokes (spoke to spoke); this needs IP SLA, otherwise it will go down.
04-26-2023 09:55 AM
That is actually true for spoke-to-spoke tunnels; they are built dynamically. Not practical to have IP SLA configured between all peers in a large spoke-to-spoke environment though.
04-26-2023 09:59 AM
You are correct.
But I think he wants it for some spokes, not all.