
ASA IPsec VPN tunnel keepalive option

yang yang
Level 1

Hi everyone,

I am not so familiar with the ASA and have a question regarding establishing an IPsec VPN between an ASA and a NetScreen. I have configured an IPsec VPN on the ASA as follows; I do not have any interesting traffic flow and do not have any configuration on the peer site. If I configure "isakmp keepalive threshold 10 retry 2" on the ASA, is it possible for me to see this tunnel's status on the ASA by using show crypto isakmp sa, or to see any debug messages (debug crypto ikev1)?

I am asking this because under the above conditions I cannot see any result, but for the Juniper NetScreen with "tunnel monitor" on I can see the IPsec establishment attempts shown in the monitor log. (Is "keepalive" different from "tunnel monitor"?)

I understand this is a Cisco site and I may not find information about NetScreen here; could anyone let me know how the ASA works? I have done some searching but still cannot tell the difference. Can anyone help me with this?


name 172.X.X.30 switch_p1.origin_172.X.X.30
name 172.X.X.32 switch_p2.origin_172.X.X.32
name 23.0.0.77 switch_p1_23.0.0.77
name 23.0.0.78 switch_p2_23.0.0.78

object network switch_p1.origin_172.X.X.30
 host 172.X.X.30
object network switch_p2.origin_172.X.X.32
 host 172.X.X.32
object network switch_p1_23.0.0.77
 host 23.0.0.77
object network switch_p2_23.0.0.78
 host 23.0.0.78

object-group network switch_p1
 network-object object switch_p1.origin_172.X.X.30
object-group network switch_p2
 network-object object switch_p2.origin_172.X.X.32

access-list IPSec_switch_out extended permit ip object UPI_p1_23.0.0.21 object switch_p1.origin_172.X.X.30
access-list IPSec_switch_out extended permit ip object UPI_p1_23.0.0.20 object switch_p1.origin_172.X.X.30
access-list IPSec_switch_out extended permit ip object UPI_p2_23.0.0.23 object switch_p2.origin_172.X.X.32

route outside X.X.X.1 255.255.255.255 outside_NextHop 1
route outside switch_p1.origin_172.X.X.30 255.255.255.255 outside_NextHop 1
route outside switch_p2.origin_172.X.X.32 255.255.255.255 outside_NextHop 1

crypto map MAP_member 40 match address IPSec_switch_out
crypto map MAP_member 40 set peer X.X.X.1
crypto map MAP_member 40 set ikev1 transform-set TRANSFORM-ESP-AES-256-SHA

tunnel-group X.X.X.1 type ipsec-l2l
tunnel-group X.X.X.1 ipsec-attributes
 ikev1 pre-shared-key XXXXXXXX
 isakmp keepalive threshold 10 retry 2

object network switch_p1.origin_172.X.X.30
 nat (outside,inside) static switch_p1_203.0.0.77
object network switch_p2.origin_172.X.X.32
 nat (outside,inside) static switch_p2_203.0.0.78


ip route 203.0.0.76 255.255.255.240 192.168.0.36 tag 110 name switch_p1_VPN
