ASA to AWS VPN

irbk
Level 1

First time setting up a VPN to AWS and it's a little daunting. I'm less than happy about AWS just assuming that I'm going to dump their config into my ASA, especially with having "any" statements in the AWS config.

First, I want to deal with the tunnel keep-alive issue. I have a VPN that seems to get through. I can ping through, and from the other side they can ping through to me. Great, except when the tunnel goes down they can't seem to re-establish the tunnel. It just sits at phase 1. I ping through and it brings up phase 1 and phase 2 and everything is good again until the tunnel goes down and I've got to start the whole process over. I was looking at IP SLA monitoring to keep the VPN active, but I've only got 2 IPs (at the exact moment) that are allowed to pass traffic through the tunnel and the "interface" IPs aren't any of these IPs, so I don't think the SLA monitoring is actually working. So, working off of information from here https://community.cisco.com/t5/vpn/keep-a-vpn-tunnel-on-asa/m-p/3789508 I created an event manager applet, which will allow me to send a `ping tcp`, which will route traffic through the tunnel and in theory keep the tunnel up. My question comes with managing the event manager applet. If I add more AWS VPN tunnels in the future and I need to add more action lines to the applet, is there a way to do that in the ASDM? If not, do I just use the same `event manager applet PingAWSHost` command and enter `action 2 cli command "ping tcp blah blah blah"`?
Thanks!

*****EDIT*****
Of course I look and look but can't find anything, post the question, and 2 min later find the answer. For anyone else that's looking, in ASDM it's under Configuration > Device Management > Advanced > Embedded Event Manager.

1 Reply

Yes, you can manage the Event Manager Applet in ASDM. If you want to add more AWS VPN tunnels in the future and you need to add more action lines to the applet, you can do this in ASDM. You can find this under Configuration > Device Management > Advanced > Embedded Event Manager. If you cannot find a way to add it directly in ASDM, you can use the same `event manager applet` command and add the new action line you need using the CLI.

For instance, if you use the `event manager applet PingAWSHost` command and want to add a new action line, you can just enter `action 2 cli command "ping tcp your_new_ip"`. This will add a new action to the applet which will ping the new IP and help keep the tunnel up.

Remember that you need to change `your_new_ip` to the specific IP you want to ping. Make sure to save your configuration after you make changes.

And regarding the use of IP SLA monitoring, it's a viable option to keep VPN tunnels active. In this case, you just need to make sure the monitored IPs are allowed to pass through the VPN tunnel. If necessary, you can adjust your tunnel's access list to allow the IP SLA to pass through.

Keep in mind that every VPN configuration might need specific adjustments, so please adjust as necessary. I hope this helps to address your question. Let me know if you have any more queries!

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
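As an added example (not the poster's configuration and not Cisco's), this is what the applet discussed in the question and the reply looks like on the ASA CLI, with one `action` line per AWS tunnel. The applet name `PingAWSHost` comes from the thread; the interface name `inside`, the target hosts `10.20.0.10` and `10.20.0.11` and port `443` are placeholders and must be replaced with hosts that the tunnel's crypto ACL actually permits, otherwise the ping never enters the tunnel.

```text
! Added example, not the poster's config. PingAWSHost is the applet name from
! the thread; "inside", 10.20.0.10, 10.20.0.11 and port 443 are placeholders.
event manager applet PingAWSHost
 description Keep the AWS IPsec tunnels up by sending TCP pings through them
 ! Run the actions every 60 seconds; keep this shorter than the SA idle timeout
 ! so the tunnel never sits idle long enough to be torn down.
 event timer watchdog time 60
 ! One action per AWS tunnel. The target must be a host covered by that
 ! tunnel's crypto ACL (the "interface" IPs in the question are not).
 action 1 cli command "ping tcp inside 10.20.0.10 443"
 ! For each additional tunnel, add the next action number here (or via
 ! ASDM > Configuration > Device Management > Advanced > Embedded Event Manager).
 action 2 cli command "ping tcp inside 10.20.0.11 443"
 ! Discard the ping output so the applet does not flood the console or a log file.
 output none
```

After saving, `show running-config event manager` confirms the applet, and `show crypto ipsec sa` should show the encaps/decaps counters for the AWS peer increasing on each timer interval if the pings are really traversing the tunnel.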