asa - vpn s2s with dynamic ip - keep tunnel up

acleri
Level 1
Level 1

Hi Guys,

We want to set up a VPN between our central ASA 5520 and a new branch office ASA 5505 with a dynamic public IP.

This kind of configuration is supported, but the tunnel can only be initiated from the remote ASA (the central ASA doesn't know how to reach the remote ASA).

Considering that voice traffic will also transit this VPN, we need to keep the tunnel always up.

One solution would be to have a sort of continuous ping from the remote office to the central office... is there a more "professional" way to achieve our goal?

Thank you.


13 Replies

olpeleri
Cisco Employee
Cisco Employee

Hello,

Why not configure IP SLA on the remote ASA?

sla monitor 1

type echo protocol ipIcmpEcho <....Destination IP on the 5520 side> interface inside

sla monitor schedule 1 life forever start-time now

That would keep the SA up all the time [assuming the phones are behind the inside interface].

Cheers,

Hello Olpeleri,

I set the SLA as indicated by you; the internal LAN on the remote branch is 192.168.101.0/24, the internal LAN on the central is 192.168.20.0/20.

This is the config on the remote ASA:

"sla monitor 1

type echo protocol ipIcmpEcho 192.168.20.1 interface inside

sla monitor schedule 1 life forever start-time now"

The commands have been accepted (see below), but how can I understand if it's working?

I don't think so. If I try to simply ping from the ASA in the remote branch to the central one, I get the following error:

"Routing failed to locate next-hop for protocol from NP Identity Ifc:192.168.101.11 /0 to inside: 192.168.20.1/0"

Any idea?

Thank you.


Hello,

Two commands can be used to check if it works or not.

sh sla monitor operational-state

sh sla monitor config

Hello,

From the output, the ping is not working.

Entry number: 1

Modification time: 18:25:05.584 CEST Mon Oct 29 2012

Number of Octets Used by this Entry: 1480

Number of operations attempted: 867

Number of operations skipped: 0

Current seconds left in Life: Forever

Operational state of entry: Active

Last time this entry was reset: Never

Connection loss occurred: FALSE

Timeout occurred: TRUE

Over thresholds occurred: FALSE

Latest RTT (milliseconds): NoConnection/Busy/Timeout

Latest operation start time: 08:51:05.587 CEST Tue Oct 30 2012

Latest operation return code: Timeout

RTT Values:

RTTAvg: 0       RTTMin: 0       RTTMax: 0

NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

A client on the internal network behind the remote ASA can reach the central internal network through the VPN tunnel, but if I try to ping from the ASA itself using the internal network as source, the ping does not work and I get a routing error message:

"Routing failed to locate next-hop for icmp from NP Identity Ifc:192.168.101.1 /0 to inside: 192.168.20.1/0"

It seems that the ASA can't find the route from the internal network to the remote network. In effect there is no route, but the crypto map should simply recognize this kind of traffic and tunnel it.

What should I do in order to let the ping from the ASA itself be tunneled into the VPN?

Try "management-access inside" on the ASA and ping.

Hi Ali,

Ping is working! Thanks.

ping

TCP Ping [n]:

Interface: inside

Target IP address: 192.168.20.1

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

But the IP SLA configuration is not working.

Configuration:

sla monitor 1

type echo protocol ipIcmpEcho 192.168.20.1 interface inside

sla monitor schedule 1 life forever start-time now

sh sla monitor operational-state

Entry number: 1

Modification time: 10:33:26.253 CEST Tue Oct 30 2012

Number of Octets Used by this Entry: 1480

Number of operations attempted: 18

Number of operations skipped: 0

Current seconds left in Life: Forever

Operational state of entry: Active

Last time this entry was reset: Never

Connection loss occurred: FALSE

Timeout occurred: TRUE

Over thresholds occurred: FALSE

Latest RTT (milliseconds): NoConnection/Busy/Timeout

Latest operation start time: 10:49:26.256 CEST Tue Oct 30 2012

Latest operation return code: Timeout

RTT Values:

RTTAvg: 0       RTTMin: 0       RTTMax: 0

NumOfRTT: 0     RTTSum: 0       RTTSum2: 0

Any idea why?
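The two "sh sla monitor operational-state" dumps above show the trap in this kind of keepalive: the entry reports "Operational state of entry: Active" even though every probe is timing out, so only the return code and the RTT counters tell you whether the tunnel is really being kept alive. The following script is an added example, not code from the thread or from Cisco; it parses captured output of that command (the Timeout sample is the one posted above, the healthy sample is constructed, and the "OK" return code string for a successful probe is an assumption) and gives an operator a clear verdict.

```python
"""Parse 'show sla monitor operational-state' output from an ASA and decide
whether the keepalive probe is actually succeeding.

Added example (not Cisco's code, not the thread's own): a monitoring script
that captured this text would use it to raise an alert when the probe that
is supposed to keep the site-to-site tunnel up is silently timing out.
"""
import re

# Sample copied from the thread (probe timing out), embedded so this runs offline.
SAMPLE_TIMEOUT = """\
Entry number: 1
Modification time: 10:33:26.253 CEST Tue Oct 30 2012
Number of Octets Used by this Entry: 1480
Number of operations attempted: 18
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 10:49:26.256 CEST Tue Oct 30 2012
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0       RTTMin: 0       RTTMax: 0
NumOfRTT: 0     RTTSum: 0       RTTSum2: 0
"""

# Constructed sample of a healthy probe: same field layout, values assumed
# (the "OK" return code is an assumption about the ASA's wording).
SAMPLE_OK = """\
Entry number: 1
Operational state of entry: Active
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 40
Latest operation return code: OK
RTT Values:
RTTAvg: 40      RTTMin: 40      RTTMax: 40
NumOfRTT: 1     RTTSum: 40      RTTSum2: 1600
"""

# "Field name: value"; the first colon ends the key, so timestamps survive intact.
KEY_VALUE = re.compile(r"^\s*([A-Za-z][^:]*?):\s*(.*?)\s*$")
# Counter lines carry several "name: int" pairs on one line.
RTT_PAIR = re.compile(r"(\w*RTT\w*):\s*(\d+)")


def parse_sla_state(text):
    """Return a dict of field -> value for one SLA entry.
    RTT counter lines are split into one integer per counter; every other
    line is kept as a string exactly as the ASA printed it."""
    state = {}
    for line in text.splitlines():
        if line.startswith(("RTTAvg", "NumOfRTT")):
            for key, val in RTT_PAIR.findall(line):
                state[key] = int(val)
            continue
        m = KEY_VALUE.match(line)
        if m:
            state[m.group(1)] = m.group(2)
    return state


def probe_healthy(state):
    """True only when the latest echo was answered: return code OK, neither
    the timeout nor the connection-loss flag set, and at least one RTT sample.
    'Operational state of entry: Active' on its own only says the schedule is
    running, which is exactly what misled the poster above."""
    return (
        state.get("Latest operation return code") == "OK"
        and state.get("Timeout occurred", "TRUE").upper() == "FALSE"
        and state.get("Connection loss occurred", "TRUE").upper() == "FALSE"
        and state.get("NumOfRTT", 0) > 0
    )


def diagnose(text):
    """One-line verdict an operator or alerting rule can act on."""
    state = parse_sla_state(text)
    if probe_healthy(state):
        return "healthy: RTT %s ms" % state.get("RTTAvg")
    return "probe failing: return code %s (timeout=%s, connection loss=%s)" % (
        state.get("Latest operation return code"),
        state.get("Timeout occurred"),
        state.get("Connection loss occurred"),
    )


if __name__ == "__main__":
    print(diagnose(SAMPLE_TIMEOUT))
    print(diagnose(SAMPLE_OK))
```

Feed it the text captured from the ASA (for example over an SSH session) on the same schedule as the probe; a verdict of "probe failing" for a tunnel that is supposed to stay up for voice traffic is the condition worth alerting on, since the SA will otherwise quietly expire.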

Change "type echo protocol ipIcmpEcho 192.168.20.1 interface inside" to "type echo protocol ipIcmpEcho 192.168.20.1 interface outside", if your central ASA is in the outside zone, so it should be like the following:

sla monitor 1

type echo protocol ipIcmpEcho 192.168.20.1 interface outside

num-packets 3

frequency 10

sla monitor schedule 1 life forever start-time now

Message was edited by: Riyasat Ali

I tried to change to the outside interface, but it's still not working.

sla monitor 1

type echo protocol ipIcmpEcho 192.168.20.1 interface outside

sla monitor schedule 1 life forever start-time now

But I think it's normal: if I want to keep the tunnel up I need to generate traffic inside it, so from the inside network to the inside network on the central PIX (192.168.20.1).

For IP SLA, traffic does not initiate from inside; it initiates from the firewall, and we specify the interface because we want to go to that destination IP from that interface only.

So does it mean that it is not possible to generate traffic from the ASA itself to keep the VPN always up?

When we configure IP SLA, it means that we want traffic to initiate from the firewall itself to a specific zone like outside, not from any particular zone to zone.

So, yes, it is possible and it should work if IP SLA has been configured in the right way. Check the following:

sla monitor 1

type echo protocol ipIcmpEcho 192.168.20.1 interface outside

num-packets 3

frequency 10

sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

route outside 192.168.20.0 255.255.255.0 x.y.z.a 1 track 1

I was hoping it would work [it's working on a Cisco IOS router].

Do you have any managed switch on the LAN side where you could have IP SLA running?

That would be the solution.

Unfortunately it's a small office and they don't have managed switches.

But I found another solution on the web.

I set up the remote ASA to sync NTP with a server on the central network using the internal interface, and the tunnel stays up.

Thank you to everybody.
