06-18-2008 11:07 AM - edited 02-21-2020 03:46 PM
I have a wireless connection (microwave) that runs very high speed. I am running one ASA 5550 on each end configured for an L2L IPsec tunnel. The problem is I don't own the wireless, I'm just allowed to use it. So, when the owner makes changes or brings the wireless down for even a second, I have to recreate the tunnel. Do any of you masters know how to have the ASA device simply reconnect the tunnel after a service interruption?
06-19-2008 12:13 AM
Have you tried enabling ISAKMP keepalives?
Regards
Farrukh
06-19-2008 04:20 AM
I did not set the keepalive, but I thought ISAKMP keepalive was enabled by default?
Default:
threshold 10 retry 2.
I will have to give it a try late on Friday and let you know how it goes.
06-19-2008 05:52 AM
Yes, it's there by default:
The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.
For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.
Do you have any interesting traffic going over the VPN at all times?
Regards
Farrukh
06-19-2008 05:54 AM
Nothing suspicious or "different" than what you would expect. Mostly web traffic and database connections.
06-19-2008 06:00 AM
No, what I meant was: is there any persistent traffic that could cause the VPN to trigger once it goes down?
How do you go about this now? Manually clear the SAs?
Regards
Farrukh
06-19-2008 06:41 AM
My fault. I reread your message just before I read this one....
Anyway, there isn't really any persistent traffic that requires a connection all the time.
Now we just clear the tunnel configuration and re-apply it. I could be wrong on that one though because I just took on the ASA a few days ago. I just know we have to "recreate" the tunnel every time our provider plays with the wireless connection and causes an interruption.
If you know of any place to read up on this so that it makes more sense to me that would be great. I have tried finding articles myself, but I don't really know what to look for. Thanks for all your help so far.
06-20-2008 11:53 AM
I know a feature in IOS to achieve a similar thing, not so sure about the ASA.
Is it possible for you to post the output of 'show crypto isakmp sa detail' after the VPN is up? I need to check something.
Regards
Farrukh