Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2632
Views
0
Helpful
3
Replies

Aws VPN to ASA (9.8 code) aws side can't bring up tunnel

dmooreami
Level 3
Level 3

‎02-20-2021 11:37 AM

I have ASA running 9.8 code. have an Ipsec tunnel with AWS. Issue is that the server on the aws side can't "bring up the tunnel" with pings. I can bring up the tunnel with a ping stays up for the typical 30mins (no traffic) down tunnel goes. I have zero errors on my side in my logs.  AWS is not blocking outbound ping on their side, once tunnel up ping and traffic from AWS to me function fine. 

 

Naturally if I keep a constant ping going tunnel stays up due to the 30min idle time-out. But doing pings every 15 mins via an SLA monitor isn't a real solution.

 

I need the AWS side to have ability to bring up tunnel since they are "pushing" data to me.

 

What is the AWS vpn side missing? Is it something in their phase 1 crypto-map that defines interesting traffic? Once phase 1 is done, the tunnel is up traffic flows both ways.

 

Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎02-20-2021 12:45 PM

Not sure how your VPN config, look for me you side VPN connection is initiator other side looks like Listener - as per your description, this required clarification.

 

You can place with VPN idle time out for connection up all time.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution13

 

or set up an EEM Script to ping to keep the tunnel up :

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc6

 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

dmooreami
Level 3
Level 3
In response to balaji.bandi

‎02-20-2021 02:17 PM

Had a guy on Reddit networking drop this doc to me. Here is the "how to" on the AWS side.

Couple things jump out

https://docs.aws.amazon.com/vpn/latest/s2svpn/initiate-vpn-tunnels.html

 

  • Startup action: The action to take when establishing the VPN tunnel for a new or modified VPN connection. By default, your customer gateway device initiates the IKE negotiation process to bring the tunnel up. You can specify that AWS must initiate the IKE negotiation process instead.
  •  
  • DPD timeout action: The action to take after dead peer detection (DPD) timeout occurs. By default, the IKE session is stopped, the tunnel goes down, and the routes are removed. You can specify that AWS must restart the IKE session when DPD timeout occurs, or you can specify that AWS must take no action when DPD timeout occurs.

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎02-21-2021 02:23 AM

Sure - is this works? as per your requirement.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents