1851 Views, 0 Helpful, 3 Replies

Aws VPN to ASA (9.8 code) aws side can't bring up tunnel

dmooreami
Level 3

I have an ASA running 9.8 code. I have an IPsec tunnel with AWS. The issue is that the server on the AWS side can't "bring up the tunnel" with pings. I can bring up the tunnel with a ping; it stays up for the typical 30 mins, then with no traffic down the tunnel goes. I have zero errors on my side in my logs. AWS is not blocking outbound ping on their side; once the tunnel is up, ping and traffic from AWS to me function fine.

Naturally, if I keep a constant ping going the tunnel stays up because of the 30 min idle timeout. But doing pings every 15 mins via an SLA monitor isn't a real solution.

I need the AWS side to have the ability to bring up the tunnel since they are "pushing" data to me.

What is the AWS VPN side missing? Is it something in their phase 1 crypto map that defines interesting traffic? Once phase 1 is done, the tunnel is up and traffic flows both ways.

3 Replies

balaji.bandi
Hall of Fame

Not sure how your VPN config looks; to me, your side's VPN connection is the initiator and the other side looks like the listener, as per your description. This requires clarification.

You can play with the VPN idle timeout to keep the connection up all the time.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution13

 

or set up an EEM script to ping, to keep the tunnel up:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc6

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
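The two suggestions in the reply above (disable the idle timeout, or keep the SA busy from EEM) in ASA configuration form, as an added example that is not part of the thread or of the linked Cisco documents. The group-policy name AWS-GP, the applet name KEEP-AWS-UP, the AWS peer address 203.0.113.10 and the AWS-side host 10.10.10.10 are placeholders; the pinged host must fall inside the crypto ACL so the ping counts as interesting traffic.

```cisco
! Added example, not from the thread: ASA-side settings for the two
! suggestions above. Names (AWS-GP, KEEP-AWS-UP), the peer address
! 203.0.113.10 and the AWS-side host 10.10.10.10 are placeholders.

! 1. Disable the 30-minute idle timeout for the AWS tunnel only, by
!    attaching a dedicated group policy to its tunnel-group, so other
!    tunnels keep their default idle timeout.
group-policy AWS-GP internal
group-policy AWS-GP attributes
 vpn-idle-timeout none
!
tunnel-group 203.0.113.10 general-attributes
 default-group-policy AWS-GP

! 2. EEM applet: send one ping across the tunnel every 10 minutes so the
!    SA never sits idle; "output none" discards the ping output.
event manager applet KEEP-AWS-UP
 event timer watchdog time 600
 action 1 cli command "ping inside 10.10.10.10 repeat 1"
 output none
```

Either setting only keeps a tunnel up that the ASA has already brought up; neither lets the AWS side initiate, which is what the original question asks for, so they are workarounds rather than the fix. Verify with `show vpn-sessiondb l2l` that the session's idle timeout shows as none, and with `show event manager` that the applet is firing.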

Had a guy on Reddit networking drop this doc to me. Here is the "how to" on the AWS side.

A couple of things jump out:

https://docs.aws.amazon.com/vpn/latest/s2svpn/initiate-vpn-tunnels.html

  • Startup action: The action to take when establishing the VPN tunnel for a new or modified VPN connection. By default, your customer gateway device initiates the IKE negotiation process to bring the tunnel up. You can specify that AWS must initiate the IKE negotiation process instead.
  • DPD timeout action: The action to take after dead peer detection (DPD) timeout occurs. By default, the IKE session is stopped, the tunnel goes down, and the routes are removed. You can specify that AWS must restart the IKE session when DPD timeout occurs, or you can specify that AWS must take no action when DPD timeout occurs.
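Setting the two tunnel options from the AWS doc above, as an added example that is not part of the thread or of AWS's own tooling. It builds the `--tunnel-options` JSON for `aws ec2 modify-vpn-tunnel-options`, rejecting any value outside the documented sets (`add`/`start` for the startup action, `clear`/`none`/`restart` for the DPD timeout action), and only calls the AWS CLI when `apply_tunnel_options` is invoked explicitly. The VPN connection id and tunnel outside IP in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build and apply AWS Site-to-Site VPN
# tunnel options. The vpn-... id and outside IP used below are placeholders.

# Allowed values, per the AWS tunnel-options documentation linked above.
valid_startup_action() {
  case "$1" in add|start) return 0 ;; *) return 1 ;; esac
}
valid_dpd_action() {
  case "$1" in clear|none|restart) return 0 ;; *) return 1 ;; esac
}

# Print the JSON document for --tunnel-options, or fail on a bad value
# so a typo never reaches the API as a silently-ignored option.
build_tunnel_options() {
  startup="$1"; dpd="$2"
  valid_startup_action "$startup" || { echo "bad StartupAction: $startup" >&2; return 1; }
  valid_dpd_action "$dpd" || { echo "bad DPDTimeoutAction: $dpd" >&2; return 1; }
  printf '{"StartupAction":"%s","DPDTimeoutAction":"%s"}\n' "$startup" "$dpd"
}

# Apply the options to one tunnel (each tunnel is addressed by its outside IP).
# Needs AWS credentials; nothing at top level calls this.
apply_tunnel_options() {
  vpn_id="$1"; outside_ip="$2"; startup="$3"; dpd="$4"
  opts=$(build_tunnel_options "$startup" "$dpd") || return 1
  aws ec2 modify-vpn-tunnel-options \
    --vpn-connection-id "$vpn_id" \
    --vpn-tunnel-outside-ip-address "$outside_ip" \
    --tunnel-options "$opts"
}

# Usage with placeholder values (AWS initiates IKE, and re-dials after DPD):
#   apply_tunnel_options vpn-0123456789abcdef0 203.0.113.10 start restart
```

Run it once per tunnel (each of the two tunnels has its own outside IP). Two caveats from the AWS docs: modifying tunnel options briefly interrupts that tunnel, and AWS-initiated startup applies to IKEv2, so confirm the IKE version configured on the ASA tunnel-group matches. `DPDTimeoutAction=none` leaves a dead tunnel in place rather than tearing it down, so prefer `restart` if the goal is for AWS to keep re-establishing the session.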

balaji.bandi
Hall of Fame

Sure. Does this work as per your requirement?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
