03-21-2011 09:05 AM
We have VPNs from remote locations using Cisco 861 routers back to an ASA, and some to another IOS-based router. I wanted to find out what is the best way to keep the VPNs active. We are using the "ip sla" feature, but is there something better that can be done that will detect an inactive SA, clear it and recreate a new one?
I have worked with Juniper devices too and they have an option to "rekey" and that works pretty well.
03-21-2011 11:52 AM
Hi,
The crypto isakmp keepalive command is not going to keep the tunnel up.
The command is used to monitor the status of the tunnel and allow a site to tear the tunnel down if it does not receive a response from the peer within a defined number of seconds.
This is useful when one site loses Internet and tries to re-establish the tunnel but can't, because the other side "thinks" that the tunnel is still up.
You can think of it like this:
If you do not use crypto isakmp keepalives, then the SAs are not going to be torn down unless the lifetime expires or they are manually cleared.
To avoid waiting for that to happen, just enable keepalives to make sure the tunnel is alive all the time.
Going back to keeping the tunnel up, there's no command (for VPN) to keep a tunnel up as far as I'm aware.
As long as there's traffic going through the tunnel, the tunnel is going to remain up.
One solution I have used is to configure IP SLA to send a single PING packet through the tunnel every, say, 10 minutes.
That single packet keeps the tunnel up because it resets the lifetime of the SA before it expires.
Hope it helps.
Federico.
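The two pieces Federico describes, put together as an added IOS configuration for the remote 861 side (this is an illustration, not configuration posted in the thread). It assumes Vlan1 is the inside interface covered by the crypto ACL and that 192.0.2.1 is a constructed host behind the ASA that answers ICMP.

```cisco
! Dead Peer Detection: send a DPD probe every 10 s regardless of traffic
! ("periodic"); when a probe goes unanswered, retry at 3 s intervals and
! tear the SAs down if the peer stays silent, so a fresh tunnel can be
! negotiated once the Internet link returns.
crypto isakmp keepalive 10 3 periodic
!
! IP SLA probe: one ICMP echo every 600 s (10 minutes). Sourcing it from
! the inside interface (assumed: Vlan1) makes the packet match the crypto
! ACL, so it is encrypted through the tunnel as interesting traffic.
! 192.0.2.1 is a constructed host address behind the ASA.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Vlan1
 frequency 600
ip sla schedule 1 life forever start-time now
!
! Checks: the probe only keeps the tunnel busy if its source/destination
! pair falls inside the crypto map's match ACL, so confirm the encap
! counters rise after each probe.
! show ip sla statistics 1
! show crypto ipsec sa | include pkts encaps
```

The probe interval must be shorter than the IPsec SA lifetime for the approach in the answer to work as intended.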
03-21-2011 10:08 AM
On the ASA you have the following command "isakmp keepalive" inside the tunnel-group, for example:
tunnel-group RA type remote-access
tunnel-group RA ipsec-attributes
isakmp keepalive threshold 10 retry 2
here is a link with details about the command:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/i3.html#wp1881746
03-21-2011 10:22 AM
Thank you. What about on the IOS router, though? On the ASA it is set up as an answer-only tunnel, so all communication is initiated from the remote routers.
03-21-2011 10:24 AM
On the routers you have the command "crypto isakmp keepalive".
It is basically the same thing as the ASA.
03-21-2011 10:26 AM
1- Isn't that command more like DPD, so that the VPN can fail over to the next peer?
2- Also, if it can be used for my scenario, is it best to leave it at the default, which is "on demand", or should it be "periodic" for better results?
03-21-2011 11:20 AM
Check this link, maybe it will help:
03-21-2011 12:50 PM
Ok, so basically if I use isakmp keepalive with the periodic option and the ip sla command I can accomplish this:
1- If the Internet goes down, SAs will be torn down and recreated once the Internet comes back up
2- I can keep the tunnel up by sending a ping
03-21-2011 12:51 PM
Correct.
Federico.
03-21-2011 01:08 PM
Thank you.