cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11211
Views
0
Helpful
9
Replies

Best way to keep VPN alive?

ALIAOF_
Level 6
Level 6

We have VPN's from remote locations using Cisco 861 routers back to an ASA and some to another IOS based router.  Wanted to find out what is the best way to keep the VPN's active.  We are using "ip sla" feature, but is there something better that can be done that will detect an inactive SA, clear it and recreate a new one?

I have worked with Juniper devices too and they have an option to "rekey" and that works pretty well.

1 Accepted Solution

Accepted Solutions

Hi,


The crypto isakmp keepalive command is not going to keep the tunnel up.

The command is used to monitor the status of the tunnel and allow a site to torn the tunnel down if not receiving a response from a peer in a defined amount of seconds.

This is useful when one site loses Internet and tries to restablish the tunnel but can't because the other side ''thinks'' that the tunnel is still up.

You can think of it as this:

If not use crypto isakmp keepalives, then the SAs are not going to be torn down unless the lifetime expires or are manually cleared.

To avoid waiting for that to happen, just enable keepalives to make sure the tunnel is alive all the time.

Going back to keeping the tunnel up, there's no command (for VPN) to keep a tunnel up as far as I'm aware.

As long as there's traffic going through the tunnel, the tunnel is going to remain up.

One solution I have used is to configure IP SLA to send a single PING packet through the tunnel every say 10 minutes.

That single packet keeps the tunnel up because it resets the lifetime of the SA before it expires.

Hope it helps.


Federico.

View solution in original post

9 Replies 9

On the ASA you have the following command "isakmp keepalive" inside the tunnel-group, for example:

tunnel-group RA type remote-access

tunnel-group RA ipsec-attributes

isakmp keepalive threshold 10 retry 2

here is a link with details about the command:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/i3.html#wp1881746

Thank you what about on the IOS router though because on the ASA it is setup as answer only tunnel so all communication is initiated from the remote routers.

on the routers you have the command "crypto isakmp keepalive"

It is basically the same thing as the ASA.

1- Isn't that command for more like DPD so that VPN can fail over to the next peer?

2- Also if it can be used for my scenario is it best to leave it at default which is "on demand" or should it be "periodic" for better results?

check this link, maybe it will help:

https://learningnetwork.cisco.com/thread/4060

Hi,


The crypto isakmp keepalive command is not going to keep the tunnel up.

The command is used to monitor the status of the tunnel and allow a site to torn the tunnel down if not receiving a response from a peer in a defined amount of seconds.

This is useful when one site loses Internet and tries to restablish the tunnel but can't because the other side ''thinks'' that the tunnel is still up.

You can think of it as this:

If not use crypto isakmp keepalives, then the SAs are not going to be torn down unless the lifetime expires or are manually cleared.

To avoid waiting for that to happen, just enable keepalives to make sure the tunnel is alive all the time.

Going back to keeping the tunnel up, there's no command (for VPN) to keep a tunnel up as far as I'm aware.

As long as there's traffic going through the tunnel, the tunnel is going to remain up.

One solution I have used is to configure IP SLA to send a single PING packet through the tunnel every say 10 minutes.

That single packet keeps the tunnel up because it resets the lifetime of the SA before it expires.

Hope it helps.


Federico.

Ok so basically if I use Isakmp keep alive with the periodic option and ip sla command I can accomplise this:

1- If the internet goes down SA's will be torn down and recreated once the internet comes back up

2- I can keep the tunnel up by sending a ping

Correct.


Federico.

Thank you.