Bring up VPN Tunnel without Interesting Traffic? - VPN <-> HQ <-> Remote VPN Office

stownsend
Level 2

I would like to be able to connect from one remote Cisco AnyConnect VPN or 5506 VPN connection to another remote 5506 VPN connection through the main ASA.

HQ 10.10.0.0/16

Remote-A 10.50.1.0/24

Remote-B 10.50.2.0/24

AnyConnect 10.55.1.0/24

If I have devices at both remote sites that ping the other remote site, the tunnel comes up and passes traffic.

If I start a ping from Remote-A to the AnyConnect IP, it initially times out (no tunnel). Then I ping from AnyConnect to Remote-A, the tunnel gets established, I can connect from AnyConnect through HQ to Remote-A, and the first ping now replies. The reverse works too: I ping from AnyConnect to Remote-A and it times out; then I ping from Remote-A to the AnyConnect IP, it starts to pass traffic, and the first ping now replies.

I just want the ability to bring up the tunnel from either side of the remote connection without having to do anything at the other side. 

I want to be able to access Remote-B from Remote-A (and vice versa) without having to have traffic from both sides initiate a tunnel.

Can this be done?

Thanks!


You could try to set the vpn-idle-timeout <value> setting under the group-policy. You can try the none keyword, but I have heard mixed feedback regarding this. Instead I would suggest setting the timeout to the max (35791394 minutes) for the site-to-site VPN tunnel.

Try this out and let us know how it goes.

--

Please remember to select a correct answer and rate helpful posts

I do have the 'vpn-idle-timeout none' set in the DfltGrpPolicy, though I don't think it's being used. The group-policy for the remote offices is:

group-policy RemoteASA5506 internal
group-policy RemoteASA5506 attributes
 vpn-tunnel-protocol ikev1
 ipsec-udp disable

There is no group-policy on the remote side, so maybe that's where the timeout is getting its default and shutting down?


Rahul Govindan
VIP Alumni

If you have the remote sites set as Ezvpn remote or a dynamic peer, this is not possible. The ASA does not know the peer address and cannot initiate to the remote devices.

Now, an alternative is to have the remote sites as static VPN tunnels (if their WAN IP address is static). This way, the ASA can initiate towards them when the AnyConnect client sends traffic to the remote site.

If you have the remote sites set as Ezvpn remote or a dynamic peer, this is not possible.

The AnyConnect clients and the remote sites have dynamic IP addresses. There is constant communication between the remote subnets and the HQ subnet, so the tunnels for those subnets are always up.

HQ 10.10.0.0/16  <--> Remote-A 10.50.1.0/24

HQ 10.10.0.0/16 <--> Remote-B 10.50.2.0/24

It's when I want to talk to Remote-A from Remote-B. The ASA knows how to get there; it's just that the tunnel for Remote-A 10.50.1.0/24 <--> Remote-B 10.50.2.0/24 is not established on the same VPN connection.

In that case, the best option, IMO, is to keep the SAs between the 2 remote sites active at all times. Previously we had to use Smart Call Home to continuously send traffic to an IP in the remote network. Now, you can use EEM to achieve the same. Create an EEM applet on Remote-A to send constant traffic to an address in 10.50.2.0/24. Same on Remote-B. An example to do that is here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc6

Hope this helps.
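As an added illustration of the EEM keepalive approach described in the reply above (not configuration from the thread or from the linked technote): an ASA EEM applet on each remote 5506 that pings a host in the other remote subnet on a timer, so the ASA itself generates the interesting traffic that keeps the Remote-A <-> Remote-B SAs up. The applet names, the 60-second interval, the host addresses 10.50.2.1 / 10.50.1.1 and the interface name "inside" are assumptions; the hub group-policy name RemoteASA5506 is the one posted earlier in the thread.

```cisco
! Added example, not from the thread. Names, addresses and the 60 s
! interval are assumptions; adjust to the real environment.
!
! --- On Remote-A (LAN 10.50.1.0/24): keep traffic flowing to Remote-B ---
event manager applet KEEPALIVE-TO-REMOTE-B
 event timer watchdog time 60
 action 1 cli command "ping inside 10.50.2.1 repeat 1"
 output none
!
! --- On Remote-B (LAN 10.50.2.0/24): keep traffic flowing to Remote-A ---
event manager applet KEEPALIVE-TO-REMOTE-A
 event timer watchdog time 60
 action 1 cli command "ping inside 10.50.1.1 repeat 1"
 output none
!
! Sourcing the ping via the "inside" interface makes it originate from the
! ASA's inside address, which sits in the local LAN subnet and therefore
! matches the crypto ACL for the far-end subnet. The tunnel is brought up
! and refreshed by the ASA alone; no LAN host has to send anything first.
! Keep the timer interval well below the configured idle timeout so the
! SA is never considered idle.
!
! --- On the hub ASA: stop the idle timer from tearing the SA down ---
! (the OP's group-policy has no idle-timeout line, so the DfltGrpPolicy
! value may or may not apply; setting it here removes the ambiguity)
group-policy RemoteASA5506 attributes
 vpn-idle-timeout none
!
! Verification on either remote ASA after a few intervals:
!   show running-config event manager   -> applet is present as configured
!   show crypto ipsec sa                -> #pkts encaps keeps increasing
!                                          for the far-end remote subnet
```

If the first ping after an idle period still times out, that is expected: it is the packet that triggers tunnel negotiation, and subsequent timer runs keep the SA alive.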
