
Can not access ASA via site-to-site VPN when inside-interface is shutdown

Harald Farinato
Level 1

Hi,

We have multiple site-to-site VPN connections. On our main site is a 5525-X (9.8.1) and on our remote sites we use Cisco ASA 5505 and 5506. Normally there are some devices connected to the remote ASAs that are running all the time. But we have some 5505/5506 where only some PCs are connected. If one PC is running, we can ping/ssh/asdm that ASA via the IP address of the inside interface, which is accessible via the VPN tunnel (management-access inside is set!). This IP address is used by our monitoring tool to check if the ASA is reachable and the VPN is up and working.

But when all clients are shut down, the inside interface of the remote ASA will also shut down. Tunnel and SAs are still up, but we cannot reach the ASA on the inside IP any more until a client comes back up.

Is there any chance to get connections to the inside IP working although there are no clients connected to the inside interface, or do I need a connected device on the remote ASA that is running all the time?

Thanks a lot

Lukas

2 Replies

Aditya Ganjoo
Cisco Employee

Hi Lukas,

This should not happen ideally.

Why does the inside interface go down?

What is connected to the inside interface?

Are clients connected through a switch?

Regards,

Aditya

Please rate helpful and mark correct answers

At one site (5505) there are some PCs and printers directly connected to the switch interfaces of the ASA. All of these ports are defined as inside ports on the same VLAN.

On a second site (5506) there is only one PC connected directly to interface 1/2, which is defined as the inside interface with an IP of the remote subnet.

No switches are used on either ASA.

The inside interface goes down when you power off the last active device connected directly to the ASA. I thought this was normal behaviour. When I try to ping from the ASA's inside interface to one of the VPN networks after that, it says "Error: INSIDE interface is shutdown". Tunnel-ID and SAs are still up.