11-22-2012 03:21 AM
We have a site-to-site IPSEC VPN with Cisco ASA5520 at our end and a Fortigate firewall at the other end (maintained by a 3rd party company).
To cut a long story short, we want to be able to keep the VPN connection up at all times (i.e. even when there is no “interesting traffic” passing). Is there any means to do this other than e.g. sending a continuous ping across it?
The Fortigate people tell me they have a feature called “autokey keepalive” which would achieve this if they had a Fortigate at each end of the connection (it ensures a new SA is negotiated even if there is no traffic so that the VPN tunnel stays up).
Is there a Cisco equivalent that we could implement at our end? I’ve not heard of anything similar with Cisco – can anyone confirm? And, if no specific feature, is there any workaround to achieve this with Cisco?
11-22-2012 03:45 AM
Hello,
On IOS or ASA this kind of feature does not exist.
However, you can trick that by configuring IP SLA on an inside device [within the inside subnet].
Cheers,
Olivier
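The IP SLA workaround mentioned above, as an added example that is not part of the original thread. It assumes an IOS router or L3 switch sitting inside the local protected subnet; the probe ID and both addresses are constructed placeholders.

```cisco
! Configure on an IOS device inside the local protected subnet, not on the ASA.
! Assumed placeholders: probe ID 10, remote-side host 10.2.2.10,
! local source address 10.1.1.5.
! Source and destination must both fall inside the networks matched by the
! tunnel's crypto ACL, so that every probe is "interesting traffic".
ip sla 10
 icmp-echo 10.2.2.10 source-ip 10.1.1.5
 ! Timeout is in milliseconds, frequency in seconds.
 timeout 5000
 frequency 30
!
! Start the probe immediately and run it indefinitely.
ip sla schedule 10 life forever start-time now
```

`show ip sla statistics 10` on the probing device confirms whether the probes are being sent and answered.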
11-22-2012 09:49 AM
Hi Olivier, thanks for the info - I'll implement IP SLA as a workaround for this then.