10-08-2015 09:50 AM
Hi Guys,
I have set up keepalive on a site-to-site VPN using
crypto isakmp keepalive 60 5
I have done this at both ends, but the connection keeps dropping after 30 minutes, which is the IPsec timeout.
If I issue "show vpn-sessiondb de l2l" I can see the IPsec tunnel "idle time left" keeps decreasing if there is no traffic across the tunnel.
As soon as I issue a ping, the idle time left before timeout goes back to 30 minutes.
Any ideas?
I have also done debugging and can see the R-U-There and R-U-There-Ack packets going back and forth and being acknowledged, but they are not seen as traffic between the two endpoints to keep the tunnel up.
Many thanks
10-08-2015 03:04 PM
That has to be changed in the group-policy:
group-policy NAME-of-POLICY attributes vpn-idle-timeout none
10-08-2015 09:14 PM
Hi,
Thanks for your reply.
This is a site-to-site VPN, not remote access, so does the above still apply?
Would it be the default GP?
10-08-2015 11:07 PM
Group-policies are applied to all kinds of VPNs, including site-to-site.
You can apply a specific GP to this VPN, or change the default GP. Changing the default GP will also have an effect on all your other VPNs.
10-09-2015 12:43 AM
Hi,
Thanks for this. Isn't keepalive meant to be doing this?
Would the keepalive packets be sent from public to public, or from private to private behind each firewall?
10-09-2015 01:02 AM
> Isn't keepalive meant to be doing this?
It doesn't need to be that way. It can also enable DPD instead of periodic keepalives. That is different depending on platform, version and config mode.
10-09-2015 02:02 AM
Sure, what I am asking is: isn't keepalive meant to keep the connection up?
On the ASA you don't have DPD, you have periodic keepalive, and my understanding is that it is used to keep the connection up, but it doesn't, so what is its use?
I can't see what it provides apart from detecting that the peer is dead and killing the connection.
You are a legend, by the way, as that fixed it, but I still don't understand the role of keepalive.
10-09-2015 02:02 AM
The ASA can do DPD. But it all depends on many factors. Regardless of keepalives, DPD and so on, the ASA uses a default idle-timeout of 30 minutes, and that is what needs to be switched off.
10-09-2015 02:36 AM
Do you know the command for DPD on the ASA?
I get the idea that the VPN session timeout is the one that is used, but then what is keepalive used for? Is it not meant to do the same thing, i.e. send packets and ensure both sides receive them?
This is the output from debugging, which shows R-U-There is received and the ACK sent back, but still...
Also, when receiving and sending, it looks as if the group and IP stay the same (I have changed the IP so as not to disclose any public IPs).
Oct 09 2015 10:33:38: %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Oct 09 2015 10:33:38: %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Oct 09 2015 10:33:38: %ASA-7-715075: Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE (seq number 0x44f7d33e)
Oct 09 2015 10:33:38: %ASA-7-715036: Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x44f7d33e)
Oct 09 2015 10:33:38: %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Oct 09 2015 10:33:38: %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Oct 09 2015 10:33:38: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=42d738f5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
10-09-2015 02:36 AM
DPD is typically controlled in the ipsec-attributes section of the tunnel-group. Keepalives were used to keep the session up a long time ago, when they were not implemented as DPD. Nowadays it's more of a traffic-management feature that tells a peer it's not worth still sending traffic or keeping the session up if the other peer is not responding.
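Putting the two replies above together, here is an added example ASA configuration that is not from the original posts: a dedicated group-policy with the idle timeout disabled, attached only to this L2L tunnel-group so DfltGrpPolicy and the other VPNs are untouched, plus DPD under the tunnel-group's ipsec-attributes. The group-policy name GP-L2L-PEER, the DPD timer values 10/2, and the use of 1.1.1.1 as the peer address (the placeholder from the debug output) are assumptions; the pre-shared key is a placeholder.

```cisco
! Assumed names/values: GP-L2L-PEER, peer 1.1.1.1, DPD threshold 10 s / retry 2 s.
! Dedicated group-policy for this site-to-site tunnel.
group-policy GP-L2L-PEER internal
group-policy GP-L2L-PEER attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
!
! Attach the group-policy to the L2L tunnel-group instead of editing DfltGrpPolicy,
! so the "none" idle timeout applies only to this peer.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GP-L2L-PEER
!
! DPD lives in the ipsec-attributes of the tunnel-group (R-U-THERE every 10 s
! once the SA is idle, retried every 2 s). This only detects a dead peer; it
! does not reset the idle timer, which is why vpn-idle-timeout is disabled above.
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! Verification: the idle-timeout column should no longer count down.
! show vpn-sessiondb detail l2l
! show running-config group-policy GP-L2L-PEER
```

On ASA versions that still use the pre-8.4 syntax, the pre-shared-key line is `pre-shared-key` without the `ikev1` keyword; the `isakmp keepalive` and `vpn-idle-timeout none` lines are the same.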
10-13-2015 08:02 AM
Sure, so we are saying that keepalive is not subject to the crypto policy and does not count as traffic being sent between the two peers?
Is it purely there to find out if the remote host is dead, rather than to keep sending traffic to keep the connection up?
Sorry if I am going too deep, but I don't understand why it is called keepalive and people say it is there to keep the connection up, yet it does nothing to keep the connection up.