Clearing Connections Upon a VPN Drop

Mike Wagner · ‎09-25-2020

So, we have a site to site VPN to serve VOIP to a remote location. The remote location has an ASA 5506-X and our main location has a Palo Alto firewall. It's a simple IPSec IKE VPN. We had the need to route multicast traffic across it, so we setup a GRE tunnel between voice routers both at the main location and remote location.

Whenever we do maintenance, or the ISP has issues and the VPN drops, once it re-establishes the GRE tunnel doesn't resume passing traffic. It shows as "up" on both voice routers. When I run a "clear connections" on the remote ASA, the tunnel starts passing traffic. I'm thinking the GRE tunnel is hanging out in the ASA as a stale connection. What would be the best way to resolve this?

Thanks!

-Mike

balaji.bandi · ‎09-25-2020

Not sure how is your ASA config, what version running, do you have any SIP inspect enabled ?

is the below command help to reset ? - test and advise.

timeout floating-conn 0:01:00
or 
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Mike Wagner · ‎09-25-2020

Hi Balaji,

We're running ASA code 8.2.5. SIP inspection is enabled, but we have NAT-Exempt setup for traffic going over the VPN.

Now that I'm reading up on the timeout floating-conn, it looks like that might do the trick! I've added the command and will test this weekend. Thank you!!!