02-25-2022 02:16 AM
Hi All,
Do we have any way to bring up a site-to-site VPN tunnel on ASA from the responder end if it goes down in between? It should not require initiator involvement.
Please share if anyone has a solution if
02-25-2022 02:20 AM
Is the remote peer defined as initiator only? Or both initiator and responder?
If both, you could clear the IKE and IPSec SAs on your end, hopefully the peer device will have DPD and will clear the dead SAs on their end. You'd have to then generate interesting traffic in order to bring up the tunnel.
02-25-2022 04:01 AM
Thanks for the revert!!
Is the remote peer defined as initiator only? It's hard-coded as initiator only.
If it were both initiator and responder, then we could initiate a ping and generate interesting traffic as well.
I wanted to find a way in which the other side would not be involved.
02-25-2022 04:10 AM
@sachmalv if the remote peer is hard-coded as the initiator, then the remote peer has to be the one to initiate the tunnel establishment; they need to generate the interesting traffic. I don't know of a way you can force it yourselves.
02-27-2022 08:07 PM
@Rob Ingram Thank you for the revert!! Further exploring, let's see..
02-25-2022 05:26 AM
Can you elaborate more on the issue? I don't get why you need to make the VPN tunnel always UP.
02-27-2022 08:05 PM
Hey MHM,
Thanks for the revert!!
Let me give you a brief. This query is not about making the VPN tunnel always be up.
Say we have two sites, A and B, running with a VPN tunnel on ASA. Site A is hard-coded as initiator and B as responder. One day, as part of maintenance, site B needs to reboot the ASA at site B. Then the VPN tunnel would go down between A and B and can't come up until someone from site A initiates traffic on the VPN.
Then the culprit for this outage would be the site B network guy.
Hence I am just searching for a way so the responder site can generate any kind of traffic to bring this VPN up.
02-27-2022 09:12 PM
Hello,
The IKE Responder-Only Mode feature provides support for controlling the initiation of Internet Key Exchange (IKE) negotiation and rekeying. When a device is configured as a responder-only device, it will not initiate IKE main, aggressive, or quick modes (for IKE and IP security [IPsec] security association [SA] establishment) nor will it rekey IKE and IPsec SAs. The device will respond to any negotiations initiated by its peers.
Make some kind of auto script or use an automatic tool such as PRTG to generate ICMP packets from the initiator side only.
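As an added illustration (not part of this thread and not anyone's actual configuration), this is the ASA crypto-map setting that makes a peer "hard-coded" as initiator or responder, together with the SA-clearing commands suggested in the second reply. Map names, ACL names, transform-set name and peer addresses are constructed placeholders.

```text
! --- Site B ASA (responder), constructed example ---
! answer-only is the "hard-coded responder": this ASA never initiates IKE
! negotiation, so after a reboot the tunnel stays down until site A sends
! interesting traffic that matches the crypto ACL.
crypto map OUTSIDE_MAP 10 match address SITEB_TO_SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside
!
! --- Site A ASA (initiator), constructed example ---
crypto map OUTSIDE_MAP 10 match address SITEA_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
!
! Site B can only bring the tunnel up itself if BOTH peers allow it, i.e.
! each admin sets their own side back to the ASA default:
crypto map OUTSIDE_MAP 10 set connection-type bidirectional
!
! With the peer still originate-only, the most site B can do after a
! rebuild is drop any stale SAs (the peer's DPD clears its half) and then
! wait for site A's traffic to renegotiate:
clear crypto ikev1 sa 203.0.113.1
clear crypto ipsec sa peer 203.0.113.1
! Verify whether the tunnel came back:
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.1
```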