cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
274
Views
0
Helpful
1
Replies

How to install keepalives on a site-to-site VPN?

Hello.

My vendor complains that, because he doesnt send traffic before the (24 hour) tunnel timeout expires, the tunnel keeps closing, and when his software tries to then send a query over the tunnel, it fails.

Security dictates that we cannot keep the tunnel perpetually open.

Thus, needed is a keepalive config-- I expect it is some SLA config that pings the remote interface perpetually. Will the remote vendor device also need configuration? Will BGP need to be involved?

Can you please tell me the logical solution here, and please send some kind of config reference link?

Thank you!

1 Accepted Solution

Accepted Solutions

@jmaxwellUSAF if you do not wish to keep the tunnel perpetually open then surely you do not want to use IP SLA, this is generally used explictly to send traffic in order to keep the VPN tunnel up. Any traffic generating traffic over the VPN would be enough to keep the tunnel from expiring due to inactivity. You can use an EEM script to send traffic every X minute if you do want to always keep the tunnel up. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

If there is a problem after 24 hours then that usually indicates a misconfiguration between the peers, potentially lifetimes. You can  ensure both peers are configured to use DPD keepalives, this will remove any stale SAs. https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324

 

View solution in original post

1 Reply 1

@jmaxwellUSAF if you do not wish to keep the tunnel perpetually open then surely you do not want to use IP SLA, this is generally used explictly to send traffic in order to keep the VPN tunnel up. Any traffic generating traffic over the VPN would be enough to keep the tunnel from expiring due to inactivity. You can use an EEM script to send traffic every X minute if you do want to always keep the tunnel up. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

If there is a problem after 24 hours then that usually indicates a misconfiguration between the peers, potentially lifetimes. You can  ensure both peers are configured to use DPD keepalives, this will remove any stale SAs. https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: