How to keep Site-to-Site VPN tunnel UP always

BSCMITTAA1
Level 1

Hi All,

I have a Cisco router (3845) and I have configured multiple Site-to-Site tunnels for vendors/partners.

Now, I want to monitor the tunnels for the vendors. As I know, the timeout setting is 24 hr / 86400 sec to keep the tunnel UP. But if there is no interesting traffic for more than 24 hr then it will bring down the tunnel and will generate a false alert (because there is no interesting traffic, however there is no issue from the other side). I want to monitor the tunnels in such a way that it should only generate an alert when there is an issue or it is unreachable due to some issue (ISP or hardware).

I have gone through multiple articles and got suggestions about IP SLA or NTP communication through the tunnel to keep the tunnels UP.

For IP SLA with ICMP-ECHO, I may get some resistance from some vendors, because for this they need to allow ping on their firewall, which may not be allowed due to security policy.

For NTP traffic, I am not sure if the vendor will be ready to use our NTP server to synchronize the router time.

Kindly suggest on this.

 

8 Replies

Hi @BSCMITTAA1

On the ASA you can add "vpn-idle-timeout none" under the 'group-policy'. Not sure if this is available on your router.

-If I helped you somehow, please, rate it as useful.-

 

 

Very useful Flavio, thank you.

 

My case is site to site.

 

(config-group-policy)# vpn-idle-timeout ?

group-policy mode commands/options:
  <1-35791394>    Number of minutes
  alert-interval  Specify timeout alert interval in minutes
  none            Site-to-Site (IKEv1, IKEv2) and IKEv1 remote-access: Disable
                  timeout and allow an unlimited idle period; AnyConnect (SSL,
                  IPSec/IKEv2): Use value of default-idle-timeout

Marvin Rhoads
Hall of Fame

If you are doing a ping with IP SLA and/or EEM you can make the traffic go via the VPN.

Thus the 3rd party firewall only sees more IPsec encrypted traffic and does not need to allow ICMP echo-requests from outside.

Only the remote device you are pinging needs to send an echo-reply.

Thanks for your suggestion.

What changes will be required from my side and the vendor side?

Can you please share some configuration examples?

Please see the following example:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc6

 

The vendor side requires no changes - you only need an address in their internal network that will respond to your pings. If they don't have any such host you could even use TCP ping (which is available on the ASA) and have EEM connect via whatever port is open to introduce interesting traffic that will keep the VPN tunnel up.
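The linked document covers the ASA; the original poster has an IOS router (3845). The following is an added example of the same approach on IOS, written for this thread and not taken from the Cisco document or from any reply: an IP SLA probe sourced from the inside interface keeps the SA alive, and a track object drives EEM so that a syslog alert is raised only when the far-end host actually becomes unreachable, not when the SA merely idles out. The interface name, the addresses 192.0.2.0/24 (local network), 198.51.100.10 (vendor host) and the applet names are assumptions chosen for illustration.

```cisco
! Added IOS example (not from the thread). Assumptions: GigabitEthernet0/1 is the
! inside interface with an address in 192.0.2.0/24, and both that address and the
! vendor host 198.51.100.10 fall inside the crypto ACL for this peer. If the source
! or destination is outside the encryption domain the probe is not "interesting"
! traffic and will be sent in the clear or dropped instead of riding the tunnel.
ip sla 10
 icmp-echo 198.51.100.10 source-interface GigabitEthernet0/1
 frequency 300
 timeout 2000
 threshold 1000
ip sla schedule 10 life forever start-time now
!
! Reachability state of the probe. The down delay absorbs a single lost probe
! during rekey so one missed echo does not page anybody.
! (On older 12.4 images the keyword is "rtr 10" instead of "ip sla 10".)
track 10 ip sla 10 reachability
 delay down 60 up 10
!
! Alert only on a real state change, never on idle timeout.
event manager applet VENDOR1-TUNNEL-DOWN
 event track 10 state down
 action 1.0 syslog priority critical msg "Vendor1 VPN: far-end host 198.51.100.10 unreachable"
!
event manager applet VENDOR1-TUNNEL-UP
 event track 10 state up
 action 1.0 syslog priority notifications msg "Vendor1 VPN: far-end host 198.51.100.10 reachable again"
```

Check the probe with `show ip sla statistics 10` and the resulting state with `show track 10`; the vendor's firewall sees only ESP from your peer address, so nothing needs to be opened on their side beyond a host that answers the echo inside the tunnel.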

Hi Marvin,

 

Is there any way to find out what the default "vpn-idle-timeout" is by using a CLI command? I didn't configure any timeout under the group-policy.

 

Also, I like the EEM approach and was wondering why one would use EEM over vpn-idle-timeout. Any thoughts?

 

Thanks in advance, ~zK

show running-config all group-policy DfltGrpPolicy | i vpn-idle-timeout
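As an added example for the ASA side (not configuration posted in this thread), this shows where Flavio's `vpn-idle-timeout none` sits in relation to a site-to-site tunnel-group, since the default group-policy is only used when no other policy is bound. The peer address 203.0.113.5, the policy name GP-VENDOR1 and the key placeholder are assumptions; ASA 8.4 or later syntax is assumed.

```cisco
! Added ASA example (not from the thread). Assumed names and addresses only.
group-policy GP-VENDOR1 internal
group-policy GP-VENDOR1 attributes
 vpn-tunnel-protocol ikev1 ikev2
 vpn-idle-timeout none
!
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy GP-VENDOR1
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key <VENDOR1-PSK-PLACEHOLDER>
!
! Defaults are hidden from a plain "show running-config"; confirm the effective
! value with the "all" keyword, as Marvin's command does for DfltGrpPolicy:
! show running-config all group-policy GP-VENDOR1 | include vpn-idle-timeout
```

Note that this setting only stops the local ASA from tearing the SA down for inactivity; the remote peer's own idle or lifetime settings can still clear it, and an idle tunnel gives your monitoring nothing to observe. That is why the EEM or IP SLA keepalive approach is usually combined with it when the goal is alerting on real loss of reachability.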

Michael Braun
Level 1

Hi all,

I know this is an old post, but get this:

###### = comment

## in config mode ##

event manager applet PingHost                                  ###> PingHost is the applet name
 event timer watchdog time 300                                 ###> I set it to repeat every 5 min
 action 1 cli command "ping inside 10.4.121.112 repeat 2"      ###> ping my host on the other side of the VPN
 action 2 cli command "ping inside 10.4.121.121 repeat 2"      ###> ping my second host on the other side of the VPN
 output none                                                   ###> you could add a syslog entry, in my case nothing

## add more if you want - of course change the IP to the host you try to reach ##

## you need the " at the end ##

## This will send a periodic ping with source from the inside interface to a destination of your choice - thus bringing up the tunnel ##