IPSec KeepAlive Between Peers

netbeginner · ‎12-03-2020

Hi All,

We have multiple IPSec tunnels configured on Cisco FTD FW. We'll monitor all those tunnels on our monitoring system.

We want to make provision that Tunnels should only goes down whenever there is some reachability issue on either of the internet links i.e. Tunnel should UP even in case there is no traffic...probably this require some Keepalive mechanism and configuration. Just to support and make monitoring more accurate.

Point to remember here that only Remote end configuration and support are not controlled from our end. We have to plan supporting new configuration(If any) at Cisco FTD end only.

regards

balaji.bandi · ‎12-04-2020

Once you build the VPN Phase 1 will be always up and running between devices. only you do not see phase 2 since there is no interesting traffic not processing.

its not a good practice to keep VPN open all time when there is no intresting traffic. available.

But you can do other option you can setup a monitoring system like NMS in the intresting traffic allow ping to SNMP to monitor other side network to meet your requirement.

if you looking to keepalive this explains a bit of it.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_site_to_site_vpns.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ngkin2010 · ‎12-04-2020

May I add one more option here:

Alternatively, he may consider to set the idle-timeout from default 30-minutes to none.

It's easy to do on ASA, but may require "FlexConfig" on FTD.

https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/migration-tool/migration-guide/s2s_ikev1_psk.pdf