Keep Site to Site VPN link up indefinitely.

sean.a.murphy · ‎07-25-2012

I have a Site to Site VPN link up between two ASA (8.4) boxes, one of which is on a static IP (on campus) and the other a dynamic IP (remote). The link is up and functional and works flawlessly as I need it to, however, on the dynamic end, there is only one device behind the remote ASA, a point of sale terminal.

The POS terminal / server works like this. The terminal has a static IP on the private network behind the remote ASA, and our financial server knows this IP, and connects out from our campus to the remote terminal. The terminal itself never calls home. Because of how this works, if the VPN link goes down, the terminal never tries to reconnect back home, which would force the remote ASA to rebuild the link, and if the link is down, because the remote end is dynamically addressed, our campus ASA doesn't know to bring the link back up.

Is there a way to ensure, or at least attempt, to keep this VPN link up indefinitately? With keepalives or timeout settings or whatnot? I want the link to never, ever, ever get torn down, unless something catastrophic has happened.

Jennifer Halim · ‎07-25-2012

well, if your remote end outside interface changes its ip address due to DHCP renew, the VPN will definitely drop off because there is no way to keep the VPN up with the old address when the new address is already assigned to the outside interface on the dynamic end.

The old ip address might be assigned to another customer by the ISP, hence there is no way to keep the VPN up with the old address when the ip address changes.