Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
678
Views
0
Helpful
3
Replies

Keep VPN connection UP

lmel
Level 1
Level 1

‎06-03-2021 06:20 AM

Hello

I have a site-to-site VPN running between 2 cisco ASA. Everytime the connection drops, i have to restart the FIREWALLs to bring up the tunnel again.
Is there way to maintain the connection even if drops (ex: failed WAN connection).

Plus, i cannot understand the difrence between LIFETE and CRYPTO ISAKAMP KEEPALIVE.

Thanks

Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎06-03-2021 02:43 PM 

Is there way to maintain the connection even if drops (ex: failed WAN connection).

if the WAN connection drop VPN go down, but when it comes back depends on the timer configured it should reconnect.

 

ti suggest best we need more information what is this device? what is other end devices? your configuration.

 

if you want to keep up all the time if there is no active session connection then you need to tune the config.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

lmel
Level 1
Level 1
In response to balaji.bandi

‎06-03-2021 03:41 PM

Hey

We have one ASA in each site establishing the TUNNEL

 

VPN Config:

 

SITE A

access-list outside_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (Inside) 0 access-list inside_nat0_outbound


crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer IP_SitteB
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside


crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group ip_SiteB type ipsec-l2l
tunnel-group ip-SiteB ipsec-attributes
pre-shared-key **********
exit


SITE B

access-list outside_20_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound


crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer ip_SiteA
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside


crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group ip_SiteB type ipsec-l2l
tunnel-group ip_SiteB ipsec-attributes
pre-shared-key ***********
exit

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to lmel

‎06-04-2021 12:42 AM

as per the config looks good.

 

coming back to your statement  :

 

 i have to restart the FIREWALLs to bring up the tunnel again.

why do you need to reload FW, what is the outcome reset the tunnel?  also, you need to understand what causes the FW to terminate the Tunnel also check what kind of Traffic this FW handling also important here.  ( your Logs can give you more information when the next time Tunnel drops check the logs and offload the logs for understanding).

 

Not sure what causing the VPN Drop out, is this because of no traffic or due to idle?

 

Also, keep up the tunnel always read the below: set up an idle timeout.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html#anc6

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents