Setup automated/scheduled ping in ASA or ASDM?

captainbluff
Level 1

We have an ASA5520 with multiple site-to-site VPNs. There is one particular tunnel that the customer can't seem to initiate consistently. The other tunnels work fine. They are using a low-end DSL Cisco router, an 881W. So we end up initiating the tunnels for them by sending ping packets. Is there a way to automate or schedule a ping in ASA or ASDM?

Thanks

5 Replies

Marvin Rhoads
Hall of Fame

The ASA itself generally cannot introduce interesting traffic from itself for a VPN it terminates.

I've done this in the past with an AT job (Windows) running a TCP ping every minute to the remote site in order to keep presenting interesting traffic to the firewall so that the VPN tunnel stays up.

If you have a downstream router (or layer 3 switch) you can also do this with an ip sla job. For example:

ip sla 1
 icmp-echo [remote IP here]
 timeout 3000
 frequency 5
ip sla schedule 1 life forever start-time now

Thanks Marvin, but it looks like it is also possible to do it in the ASA:

! ip sla monitor
sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x interface inside_nat
 num-packets 5
 frequency 60
! timer for monitor
sla monitor schedule 1 life forever start-time now

True, you can do ip sla on the ASA. That I knew.

However, even though you can specify the source interface as you noted above, have you verified that actually works through the site-site VPN?

I thought the site-site VPN traffic was only considered "interesting" if it arrived at the ASA inside interface and hit the incoming access-list that is referenced by the crypto map (which then puts it into IPsec encapsulation and sends it on to the peer). If it's generated from the ASA itself, it never hits that access-list - or does it?

The site-to-site VPN tunnel comes up when I ping it from the ASA or ASDM. Waiting for approval to implement IP SLA in the ASA, will keep you posted.

Hello,

Did you ever determine a solution for this?

I can bring the tunnel up when pinging from the inside interface, but when I set up the SLA, it does not bring up the tunnel.