Re: SITE-2-SITE VPN

Jean Paul Enerst · ‎03-11-2020

Hi Gents,

I have been struggling with that one for a while now... I have a site-2-site VPN with our Parent company where they have to initiate the tunnel in order to send traffic. for some subnets everything works fine, we can initiate the traffic; however, there is a specific server, even-thought the tunnel is up, sometimes we have issues to communicate with that server. They also claim they have to initiate the traffic from that server as well.

My concern is when that server is down, even though we report it to them, it will take them weeks before they finally bring it back up...

I was wondering, is there any way in my side that i can force that server to stay up- communication to that server? I have been trying to send a ping request to that server. Obviously it does no work!

thanks,

Rob Ingram · ‎03-11-2020

Hi,
A couple of options: -
- Run a Route Based VPN (using a VTI) instead of a Policy Based VPN, a VTI is always up, so you do not need to generate traffic.
- From your network management solution (assuming you have one) monitor a device over the VPN tunnel, this will generate interesting traffic to keep the tunnel up.
- Run IP SLA monitor from the local LAN to the remote device, this will continue to generate interesting traffic to keep the tunnel up.

HTH

Jean Paul Enerst · ‎03-11-2020

Hi RJI,

Thanks for the prompt reply, really appreciated the help.

However, i don't VTI will work for me. The ASA is currently running 9.6.4 code and show interface does not display tunnel:

(config)# int ?

configure mode commands/options:
GigabitEthernet GigabitEthernet IEEE 802.3z
Management Management interface
Port-channel Ethernet Channel of interfaces
Redundant Redundant Interface
vni VNI Interface
<cr>

Also i have full access to one site of the tunnel, and i am not sure the guys in the order site will be willing to change their side of the configuration much... I have promised to put a keepalive in place, but it has been more than 3 months!

Thanks,

Rob Ingram · ‎03-11-2020

VTI was only introduced on ASA in version 9.7.x. So assuming there is not an underlying issue with the tunnels and the tunnels are only down because lack of interesting traffic keeping the tunnel alive, you need something to just constantly send traffic over the tunnel - use one of the suggestions previously mentioned should work.

HTH

Jean Paul Enerst · ‎03-11-2020

RJI,

Sorry if i did not mention that... the tunnel itself is up and running. And other subnets can send traffic under the tunnel. It's only that specific server or the subnets that server resides on...

They know about it, they do have a ticket in the house to change the keepalive, assuming it's just a keepalive thing.

Yeah, i just found that VTI was introduce in 9.7.1. I can upgrade my side of the tunnel any time with a maintenance window of course, but i can't guarantee or force them to do the same.

Thanks,

Rob Ingram · ‎03-11-2020

If that server resides on a separate subnet, depending on your configuration it could have a unique IPSec SA compared to the other subnets. So that SA might timeout if no interesting traffic sent, but the other SAs might not necessarily timeout.

chrisjoyce1980 · ‎03-11-2020

What services does the server run?

Websites, SQL, File, etc...

It might be possible to run a scheduled job to poll that service to ensure that the service is up.

It would be nice to get to the root cause of the issue with that service being down. Do you have any logs that could help?

Cristian Matei · ‎03-11-2020

Hi,

Ib by "down" you mean the server is shutdown, there is nothing you can do about it. Or what exactly do you mean by the server being "down"?

Regards,

Cristian Matei.