site to site tunnel going down

ronshuster
Level 1

We have dynamic vpns from our head office (ASA5510) to a number of ASA5505's and PIX's at the remote sites, which works fine.

Recently we've introduced another VLAN at the head office and need this VLAN to access the remote sites. After adding the necessary config on both firewalls (i.e. nonat, etc.) we are able to send traffic across the tunnel from this newly defined VLAN. However, this only works when we initiate traffic from the remote site...

I have added: isakmp keepalive 60 5 (from config mode) and we want to try this as well:

securityappliance(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10

What else is required to allow traffic to be initiated from both end points to get traffic across?


Hi,

What kind of dynamic VPN configuration do you have?

For example if you have Site-to-Site tunnels configured as Server-to-Client (where the server is the 5510 and the client the 5505s)... then the tunnel can be initiated only from the client side.

If you have an EzVPN setup, the tunnel can be initiated from the client side only as well.

This is because the client (almost always) has a dynamic IP and the server cannot initiate the tunnel towards the client (only respond when it's up already).

Federico.

Hi Federico, and thank you for the quick reply,

We have the following setup, but the only difference is that we do not have routers on the end points but rather PIX/ASAs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Here are the details:

1.1.1.1 --> spoke firewall --> Internet <-- hub firewall <-- 2.2.2.2 & 3.3.3.3

We need both 2.2.2.2 & 3.3.3.3 to access 1.1.1.1 at all times; however, the only way to do that is IF 1.1.1.1 initiates traffic to the respective VLANs on the hub site, otherwise the hub segments cannot see the spoke segment.

I recall that one of the limitations of this DVPN setup is that in order to get traffic across it must be initiated by the SPOKE, is that correct?

I have added isakmp keepalives but that did not do anything.

Any idea?

The link that you're referring to says:

This document provides a sample configuration for how to enable the PIX/ASA Security Appliance to accept dynamic IPsec connections from the IOS® router.

It is because the IOS is configured with a static crypto map (client) and the ASA with a dynamic crypto map (server).

The ASA will only accept VPN connections from the IOS routers (or in your case from PIX/ASAs)

This scenario will work, but the tunnel must always be initiated from the client side.

Federico.

I am surprised there is no way to introduce a keepalive or something that would keep the tunnel up and running regardless of whether traffic is initiated from the remote end or not... is there a workaround? I guess you can always send continuous pings from the remote end to a device behind in the HUB location; that should do the trick.

Is this documented somewhere?

If you don't mind, can you send me the link that shows that remote sites in a DVPN must initiate traffic in order to get the tunnel up.

thank you again!

As long as the tunnel is up, you can initiate traffic from the central site to the remote sites.
The limitation is that the actual tunnel should be initiated initially from the remote site (once it is up, traffic can be initiated in either direction).

My understanding is the following:
The remote site can initiate connections to the central site (it knows the end-point), but the central site cannot initiate connections to the remote site (it does not know the end-point).

Regarding the link explaining this, I will try to find something for you.

Federico.

Ron,

You can check this link:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ike.html

Dynamic crypto maps work only to negotiate SAs with remote peers that initiate the connection. The
adaptive security appliance cannot use dynamic crypto maps to initiate connections to a remote peer.
With a dynamic crypto map, if outbound traffic matches a permit entry in an access list and the
corresponding SA does not yet exist, the adaptive security appliance drops the traffic.

Federico.
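Putting the thread's conclusion into configuration, as an added example that is not part of the original thread or any poster's config: the hub carries only a dynamic crypto map (no "set peer", so it can only respond), the spoke carries a static crypto map pointed at the hub (so it can initiate), both sides run the DPD keepalives discussed above, and the spoke keeps the SA populated with an ASA-generated ICMP echo through the tunnel, which automates the "continuous pings from the remote end" suggested earlier. Assumptions: ASA 8.x CLI with pre-8.3 NAT syntax, /24 subnets around the hosts named in the thread (1.1.1.0/24 at the spoke, 2.2.2.0/24 and 3.3.3.0/24 at the hub), the placeholders <hub-public-ip> and <shared-key>, and the object names HUB-TO-SPOKE, SPOKE-TO-HUB, DYN-SPOKES, OUTSIDE-MAP and ESP-AES-SHA, all chosen for this example.

```cisco
! ---- Hub ASA5510: responder only (dynamic crypto map) ----
! Pre-8.3 NAT syntax and hub subnets 2.2.2.0/24, 3.3.3.0/24 are assumptions of this example.
access-list HUB-TO-SPOKE extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list HUB-TO-SPOKE extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
nat (inside) 0 access-list HUB-TO-SPOKE
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! No "set peer" and no "match address": the hub does not know the spokes' public
! addresses, so per the guide quoted above it can only accept, never initiate.
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
! Dynamic L2L peers that authenticate with a pre-shared key fall into DefaultL2LGroup.
! "isakmp keepalive" here is DPD: it detects a dead peer and clears stale SAs,
! it does not make the hub bring a tunnel up.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <shared-key>
 isakmp keepalive threshold 15 retry 10

! ---- Spoke ASA5505: initiator (static crypto map) ----
! Spoke subnet 1.1.1.0/24 and the hub's public address are assumptions of this example.
access-list SPOKE-TO-HUB extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list SPOKE-TO-HUB extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
nat (inside) 0 access-list SPOKE-TO-HUB
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Static entry: "set peer" is what lets this side initiate.
crypto map OUTSIDE-MAP 10 match address SPOKE-TO-HUB
crypto map OUTSIDE-MAP 10 set peer <hub-public-ip>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group <hub-public-ip> type ipsec-l2l
tunnel-group <hub-public-ip> ipsec-attributes
 pre-shared-key <shared-key>
 isakmp keepalive threshold 15 retry 10
! Keep the SA up from the spoke: the ASA itself pings a hub host every 30 s, sourced
! from the inside interface so the packet matches SPOKE-TO-HUB and is sent through the tunnel.
! (Automated form of the "continuous pings from the remote end" suggested in the thread.)
sla monitor 1
 type echo protocol ipIcmpEcho 2.2.2.2 interface inside
 frequency 30
sla monitor schedule 1 life forever start-time now

! ---- Verification (run on either side) ----
! Phase 1 should show the peer in state MM_ACTIVE.
show crypto isakmp sa
! Phase 2 counters (#pkts encaps / #pkts decaps) should keep rising while the SLA echo runs.
show crypto ipsec sa peer <hub-public-ip>
```

Two caveats worth keeping in mind with this layout. First, pinging from the hub side does not help: with no SA in place, outbound traffic that matches only a dynamic crypto map is dropped, exactly as the guide quoted above states, so the keepalive traffic has to originate at the spoke. Second, if a particular spoke actually has a fixed public address, the hub can be given an ordinary static crypto map entry ("match address" plus "set peer") for that spoke in addition to the dynamic catch-all, and then either side can initiate that tunnel.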