
Site-To_Site_VPN

Stephen Sisson
Level 1

Hello everyone

My question: is there a way to keep our site-to-site VPN connection up 24/7? We make a VPN connection with one of our customers who has problems bringing the VPN online, and this would help everyone if we can keep the tunnel up 24/7.

We currently use a Cisco 5505 ASA for this tunnel running IOS 8.4.5; the customer has Juniper firewalls.

Thank you

1 Accepted Solution


Marvin Rhoads
Hall of Fame

Depending on the settings, most IPsec VPNs will allow the security associations to expire after a period without any "interesting traffic". For instance, the default for an ASA IPsec VPN is 24 hours (Phase 1 ISAKMP SAs) and 1 hour (Phase 2 IPsec SAs).

I have found in the past that one easy way to avoid ever allowing the VPN to expire is to run a small background program on a utility server. In a previous job where we had ASAs talking to Juniper Netscreens over a problematic VPN, we ran a script that sent a "tcp ping" (using the tcping Linux utility) every couple of seconds to an address across the VPN. That sufficed to keep the Phase 1 SA and at least one Phase 2 SA always active.
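A sketch of the kind of background keepalive probe the answer above describes, added here as an example; it is not the script from the thread, and it uses a plain Python TCP connect in place of the tcping utility. The target `192.0.2.10:443`, the function names and the result labels are assumptions; the target must be a host whose traffic is routed over the tunnel.

```python
import socket
import time


def tcp_probe(host, port, timeout=2.0):
    """One TCP connect attempt: returns 'open', 'refused' or 'no_reply'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed
    except ConnectionRefusedError:
        return "refused"         # a reset came back, so a reply was received
    except OSError:
        return "no_reply"        # timeout, unreachable, no route, DNS failure


def keepalive(host, port, interval=2.0, rounds=None,
              probe=tcp_probe, sleep=time.sleep, log=print):
    """Probe every `interval` seconds so the tunnel always sees traffic.

    Logs only when the result changes, which leaves a timeline of when
    replies stopped and resumed. Returns the (timestamp, state) changes.
    rounds=None runs until the process is stopped.
    """
    changes = []
    last = None
    done = 0
    while rounds is None or done < rounds:
        state = probe(host, port)
        if state != last:
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
            changes.append((stamp, state))
            log(f"{stamp} {host}:{port} {last or 'start'} -> {state}")
            last = state
        done += 1
        sleep(interval)
    return changes


if __name__ == "__main__":
    # Placeholder target (documentation address range); replace with a
    # host and port that sit behind the remote end of the VPN.
    keepalive("192.0.2.10", 443)
```

A `refused` result still means a packet came back for the probe, so only a sustained `no_reply` is worth alerting on.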

Stephen Sisson
Level 1

Hello,

I was hoping you had something we could use on our ASA firewall; we will use the script on our server to keep the site-to-site VPN up 24/7.

Thank you for your help