cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1481
Views
0
Helpful
4
Replies

To keep the IPsec tunnel UP

arunnnarayanan
Beginner
Beginner

i would like to keep keep the IPsec tunnel up even when there is no traffic. Im using cisco ASA at both ends and using an easy vpn (NEM) connection.

 

Tried icreasing the idletimout value but it didnt work.

 

Tried using IPSLA at the easy at the client asa. But the ping will end up in timeout when ping is generated from inside interface.

 

Bu im able to ping when doing "Ping inside 10.10.112.10" (10.10.112.10 is the lan  ip on the head office end).

 

How can i achieve this? 

4 Replies 4

Dennis Mink
Advisor
Advisor

you can use isakmp keepalives

Please remember to rate useful posts, by clicking on the stars below.

GioGonza
Enthusiast
Enthusiast

Hello @arunnnarayanan

 

You can try EEM, if you can ping from the inside you can schedule that command and keep the tunnel UP, the feature is called "VPN PREEMPT".

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

 

HTH

Gio

Thanks, but here im trying to keep the ipsec tunnel  by pinging the lan subnet of the central site.

There are multiple subnets at the central site and few tunnels stays up because there's continuous traffic like dns.

but theres no constant traffic between other subnets (especially voice vlans). so this will come up only when the call is initiated from the easyvpn client end. 

 

 

 

 

Michael Braun
Beginner
Beginner

Hi all,

i know this is an old post, but get this:

###### = comment

## in config mode ##

event manager applet PingHost ###> PingHost is the applet name
event timer watchdog time 300 ###> i set it to repeat every 5 min
action 1 cli command "ping inside 10.4.121.112 repeat 2" ###> ping my host on the other side of the VPN
action 2 cli command "ping inside 10.4.121.121 repeat 2" ###> ping my second host on the other side of the VPN

output none ###> you could add like a syslog entry, in my case nothing

## add more if you want  - of course change the IP to the host you try to reach @##

## you need the " at the end ##

## This will send a periodic ping with source from the inside interface to a destination of your choice - thus bringing up the tunnel ##

 

## in ASDM: Device Management > Advanced > Embedded Event Manager ##

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers