01-28-2015 03:22 AM
Hello,
I have a VPN between 2 ASA firewalls. I don't manage the other side, but we have to keep a continuous ping going to a remote PC on the other side of this VPN to stop it from downing the VPN.
Our SA lifetime is set to 8 hours, but is there an option regarding who can initiate the VPN, as the remote site can't? When they ping, the tunnel stays down; when we ping, it comes up.
Thanks
01-28-2015 07:20 AM
Hi Andy,
Generally, when you set up EasyVPN remote access, the tunnel will only come up when the client initiates the connection. Once the tunnel is up, it is bi-directional communication; either side can initiate the traffic.
You must be having 5505 ASA firewall as Hardware client.
Please share if it is L2L ipsec VPN or EasyVPN.
01-29-2015 12:19 AM
These are L2L VPNs between 2 ASA 5520s.
There are so many VPNs on the ASA; what CLI command is best to use for you?
01-29-2015 01:41 AM
Hi Andy,
For L2L VPN, both sides can initiate the traffic.
Please share the output of "show crypto isakmp sa" and "show crypto ipsec sa peer <peer ip address>". Also share the configuration of the group-policy applied to the relevant tunnel-group. Check if any VPN-Filter is applied to the group-policy.
01-29-2015 02:11 AM
Trying to see if there is an easy way to get the group policy for you, but here is the rest:
show crypto ipsec sa peer 82.196.42.x
peer address: 82.196.42.x
Crypto map tag: outside_map, seq num: 28, local addr: 81.171.15.x
access-list outside_cryptomap_13 extended permit ip host 10.100.1.67 10.28.150.0 255.255.255.0
local ident (addr/mask/prot/port): (10.100.1.67/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.28.150.0/255.255.255.0/0/0)
current_peer: 82.196.42.x
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 81.171.15.x/0, remote crypto endpt.: 82.196.42.x/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0DA1A163
current inbound spi : E9BD2613
inbound esp sas:
spi: 0xE9BD2613 (3921487379)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 192753664, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28043)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x0DA1A163 (228696419)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 192753664, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28043)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
36 IKE Peer: 82.196.42.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
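The counters and SA timers in the output above are what tell you whether the tunnel is actually carrying traffic or only the keepalive pings. As an added example (not from the thread or from Cisco), here is a small Python parser for "show crypto ipsec sa peer" output that pulls the encaps/decaps counters and the remaining key lifetime per SA and flags a near-idle tunnel or an SA close to expiry; the sample input is a constructed, abbreviated copy of the output posted above, and the 8-hour lifetime is the value the original poster mentioned.

```python
import re
# Constructed sample, abbreviated from the "show crypto ipsec sa peer" output in the thread
SAMPLE = """\
peer address: 82.196.42.x
Crypto map tag: outside_map, seq num: 28, local addr: 81.171.15.x
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
inbound esp sas:
spi: 0xE9BD2613 (3921487379)
sa timing: remaining key lifetime (kB/sec): (3915000/28043)
outbound esp sas:
spi: 0x0DA1A163 (228696419)
sa timing: remaining key lifetime (kB/sec): (3915000/28043)
"""

def parse_ipsec_sa(text):
    """Extract packet counters and per-direction SA details from ASA output."""
    info = {"encaps": 0, "decaps": 0, "sas": []}
    direction = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"#pkts encaps: (\d+)", line):
            info["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            info["decaps"] = int(m.group(1))
        elif line.startswith("inbound esp sas"):
            direction = "inbound"
        elif line.startswith("outbound esp sas"):
            direction = "outbound"
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):  # skips "current ... spi:" lines
            info["sas"].append({"dir": direction, "spi": m.group(1)})
        elif m := re.match(r"sa timing: remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", line):
            info["sas"][-1]["kb_left"] = int(m.group(1))
            info["sas"][-1]["sec_left"] = int(m.group(2))
    return info

def assess(info, lifetime_sec=28800, min_pkts=10, expiry_frac=0.05):
    """Warnings a NOC would want: near-idle tunnel, SA close to expiry.
    lifetime_sec defaults to the 8-hour SA lifetime mentioned in the thread."""
    warnings = []
    if info["encaps"] < min_pkts and info["decaps"] < min_pkts:
        warnings.append("tunnel nearly idle: only keepalive-sized traffic has crossed it")
    for sa in info["sas"]:
        age = lifetime_sec - sa["sec_left"]          # seconds since this SA was negotiated
        if sa["sec_left"] < lifetime_sec * expiry_frac:
            warnings.append(f"{sa['dir']} SA {sa['spi']} expires in {sa['sec_left']}s")
        sa["age_sec"] = age
    return warnings
```

On the posted output this reports only the idle warning, and the age of 757 seconds shows the SAs were negotiated shortly before the command was run, consistent with the tunnel having just been brought up by a ping.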
01-29-2015 02:17 AM
Andy,
show run tunnel-group (choose the one with the relevant peer); under that, check the group policy name (default-group-policy ------) applied to that tunnel-group.
Then execute "show run all group-policy <name of group-policy>".
01-29-2015 02:33 AM
show run all group-policy
show run all group-policy GroupPolicy_82.196.42.x
group-policy GroupPolicy_82.196.42.x internal
group-policy GroupPolicy_82.196.42.x attributes
vpn-session-timeout none
01-29-2015 02:12 AM
Andy,
Cisco Site-to-Site VPN connections BY DESIGN are NOT persistent. This is how Cisco designed them.
Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:
ASA(config)#group-policy DfltGrpPolicy attributes
ASA(config-group-policy)#vpn-session-timeout none
01-29-2015 02:31 AM
Just tried that command too in the CLI; where does it show this in the ASDM, as the remote company doesn't know CLI?