1590 Views, 0 Helpful, 9 Replies

VPN drops if we don't keep a continuous ping

Hello,

I have a VPN between 2 ASA firewalls. I don't manage the other side, but we have to keep a continuous ping going to a remote PC on the other side of this VPN to stop it from taking the VPN down.

Our SA lifetime is set to 8 hours, but is there an option regarding who can initiate the VPN? The remote site can't: when they ping, the tunnel stays down; when we ping, it comes up.

 

Thanks


Hi Andy,

Generally, when you set up EasyVPN remote access, the tunnel will only come up when the client initiates the connection. Once the tunnel is up, communication is bidirectional; either side can initiate traffic.

You must be using an ASA 5505 firewall as the hardware client.

Please share whether it is an L2L IPsec VPN or EasyVPN.


There are L2L VPNs between 2 ASA 5520s.

 

There are so many VPNs on the ASA; which CLI command is best for you?


Hi Andy,

For L2L VPN, both sides can initiate traffic.

Please share the output of "show crypto isakmp sa" and "show crypto ipsec sa peer <peer IP address>". Also share the configuration of the group-policy applied to the relevant tunnel-group. Check whether any vpn-filter is applied to the group-policy.


Trying to see if there is an easy way to get the group policy for you, but here is the rest:

 

show crypto ipsec sa peer 82.196.42.x
peer address: 82.196.42.x
    Crypto map tag: outside_map, seq num: 28, local addr: 81.171.15.x

      access-list outside_cryptomap_13 extended permit ip host 10.100.1.67 10.28.150.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.100.1.67/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.28.150.0/255.255.255.0/0/0)
      current_peer: 82.196.42.x

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 81.171.15.x/0, remote crypto endpt.: 82.196.42.x/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: clear-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0DA1A163
      current inbound spi : E9BD2613

    inbound esp sas:
      spi: 0xE9BD2613 (3921487379)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 192753664, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28043)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x0DA1A163 (228696419)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 192753664, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28043)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


36  IKE Peer: 82.196.42.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


Andy,

Run "show run tunnel-group" (choose the one with the relevant peer); under that, check the group-policy name (default-group-policy ------) applied to that tunnel-group.

Then execute "show run all group-policy <name of group-policy>".


show run all group-policy

show run all group-policy GroupPolicy_82.196.42.x
group-policy GroupPolicy_82.196.42.x internal
group-policy GroupPolicy_82.196.42.x attributes
 vpn-session-timeout none

 


Andy,

Cisco site-to-site VPN connections BY DESIGN are NOT persistent. This is how Cisco designed them.

Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

 

ASA(config)#group-policy DfltGrpPolicy attributes
ASA(config-group-policy)#vpn-session-timeout none

 

 


Just tried that command in the CLI too; where does this show in ASDM, as the remote company doesn't know the CLI?


Check the attached screenshot for the equivalent configuration in ASDM.