VPN drops if we don't keep a continuous ping

Andy White
Level 3

Hello,

I have a VPN between 2 ASA firewalls. I don't manage the other side, but we have to keep a continuous ping going to a remote PC on the other side of this VPN to stop it from downing the VPN.

Our SA lifetime is set to 8 hours, but is there an option regarding who can initiate the VPN? The remote site can't: when they ping, the tunnel stays down; when we ping, it comes up.

Thanks

9 Replies

Poonam Garg
Level 3

Hi Andy,

Generally, when you set up EasyVPN remote access, the tunnel will only come up when the client initiates the connection. Once the tunnel is up, communication is bi-directional: either side can initiate traffic.

You must have an ASA 5505 as the hardware client.

Please share whether it is an L2L IPsec VPN or EasyVPN.

There are L2L VPNs between 2 ASA 5520s.

There are so many VPNs on the ASA; what CLI command is best to use for you?

Hi Andy,

For L2L VPN, both sides can initiate traffic.

Please share the output of "show crypto isakmp sa" and "show crypto ipsec sa peer <peer ip address>". Also the configuration of the group-policy applied to the relevant tunnel-group. Check whether any VPN filter is applied to the group-policy.

Trying to see if there is an easy way to get the group policy for you, but here is the rest:

show crypto ipsec sa peer 82.196.42.x
peer address: 82.196.42.x
    Crypto map tag: outside_map, seq num: 28, local addr: 81.171.15.x

      access-list outside_cryptomap_13 extended permit ip host 10.100.1.67 10.28.150.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.100.1.67/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.28.150.0/255.255.255.0/0/0)
      current_peer: 82.196.42.x

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 81.171.15.x/0, remote crypto endpt.: 82.196.42.x/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: clear-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0DA1A163
      current inbound spi : E9BD2613

    inbound esp sas:
      spi: 0xE9BD2613 (3921487379)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 192753664, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28043)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x0DA1A163 (228696419)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 192753664, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28043)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


36  IKE Peer: 82.196.42.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Andy,

show run tunnel-group (choose the one with the relevant peer); under that, check the group-policy name (default-group-policy ------) applied to that tunnel-group.

Then execute "show run all group-policy <name of group-policy>".

show run all group-policy

show run all group-policy GroupPolicy_82.196.42.x
group-policy GroupPolicy_82.196.42.x internal
group-policy GroupPolicy_82.196.42.x attributes
 vpn-session-timeout none

 

Andy,

Cisco site-to-site VPN connections BY DESIGN are NOT persistent. This is how Cisco designed them.

Configure a maximum amount of time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or in username configuration mode:

ASA(config)#group-policy DfltGrpPolicy attributes
ASA(config-group-policy)#vpn-session-timeout none

 

 
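As an added example (not code from the thread, from Cisco, or from any poster), here is a Python script that parses the two outputs requested earlier in the thread, "show crypto ipsec sa peer" and "show run all group-policy", and reports the things that decide whether an L2L tunnel stays up without an artificial keepalive ping: whether traffic through the SA is one-way, whether our proxy identities are the mirror image of the peer's, and what the idle and session timers are set to. The sample output is constructed from the output posted above, with RFC 5737 documentation addresses in place of the real ones; the vpn-idle-timeout line and the peer-side identity pair are assumptions, since neither appears in the thread.

```python
"""Added example: check ASA L2L IPsec SA and group-policy output for the
conditions that make a tunnel drop when nobody is sending traffic."""
import re

# Constructed sample, modelled on the "show crypto ipsec sa peer" output in the
# thread. Addresses are RFC 5737 documentation addresses, not the poster's.
SAMPLE_IPSEC_SA = """\
peer address: 203.0.113.10
    Crypto map tag: outside_map, seq num: 28, local addr: 198.51.100.5

      access-list outside_cryptomap_13 extended permit ip host 10.100.1.67 10.28.150.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.100.1.67/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.28.150.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    inbound esp sas:
      spi: 0xE9BD2613 (3921487379)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         sa timing: remaining key lifetime (kB/sec): (3915000/28043)
"""

# Constructed group-policy output. The thread's real output showed only
# "vpn-session-timeout none"; the vpn-idle-timeout line is an assumption.
SAMPLE_GROUP_POLICY = """\
group-policy GroupPolicy_203.0.113.10 internal
group-policy GroupPolicy_203.0.113.10 attributes
 vpn-idle-timeout 30
 vpn-session-timeout none
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")
TIMEOUT_RE = re.compile(r"^\s*vpn-(idle|session)-timeout (none|\d+)\s*$", re.M)


def parse_ipsec_sa(text):
    """Extract proxy identities, packet counters and remaining SA lifetime."""
    sa = {"pkts": {}, "ident": {}}
    for side, addr, mask, prot, port in IDENT_RE.findall(text):
        sa["ident"][side] = (addr, mask, int(prot), int(port))
    for direction, count in PKTS_RE.findall(text):
        sa["pkts"][direction] = int(count)
    m = LIFE_RE.search(text)
    if m:
        sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
    return sa


def parse_group_policy(text):
    """Map 'idle'/'session' to minutes, or None when configured as 'none'."""
    return {kind: (None if value == "none" else int(value))
            for kind, value in TIMEOUT_RE.findall(text)}


def mirrors(our_pair, peer_pair):
    """IKEv1 proxy identities must be mirror images: our (local, remote)
    must equal the peer's (remote, local)."""
    return our_pair == (peer_pair[1], peer_pair[0])


def assess(sa, timeouts, peer_pair):
    """Return findings; peer_pair is the (local, remote) identity pair as
    configured on the other ASA (assumed here, not visible in the thread)."""
    findings = []
    enc, dec = sa["pkts"].get("encaps", 0), sa["pkts"].get("decaps", 0)
    if enc and not dec:
        findings.append("one-way traffic: packets sent but none received")
    elif dec and not enc:
        findings.append("one-way traffic: packets received but none sent")
    if not mirrors((sa["ident"]["local"], sa["ident"]["remote"]), peer_pair):
        findings.append("proxy identities are not mirror images; "
                        "the peer's quick-mode proposal can be rejected")
    if "idle" not in timeouts:
        findings.append("vpn-idle-timeout not in output; use 'show run all group-policy <name>'")
    elif timeouts["idle"] is not None:
        findings.append(f"vpn-idle-timeout {timeouts['idle']}: tunnel torn down "
                        f"after {timeouts['idle']} idle minutes")
    if timeouts.get("session") is not None:
        findings.append(f"vpn-session-timeout {timeouts['session']}: tunnel torn down "
                        f"after {timeouts['session']} minutes regardless of traffic")
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_IPSEC_SA)
    timeouts = parse_group_policy(SAMPLE_GROUP_POLICY)
    # Assumed peer-side identities: the mirror of ours.
    peer = (sa["ident"]["remote"], sa["ident"]["local"])
    for line in assess(sa, timeouts, peer):
        print(line)
```

The packet counters only prove that traffic has flowed since the SA was built, so run the check twice a few minutes apart (or compare against the ISAKMP "Role" line) if you want to know which side actually brought the tunnel up; the timers come from "show run all", which prints defaults the plain "show run" omits.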

Just tried that command too in the CLI. Where does it show this in ASDM, as the remote company doesn't know CLI?

Check the attached screenshot for equivalent configuration in ASDM
