12-13-2011 12:01 PM
I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which I understand is a security measure, and it only takes some "interesting traffic" to bring them back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel; when our clients send traffic while the tunnel is down due to inactivity, it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or, is there a way to make it stay up through inactivity?
12-13-2011 01:05 PM
Check that you have not configured the tunnel to be "initiate" only?
Sent from Cisco Technical Support iPad App
12-15-2011 10:37 AM
Thanks for the reply. The only place I could find something like that was on the crypto map connection-type; for the tunnel I have a choice of bidirectional, answer-only, and originate-only. Is that what you are talking about? Because all of my site-to-site VPNs are set to bidirectional.
12-15-2011 10:44 AM
Hi,
What may control the initiation:
1- NAT
2- Dynamic maps
3- Crypto map originate options
4- If one of the peers is behind a dynamic NAT device
Could you please share the config and point to the map that you are using? Also, you can change the idle time using a group policy and apply that one to the crypto map.
HTH
Mohammad.
12-15-2011 11:38 AM
Almost everything you mentioned there is on this particular tunnel. Here is the config for that tunnel:
name 175.124.120.55 ACME_01 description Cedars Sinai
name 175.124.120.56 ACME_02 description Cedars Sinai
name 175.124.120.57 ACME_03 description Cedars Sinai
name 175.124.120.58 ACME_04 description Cedars Sinai
name 175.124.120.59 ACME_05 description Cedars Sinai
name 175.124.120.60 ACME_06 description Cedars Sinai
object-group network ACME_GRP
 description ACME
 network-object host 175.124.120.55
 network-object host 175.124.120.56
 network-object host 175.124.120.57
 network-object host 175.124.120.58
 network-object host 175.124.120.59
 network-object host 175.124.120.60
access-list private_nat0_outbound extended permit ip host 71.175.218.169 object-group ACME_GRP
access-list Outside_24_cryptomap extended permit ip host 71.175.218.169 object-group ACME_GRP
group-policy ACME internal
group-policy ACME attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec svc
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer 192.175.86.12
crypto map Outside_map 24 set transform-set ESP-3DES-SHA
crypto map Outside_map 24 set security-association lifetime seconds 86400
tunnel-group 192.175.86.12 type ipsec-l2l
tunnel-group 192.175.86.12 general-attributes
 default-group-policy ACME
tunnel-group 192.175.86.12 ipsec-attributes
 pre-shared-key *********
And also, the box on my local side is behind a dynamic NAT.
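As an added illustration, not from the thread or from Cisco, the following Python script parses the configuration posted above and reports the items Mohammad lists as controlling tunnel initiation: the crypto map connection-type (assumed to default to bidirectional when the command is absent), the idle timeout of the group policy applied to the peer's tunnel-group (assumed to default to 30 minutes when the policy does not set it), the SA lifetime, and whether every line of the crypto ACL has a matching NAT exemption line. The sample configuration embedded in the script is the thread's, with `show running-config` indentation restored and the `name` lines and four of the six `network-object` hosts dropped for brevity; the name of the NAT-exemption ACL is passed in by the caller rather than guessed.

```python
import re
from collections import defaultdict

# Constructed sample: the configuration posted in the thread, indentation
# restored, trimmed to the lines the audit reads. The pre-shared key is
# masked in the thread and stays masked here.
SAMPLE_CONFIG = """\
object-group network ACME_GRP
 description ACME
 network-object host 175.124.120.55
 network-object host 175.124.120.56
access-list private_nat0_outbound extended permit ip host 71.175.218.169 object-group ACME_GRP
access-list Outside_24_cryptomap extended permit ip host 71.175.218.169 object-group ACME_GRP
group-policy ACME internal
group-policy ACME attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec svc
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer 192.175.86.12
crypto map Outside_map 24 set transform-set ESP-3DES-SHA
crypto map Outside_map 24 set security-association lifetime seconds 86400
tunnel-group 192.175.86.12 type ipsec-l2l
tunnel-group 192.175.86.12 general-attributes
 default-group-policy ACME
tunnel-group 192.175.86.12 ipsec-attributes
 pre-shared-key *********
"""


def parse_config(text):
    """Collect crypto map entries, extended ACLs, group-policy attributes and
    tunnel-group general attributes. Indented lines belong to the preceding
    unindented command, as in `show running-config` output."""
    cfg = {"crypto_maps": defaultdict(dict), "acls": defaultdict(list),
           "group_policies": defaultdict(dict), "tunnel_groups": defaultdict(dict)}
    block = None  # (section, name) of the attribute block being read
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0] != " ":
            block = None
            m = re.match(r"crypto map (\S+) (\d+) (.*)", line)
            if m:
                entry = cfg["crypto_maps"][(m.group(1), int(m.group(2)))]
                rest = m.group(3)
                if rest.startswith("match address "):
                    entry["acl"] = rest.split()[2]
                elif rest.startswith("set peer "):
                    entry["peers"] = rest.split()[2:]
                elif rest.startswith("set connection-type "):
                    entry["connection_type"] = rest.split()[2]
                elif rest.startswith("set security-association lifetime seconds "):
                    entry["sa_lifetime"] = int(rest.split()[-1])
                continue
            m = re.match(r"access-list (\S+) extended (.*)", line)
            if m:
                cfg["acls"][m.group(1)].append(m.group(2))
                continue
            m = re.match(r"group-policy (\S+) attributes", line)
            if m:
                block = ("group_policies", m.group(1))
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes", line)
            if m:
                block = ("tunnel_groups", m.group(1))
        elif block:
            key, value = line.split(None, 1) if " " in line else (line, "")
            cfg[block[0]][block[1]][key] = value
    return cfg


def audit_tunnel(cfg, map_name, seq, nat0_acl):
    """Summarise the settings that decide which side can bring the tunnel up
    and how long it survives inactivity. Returns a dict for easy checking."""
    entry = cfg["crypto_maps"].get((map_name, seq))
    if entry is None:
        raise KeyError(f"no crypto map {map_name} {seq}")
    # Assumption: a static L2L entry without `set connection-type` is bidirectional.
    report = {"connection_type": entry.get("connection_type", "bidirectional"),
              "sa_lifetime": entry.get("sa_lifetime"),
              "idle_timeout": {}, "nat_exempt_missing": [], "notes": []}
    if report["connection_type"] != "bidirectional":
        report["notes"].append(f"connection-type {report['connection_type']}: "
                               "only one side can initiate the tunnel")
    for peer in entry.get("peers", []):
        gp_name = cfg["tunnel_groups"].get(peer, {}).get("default-group-policy", "DfltGrpPolicy")
        # Assumption: an unset vpn-idle-timeout inherits the 30-minute default.
        idle = cfg["group_policies"].get(gp_name, {}).get("vpn-idle-timeout", "30")
        report["idle_timeout"][peer] = idle
        report["notes"].append(f"peer {peer}: vpn-idle-timeout {idle} via group-policy {gp_name}"
                               + (" (never torn down for inactivity)" if idle == "none" else ""))
    # Traffic that is translated before the crypto ACL sees it never matches it,
    # so every crypto ACL line should have an identical NAT-exemption line.
    nat0_lines = set(cfg["acls"].get(nat0_acl, []))
    for acl_line in cfg["acls"].get(entry.get("acl", ""), []):
        if acl_line not in nat0_lines:
            report["nat_exempt_missing"].append(acl_line)
            report["notes"].append(f"no NAT exemption in {nat0_acl} for: {acl_line}")
    return report


if __name__ == "__main__":
    for note in audit_tunnel(parse_config(SAMPLE_CONFIG), "Outside_map", 24,
                             "private_nat0_outbound")["notes"]:
        print(note)
```

Run against the posted configuration, the report shows a bidirectional entry, `vpn-idle-timeout none` on the peer, an 86400-second SA lifetime and no missing NAT exemption, which is why the thread moves on to the remaining item on Mohammad's list, the dynamic NAT in front of the local ASA.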