I am using a Cisco ASA 5510. Our tunnels always drop due to inactivity, which is a security issue I understand, and it only takes some "interesting traffic" to bring them back up. My problem is that it looks like the interesting traffic has to originate from my side of the tunnel; when our clients send traffic and the tunnel is down due to inactivity, it does not come back up. Is there a setting that I am overlooking that will make it come back up no matter who sends traffic? Or is there a way to make it stay up through inactivity?
Thanks for the reply. The only place I could find something like that was on the crypto map connection-type; for the tunnel I have a choice of bidirectional, answer-only, and originate-only. Is that what you are talking about? Because all of my site-to-site VPNs are set to bidirectional.
What may control the initiation:
3- crypto map originate options.
4- if one of the peers is behind a dynamic NAT device.
Could you please share the config and point to the map that you are using? Also, you can change the idle time using a group policy and apply that one to the crypto map.
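As an added example (not part of the original thread), this is the ASA configuration the reply above is pointing at: the crypto map set to initiate and answer, the idle timer disabled in a group policy, and that group policy bound to the L2L tunnel-group so it actually takes effect. It uses the ASA 8.2-era syntax seen in this thread; the peer address 203.0.113.10, the pre-shared key and the group-policy name are placeholders. One caveat worth stating up front: if the ASA itself sits behind a dynamic NAT with no static mapping, the remote peer has no reachable address to send IKE to, so the remote side can never initiate the tunnel whatever connection-type says, and the idle-timeout change is what keeps the tunnel from dropping in the first place.

```cisco
! Added example, not from the original post. Assumes ASA 8.2-style syntax;
! 203.0.113.10, the PSK and group-policy name "ACME" are placeholders.

! 1. Let the map both initiate and answer. This is the default on the ASA and
!    is not displayed in "show running-config"; use "show running-config all
!    crypto map" to confirm what is actually in effect.
crypto map Outside_map 24 set connection-type bidirectional

! 2. Disable the inactivity timer (value is in minutes, "none" = never).
!    Without this, DfltGrpPolicy's 30-minute vpn-idle-timeout applies.
group-policy ACME internal
group-policy ACME attributes
 vpn-tunnel-protocol IPSec
 vpn-idle-timeout none
 vpn-session-timeout none

! 3. Bind the group policy to the L2L tunnel-group for this peer. A group
!    policy that is defined but not referenced here changes nothing.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy ACME
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key EXAMPLE-PSK-CHANGE-ME

! 4. Verify phase 1 / phase 2 state and which group policy the session picked up.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
show vpn-sessiondb detail l2l
```

The group policy above lists only IPSec under vpn-tunnel-protocol because it is assumed to serve a site-to-site tunnel only; keep svc in the list if the same policy is also used for AnyConnect clients. Note also that on the ASA the group policy is attached to the tunnel-group (default-group-policy), not to the crypto map entry itself.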
Almost everything you mentioned there is on this particular tunnel. Here is the config for that tunnel:
name 220.127.116.11 ACME_01 description Cedars Sinai
name 18.104.22.168 ACME_02 description Cedars Sinai
name 22.214.171.124 ACME_03 description Cedars Sinai
name 126.96.36.199 ACME_04 description Cedars Sinai
name 188.8.131.52 ACME_05 description Cedars Sinai
name 184.108.40.206 ACME_06 description Cedars Sinai
object-group network ACME_GRP
 network-object host 220.127.116.11
 network-object host 18.104.22.168
 network-object host 22.214.171.124
 network-object host 126.96.36.199
 network-object host 188.8.131.52
 network-object host 184.108.40.206
access-list private_nat0_outbound extended permit ip host 220.127.116.11 object-group ACME_GRP
access-list Outside_24_cryptomap extended permit ip host 18.104.22.168 object-group ACME_GRP
group-policy ACME internal
group-policy ACME attributes
 vpn-tunnel-protocol IPSec svc
crypto map Outside_map 24 match address Outside_24_cryptomap
crypto map Outside_map 24 set peer 22.214.171.124
crypto map Outside_map 24 set transform-set ESP-3DES-SHA
crypto map Outside_map 24 set security-association lifetime seconds 86400
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 188.8.131.52 general-attributes
tunnel-group 184.108.40.206 ipsec-attributes
And also, the box on my local side is behind a dynamic NAT.