How to install keepalives on a site-to-site VPN?

Hello.

My vendor complains that, because he doesn't send traffic before the (24 hour) tunnel timeout expires, the tunnel keeps closing, and when his software then tries to send a query over the tunnel, it fails.

Security dictates that we cannot keep the tunnel perpetually open.

Thus, what is needed is a keepalive config; I expect it is some SLA config that pings the remote interface perpetually. Will the remote vendor device also need configuration? Will BGP need to be involved?

Can you please tell me the logical solution here, and please send some kind of config reference link?

Thank you!

Accepted Solutions

@jmaxwellUSAF if you do not wish to keep the tunnel perpetually open then surely you do not want to use IP SLA; this is generally used explicitly to send traffic in order to keep the VPN tunnel up. Any traffic generated over the VPN would be enough to keep the tunnel from expiring due to inactivity. You can use an EEM script to send traffic every X minutes if you do want to always keep the tunnel up. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

If there is a problem after 24 hours then that usually indicates a misconfiguration between the peers, potentially lifetimes. You can ensure both peers are configured to use DPD keepalives; this will remove any stale SAs. https://community.cisco.com/t5/security-knowledge-base/dead-peer-detection/ta-p/3111324

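As an added illustration of the three points in the accepted answer (matching lifetimes, DPD on both peers, and an EEM keepalive only if you really do want the tunnel up permanently), here is what they look like on a Cisco IOS-XE router terminating an IKEv2 site-to-site tunnel. This is example config written for this page, not the original poster's or Cisco's; the peer address 203.0.113.10, the inside host 10.20.0.1, the interface and profile names, and the 10-minute probe interval are all assumptions.

```cisco
! Added example, not from the original post. Addresses, names and
! intervals are assumptions chosen for illustration.

! 1. Lifetimes must match on BOTH peers. The 24-hour symptom in the
!    question is the IKE SA default of 86400 s; if the vendor side uses a
!    different value, one peer rekeys while the other still trusts the old
!    SA, and the first packets after expiry are lost.
crypto ikev2 profile VPN-TO-VENDOR
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VENDOR-KEYRING
 lifetime 86400
 ! 2. Dead Peer Detection. on-demand only probes when we have traffic to
 !    send and hear nothing back for 10 s (3 s between retries), so it does
 !    NOT keep the tunnel up; it just tears down a stale SA so the vendor's
 !    next query negotiates a fresh one instead of being black-holed.
 !    The vendor must enable DPD on their side as well.
 dpd 10 3 on-demand

! IPsec (child) SA lifetime, also to be mirrored on the vendor device.
crypto ipsec security-association lifetime seconds 3600

! 3. Only if you decide the tunnel MAY stay up permanently: an EEM applet
!    that sends two pings across the tunnel every 600 s (assumed interval).
!    Sourcing from the inside interface makes the probe match the
!    protected traffic selector, so it actually refreshes the SA.
event manager applet VPN-KEEPALIVE
 event timer watchdog time 600
 action 1.0 cli command "enable"
 action 2.0 cli command "ping 10.20.0.1 source GigabitEthernet0/0/1 repeat 2 timeout 1"
 action 3.0 syslog msg "VPN-KEEPALIVE: probe sent to vendor network"

! Verification on each peer:
!   show crypto ikev2 sa detail          (lifetime and DPD as negotiated)
!   show crypto ipsec sa                 (remaining lifetime, packet counters)
!   show event manager policy registered (applet present, if you used it)
```

Two practical caveats. First, with DPD but no keepalive, the tunnel is rebuilt on demand, and on Cisco platforms the packet that triggers IKE negotiation is normally dropped while the SAs are being set up; the vendor's software therefore needs to retry its first query rather than fail on a single timeout. Second, on an ASA the equivalent DPD setting lives under `tunnel-group <peer-address> ipsec-attributes` as `isakmp keepalive threshold 10 retry 3`, and the IPsec lifetime is set per crypto map entry with `set security-association lifetime seconds 3600`; the lifetime-matching and DPD-on-both-sides advice is the same.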