ASA 5505 – Tunnel Keepalive?

pitviper CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT Member Posts: 1,376
Is there an easy way to keep an IPsec L2L VPN tunnel up while there is no interesting traffic? I have an ASA 5505 set up for backup internet/LAN VPN access in the event that the MPLS network is down (which has been a big issue in this location!). IP SLA tracking is set up to change routes in the event of a failure, and it works great. The only problem is that when the primary MPLS connection is up, the tunnel eventually dies because there is no traffic passing. For monitoring purposes I'd like to keep the tunnel up all of the time. I tried using the "isakmp keepalive" command under the tunnel group, but that doesn't seem to work. An EEM script on the router to ping out through the interface connected to the ASA would work, but there has to be a better way to accomplish this! Thanks!
CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT

Comments

  • WillTech105 Member Posts: 216
    I'm sure there's a better way, but what I do is keep a -t ping going. Never had to dig too deep into it, but it worked for what I needed it to do.
    In Progress: CCNP ROUTE
  • pitviper CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT Member Posts: 1,376
    Yeah, looking for a more auto-magical way!

    Looks like the lifetime can be set to 0 under the isakmp policy. May try that next.
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • QHalo Member Posts: 1,488
    Another suggestion I saw online was to set up NTP to run across it. That would keep it alive.
  • pitviper CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT Member Posts: 1,376
    Set the lifetime to 0 (none) under the isakmp policy... tunnel dropped in 15 minutes or so.

    Just pointed the NTP client on the ASA to our internal time server using the inside interface as the source. Fingers crossed :)
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    QHalo wrote: »
    Another suggestion I saw online was to set up NTP to run across it. That would keep it alive.

    +Rep. Really good idea
  • pitviper CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT Member Posts: 1,376
    NTP did the trick! Looks like the ASA polls our internal NTP server every 64 seconds which is plenty of traffic to keep the tunnel up! Thanks for the tip!!
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
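The NTP keepalive approach the thread settles on, written out as a constructed ASA configuration fragment (this is an added example, not the original poster's configuration). Addresses, the ACL name and the interface are placeholders; the existing crypto map, tunnel group and IP SLA routing are assumed to already be in place.

```cisco
! Crypto ACL for the L2L tunnel. The ASA's own inside interface address
! (192.168.10.1, inside the 192.168.10.0/24 network) must fall within the
! local side of this ACL, otherwise NTP packets the ASA sources from
! "inside" are not interesting traffic and will never bring up the SA.
access-list L2L_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0

! Poll an internal time server that sits behind the remote peer, sourced
! from the inside interface so the poll traverses the tunnel. The regular
! NTP poll is the traffic that keeps the SA from idling out.
ntp server 10.0.0.5 source inside prefer

! Verification: the NTP association should reach the server through the
! tunnel, the IKE SA should stay in MM_ACTIVE, and the IPsec encaps
! counters should keep climbing while no user traffic is flowing.
show ntp associations
show crypto isakmp sa
show crypto ipsec sa | include pkts encaps
```

If the association never synchronizes, check that the remote peer's crypto ACL is the mirror image of L2L_TRAFFIC and that UDP/123 from the ASA's inside address is permitted on the remote side; a tunnel kept up this way also gives monitoring a stable SA to alert on if it drops.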