ASA 5505 – Tunnel Keepalive?

Is there an easy way to keep an ipsec-L2L VPN tunnel up while there is no interesting traffic? I have an ASA 5505 setup for backup internet/LAN VPN access in event that the MPLS network is down (which has been a big issue in this location!) – IP SLA tracking is setup to change routes in the event of a failure and it works great. The only problem is that when the primary MPLS connection is up, the tunnel eventually dies because there is no traffic passing. For monitoring purposes I’d like to keep the tunnel up all of the time. I tried using the “isakmp keepalive” command under the tunnel group, but that doesn’t seem to work. An EEM script on the router to ping out through the interface connected to the ASA would work – but there has to be a better way to accomplish this! Thanks!

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

WillTech105

I'm sure theres a better way but what I do is keep a -t ping going. Never had to dig to deep into it but it worked for what I needed it to do.

pitviper

Yeah, looking for a more auto-magical way!

Looks like the lifetime can be set to 0 under the isakmp policy - May try that next.

QHalo

Another suggestion I saw online was to setup NTP to run across it. That would keep it alive.

pitviper

Set the lifetime to 0 (none) under the isakmp policy...tunnel dropped in 15 minutes or so.

Just pointed the NTP client on the ASA to our internal time server using the inside interface as the source. Fingers crossed

Bl8ckr0uter

QHalo wrote: »

Another suggestion I saw online was to setup NTP to run across it. That would keep it alive.

+Rep. Really good idea

pitviper

NTP did the trick! Looks like the ASA polls our internal NTP server every 64 seconds which is plenty of traffic to keep the tunnel up! Thanks for the tip!!