keepalives to reestablish a dynamic to static tunnel?

Answered Question
May 23rd, 2007

Hi All,

I have a dynamic-to-static PIX 501 to PIX 501 OS 6.3 configuration. I would like to use keepalives to re-establish the tunnel in case the tunnel goes down. Can this be done?

acomiskey Wed, 05/23/2007 - 09:58

You can use dead peer detection to ensure the tunnel doesn't go down...but I don't think that will bring it back up if it goes down.

isakmp keepalive 10

ed-rucker Wed, 05/23/2007 - 10:21

I've tried this (isakmp keepalive 10), to no avail. Thanks though.

acomiskey Wed, 05/23/2007 - 10:27

That doesn't keep the tunnel from going down? Or are you just saying it doesn't bring it back up?

ed-rucker Wed, 05/23/2007 - 10:35

It doesn't bring it back up. I'm trying to prepare for the unavoidable power or internet outage that would bring the connection down. I would like the static location to reconnect without effort from the customer on that end. :)

Correct Answer
acomiskey Wed, 05/23/2007 - 10:39

There's a workaround for everything, you could have the pix at the far end use a local ntp or syslog server, this traffic would bring the tunnel up as long as it was defined as interesting.

ed-rucker Wed, 05/23/2007 - 11:00

That's a good idea. A ping will bring it up. Some type of ping utility would also work. I was just looking for a solution on the firewall.

Unfortunately the way this has worked out, the static pix is at the remote site. That could be changed but it would be easier to work around it.

Thanks.

ed-rucker Wed, 05/23/2007 - 11:09

Sorry, I'm kinda slow. A syslog service on the remote computer with the main office (dynamic pix) logging to the remote syslog should work. Think?

acomiskey Wed, 05/23/2007 - 11:19

Ya, same difference. As long as the computer has data to send. I was confused before which end was dynamic. What I should have said, since your main end is dynamic, is to have your pix or a computer syslog or ntp to something at the remote site.

ed-rucker Wed, 05/23/2007 - 11:26

No reason you would have known, that would be the logical way. Thanks again :)
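For reference, here is what the workaround discussed above looks like as a PIX 6.3 configuration pair. This is an added example, not configuration posted by anyone in the thread. The addresses (203.0.113.10 for the static site, 192.168.1.0/24 and 192.168.2.0/24 for the two LANs, 192.168.2.50 for the syslog server), the names (vpn_traffic, vpnmap, dynmap, ESP-3DES-SHA) and the pre-shared key placeholder CHANGE-ME are all assumptions. The `!` lines are annotation only.

```cisco
! ===== Remote site: PIX 501 with the STATIC public IP (assumed 203.0.113.10) =====
! This side can only ACCEPT the tunnel; it never initiates, because it does not
! know the main office's current address.
access-list vpn_traffic permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn_traffic
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Dynamic crypto map: accept any authenticated peer, take proxy IDs from the peer.
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
! Wildcard key because the main office's address changes (assumed placeholder key).
isakmp key CHANGE-ME address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! DPD: detects a dead peer and clears the stale SAs so the next
! negotiation is not blocked. It does NOT rebuild the tunnel by itself.
isakmp keepalive 10

! ===== Main office: PIX 501 with the DYNAMIC public IP (LAN 192.168.1.0/24) =====
! This is the only side that can initiate, so the "interesting" traffic that
! brings the tunnel back up after an outage must originate here.
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn_traffic
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
! Anything matching vpn_traffic triggers IKE. A host on 192.168.1.0/24 that sends
! syslog (UDP 514) or NTP (UDP 123) to the assumed server 192.168.2.50 every few
! seconds is enough: its first packet after an outage re-establishes the tunnel.
crypto map vpnmap 10 match address vpn_traffic
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap interface outside
isakmp enable outside
isakmp key CHANGE-ME address 203.0.113.10 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp keepalive 10
```

Two points worth checking before relying on this. First, the generator host must sit inside the subnet named in the crypto ACL; the example uses a LAN host at the main office sending to 192.168.2.50 so its packets match vpn_traffic without any extra entries. Second, if the main-office PIX itself is made to syslog or NTP across the tunnel, its packets are sourced from the PIX interface address facing the server, which the LAN-to-LAN ACL above does not cover, so they would go out in the clear or be dropped rather than trigger the tunnel unless that address is added to the crypto ACL on both ends. Verify with `show crypto isakmp sa` and `show crypto ipsec sa` on the static side after pulling the main-office WAN link and plugging it back in.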

palomoj@saccourt.com Thu, 05/24/2007 - 14:16

EasyVPN was built for this - dynamic IP remote VPN endpoints to static head end.

Why add more points of failure to the mix when you can have the firewalls take care of the tunnel.

Just my 2cents.

acomiskey Thu, 05/24/2007 - 14:21

palomoj,

Not sure if it matters but in his case the head end firewall was dynamic. Would that still work?

palomoj@saccourt.com Thu, 05/24/2007 - 14:26

Which ever site has the static can be configured as the EasyVPN server and the dynamic as the EasyVPN client.

ed-rucker Thu, 05/24/2007 - 19:11

Hi,

Correct me if I'm wrong, but I thought the pix 501 would not act as an easy vpn server, only a client.
