05-23-2007 09:53 AM - edited 03-09-2019 06:02 PM
Hi All,
I have a dynamic to static pix 501 to pix 501 os 6.3 configuration. I would like to use keepalives to re-establish the tunnel in case the tunnel goes down. Can this be done?
05-23-2007 09:58 AM
You can use dead peer detection to ensure the tunnel doesn't go down...but I don't think that will bring it back up if it goes down.
isakmp keepalive 10
05-23-2007 10:21 AM
I've tried this (isakmp keepalive 10), to no avail. Thanks though.
05-23-2007 10:27 AM
That doesn't keep the tunnel from going down? Or are you just saying it doesn't bring it back up?
05-23-2007 10:35 AM
it doesn't bring it back up. i'm trying to prepare for the unavoidable power or internet outage that would bring the connection down. i would like the static location to reconnect without effort from the customer on that end. :)
05-23-2007 10:39 AM
There's a workaround for everything, you could have the pix at the far end use a local ntp or syslog server, this traffic would bring the tunnel up as long as it was defined as interesting.
05-23-2007 11:00 AM
that's a good idea. a ping will bring it up. some type of ping utility would also work. i was just looking for a solution on the firewall.
unfortunately the way this has worked out, the static pix is at the remote site. that could be changed but it would be easier to work around it.
Thanks.
05-23-2007 11:09 AM
sorry, i'm kinda slow. a syslog service on the remote computer with the main office (dynamic pix) logging to the remote syslog should work. Think?
05-23-2007 11:19 AM
Ya, same difference. As long as the computer has data to send. I was confused before which end was dynamic. What I should have said, since your main end is dynamic, is to have your pix or a computer syslog or ntp to something at the remote site.
05-23-2007 11:26 AM
no reason you would have known, that would be the logical way. thanks again :)
05-24-2007 02:16 PM
EasyVPN was built for this - dynamic IP remote VPN endpoints to static head end.
Why involve more points of failure to the mix when you can have the firewalls take care of the tunnel.
Just my 2 cents.
05-24-2007 02:21 PM
palomoj,
Not sure if it matters but in his case the head end firewall was dynamic. Would that still work?
05-24-2007 02:26 PM
Whichever site has the static can be configured as the EasyVPN server and the dynamic as the EasyVPN client.
05-24-2007 07:11 PM
Hi,
Correct me if I'm wrong, but I thought the pix 501 would not act as an easy vpn server, only a client.
05-24-2007 09:00 PM
You can configure 501 for server or client