Site to site tunnel initiation

Answered Question
Jun 19th, 2007

Is there any way to initiate phase 2 without sending data from an inside workstation?


Once the tunnels are up they are good to go unless they drop for an unforeseen reason or the SAs reset. The problem is that there isn't much traffic sourcing at the remote site to bring the tunnels back up if they drop; however, the hub site needs to be able to reach out and touch the remote sites.


Remote sites are configured with a static crypto map set to originate-only and have two peers defined. The hub site is using a dynamic crypto map.


Thanks for any tips.

Correct Answer by acomiskey, Wed, 06/20/2007 - 04:40
User Badges: Green, 3000 points or more

A way around this is to have a machine on the remote end or the remote PIX itself use a local syslog server, NTP server, etc. This traffic would bring up the tunnel without user intervention.

m-ketchum Wed, 06/20/2007 - 06:03

Very cool... thanks for confirming that. I actually just thought of that 5 minutes ago while making breakfast.


I'm going to run a couple tests and will be back to rate.


Thanks!

acomiskey Wed, 06/20/2007 - 06:09
User Badges: Green, 3000 points or more

Great minds think alike. If you want the source to be the PIX on the remote end you need to include this traffic in your crypto ACLs. Let me know how it goes.

m-ketchum Wed, 06/20/2007 - 09:01

Works Great! Thanks!


I configured the remote ASA with a non-existent NTP server using an IP at the hub site and sourced it from the inside interface.
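What the thread converges on, written out as an added configuration example for the remote-site ASA (this is not the poster's actual config and not from the thread). All addresses and names are assumptions: 192.168.10.0/24 is the remote LAN with the ASA's inside interface at 192.168.10.1, 10.0.0.0/24 is the hub LAN, 10.0.0.123 is the (possibly non-existent) hub address the ASA polls for NTP, and 203.0.113.1 / 203.0.113.2 are the two hub peers. The syntax is the pre-8.4 ASA form in use when the thread was written; 8.4 and later rename the transform set to `crypto ipsec ikev1 transform-set`.

```cisco
! Added example, hypothetical addressing (not the thread's real config).

! Crypto ACL: the remote LAN toward the hub LAN, plus an explicit line for the
! ASA's own inside address toward the NTP target. Traffic the ASA sources
! itself only counts as "interesting" if some line here matches it.
access-list HUB_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list HUB_CRYPTO extended permit udp host 192.168.10.1 host 10.0.0.123 eq ntp

crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac

! Static map, originate-only, two hub peers (as described in the question).
crypto map OUTSIDE_MAP 10 match address HUB_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside

! The "keepalive" traffic: NTP polls generated by the ASA itself, sourced
! from the inside interface so the packets match HUB_CRYPTO. The target does
! not have to answer; the outbound poll alone triggers phase 2 negotiation.
ntp server 10.0.0.123 source inside

! Alternative trigger from the answer: a syslog host reached through the tunnel.
! Only fires when the ASA has something to log, so NTP is the steadier choice.
! logging host inside 10.0.0.124

! Verification after the change (expect an active SA toward a hub peer):
! show crypto isakmp sa
! show crypto ipsec sa peer 203.0.113.1
```

The second ACE is redundant when the inside interface address already falls inside the first ACE's source network, but listing it explicitly makes the dependency acomiskey points out visible in the config: if the crypto ACL only covers a workstation subnet and the ASA sources its NTP from an address outside it, the poll will leave in the clear and the tunnel stays down. The same NAT-exemption rules that apply to LAN-to-LAN traffic apply here as well.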


