Always up lan-to-lan tunnel

Unanswered Question
May 5th, 2008

Hi all,

I have a Cisco ASA 5540 which has several Lan-to-Lan tunnels on it. Most of these tunnels are fine to drop with traffic inactivity, but a few cannot.

These VPN links are monitored by our data center and when they drop our data center freaks out. Right now they have been told to basically ignore the warnings and continue on.

Is there any way with the ASAs to configure a tunnel that is ALWAYS connected? If the tunnel ever does drop, the ASA will instantly try to reconnect.

I have set the inactivity time-outs up to 4 hours and played with several other settings, but they are still dropping.

stephenshaw Mon, 05/05/2008 - 07:20


A couple of items to think about:

1. Is the monitoring being done by accessing the device on the far end of the tunnel? i.e. occasional pings from an NMS may be keeping the tunnels up.

2. Is it possible that a routing protocol is keeping the tunnel up on these specific VPN tunnels?


acomiskey Mon, 05/05/2008 - 07:28

Check out...

tunnel-group ipsec-attributes

isakmp keepalive threshold # retry #

This should enable dead peer detection and keep your tunnels up.
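A fuller ASA configuration fragment showing where that command sits, added here as an illustration and not posted by anyone in this thread; the peer address 203.0.113.2, the group-policy name and the key are placeholders, and the idle-timeout lines are an added setting that exists on this platform but was not mentioned above.

```cisco
! Added illustration, not from this thread. Peer 203.0.113.2, the
! group-policy name and the pre-shared key are placeholders.
!
! 1. Dead peer detection on the L2L tunnel group: after 10 s with no
!    traffic from the peer the ASA sends a DPD probe, then retries every
!    2 s; a peer that never answers is declared dead and the SA is torn
!    down so a fresh one can be negotiated when traffic next arrives.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_YOUR_KEY
 isakmp keepalive threshold 10 retry 2
!
! 2. DPD only detects a dead peer; the inactivity timer is a separate
!    knob. Setting it to "none" in the group policy stops the ASA itself
!    from dropping the tunnel for idleness (the default is 30 minutes).
group-policy L2L-KEEPUP-GP internal
group-policy L2L-KEEPUP-GP attributes
 vpn-idle-timeout none
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-KEEPUP-GP
!
! 3. Verify the ISAKMP SA state and the settings applied to the peer:
! show crypto isakmp sa
! show vpn-sessiondb l2l
! show running-config tunnel-group 203.0.113.2
```

Even with both settings in place the ASA only builds the tunnel when traffic matches the crypto map ACL, so an otherwise silent link still depends on something such as the NMS pings mentioned above to bring it up in the first place.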