Automatically reconnect VPN after wireless drop - ASA5550

Unanswered Question
Jun 18th, 2008

I have a wireless connection (microwave) that runs very high speed. I am running one ASA5550 on each end configured for an L2L IPsec tunnel. The problem is I don't own the wireless, I'm just allowed to use it. So, when the owner makes changes or brings the wireless down for even a second, I have to recreate the tunnel. Do any of you masters know how to have the ASA device simply reconnect the tunnel after a service interruption?

Farrukh Haroon Thu, 06/19/2008 - 00:13

Have you tried enabling ISAKMP keepalives?


Regards


Farrukh

DustinBAE Thu, 06/19/2008 - 04:20

I did not set the keepalive, but I thought ISAKMP keepalive was enabled by default?


Default:

threshold 10 retry 2.


I will have to give it a try late on Friday and let you know how it goes.

Farrukh Haroon Thu, 06/19/2008 - 05:52

Yes, it's there by default:


The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.


For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.


Do you have any interesting traffic going over the VPN at all times?


Regards


Farrukh

DustinBAE Thu, 06/19/2008 - 05:54

Nothing suspicious or "different" than what you would expect. Mostly web traffic and database connections.

Farrukh Haroon Thu, 06/19/2008 - 06:00

No, what I meant was: is there any persistent traffic that could cause the VPN to trigger once it goes down?


How do you go about this now? Manually clear the SAs?


Regards


Farrukh

DustinBAE Thu, 06/19/2008 - 06:41

My fault. I reread your message just before I read this one....


Anyway, there isn't really any persistent traffic that requires a connection all the time.


Now we just clear the tunnel configuration and re-apply it. I could be wrong on that one though because I just took on the ASA a few days ago. I just know we have to "recreate" the tunnel every time our provider plays with the wireless connection and causes an interruption.


If you know of any place to read up on this so that it makes more sense to me that would be great. I have tried finding articles myself, but I don't really know what to look for. Thanks for all your help so far.

Farrukh Haroon Fri, 06/20/2008 - 11:53

I know a feature in IOS to achieve a similar thing, not so sure about the ASA.


Is it possible for you to post the output of 'show crypto isakmp sa detail' after the VPN is up? I need to check something.


Regards


Farrukh

