ASA VPN keep alive

Unanswered Question
Apr 13th, 2009

Hello,

I wanted to know if there was a way to keep a tunnel active 24/7 on the ASA 5510? My ASA is connecting to PIX 501s, a Sonicwall TZ170 and a 3com X5 (not sure if that matters though).

Thanks in advance

Ivan Martinon Mon, 04/13/2009 - 14:51

As long as traffic passes through the tunnel it will not be torn down; you can go ahead and set the lifetime to 86400 seconds, which causes the tunnel not to renew the key for 24 hours. But if there is no activity the tunnel will always go down, at least on Cisco devices. ASA AFAIK has the feature to set the lifetime for IKE to 0, which will not bring down the IKE tunnel, but IPsec is what has to rekey and I am not sure how the other vendors will support that. PIX won't support it.

fraunhoferpt Mon, 04/13/2009 - 17:55

As far as I know, if you set up keepalive on the tunnel group it should survive for hours/days, even after a rekey.

Just do the following:

tunnel-group <tunnel-group-name> ipsec-attributes
  isakmp keepalive threshold 10 retry 2

(The tunnel-group name is a placeholder for your peer's tunnel-group; on the ASA the threshold and retry values are given together on one isakmp keepalive line.)

Ivan Martinon Tue, 04/14/2009 - 05:43

Keepalives are a mechanism to detect whether the peer is active or not; this will not keep a tunnel up. It will actually do the opposite: bring down the tunnel when the remote peer does not respond to DPD (keepalive) packets.

Steven Williams Thu, 12/08/2011 - 08:35

This is a bit old, but I am going through this issue right now. I have a site-to-site VPN between two sites. One location has a Sonicwall and the other has an ASA5505. I have found that the tunnel stays up, but when I have a client session open to the remote side's AS400 system, after about 5 minutes of inactivity in the AS400 client access window, the session is terminated. I do not mind this, but 5 minutes is a bit short. Is there a way to change this?

eddie.harmoush Thu, 12/08/2011 - 09:37

Steven is correct, changing the ISAKMP keepalive will only change the intervals of the DPD checks (Dead Peer Detection). These do not count as "interesting" traffic and therefore do not reset idle timeouts or serve to rebuild a tunnel after it has been torn down.

You do have the option to remove the idle timeout on VPN connections. See the code below:

group-policy NO-TIMER internal
group-policy NO-TIMER attributes
  vpn-idle-timeout none

You would then apply this group-policy to your site-site tunnel-group:

tunnel-group 11.22.33.44 general-attributes
  default-group-policy NO-TIMER

However, do realize this will simply remove the idle timeout. It cannot do anything about tunnel rekeys. If your tunnel rekeys when no interesting traffic is occurring, the tunnel will not rebuild until interesting traffic is seen. There is no way around that.

I guess you could create a script on a server in your encryption domain to send a ping every few minutes to a host on the other side.  But at least from the Firewall, there is no way of forcing the tunnel to rebuild after a rekey.
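The ping script suggested above, written out as an added example (not code from anyone in this thread): it probes a host behind the far peer at a fixed interval so interesting traffic keeps flowing through the encryption domain, and records every reachable/unreachable transition so outages can be lined up against the peers' rekey times. The host address and interval are constructed placeholders; the ping flags assume Linux iputils.

```python
#!/usr/bin/env python3
"""Keepalive probe for a site-to-site IPsec tunnel (added example, not from
the thread). Generates interesting traffic and logs reachability changes."""
import subprocess
import time

PEER_HOST = "192.0.2.10"   # constructed: any host behind the remote peer
INTERVAL_S = 120           # keep well below the shortest idle timeout in
                           # the path (firewall idle timer, application idle)

def probe(host, timeout_s=2):
    """Return True if a single ICMP echo request to host is answered.
    -c 1 / -W seconds are Linux iputils ping flags."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def outage_windows(samples):
    """Turn (timestamp, reachable) samples into (down_since, up_again) pairs.
    up_again is None when the host is still unreachable at the last sample.
    Comparing these windows with the IKE/IPsec lifetimes shows whether the
    tunnel really drops at rekey or only the application session times out."""
    windows, down_since = [], None
    for ts, ok in samples:
        if not ok and down_since is None:
            down_since = ts
        elif ok and down_since is not None:
            windows.append((down_since, ts))
            down_since = None
    if down_since is not None:
        windows.append((down_since, None))
    return windows

def run(host=PEER_HOST, interval_s=INTERVAL_S, probe_fn=probe, cycles=None):
    """Probe until interrupted (or for `cycles` rounds) and return the samples.
    Only state changes are printed, so the output doubles as an outage log."""
    samples, last_ok = [], None
    while cycles is None or len(samples) < cycles:
        ok = probe_fn(host)
        samples.append((time.time(), ok))
        if ok != last_ok:
            print(time.strftime("%F %T"), host, "reachable" if ok else "UNREACHABLE")
        last_ok = ok
        if cycles is None or len(samples) < cycles:
            time.sleep(interval_s)
    return samples

if __name__ == "__main__":
    run()
```

Run it from a host inside the local encryption domain so the probes actually match the crypto ACL; the printed transitions give the timestamps to compare with the rekey interval.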
