VPN Tunnel failure traps

john.wright
Level 3

Does anyone know if an ASA5505 sends a trap when/If a L2L tunnel fails?

We are about to use L2L tunnel as our backup route and it would be real nice if we had notification when/if the tunnel drops.


5 Replies

Collin Clark
VIP Alumni

There are numerous messages; here are a couple you could use. Most are at level 6 (informational), but as you can see below there are a couple at lower levels. The first number after %ASA- is the logging level.

%ASA-5-713050: Group = a.b.c.d, IP = a.b.c.d, Connection terminated for peer

%ASA-6-713213: Group = a.b.c.d, IP = a.b.c.d, Deleting static route for L2L peer that came in on a dynamic map.

%ASA-7-713906: Group = a.b.c.d, IP = a.b.c.d, IKE SA MM:a5b280af rcv'd Terminate: state MM_ACTIV

%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xCA24EAF8) between w.x.y.z and a.b.c.d (user= a.b.c.d) has been deleted.

%ASA-4-113019: Group = a.b.c.d, Username = a.b.c.d, IP = a.b.c.d, Session disconnected. Session Type: IPsec, Duration: 2h:48m:04s, Bytes xmt: 20362219, Bytes rcv: 3165343, Reason: User Requested

Hope that helps.
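As an added example, not part of Collin Clark's reply or of the original thread: a small Python script that parses the `%ASA-<level>-<id>:` prefix described above and applies the two selection rules an operator would normally configure on the firewall for trap or syslog export, a severity threshold (modelled on `logging history <level>`) and an explicit list of message IDs (modelled on a `logging list` that names the tunnel-teardown messages). The sample lines are the five quoted in the reply with the `a.b.c.d` / `w.x.y.z` placeholders replaced by RFC 5737 documentation addresses, plus one constructed non-VPN line as noise; none of them were captured from a device. The ID set `TUNNEL_DOWN_IDS` and the helper names are this example's own.

```python
"""Classify ASA VPN syslog messages by severity and message ID.

Added example, not from the original thread. The sample lines are the
ones quoted in the reply above with documentation addresses substituted
(198.51.100.2 = L2L peer, 203.0.113.1 = local outside address); they are
constructed for this example, not captured from an ASA.
"""
import re

# ASA severity numbers: 0 = emergencies ... 7 = debugging. A lower number
# is MORE severe, so "at or below level N" means "at least that severe".
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}
SEVERITY_LEVELS = {name: num for num, name in SEVERITY_NAMES.items()}

# '%ASA-<level>-<six-digit id>: <body>'
PREFIX_RE = re.compile(r"^%ASA-(?P<level>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(r"\bIP = (?P<peer>" + IPV4 + ")")          # IKE/session messages
BETWEEN_RE = re.compile(r"between " + IPV4 + r" and (?P<peer>" + IPV4 + ")")  # 602304 style
SPI_RE = re.compile(r"SPI=\s*(?P<spi>0x[0-9A-Fa-f]+)")

# Message IDs quoted in the reply as indicating an L2L tunnel went down
# (an assumption of this example; extend it to taste).
TUNNEL_DOWN_IDS = {"713050", "713213", "713906", "602304", "113019"}

SAMPLE_LINES = [
    "%ASA-5-713050: Group = 198.51.100.2, IP = 198.51.100.2, Connection terminated for peer",
    "%ASA-6-713213: Group = 198.51.100.2, IP = 198.51.100.2, Deleting static route for L2L peer that came in on a dynamic map.",
    "%ASA-7-713906: Group = 198.51.100.2, IP = 198.51.100.2, IKE SA MM:a5b280af rcv'd Terminate: state MM_ACTIV",
    "%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xCA24EAF8) between 203.0.113.1 and 198.51.100.2 (user= 198.51.100.2) has been deleted.",
    "%ASA-4-113019: Group = 198.51.100.2, Username = 198.51.100.2, IP = 198.51.100.2, Session disconnected. Session Type: IPsec, Duration: 2h:48m:04s, Bytes xmt: 20362219, Bytes rcv: 3165343, Reason: User Requested",
    # Constructed noise line (a connection-build message, not VPN related).
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/52000 (10.0.0.5/52000)",
]


def parse(line):
    """Split one ASA syslog line into level, message ID, peer and SPI.

    Returns None for lines that do not carry the %ASA-L-ID: prefix.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    level = int(m.group("level"))
    body = m.group("body")
    peer = PEER_RE.search(body) or BETWEEN_RE.search(body)
    spi = SPI_RE.search(body)
    return {
        "level": level,
        "severity": SEVERITY_NAMES[level],
        "msgid": m.group("msgid"),
        "peer": peer.group("peer") if peer else None,
        "spi": spi.group("spi") if spi else None,
        "body": body,
    }


def by_severity(records, threshold):
    """Keep records at severity `threshold` or more severe (numeric <=).

    Mirrors a level-based export such as 'logging history notifications':
    with the default levels, only 713050 (5) and 113019 (4) pass; the
    level-6 and level-7 teardown messages are silently dropped.
    """
    if isinstance(threshold, str):
        threshold = SEVERITY_LEVELS[threshold]
    return [r for r in records if r["level"] <= threshold]


def by_msgid(records, msgids):
    """Keep records whose message ID is in `msgids`, regardless of level.

    Mirrors an ID-based logging list, which is how the informational and
    debugging teardown messages can be exported without raising the global
    threshold to level 6 or 7.
    """
    return [r for r in records if r["msgid"] in msgids]


def tunnel_down_events(lines):
    """Parse raw lines and return only the tunnel-teardown records."""
    records = [r for r in (parse(line) for line in lines) if r is not None]
    return by_msgid(records, TUNNEL_DOWN_IDS)


if __name__ == "__main__":
    for ev in tunnel_down_events(SAMPLE_LINES):
        print(f"{ev['msgid']} ({ev['severity']}) peer={ev['peer']} spi={ev['spi']}")
```

Running it against the sample lines shows the point of the reply in numbers: a severity threshold of `notifications` keeps only two of the five teardown messages, while selecting by message ID keeps all five and drops the unrelated connection-build line.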

Thanks for the info. Yes it does help greatly!

I have a second question.

Do you know if it is likely that a L2L tunnel could be non-operational yet no alarms of any kind would be sent?

Yes, but Cisco has implemented Dead Peer Detection to combat it. A connection can be faulty but still up if a connection (the internet) starts dropping packets. DPD queries each side, and if either side is non-responsive, it will tear down the tunnel. Each side will do this, so the tunnel will be torn down on each side. Once interesting traffic is sent, the tunnel will try to establish.

Thanks again!

Is this what we would need to code?

group-policy xxxx attributes

hostname(config-group-policy)# webvpn

hostname(config-group-policy)# svc dpd-interval gateway 30

Where xxxx = the group-policy name for the tunnel.

You got it. That's for webvpn/anyconnect. I'm pretty sure for L2L tunnels it's already enabled (and not seen in the config).
