How do I make an L2L tunnel active only when traffic is sent

Unanswered Question
Feb 8th, 2010

Hey guys!

I just built an L2L IPsec tunnel; however, I don't want the tunnel up all the time. I only want it up when there is traffic sent. Is there a way to do that?

Thank you!


I am on an ASA 5520

Ivan Martinon Mon, 02/08/2010 - 08:36

Hi Dustin,

An IPsec tunnel will only become active if traffic is flowing through it. Once no traffic is going through it, keepalives will become active, and after a certain idle time (which can be configured) the tunnel will be torn down.

Bear in mind that IKE has higher idle times or lifetimes than IPsec.

cisco_himg Wed, 02/10/2010 - 06:17

Sorry for the delay,

I have two tunnels that pretty much mimic each other. However, one tunnel stays up whether traffic is flowing through it or not, and the other tunnel only comes up if traffic is flowing through it.

How is that possible if they are pretty much mirrored after each other?

Any idea?

Ivan Martinon Wed, 02/10/2010 - 08:01

The way to see if traffic is indeed not going through it is with "show crypto ipsec sa". This will show you whether packets are being encrypted or not; if you see a consistent amount of packets increasing, then something is still passing traffic. On the other hand, remember that every tunnel has a lifetime which tells how long it will be up regardless of whether packets are passing or not. You could also configure an idle lifetime to bring the tunnel down after it has been inactive for a while.

The "show crypto ipsec sa" for this tunnel will show you the remaining lifetime. In this case the lifetime will have to expire in order for the tunnel to be torn down, regardless of activity; it usually is around 8 hours.
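As an added example (not part of this thread), a small Python script that automates the check described above: it parses two constructed snapshots written in the style of "show crypto ipsec sa" output and reports, per peer, whether the encaps/decaps counters grew between them and how many seconds of SA lifetime remain. The field layout, the peer addresses and the counter values are assumptions for illustration, not real device captures.

```python
import re
# Constructed text in the style of two "show crypto ipsec sa" snapshots a minute apart (assumed ASA layout, not real captures).
SNAPSHOT_T0 = """\
      current_peer: 203.0.113.10
      #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
      #pkts decaps: 950, #pkts decrypt: 950, #pkts verify: 950
         sa timing: remaining key lifetime (kB/sec): (4373999/27000)
      current_peer: 198.51.100.20
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
         sa timing: remaining key lifetime (kB/sec): (4374000/3600)
"""
SNAPSHOT_T1 = """\
      current_peer: 203.0.113.10
      #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
         sa timing: remaining key lifetime (kB/sec): (4373800/26940)
      current_peer: 198.51.100.20
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
         sa timing: remaining key lifetime (kB/sec): (4374000/3540)
"""
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
FIELD_RES = {  # counters and remaining lifetime (seconds) we care about per peer
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "remaining_sec": re.compile(r"remaining key lifetime \(kB/sec\): \(\d+/(\d+)\)"),
}
def parse_ipsec_sa(text):
    """Return {peer: {"encaps": n, "decaps": n, "remaining_sec": n}}; the last value seen per peer wins."""
    sas, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = sas.setdefault(m.group(1), {})
        elif current is not None:
            for key, rx in FIELD_RES.items():
                m = rx.search(line)
                if m:
                    current[key] = int(m.group(1))
    return sas
def tunnel_activity(before, after):
    """Diff two snapshots: growing encaps/decaps counters mean traffic is still flowing."""
    old, new = parse_ipsec_sa(before), parse_ipsec_sa(after)
    report = {}
    for peer, now in new.items():
        delta = sum(now.get(k, 0) - old.get(peer, {}).get(k, 0) for k in ("encaps", "decaps"))
        report[peer] = {"packets_delta": delta, "active": delta > 0, "remaining_sec": now.get("remaining_sec")}
    return report
```

A peer whose counters do not move between snapshots but still shows a large remaining lifetime is the "stays up regardless of traffic" case from this thread: nothing is flowing, and the SA is simply waiting for its lifetime to expire.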

cisco_himg Wed, 02/10/2010 - 09:06

I have the lifetime at 86400 for the policy; here is the config:

    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash md5
     group 2
     lifetime 86400
    crypto map OUTSIDE_VPN_MAP 51 match address DALLAS_ARCHIVE
    crypto map OUTSIDE_VPN_MAP 51 set peer
    crypto map OUTSIDE_VPN_MAP 51 set transform-set ESP-AES-256-MD5
    crypto map OUTSIDE_VPN_MAP interface outside

I don't see an idle timeout. Unless... can the other end have it set to an idle timeout, or does it have to be on both ends of the tunnel?

Ivan Martinon Wed, 02/10/2010 - 09:28

The ISAKMP policy lifetime is only used for IKE. The IPsec lifetime, if not configured, is 28800 seconds by default, and it is configured under the crypto map; issue a "show run all crypto" to see it. As for the idle time, the best practice is to configure it on both sides.
