Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA VPN keep alive


I wanted to know if there was a way to keep a tunnel active 24/7 on the ASA 5510? My ASA is connecting to PIX 501's, Sonicwall TZ170 and 3com X5(not sure if that matters though)

Thanks in advance


Re: ASA VPN keep alive

As long as traffic pass through the tunnel it will not be torn down, you can go ahead and set the lifetime to 86400 seconds which cause the tunnel not to renew the key for 24 hours. But if there is no activity the tunnel will always go down at least on Cisco devices. ASA AFAIK has the featuer to set the lifetime for IKE to 0 which will not bring down the IKE tunnel but IPSEC is what has to rekey and I am not sure how the other vendors will support that. Pix won't support it.

New Member

Re: ASA VPN keep alive

As far as I know, If you setup keepalive on the tunnel group it should survive for hours/days, even after a rekey.

Just do the following:

tunnel-group ipsec-attributes

isakmp keepalive threshold 10

isakmp keepalive reset 2

Re: ASA VPN keep alive

Keepalives are a mechanism to detect whether the peer is active or not, this will not keep a tunnel up, it will actually do the opposite: bring down the tunnel when the remote peer does not respond to DPD (keepalive) packets

New Member

ASA VPN keep alive

This is a bit old, but I am going through this issue right now. I have a site to site VPN between two sites. One location has a sonicwall and the other has a ASA5505. I have found that the tunnel stays up but when I have a client session open to the remote side's AS400 system, after about 5 minutes of inactivity on the AS400 client access window, the session is terminated. I do not mind this, but 5 minutes is a bit short. Is there a way to change this?

New Member

Re: ASA VPN keep alive

Steven is correct, changing the ISAKMP Keepalive will only change the intervals of the DPD checks (Dead Peer Detection).  These do not count as "interesting" traffic and therefore do not reset idle timeoutes or serve to rebuild a tunnel after it has been tore down.

You do have the option to remove the idle timeout on VPN connections.  See code below:

group-policy NO-TIMER internal
group-policy NO-TIMER attributes
  vpn-idle-timeout none

You would then apply this group-policy to your site-site tunnel-group:

tunnel-group general-attributes

  default-group-policy NO-TIMER

However, do realize this will simply remove the idle timeout.  It can not do anything about tunnel re-keys.  If your tunnel rekeys when no interesting traffic is occuring, the tunnel will not rebuild until interesting traffic is seen.  There is no way around that.

I guess you could create a script on a server in your encryption domain to send a ping every few minutes to a host on the other side.  But at least from the Firewall, there is no way of forcing the tunnel to rebuild after a rekey.

CreatePlease login to create content