I am attempting to setup an ip sla. I have a vpn tunnel to another site that I want to have traffic on at all times to prevent that tunnel from ever going down. I created this sla and the tracking object. Typically you would apply this tracking object to a static route. With this being a vpn tunnel there is no static route to apply this tracking object.
How can I apply this to the vpn?? I want to keep traffic on this tunnel at all times.
sla monitor 97
type echo protocol ipIcmpEcho 10.10.14.1 interface CORPORATE
sla monitor schedule 97 life forever start-time now
track 97 rtr 97 reachability
Do you need a particular SA to be always up or the whole tunnel? What are your proxy ID? What ASA version is this?
I don't think you need tracking in this case.
You can add a proxy ID matching icmp traffic between tunnel endpoints and ping all the time.
I did a short lab test.
Even with management-acces insde, I'm not able to initiate pings from inside interface - expected behavior, was worth a short.
%ASA-6-110003: Routing failed to locate next hop for icmp from NP Identity Ifc:172.16.0.1/0 to inside:10.0.0.254/0
172.16.0.1 is my inside IP 10.0.0.254 some host on other network.
The asa ver is 8.2(2) . I would like for the whole tunnel to remain up. The local network is 10.10.0.0 and the remote network is 10.14.0.0. I was going to set an sla to monitor 10.14.1.1 sending 3 icmp packets every 15 seconds.
You mention 'You can add a proxy ID matching icmp traffic between tunnel endpoints and ping all the time.' Can you provide me with an example of this?? I am not famliar with proxy ids. Sorry
Well if you want to keep the tunnel up, why not run a simple cron and run a script with ping on one of the hosts to keep the tunnel up?
If you add a new proxy ID (identifying what traffic is interesting for encryption) you will only keep this particular tunnel up (we're talking about IPsec/SPI not IKE).
And again we come to the point where we need to see your proxy IDs to say whether this will work. For sure you cannot ping from "inside" on one ASA towards anything on the "outside" like you can do on a router.
The proxy Id (interesting traffic) is 10.10.0.0 255.255.0.0 to 10.14.0.0 255.255.0.0
I do not want to have to rely on a host machine to generate the traffic to keep the tunnel up.
I did my test on ASA 8.3 but I believe you will face same limitation in other ASA version as with PIX before.
If both sides are ASA it might be problematic to use the proxy identities you highlighted for traffic from the box itself.
Did you already set the vpn-idle-timeout and vpn-session-timeout to none? That would be one place to start.
If you trying use ip sla for only keep de tunnel established or active traffic, why you don´t use IKE Keepalive and DPD ?
Look this document to check if it´s possible in your environment.
Hope i help you
DPDs or keepalives will not keep the tunnels up, nor will they trigger the tunnel to go up if it should go down. DPD is a "control" plane mechanism (in limited scope of this word).
Exactly, but when IKE messages are exchange between peers, they keep up and try recovery if this goes down. If this tunnel doesn't have any traffic, so can be down depending setup configuration.
For example, in my environment, i use only ike keepalived and it works perfectly.
Anyway, the important it work.. ;-)
So we agree that DPDs are only recovery mechanism ;-)
And yes I believe it is a good practice to have them on in 99% of setups.
Marcus wanted to have the data plane connection up all the time - ie. keep SPI busy.
In addition to the suggestions here, you might also try configuring the remote device to synchronize it's clock using NTP over the VPN tunnel. You can set the source interface of the NTP requests to be an interface that has rights to traverse the tunnel. Just make sure it's synchronizing to a router or server that it has access to.
NTP update interval is variable but in my experience it has averaged out to be about once a minute. If you wanted more NTP traffic, setup several devices on the other end of the VPN tunnel to be NTP servers and have the remote device poll all of them.