Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Needs Ping to Stay Up

Hi,

Does anyone know why some of our site to site VPNs need a ping every half hour to stay up? Others don't.

Thanks, Pat.

3 REPLIES
Hall of Fame Super Silver

VPN Needs Ping to Stay Up

If there's no interesting traffic being presented on the tunnel, the default behavior would be to tear it down after the Phase 2 SA times out.

If there is interesting traffic, yet it still drops, it could be an interoperability bug with a different vendor at the distant end. I have seen that on occassion between ASA and Juniper Netscreen.

New Member

VPN Needs Ping to Stay Up

would Phase 2 be the Security Association Lifetime Settings?  On this particular VPN, they are set to 8 hours.

Thanks, Pat

Hall of Fame Super Silver

VPN Needs Ping to Stay Up

Yes, lifetime settings would be it.

"Show crypto ipsec sa" will show you. among other things, what the firewall believes is the configured and remaining time. See examples in this document. You might want to verify that at both ends to confirm the settings.

306
Views
10
Helpful
3
Replies