Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
925
Views
0
Helpful
7
Replies

Automatically reconnect VPN after wireless drop - ASA5550

DustinBAE
Level 1
Level 1

‎06-18-2008 11:07 AM - edited ‎02-21-2020 03:46 PM

I have a wireless connection (microwave) that runs very high speed. I am running one asa5550 on each end configured for l2l ipsec tunnel. The problem is I don't own the wireless, I'm just allowed to use it. So, when the owner makes changes or brings the wireless down for even a second I have to recreate the tunnel. Does any of you masters know how to have the ASA device simpley reconnect the tunnel after a service interruption?

Labels:
0 Helpful
7 Replies 7

Farrukh Haroon
VIP Alumni
VIP Alumni

‎06-19-2008 12:13 AM

Have you tried enable ISAKMP keepalives?

Regards

Farrukh

0 Helpful

DustinBAE
Level 1
Level 1
In response to Farrukh Haroon

‎06-19-2008 04:20 AM

I did not set the keepalive, but I thought ISADMP keepalive was enable by default?

Default:

threshold 10 retry 2.

I will have to give it a try late on Friday and let you know how it goes.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to DustinBAE

‎06-19-2008 05:52 AM

Yes its there by default:

The default for a remote access group is a threshold of 300 seconds and a retry of 2 seconds.

For a LAN-to-LAN group, the default is a threshold of 10 seconds and a retry of 2 seconds.

Do you have any interesting traffic going over the VPN at all times?

Regards

Farrukh

0 Helpful

DustinBAE
Level 1
Level 1
In response to Farrukh Haroon

‎06-19-2008 05:54 AM

Nothing suspicious or "different" than what you would expect. Mostly web traffic and database connections.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to DustinBAE

‎06-19-2008 06:00 AM

No what I meant was is there any persistent traffic that could cause the VPN to trigger onces it goes down.

How do you go about this now? Manually clear the SAs?

Regards

Farrukh

0 Helpful

DustinBAE
Level 1
Level 1
In response to Farrukh Haroon

‎06-19-2008 06:41 AM

My fault. I reread your message just before I read this one....

Anyway, there isn't really any persistent traffic that requires a connection all the time.

Now we just clear the the tunnel configuration and re-apply it. I could be wrong on that one though because I just took on the ASA a few days ago. I just know we have to "recreate" the tunnel everytime our provider plays with the wireless connection and causes an interruption.

If you know of any place to read up on this so that it makes more sense to me that would be great. I have tried finding articles myself, but I don't really know what to look for. Thanks for all your help so far.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to DustinBAE

‎06-20-2008 11:53 AM

I know a feature in IOS to achieve a similar thing, not so sure about the ASA.

Is it possible for you to post output of 'show crypto isakmp sa detail' after the VPN is up, I need to check something.

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents