Hi, we've got several Internet IPSec/ISAKMP VPNs. HQ is using a VPN3030 Concentrator and the remote sites are using Pix 501s. Looking at the session statistics on the VPN3030 some of the tunnels stay up for days and some won't stay up for more than a few hours.
I've got a couple of questions:
1). Should traffic from either side bring the tunnel up?
2). When the tunnel comes up, should it stay up for a certain number of hours even if there is no more traffic sent? i.e. if the tunnel is brought up by a ping, will it stay up? Or more specifically, should it stay up? And if it goes down after an hour or so on a regular basis, then should I be investigating the remote site's DSL line Internet connection as the first port of call?
I looked this up for you. On your VPN 3030, check the IKE keepalive configuration for both the tunnels that stay up for days and the tunnels that drop after a time, and compare their keepalive configurations. I would suspect that the tunnels that drop after a time when there is no activity may have no keepalive configured on them. I could be wrong about your problem, but it is worth checking.
On the concentrator go to:
Configuration / User Management / Groups, then select the tunnel in question, select the IPSec tab and look at whether IKE Keepalives is checked or unchecked.
Yes, I had configured keepalives on all of them a couple of weeks ago because one of them was going down and staying down for hours. Now it goes down but usually comes back up in between a few seconds and a minute or so. I'm thinking that the DSL line is problematic and will now troubleshoot that.
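As an added example that is not part of this thread, the following Python simulation shows what the IKE keepalive setting discussed in the answer above actually changes, and why the two symptoms reported here (a tunnel "down and staying down for hours" versus one that "goes down but comes back within a minute") look different in the concentrator's session table. It models the keepalive mechanism generically: probe an idle peer, retry a few times, delete the SAs once the peer is declared dead, and let the next interesting packet renegotiate. The timer values, the outage window, the traffic pattern and the assumption that the remote PIX loses its SAs during the DSL outage are all constructed for the example; the page does not state the real keepalive or retry timers of either device.

```python
"""IKE keepalive simulation for an IPsec site-to-site tunnel.

Added example, not from the thread above. With keepalives the local side probes
an idle peer, retries, and deletes the SAs once the peer is declared dead, so the
next packet renegotiates. Without keepalives a stale SA stays in the table; if
the remote PIX lost its side of the SA during an outage, traffic is dropped until
the SA lifetime expires. All timer values and events below are constructed.
"""
from dataclasses import dataclass
from typing import Collection, List, Optional, Tuple


@dataclass
class KeepaliveConfig:
    keepalive_interval: Optional[int]  # idle seconds before a probe; None disables keepalives
    retry_interval: int = 2            # seconds between retries after a missed reply
    retries: int = 3                   # missed retries tolerated before the peer is declared dead
    sa_lifetime: int = 3600            # seconds before the SA expires and must be renegotiated


def simulate(cfg: KeepaliveConfig,
             outage_windows: List[Tuple[int, int]],
             duration: int,
             traffic_at: Collection[int],
             peer_reset_at: Optional[int] = None) -> List[Tuple[int, str]]:
    """Step one second at a time and return a list of (second, event) tuples.

    outage_windows: (start, end) ranges during which nothing from the peer arrives.
    traffic_at:     seconds at which local hosts send traffic over the tunnel.
    peer_reset_at:  second at which the remote peer loses its SAs (e.g. a reboot).
    """
    events: List[Tuple[int, str]] = []
    up = True            # local side believes the tunnel is established
    established = 0      # second the current SA was negotiated
    last_seen = 0        # last second a packet or keepalive reply came from the peer
    last_sent = 0        # last second a keepalive probe was sent
    missed = 0           # consecutive unanswered probes
    peer_has_sa = True   # remote side still holds the matching SA

    def link_up(t: int) -> bool:
        return not any(start <= t < end for start, end in outage_windows)

    for t in range(1, duration + 1):
        if t == peer_reset_at:
            peer_has_sa = False
        peer_answers = link_up(t) and peer_has_sa

        if not up:
            # Only interesting traffic brings the tunnel back, and only over a working link.
            if t in traffic_at and link_up(t):
                up, established, last_seen, missed = True, t, t, 0
                peer_has_sa = True
                events.append((t, "tunnel renegotiated"))
            continue

        if t - established >= cfg.sa_lifetime:
            up = False
            events.append((t, "SA lifetime expired"))
            continue

        if t in traffic_at:
            if peer_answers:
                last_seen = t  # return traffic proves the peer is alive
            elif link_up(t):
                # Link is fine but the peer no longer has our SA: the stale-SA black hole.
                events.append((t, "traffic dropped: peer has no matching SA"))

        if cfg.keepalive_interval is None:
            continue  # no probing; only lifetime expiry ever tears the tunnel down

        idle = t - last_seen
        wait = cfg.keepalive_interval if missed == 0 else cfg.retry_interval
        if idle >= cfg.keepalive_interval and t - last_sent >= wait:
            last_sent = t
            if peer_answers:
                last_seen, missed = t, 0
            else:
                missed += 1
                if missed > cfg.retries:
                    up = False
                    events.append((t, "peer declared dead, SAs deleted"))
    return events


# Constructed scenario: a 30 s DSL outage at the remote site during which the
# PIX also loses its SAs, with traffic crossing the tunnel once a minute.
OUTAGE = [(100, 130)]
PEER_RESET = 110
TRAFFIC = range(60, 301, 60)


def run_with_keepalives() -> List[Tuple[int, str]]:
    return simulate(KeepaliveConfig(10, retry_interval=2, retries=3), OUTAGE, 300, TRAFFIC, PEER_RESET)


def run_without_keepalives() -> List[Tuple[int, str]]:
    return simulate(KeepaliveConfig(None), OUTAGE, 300, TRAFFIC, PEER_RESET)


if __name__ == "__main__":
    for label, run in (("keepalives on", run_with_keepalives), ("keepalives off", run_without_keepalives)):
        print(label)
        for second, event in run():
            print(f"  t={second:>3}s  {event}")
```

Running it prints two event lists. With keepalives on, the local side declares the peer dead a few seconds into the outage and the first packet after the line returns rebuilds the tunnel, which is the "goes down but comes back within a minute" pattern. With keepalives off, the tunnel still looks up in the session table while every packet is dropped, and nothing recovers it before the SA lifetime expires, which is the "down and staying down for hours" pattern. If a tunnel is torn down and renegotiated at regular intervals even with keepalives on, the detection is working and the thing to investigate is the remote link itself.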