I have to monitor several VPN locations in Cisco Secure.
In all locations there are 5-10 workstations and one print server. The VPN is realized in Network Extension Mode with a Pix501 in the outside locations and VPN Concentrator 3005 in the central side. We monitor the print server because it is always powered on. But if all workstations are powered off and we get a change of the dynamically allocated IP address on the PIX, no new VPN tunnel is established. So we can't poll the print server. If one workstation is powered on, the VPN tunnel comes up and everything works fine.
I should have a solution to monitor the print server if all workstations are being powered off.
Unfortunately there's not a lot you can do here. Unless there's traffic originating from the remote site, the tunnel will go down after the SA expires. Even sending pings to the print server won't stop the SA from expiring, and once it expires the traffic has to be initiated from the remote site.
Even extending the lifetime of your SAs won't help, because you'll eventually get to a point where the SA expires and the PCs are powered off. It may reduce the frequency of your problem, but the problem will still occur every now and then.