
Site to site tunnel initiation

m-ketchum
Level 1

Is there any way to initiate phase 2 without sending data from an inside workstation?

Once the tunnels are up they are good to go unless they drop for an unforeseen reason or if the SAs reset. The problem is that there isn't much traffic sourcing at the remote site to bring the tunnels back up if they drop; however, the hub site needs to be able to reach out and touch the remote sites.

Remote sites are configured with a static crypto map set to originate-only and have two peers defined. The hub site is using a dynamic crypto map.

Thanks for any tips.

1 Accepted Solution


acomiskey
Level 10

A way around this is to have a machine on the remote end or the remote PIX itself use a local syslog server, NTP server, etc. This traffic would bring up the tunnel without user intervention.


Very cool...thanks for confirming that. I actually just thought of that 5 minutes ago while making breakfast.

I'm going to run a couple tests and will be back to rate.

Thanks!

Great minds think alike. If you want the source to be the PIX on the remote end, you need to include this traffic in your crypto ACLs. Let me know how it goes.

Works Great! Thanks!

I configured the remote ASA with a non-existent NTP server using an IP at the hub site and sourced it from the inside interface.
