crypto map outside 1 set connection-type originate-only
crypto map outside 1 set peer 184.108.40.206
crypto map outside 1 set transform-set test
crypto map outside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
tunnel-group DefaultL2LGroup ipsec-attributes
//some commands missing
prompt hostname context
Setting up a Continuous Ping
The easiest way to resolve this issue is to have continuous traffic going through the tunnels. The traffic needs to match the crypto access-lists for the SAs that need to be kept alive. One way to accomplish this would be to set up a device behind each spoke ASA (ASA-Sx) to continuously ping the internal interfaces of all the ASAs. Management access needs to be enabled on all ASAs. The downside to this is that often the network is such that there are only client machines behind the spoke ASA, and it isn't feasible to keep a client machine on 24x7 just to run pings to keep an SA alive. A neater solution is the Smart Call Home feature introduced in ASA software v8.2.2. Using the snapshot alert group of Smart Call Home, we can define a set of commands that the ASA is forced to execute at a periodic interval. By using this feature, and enabling Management Access on all the inside interfaces of the ASAs, we can keep the SAs alive.
The commands that need to be added to the spoke ASAs are:
call-home
 no alert-group inventory
 alert-group-config snapshot
  add-command "ping inside 192.168.1.1"   // use add-command to configure each command that you would like to execute automatically
  add-command "ping inside 192.168.x.1"   // to bring up the SAs between two spokes
 contact-email-addr <dummy-mail-address>   // the email address can be a dummy value, as we do not require any report to be sent after the commands are executed
 mail-server <dummy-mailserver-ipaddress> priority 1
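Below is an added, complete spoke-side configuration for this technique; it is not from the original article. The interface name, addresses, profile name and interval are assumed, and the profile/subscription lines that actually schedule the snapshot come from the ASA Call Home CLI rather than from the page.

```cisco
! Added example (not from the original article): a spoke ASA keeps its
! SAs to the hub and to one other spoke alive by pinging their inside
! interfaces on a timer through Smart Call Home.
! Assumed values: interface "inside", hub inside address 192.168.1.1,
! second spoke inside address 192.168.2.1, profile name "sa-keepalive",
! and a 5-minute interval. Adjust to your topology.

! A ping sourced from the inside interface across the tunnel is only
! answered if management access is enabled on the interface being
! pinged, so every ASA that is a ping target needs this line.
management-access inside

! Enable Smart Call Home globally.
service call-home

call-home
 ! Dummy values: no report has to be delivered for the pings to run.
 contact-email-addr dummy@example.invalid
 mail-server 192.0.2.10 priority 1
 ! Suppress the periodic inventory report; we only want the snapshot.
 no alert-group inventory
 ! Commands executed each time the snapshot alert group fires. Each
 ! ping must match the crypto ACL of the SA it is meant to keep up.
 alert-group-config snapshot
  add-command "ping inside 192.168.1.1"
  add-command "ping inside 192.168.2.1"
 ! Profile that schedules the snapshot. The "periodic interval" form is
 ! assumed from the ASA Call Home CLI (minutes). Choose an interval
 ! shorter than the SA idle timeout so the SA is refreshed before it
 ! is torn down.
 profile sa-keepalive
  destination transport-method email
  destination address email dummy@example.invalid
  subscribe-to-alert-group snapshot periodic interval 5
  active
```

After applying this, `show call-home profile sa-keepalive` and `show crypto ipsec sa` on the spoke confirm that the snapshot is subscribed and that the SA byte counters keep increasing between intervals.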
Alternatively, the following enhancement request #CSCtn29607 has also been filed to modify the behavior of SLA monitoring so as to allow SLA monitoring to source pings from interfaces that have management access enabled on them. If you would like to see this feature implemented, please attach this enhancement request to your service request and get in touch with your account team.
Apart from this solution, the other way to resolve this involves an overhaul of the design. Instead of using dynamic crypto maps, the ASAs need to be configured for EzVPN. The previous link provides the configuration guide for EzVPN. The only downside to EzVPN is that only ASA 5505s can be configured as EzVPN clients, so in this case all the spokes will have to be ASA 5505s.