New Member

VPN Tunnel failure traps

Does anyone know if an ASA5505 sends a trap when/If a L2L tunnel fails?

We are about to use L2L tunnel as our backup route and it would be real nice if we had notification when/if the tunnel drops.

5 REPLIES

Re: VPN Tunnel failure traps

There are numerous messages, here's a couple you could use. Most are at level 6 (informational), but as you can see below there are a couple at lower levels. The first number after %ASA- is the logging level.

%ASA-5-713050: Group = a.b.c.d, IP = a.b.c.d, Connection terminated for peer

%ASA-6-713213: Group = a.b.c.d, IP = a.b.c.d, Deleting static route for L2L peer that came in on a dynamic map.

%ASA-7-713906: Group = a.b.c.d, IP = a.b.c.d, IKE SA MM:a5b280af rcv'd Terminate: state MM_ACTIV

%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xCA24EAF8) between w.x.y.z and a.b.c.d (user= a.b.c.d) has been deleted.

%ASA-4-113019: Group = a.b.c.d, Username = a.b.c.d, IP = a.b.c.d, Session disconnected. Session Type: IPsec, Duration: 2h:48m:04s, Bytes xmt: 20362219, Bytes rcv: 3165343, Reason: User Requested

Hope that helps.
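As an added example (not part of the original thread), the following Python script shows how a monitoring host could pick the tunnel-teardown messages quoted above out of an ASA syslog feed: it parses the `%ASA-<level>-<id>:` header, keeps only the message IDs listed in the reply, applies a severity threshold (lower number = more severe, the same ordering the ASA uses), and extracts the peer address so an alert can name which L2L tunnel dropped. The sample log lines and peer addresses are constructed for illustration (one unrelated connection-built line is included to show it is ignored).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample feed: the message IDs from the reply above with
# documentation addresses substituted, plus one unrelated line (302013,
# "Built inbound TCP connection") that must not be reported.
SAMPLE_LOG = """\
%ASA-5-713050: Group = 203.0.113.10, IP = 203.0.113.10, Connection terminated for peer
%ASA-6-713213: Group = 203.0.113.10, IP = 203.0.113.10, Deleting static route for L2L peer that came in on a dynamic map.
%ASA-7-713906: Group = 203.0.113.10, IP = 203.0.113.10, IKE SA MM:a5b280af rcv'd Terminate: state MM_ACTIV
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)
%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xCA24EAF8) between 192.0.2.1 and 203.0.113.10 (user= 203.0.113.10) has been deleted.
%ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Duration: 2h:48m:04s, Bytes xmt: 20362219, Bytes rcv: 3165343, Reason: User Requested
"""

# Message IDs the reply identifies as tunnel teardown indicators.
TUNNEL_DOWN_IDS = {"713050", "713213", "713906", "602304", "113019"}

# "%ASA-<severity>-<message id>: <text>" header; severity 0 is most severe, 7 is debug.
HEADER = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<msgid>\d+): (?P<text>.*)$")
# Peer address appears as "IP = x.x.x.x" in the IKE/session messages ...
PEER_IP = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# ... and as "between <local> and <remote>" in the IPsec SA message.
BETWEEN = re.compile(r"between (?P<local>\S+) and (?P<remote>\S+)")


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    text: str
    peer: Optional[str]


def parse_line(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line; return None for lines that are not ASA messages."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    text = m.group("text")
    peer = None
    ip_match = PEER_IP.search(text)
    if ip_match:
        peer = ip_match.group("ip")
    else:
        between = BETWEEN.search(text)
        if between:
            peer = between.group("remote")
    return AsaEvent(int(m.group("sev")), m.group("msgid"), text, peer)


def tunnel_down_events(log: str, max_severity: int = 6) -> List[AsaEvent]:
    """Return teardown-related events at or below the given severity number.

    max_severity mirrors the trap level you would export: 6 keeps the
    informational messages, 4 keeps only warnings and worse.
    """
    events = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.msg_id in TUNNEL_DOWN_IDS and ev.severity <= max_severity:
            events.append(ev)
    return events


def affected_peers(log: str, max_severity: int = 6) -> List[str]:
    """Distinct peer addresses with a teardown event, for use in an alert subject."""
    return sorted({ev.peer for ev in tunnel_down_events(log, max_severity) if ev.peer})


if __name__ == "__main__":
    for ev in tunnel_down_events(SAMPLE_LOG):
        print(f"level {ev.severity} id {ev.msg_id} peer {ev.peer}: {ev.text[:60]}")
    print("peers with tunnel teardown:", affected_peers(SAMPLE_LOG))
```

With the default threshold of 6 the script reports four of the five quoted messages (the level-7 IKE debug line is excluded, as it would be unless debugging-level logging is exported); raising the threshold to 7 includes it, and lowering it to 4 leaves only the session-disconnect warning. In practice you would feed the monitor from the same severity level the ASA is configured to send to your syslog/trap receiver, so the detector and the exported log agree on which messages can ever arrive.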

New Member

Re: VPN Tunnel failure traps

Thanks for the info. Yes it does help greatly!

I have a second question.

Do you know if it is likely that a L2L tunnel could be non-operational yet no alarms of any kind would be sent?

Re: VPN Tunnel failure traps

Yes, but Cisco has implemented Dead Peer Detection to combat it. A connection can be faulty, but still up, if a connection (the internet) starts dropping packets. DPD queries each side and if either side is non-responsive, it will tear down the tunnel. Each side will do this so the tunnel will be torn down on each side. Once interesting traffic is sent the tunnel will try and establish.

New Member

Re: VPN Tunnel failure traps

Thanks again!

Is this what we would need to code?

group-policy xxxx attributes

hostname(config-group-policy)# webvpn

hostname(config-group-policy)# svc dpd-interval gateway 30

Where xxxx = the group-policy name for the tunnel.

Re: VPN Tunnel failure traps

You got it. That's for webvpn/anyconnect. I'm pretty sure for L2L tunnels it's already enabled (and not seen in the config).
