Cisco Support Community
New Member

ASA self initiating L2L VPN - SLA ?

Hello,

Is it possible for an ASA fw to self-initiate a L2L VPN connection to a central firewall, with IP SLA or any other mechanism?

This is in the case of a dynamic L2L VPN.

I'm wondering, since the VPN access-list would only be triggered by traffic passing through.

Any idea ?

Regards,

Thibault

6 REPLIES
New Member

ASA self initiating L2L VPN - SLA ?

Hi Thibault ,

Can I have your network setup diagram? Do you have any L3 device behind your firewall? If you have an L3 device, you can run IP SLA on your L3 switch, pinging your central firewall's inside segment, so that your tunnel is always up.

IP SLA is supported only in Cisco IOS software, not in ASA code.

Q. What Cisco hardware supports Cisco IOS IP SLA?

A. All Cisco hardware that runs Cisco IOS Software supports Cisco IOS IP SLAs.

http://www.cisco.com/en/US/partner/technologies/tk648/tk362/tk920/technologies_qas0900aecd8017bd5a.html

HTH

Regards
Santhosh Saravanan

New Member

ASA self initiating L2L VPN - SLA ?

Hello,

There is a SLA feature on ASA firewalls. The command SLA monitor NNN, type echo.

AFAIK, sla packets are not matched against vpn access-list but I might be wrong.

( branch LAN ) --- [ Firewall ] -- [ DSL router with dynamic IP address ] --- | "Internet" | --- [ HQ VPN FW ]

Dynamic IPSEC VPNs are triggered from the remote site only, not from the main FW with static IP hence the problem with monitoring branches from main site if for some reason the VPN is down and no traffic is sent to main site.

Regards,

Thibault

Cisco Employee

ASA self initiating L2L VPN - SLA ?

Hi,

If I understood your issue correctly, you have a dynamic-to-static VPN and you want to use the SLA feature of the ASA so that the ASA keeps sending ICMP echoes, which will keep the tunnel up.

I don't think SLA is an option here, because if you enable SLA on the ASA it will use the outside interface as the source of the echo packets it sends. To send that echo across the VPN you would have to add the outside interface IP to the crypto access-list. Because your ASA has a dynamic IP, you can't do that.

And I don't see any point in enabling SLA at the headquarters for the VPN.

So in this case you do not have any option other than to have continuous traffic going (maybe a continuous ping) from any machine behind the dynamic ASA.

Thanks

Jeet Kumar
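
The "continuous ping from a machine behind the dynamic ASA" suggested above, as an added example that is not part of the thread and not Cisco-provided: a keepalive for a Linux host on the branch LAN that also logs up/down transitions, so tunnel outages are recorded at the branch even when HQ cannot see them. `HQ_HOST` is a constructed placeholder for an HQ inside address matched by the crypto access-list; `ping -W` and `logger` assume a Linux host.

```shell
#!/bin/sh
# Keepalive for a branch-initiated L2L tunnel (added example, assumptions below).
# HQ_HOST: placeholder address; set it to an HQ inside host covered by the
# crypto ACL, so each probe is "interesting traffic" that brings the tunnel up.
HQ_HOST="${HQ_HOST:-192.0.2.10}"
INTERVAL="${INTERVAL:-10}"       # seconds between probes
FAIL_LIMIT="${FAIL_LIMIT:-3}"    # consecutive losses before declaring "down"

STATE=unknown   # unknown | up | down
FAILS=0         # consecutive failed probes
EVENT=          # set to "up" or "down" only when the state changes

# One ICMP echo with a 2 second timeout (Linux iputils syntax).
probe() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# update_state RESULT   (0 = reply received, 1 = no reply)
# Debounces losses so a single dropped packet is not reported as an outage.
update_state() {
    EVENT=
    if [ "$1" -eq 0 ]; then
        FAILS=0
        if [ "$STATE" != up ]; then EVENT=up; fi
        STATE=up
    else
        FAILS=$((FAILS + 1))
        if [ "$FAILS" -ge "$FAIL_LIMIT" ] && [ "$STATE" != down ]; then
            STATE=down
            EVENT=down
        fi
    fi
    return 0
}

keepalive_loop() {
    while :; do
        if probe "$HQ_HOST"; then update_state 0; else update_state 1; fi
        if [ -n "$EVENT" ]; then
            logger -t vpn-keepalive "path to $HQ_HOST via L2L tunnel is $EVENT"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: ./vpn-keepalive.sh run
if [ "${1:-}" = "run" ]; then keepalive_loop; fi
```

Forwarding the `vpn-keepalive` syslog tag to a collector gives a timeline of tunnel flaps to compare against the ASA's own VPN logs.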

New Member

ASA self initiating L2L VPN - SLA ?

Hello Jeet,

You understood the issue correctly.

SLA was enabled on the branch site since only traffic from branch to HQ can bring the tunnel up (dynamic L2L VPN).

That was just a test for me to try keeping the L2L VPN UP.

Hard to find order of operation for ASA control plane traffic, but as far as I understand, VPN ACLs are skipped for sla traffic.

Strange Cisco has no solution for this, I guess I'm not the only one facing this issue.

Regards,

Thibault

New Member

ASA self initiating L2L VPN - SLA ?

Hi

Thanks for your network layout. I understand your request completely now (request: hence the problem with monitoring branches from main site if for some reason the VPN is down and no traffic is sent to main site).

If you have DNS resolution for your branch site, you can define your peer IP address with an FQDN on your head office security device (ASA).

Main mode fully qualified domain name (FQDN)—Negotiation is based on DNS resolution, with no reliance on IP address. This option can only be used if the DNS resolution service is available for the host. It is useful when managing devices with dynamic IP addresses that have DNS resolution capabilities.

HTH

Regards
Santhosh Saravanan

New Member

ASA self initiating L2L VPN - SLA ?

Hello Santhosh,

Thanks for the answer.

The point here is to have permanent traffic from branch to HQ to keep L2L VPN up all the time, even if public ip from branch site changes and no traffic is sent to hq from devices at the branch site.

Seems there is no feature on the ASA to do the job.

Regards,

Thibault
