Can I have your network setup diagram? Do you have any L3 device behind your firewall? If you have an L3 device, you can run IP SLA on your L3 switch, pinging your central firewall's inside segment, so that your tunnel is always up.
IP SLA is supported only in Cisco IOS software, not in ASA code.
Q. What Cisco hardware supports Cisco IOS IP SLA?
A. All Cisco hardware that runs Cisco IOS Software supports Cisco IOS IP SLAs.
There is an SLA feature on ASA firewalls: the command is `sla monitor NNN`, `type echo`.
AFAIK, SLA packets are not matched against the VPN access-list, but I might be wrong.
( branch LAN ) --- [ Firewall ] -- [ DSL router with dynamic IP address ] --- | "Internet" | --- [ HQ VPN FW ]
Dynamic IPsec VPNs are triggered from the remote site only, not from the main FW with the static IP, hence the problem with monitoring branches from the main site if for some reason the VPN is down and no traffic is sent to the main site.
If I understood your issue correctly, you have a dynamic-to-static VPN and you want to use the SLA feature of the ASA so that the ASA keeps sending ICMP echoes, which will keep the tunnel up.
I don't think SLA is an option here, because if you enable SLA on the ASA it will use the outside interface as the source of the echo packets it sends. To send that echo across the VPN you would have to add the outside interface IP to the crypto access-list. Because your ASA has a dynamic IP, you can't do that.
And I don't see any point in enabling SLA on the headquarters ASA for the VPN.
So in this case you have no option other than to have continuous traffic (maybe a continuous ping) going from a machine behind the dynamic ASA.
Thanks for your network layout, I understand your request completely now (Request: hence the problem with monitoring branches from the main site if for some reason the VPN is down and no traffic is sent to the main site.)
If you have DNS resolution for your branch site, you can define your peer IP address with an FQDN from your head office security device (ASA).
Main mode fully qualified domain name (FQDN)—Negotiation is based on DNS resolution, with no reliance on IP address. This option can only be used if the DNS resolution service is available for the host. It is useful when managing devices with dynamic IP addresses that have DNS resolution capabilities.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: