Cisco Support Community

New Member

How do I make L2L tunnel active only when traffic is sent

Hey guys!

I just built an L2L IPsec tunnel; however, I don't want the tunnel up all the time. I only want it up when there is traffic sent. Is there a way to do that?

Thank you!

Dustin

I am on an ASA 5520.

5 REPLIES

Re: How do I make L2L tunnel active only when traffic is sent

Hi Dustin,

An IPsec tunnel will only become active if traffic is flowing through it. Once no traffic is going through it, keepalives become active, and after a certain idle time (which can be configured) the tunnel will be torn down.

Bear in mind that IKE has higher idle times or lifetimes than IPsec.

New Member

Re: How do I make L2L tunnel active only when traffic is sent

Sorry for the delay,

I have two tunnels that pretty much mimic each other. However, one tunnel stays up whether traffic is flowing through it or not, and the other tunnel only comes up if traffic is flowing through it.

How is that possible if they are pretty much mirrored after each other?

Any idea?

Re: How do I make L2L tunnel active only when traffic is sent

The way to see if indeed traffic is not going through it is with "show crypto ipsec sa". This will show you if packets are being encrypted or not; if you see a consistent amount of packets increasing, then something is still passing traffic. On the other hand, remember that every tunnel has a lifetime which tells how long it will be up regardless of whether packets are passing or not. You could also configure an idle lifetime to bring the tunnel down after it has been inactive for a while.

The "show crypto ipsec sa" for this tunnel will show you the remaining lifetime. In this case the lifetime will have to expire in order for the tunnel to be torn down, regardless of activity or not; it usually is around 8 hours.

New Member

Re: How do I make L2L tunnel active only when traffic is sent

I have the lifetime at 86400 for the policy; here is the config:

crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto map OUTSIDE_VPN_MAP 51 match address DALLAS_ARCHIVE
crypto map OUTSIDE_VPN_MAP 51 set peer 123.123.123.123
crypto map OUTSIDE_VPN_MAP 51 set transform-set ESP-AES-256-MD5
crypto map OUTSIDE_VPN_MAP interface outside

I don't see an idle timeout. Unless... can the other end have it set to idle timeout, or does it have to be on both ends of the tunnel?

Re: How do I make L2L tunnel active only when traffic is sent

ISAKMP policy lifetime is only used for IKE. The IPsec lifetime, if not configured, is 28800 seconds by default and is configured under the crypto map; issue "show run all crypto" to see it. As for the idle time, the best practice is to configure it on both sides.
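As an added example (not from this thread or from Cisco), the check described in the replies above, comparing two samples of "show crypto ipsec sa" to see whether the encaps/decaps counters still move and how much SA lifetime remains, written as a small Python helper. The two snapshots are constructed in the style of ASA output, trimmed to the lines the parser reads; the address 198.51.100.10 is a documentation placeholder.

```python
import re

# Constructed snapshots in the style of ASA "show crypto ipsec sa" output
# (not captured from a real device), taken a minute apart.
SNAPSHOT_T0 = """\
    Crypto map tag: OUTSIDE_VPN_MAP, seq num: 51, local addr: 198.51.100.10
      current_peer: 123.123.123.123
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
    outbound esp sas:
         sa timing: remaining key lifetime (kB/sec): (4373999/27500)
"""
SNAPSHOT_T1 = """\
    Crypto map tag: OUTSIDE_VPN_MAP, seq num: 51, local addr: 198.51.100.10
      current_peer: 123.123.123.123
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
    outbound esp sas:
         sa timing: remaining key lifetime (kB/sec): (4373999/27440)
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
LIFETIME_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_sa(text):
    """Sum encaps/decaps counters over every SA in the text and return the
    smallest remaining SA lifetime in seconds (None if no timing line)."""
    counters = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        counters[name] += int(value)
    secs = [int(s) for _, s in LIFETIME_RE.findall(text)]
    return {"encaps": counters["encaps"], "decaps": counters["decaps"],
            "remaining_sec": min(secs) if secs else None}


def tunnel_idle(before, after):
    """True when neither counter moved between samples: nothing was encrypted
    or decrypted, so only an idle timeout or lifetime expiry will tear it down."""
    b, a = parse_sa(before), parse_sa(after)
    return a["encaps"] == b["encaps"] and a["decaps"] == b["decaps"]


def report(before, after):
    """One-line summary an operator can read off the two samples."""
    a = parse_sa(after)
    state = "idle" if tunnel_idle(before, after) else "passing traffic"
    return f"tunnel {state}; SA expires in {a['remaining_sec']}s regardless of activity"
```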
