
How to bring up a Site to Site VPN tunnel from the responder side, if down?

sachmalv
Level 1

Hi All,

 

Do we have any way to bring up the Site to Site VPN tunnel on an ASA from the responder end if it goes down in between? It should not require initiator involvement.

 

Please share if anyone has a solution.

7 Replies

@sachmalv

Is the remote peer defined as initiator only? Or both initiator and responder?

 

If both, you could clear the IKE and IPsec SAs on your end; hopefully the peer device has DPD and will clear the dead SAs on its end. You'd then have to generate interesting traffic in order to bring up the tunnel.

Thanks for the revert!

 

"Is the remote peer defined as initiator only?" It's hard-coded as initiator only.

 

If it were both initiator and responder, then we could initiate a ping and generate interesting traffic as well.

 

I wanted to find a way in which the other side would not be involved.


@sachmalv If the remote peer is hard-coded as the initiator, then the remote peer has to be the one to initiate the tunnel establishment; they need to generate the interesting traffic. I don't know of a way you can force it yourselves.

@Rob Ingram Thank you for the revert! Further exploring, let's see..

 

Can you elaborate more on the issue? I don't get why you need to make the VPN tunnel always up.

Hey MHM,

 

Thanks for the revert!

Let me give you a brief. This query is not about making the VPN tunnel always be up.

 

Say we have two sites, A and B, running a VPN tunnel on ASAs. Site A is hard-coded as initiator and B as responder. One day, as part of maintenance, site B needs to reboot the ASA at site B. Then the VPN tunnel would go down between A and B and can't come up until someone from site A initiates traffic on the VPN.

 

Then the culprit for this downtime would be the site B network guy. He has to provide an RCA...

 

Hence I am just searching for a way so the responder site can generate any kind of traffic to bring this VPN up.

 

 

Deepak Kumar
VIP Alumni

Hello,

The IKE Responder-Only Mode feature provides support for controlling the initiation of Internet Key Exchange (IKE) negotiation and rekeying. When a device is configured as a responder-only device, it will not initiate IKE main, aggressive, or quick modes (for IKE and IP security [IPsec] security association [SA] establishment) nor will it rekey IKE and IPsec SAs. The device will respond to any negotiations initiated by its peers.

 

Make some kind of auto script, or use an automatic tool such as PRTG, to generate ICMP packets from the initiator side only.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
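The two workable suggestions in this thread (Rob Ingram: clear the stale IKE/IPsec SAs on your own ASA and then generate interesting traffic; Deepak Kumar: script ICMP from the initiator side) both have to run at the initiating site, since an answer-only peer will never start IKE. The script below is an added example written for this page, not code from any poster or from Cisco. It is meant to run on a monitoring host at site A (the initiator). It parses `show crypto ikev1 sa` output from the site A ASA, decides whether a stale or half-open SA to the site B peer has to be cleared, and pings a host behind site B that falls inside the crypto ACL so the initiator rebuilds the tunnel. The peer address (203.0.113.2), the remote host (192.0.2.10), the sample `show` output, and the assumption that the tunnel is IKEv1 (the thread talks about main/aggressive/quick mode) are all assumptions for illustration; how the commands are actually pushed to the ASA (SSH, Netmiko, and so on) is left as an injectable callable and not implemented here.

```python
"""Initiator-side recovery helper for an ASA L2L tunnel whose remote peer is answer-only.

Added example for this thread; assumptions: IKEv1, the addresses below, and that
an operator (or a session object you supply) pushes the returned commands to the
site A ASA. Nothing here talks to a real device.
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Hypothetical addresses (not from the thread).
PEER_IP = "203.0.113.2"      # site B ASA outside address (the answer-only responder)
REMOTE_HOST = "192.0.2.10"   # host behind site B that matches the crypto ACL

# Constructed sample of ASA 'show crypto ikev1 sa' output: one healthy SA to another
# peer, and a half-open SA to our peer (MM_WAIT_MSG2), e.g. after site B rebooted.
SAMPLE_SHOW_SA = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

_PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
_STATE_RE = re.compile(r"\bState\s*:\s*(\S+)")


def parse_ike_states(show_output: str) -> Dict[str, str]:
    """Map each IKE peer address in 'show crypto ikev1 sa' output to its State field."""
    states: Dict[str, str] = {}
    current: Optional[str] = None
    for line in show_output.splitlines():
        m = _PEER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = _STATE_RE.search(line)
        if m and current:
            states[current] = m.group(1)
            current = None
    return states


def ike_is_active(show_output: str, peer: str) -> bool:
    """True only if an SA to `peer` exists and is fully established (MM_ACTIVE)."""
    return parse_ike_states(show_output).get(peer) == "MM_ACTIVE"


def clear_sa_commands(peer: str) -> List[str]:
    """ASA exec commands that drop the IKE and IPsec SAs for one peer on our side.
    The answer-only peer is expected to clean up its own copy via DPD."""
    return [f"clear crypto ikev1 sa {peer}", f"clear crypto ipsec sa peer {peer}"]


def generate_interesting_traffic(host: str, count: int = 3,
                                 runner: Optional[Callable[[List[str]], int]] = None) -> bool:
    """Send ICMP to a host inside the crypto ACL so the initiator ASA starts IKE.
    Returns True if the ping command exited 0 (at least one reply). `runner` lets a
    test substitute the real subprocess call; flags are for Linux iputils ping."""
    cmd = ["ping", "-c", str(count), "-W", "2", host]
    if runner is None:
        runner = lambda c: subprocess.run(c, capture_output=True).returncode
    return runner(cmd) == 0


def plan_recovery(show_output: str, peer: str, ping_ok: bool) -> List[str]:
    """Decide what the initiator side must do after a probe ping.
    - ping works: tunnel is fine, nothing to push.
    - ping fails and an SA to the peer exists (MM_ACTIVE but stale, or half-open):
      clear it, then ping again so a fresh negotiation starts.
    - ping fails and no SA exists: nothing to clear; traffic alone should trigger IKE,
      and if it does not, the peer itself is unreachable."""
    if ping_ok:
        return []
    if peer in parse_ike_states(show_output):
        return clear_sa_commands(peer)
    return []


if __name__ == "__main__":
    alive = generate_interesting_traffic(REMOTE_HOST)
    for c in plan_recovery(SAMPLE_SHOW_SA, PEER_IP, alive):
        print("push to site A ASA:", c)
    if not alive:
        print("re-run the ping after clearing; the initiator will start IKE on the next packet")
```

Note what this does not do: it cannot make the answer-only site B ASA originate anything, which is exactly the limitation the replies describe. The only responder-side fix is a configuration change: set the site B crypto map entry to `bidirectional` instead of `answer-only` (and make sure site A is not `originate-only`), after which either side can bring the tunnel up.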