Cisco Support Community

New Member

Keep few site-site IPSEC VPN tunnels inactive


I have 50 active site-to-site IPsec tunnels. I want to keep 3 of the established tunnels inactive for some reasons, and I want to be able to activate those 3 tunnels when required.

I want to know whether it is possible to do this. Please advise me.



Keep few site-site IPSEC VPN tunnels inactive

There is no "inactive" state for a VPN, so what I usually do is remove the peer from the crypto map.

Hope it helps.
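What the reply above looks like on an ASA, as an added example that is not part of the original thread. ASA 8.4+ syntax is assumed; the crypto map name `outside_map`, sequence number 30, peer 203.0.113.30, the ACL and transform-set names are all assumptions. Older ASA code uses `set transform-set` and `clear crypto isakmp sa` instead of the `ikev1` forms.

```cisco
! Added example, not from the thread. Names, sequence number and peer address are assumptions.
!
! Save the entry first so it can be put back exactly (the "backup" Jouni mentions)
show running-config crypto map
!
! The existing crypto map entry for the site that should be parked
crypto map outside_map 30 match address SITE3_CRYPTO_ACL
crypto map outside_map 30 set peer 203.0.113.30
crypto map outside_map 30 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! Park the tunnel: remove the peer so the entry can no longer be negotiated.
! The match ACL and transform set stay in the entry; the ASA will warn that the
! entry is incomplete, which is exactly the point.
no crypto map outside_map 30 set peer 203.0.113.30
!
! Removing the peer does not drop SAs that are already up, so clear them explicitly.
clear crypto ipsec sa peer 203.0.113.30
clear crypto ikev1 sa 203.0.113.30
!
! Re-activate later: put the peer back, and the tunnel negotiates again on the next interesting packet
crypto map outside_map 30 set peer 203.0.113.30
!
! Verify
show crypto map
show crypto ikev1 sa
show vpn-sessiondb l2l
```

Two caveats worth knowing: the remote side will keep trying to bring the tunnel up and fail, because no crypto map entry references that peer any more, so expect IKE failures in its logs; and the tunnel-group with the pre-shared key is untouched, so re-activation is a single line rather than a rebuild.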

Super Bronze

Keep few site-site IPSEC VPN tunnels inactive


Personally, I would probably use the way suggested above.

I am not sure why you would want to do what you describe.

I guess if you wanted other options you could consider some of the following:

  • VPN Filter / interface ACL
    • With this option you could stop traffic from leaving your network for the L2L VPN connection, or traffic coming from the L2L VPN from going through your firewall. Naturally this would not help much if your aim was to keep the VPN connection itself down completely.
  • Time Based ACL
    • You could probably use ACL statements that use a time range if your aim was to control traffic flow during some hours of the day. I have not used this type of ACL that much myself, so I am not sure whether they are convenient in your setup.

I was also wondering whether setting the L2L VPN connection in the "crypto map" configuration as "originate-only" would give you any option of keeping the L2L VPN down until you want to bring it up. Again, a command that I have not had to use myself.

I guess how you should do this depends on the actual situation and reason you are wanting to do this.

The way suggested above is very simple. Though you should back up your "crypto map" configuration before removing anything, so you can keep track of where you need to add the peer IP again when you want it working.

If the VPN can be up but you want to limit traffic then an ACL statement that you would activate and make inactive might also be a solution.

- Jouni
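The traffic-control alternatives Jouni lists (vpn-filter, interface ACL with a time range or an inactive entry, and the crypto map connection-type), written out as an added example that is not part of the original thread. ASA 8.4+ syntax; the local LAN 10.1.0.0/16, remote LAN 10.3.0.0/16, peer 203.0.113.30 and every object and ACL name are assumptions.

```cisco
! Added example, not from the thread. Addresses and names are assumptions.
!
! Option A: vpn-filter. The tunnel can stay up, but nothing is passed in either direction.
! vpn-filter ACEs are written with the remote (VPN) side as source and the local side as destination.
access-list SITE3_VPN_FILTER extended deny ip any any
group-policy GP_SITE3 internal
group-policy GP_SITE3 attributes
 vpn-filter value SITE3_VPN_FILTER
tunnel-group 203.0.113.30 general-attributes
 default-group-policy GP_SITE3
! To open the site again: "no vpn-filter value SITE3_VPN_FILTER" under the group-policy,
! or replace the deny with the traffic you want, then bounce the tunnel so the new filter is applied:
!   clear crypto ipsec sa peer 203.0.113.30
!
! Option B: interface ACL on the inside, limited by a time range.
! Only traffic entering from the LAN is controlled here. Decrypted VPN traffic arriving on the
! outside bypasses the outside interface ACL while "sysopt connection permit-vpn" (the default)
! is in effect, which is why the vpn-filter in option A is the better fit for the inbound direction.
time-range SITE3_WINDOW
 periodic weekdays 08:00 to 18:00
access-list INSIDE_IN extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0 time-range SITE3_WINDOW
access-list INSIDE_IN extended deny ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
! Manual toggle instead of a clock: use this line in place of the time-range ACE. The ASA keeps
! an "inactive" ACE in the config but ignores it; re-enter the same line without "inactive" to
! switch the site on, and the deny below it applies while the line is off.
!   access-list INSIDE_IN line 1 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0 inactive
!
! Option C: connection-type. answer-only stops this ASA from ever initiating the tunnel;
! it only comes up if the remote peer initiates, so this alone does not keep the tunnel down
! unless the remote side is also prevented from starting it.
crypto map outside_map 30 set connection-type answer-only
!
! Verify which option is actually in effect for the site
show access-list INSIDE_IN
show vpn-sessiondb detail l2l filter ipaddress 203.0.113.30
```

With an inside ACL that denies the interesting traffic, this ASA never sees a packet that matches the crypto ACL, so it never initiates the tunnel; the remote side still can, which is the same limitation Jouni notes for the filter approach.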