Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1382
Views
4
Helpful
5
Replies

Keep tunnel up

Go to solution
robbor861
Level 1
Level 1

‎09-13-2013 10:13 AM

I have an 881 router with a static IP address, serving as a headquarter router.  I then have several remote site routers (also 881s) that have dynamic IP addresses.  I have successfully configured IPsec tunnels, which are initiated from the dynamic IP sites back to the HQ router.  I am trying to figure out how to keep the tunnel from going down due to inactivity.  There isn't going to consistently be a lot of traffic going back and forth, so left on its own, the tunnel eventually goes down.  The problem with that is that only the dynamic IP side can reinitiate the connection.  I need to prevent this from happening, so that the HQ router can send traffic through the tunnel, even if no traffic has passed for an extended period of time.

I've tried "crypto isakmp keepalive 30 10 periodic", but it didn't seem to do anything.

Any help would be appreciated.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎09-13-2013 11:30 AM

DPDs are going over IKE SA not IPsec SA.

You can setup a simple SLA probe(s) on remote 880s to ping over tunnel sourced from local LAN interfaces(s) to remote addresses behind HQ 881. This should keep the tunnels up. A ICMP packet every 5 minutes should not cuause additional stress on the boxes.

View solution in original post

5 Replies 5

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎09-13-2013 11:30 AM

DPDs are going over IKE SA not IPsec SA.

You can setup a simple SLA probe(s) on remote 880s to ping over tunnel sourced from local LAN interfaces(s) to remote addresses behind HQ 881. This should keep the tunnels up. A ICMP packet every 5 minutes should not cuause additional stress on the boxes.

Go to solution
robbor861
Level 1
Level 1
In response to Marcin Latosiewicz

‎09-15-2013 01:05 PM

That fixed it for me.

Thanks!

0 Helpful

Go to solution
csco11579831
Level 1
Level 1
In response to robbor861

‎09-16-2013 04:09 AM

Hi Robbor,

Can you please tell me how you have configured IP SLA?

Merci.

0 Helpful

Go to solution
robbor861
Level 1
Level 1
In response to csco11579831

‎09-16-2013 08:54 AM

This is what I did:

# conf t
(config)# ip sla 10
(config-ip-sla)# icmp-echo 10.5.0.1 source-interface Vlan1
(config-ip-sla-echo)# frequency 300 (in seconds)
(config-ip-sla-echo)# exit
(config)# ip sla schedule 10 life forever start-time now

- 10.5.0.1 is whatever you are trying to ping.

- source-interface Vlan1 is the source you are addressing the pings from.  This is optional, depending on your purposes.

0 Helpful

Go to solution
csco11579831
Level 1
Level 1
In response to robbor861

‎09-16-2013 09:11 AM

I will test it and I will keep you informed,

Thank you so mush !

0 Helpful
Customers Also Viewed These Support Documents