Cisco Support Community
New Member

Keep tunnel up

I have an 881 router with a static IP address, serving as a headquarters router. I then have several remote site routers (also 881s) that have dynamic IP addresses. I have successfully configured IPsec tunnels, which are initiated from the dynamic IP sites back to the HQ router. I am trying to figure out how to keep the tunnel from going down due to inactivity. There isn't going to consistently be a lot of traffic going back and forth, so left on its own, the tunnel eventually goes down. The problem with that is that only the dynamic IP side can reinitiate the connection. I need to prevent this from happening, so that the HQ router can send traffic through the tunnel, even if no traffic has passed for an extended period of time.

I've tried "crypto isakmp keepalive 30 10 periodic", but it didn't seem to do anything.

Any help would be appreciated.

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Keep tunnel up

DPDs are going over IKE SA not IPsec SA.

You can set up a simple SLA probe(s) on remote 880s to ping over tunnel sourced from local LAN interface(s) to remote addresses behind HQ 881. This should keep the tunnels up. An ICMP packet every 5 minutes should not cause additional stress on the boxes.

5 REPLIES

New Member

Keep tunnel up

That fixed it for me.

Thanks!

New Member

Keep tunnel up

Hi Robbor,

Can you please tell me how you have configured IP SLA?

Thank you.

New Member

Re: Keep tunnel up

This is what I did:

# conf t

(config)# ip sla 10

(config-ip-sla)# icmp-echo 10.5.0.1 source-interface Vlan1

(config-ip-sla-echo)# frequency 300 (in seconds)

(config-ip-sla-echo)# exit

(config)# ip sla schedule 10 life forever start-time now

- 10.5.0.1 is whatever you are trying to ping.

- source-interface Vlan1 is the source you are addressing the pings from.  This is optional, depending on your purposes.

New Member

Keep tunnel up

I will test it and I will keep you informed,

Thank you so much!
