Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Maintaining a constant IPSEC VPN tunnel using a Dynamic IP address at a remote site

First off - we are not cheap just trying to reduce wasted costs on many tunnels. Our ASA code used is 8.2.5  To simply add a single static IP to some of our sites results in a $30/month increase because of the required ISP speed increases which we don't need.

 

We have a lot of ASA 5505s and most use dynamic IPs with the ISPs. The tunnels are always up due to the fact that most remote sites have devices like IP phones  or PCs that are always trying to communicate with the main central site. In cases where we only have one or two PCs I may write a small batch file on the PC that pings the central site once or twice a day to maintain an IPSEC tunnel to the site, otherwise I have no way to determine the outside ASA IP address if I need to get to it.

 

I realize I can use dynamic dns app on the PC which updates DynDNS but that is somewhat of a hassle since our PCs are always being modified by  our techs or upgraded and I can't stay on top of it or verify it is always working properly. Plus if the machine is turned off there are no updates to DynDNS taking place.

 

At one site we have an ASA with a single PC and an outdoor sign. I will write a batch file on the PC to keep the tunnel up but I do NOT want to rely on this PC since it is not one we can control. I want to always be sure we can get to this sign and modify it without using a static IP on the ASA. So I always want to ensure the IPSEC tunnel is up and basically I only have the ASA using a dynamic IP address on the outside to rely on.

Any nifty ideas that don't use a ton of bandwidth. I know that I can use syslog and push that from the inside address over the tunnel to keep it up but usually I have to set it below info to maintain a tunnel. Anyone have an other ideas that can kick off something in the ASA every few hours? NTP ? Not sure how often that tries to update.  Archiving the config to a NAS?? but 8.2.5 doesn't support it like a 3750 switch.

 

Thanks

 

 

9 REPLIES

If you used Cisco routers

If you used Cisco routers instead of Asa's, you could use DMVPN.

New Member

I'll have to look into that

I'll have to look into that but briefly answer this. I would assume that I would need a router at the central site and not an ASA as the receiving spoke - correct?

 

 

Not sure if I want to go that route - have to think about it. Also let me to think that with an old cheap  p 871W I have I could also setup a dynamic IPSEC tunnel from it and have it archive its config twice a day to see if that would keep the tunnel active . Thanks

DMVPN requires routers at all

DMVPN requires routers at all locations.  Only the central site requires a fixed IP address.

New Member

you can use normal vpn with

you can use normal vpn with routers as well, depending on your needs, if you need a full meshed network go with dmvpn if not just use normal vpn.

use monitor SLA sending a ping across every second and identify this traffic as interesting, this means you are always building the tunnel from the point where you do not know the ip address toward the fixed ip address.

last, it doens't matter whether you use a vpn concentrator, ASA or router for normal VPN. for DMVPN you should all use routers.

 

I hope this helps ;-)

hi,The outcome of your

hi,

The outcome of your question is: your ipsec vpn should be active all time , finallly, your lease's  can't be expired. if it is true then try "sla monitor 1"

Regards,

kazim

"please rate me if post helpful"

New Member

I think I went down that

I think I went down that route years ago but tried it again. Unfortunately it fails. It will not push the echo through the VPN tunnel even though I can ping the same address over the tunnel if I use ping inside x.x.x.x     Sla monitor apparently has an issue when I use inside to reach addresses over the tunnel. Inside does work with actual addresses on the inside of the ASA and if I used outside for an address on the other side of the tunnel is tries to reach it outside of the tunnel and fails. So I don't see a way to use SLA Monitor with a VPN accessible IP address.  

 

Any other Ideas?  I keep thinking there must be something...will keep thinking about it before I start with the 871W install.  Thanks

Try , "management-access

Try , "management-access inside" on ASA and ping

secondly, NTP can be a good solution

 

Regards,

kazim

New Member

I think I found a solution

I think I found a solution and looked into it. If I use NTP and use a server on the other side of the VPN tunnel it appears to attempt to verify the timing every 64 - 1024 seconds with the server. I will leave as is for a day to test but I think this will keep the tunnel, active unless the ASA requires an address other than itself to keep the tunnel active but I think not. I also realized that when using vlans, if there are no ports on the "inside" vlan active, the tunnel will not come up because the "inside" vlan is down. The NTP requests will therefore not be allowed to be sent out. So I have to ensure there is always an active port on the "inside" vlan - either a cheap switch attached to one of the ports or a device that is never turned off. .

New Member

NTP works on all my remote

NTP works on all my remote dynamic IP sites using an inside central site roiuter address as the preferred time source. The ntp asso details show that the ASA or PIX checks the NTP time anywhere from 64 to 1024 seconds (every 17 minutes). Works great and have seen no issues now for a week on 20+ sites. None are ever down now waiting for a remote site user to initialize the VPN tunnel. 

708
Views
5
Helpful
9
Replies
CreatePlease login to create content