New Member

Site-To_Site_VPN

Hello everyone

My question: is there a way to keep our site-to-site VPN connection up 24/7? We make a VPN connection with one of our customers who has problems bringing the VPN online, and it would help everyone if we could keep the tunnel up 24/7.

We currently use a Cisco 5505 ASA for this tunnel running IOS 8.4.5; the customer has Juniper firewalls.

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Depending on the settings, most IPSec VPNs will allow the security associations to expire after a period without any "interesting traffic". For instance, the default for an ASA IPsec VPN is 24 hours (Phase 1 ISAKMP SAs) and 1 hour (Phase 2 IPsec SAs).

I have found in the past that one easy way to avoid ever allowing the VPN to expire is to run a small background program on a utility server. In a previous job where we had ASAs talking to Juniper Netscreens over a problematic VPN, we ran a script that sent a "tcp ping" (using the tcping Linux utility) every couple of seconds to an address across the VPN. That sufficed to keep the Phase 1 SA and at least one Phase 2 SA always active.
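
Added example, not part of the original thread or the poster's script: a Python sketch of the kind of keepalive probe the answer above describes, using a plain TCP connect in place of the tcping utility. The remote address, port, two-second interval and alert threshold are assumptions; the target must be a host behind the peer firewall that matches the tunnel's interesting-traffic ACL.

```python
import socket
import time

# Constructed placeholder: a host behind the peer firewall that matches the
# tunnel's crypto ACL (192.0.2.0/24 is a documentation range).
REMOTE_HOST = "192.0.2.10"
REMOTE_PORT = 443


def tcp_probe(host, port, timeout=2.0):
    """Attempt one TCP connect; return 'open', 'refused' or 'no-reply'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # An RST came back, so the packet still crossed the tunnel.
        return "refused"
    except OSError:
        # Timeout or unreachable: the tunnel or the far host may be down.
        return "no-reply"


def keepalive(host, port, interval=2.0, rounds=None, alert_after=5,
              probe=tcp_probe, sleep=time.sleep):
    """Probe every `interval` seconds; return the rounds where an alert fired."""
    alerts, misses, n = [], 0, 0
    while rounds is None or n < rounds:
        n += 1
        if probe(host, port) == "no-reply":
            misses += 1
            if misses == alert_after:      # alert once per outage
                alerts.append(n)
                print(f"{time.ctime()} no reply from {host}:{port} "
                      f"for {misses} probes; check the tunnel")
        else:
            misses = 0
        sleep(interval)
    return alerts


if __name__ == "__main__":
    keepalive(REMOTE_HOST, REMOTE_PORT)   # runs until interrupted
```

Both "open" and "refused" count as success because either reply shows traffic traversed the tunnel; only a run of unanswered probes is logged.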

2 REPLIES

New Member

Hello,

I was hoping you had something we could use on our ASA firewall; we will use the script on our server to keep the site-to-site VPN up 24/7.

 

Thank you for your help 
