10-31-2017 03:54 AM - edited 03-12-2019 04:40 AM
Hello Dears,
Please advise on my situation ... I have a VPN site-to-site tunnel .. everything is fine, but I want to keep the tunnel up ... without any termination of the tunnel.
Thanks,
10-31-2017 04:01 AM
Keep traffic flowing across it on a regular basis.
If there's no guaranteed end-user system traffic, I have done this in the past with a TCP ping running once a minute on a management server.
10-31-2017 04:03 AM
I missed your point, sir.
Can you provide me with more information?
Thanks in advance.
10-31-2017 04:13 AM
Normally a site-to-site VPN will only establish when traffic that matches what's allowed between the sites is present. When the traffic is idle, the VPN terminates after some time.
You asked how to keep it up. You keep it up by making sure traffic is always present.
10-31-2017 04:33 AM
Many thanks dear,
Actually, I know about this .. but I want to continue the session without termination.
Making something like IP SLA or some ping at a given period to keep the tunnel up.
What do you think?
Thanks again.
10-31-2017 04:44 AM
Yes - as I mentioned in my initial reply use something like an ongoing ping from a host at the local site to one at the remote site.
TCP ping is better since it is connection-oriented. A good utility for Windows systems is psping which can be found here:
https://docs.microsoft.com/en-us/sysinternals/downloads/psping
Run it from a command window on a server that is expected to be always up. For best results, make it part of a batch file in the startup folder or a scheduled task so that it is sure to run even after a server reload. Similar things can be done for Unix hosts.
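The "TCP ping from an always-on management host" approach above, as an added example that is not part of the original thread. It is a small Python script meant to run under a scheduled task or cron job on a host at the local site; the remote host 192.168.20.1, port 443, the 60-second period and the 5-second timeout are assumed values, and the offline demo at the bottom uses a constructed local listener rather than a real tunnel. Beyond the post's own advice it also classifies each probe result, because a refused connection still proves the path across the tunnel works (a RST came back), while a timeout is the case worth alerting on.

```python
import logging
import socket
import time

log = logging.getLogger("vpn-keepalive")

# Assumed values: a host at the remote site that falls inside the tunnel's
# crypto ACL, a TCP port it listens on, and a probe period comfortably
# shorter than the tunnel's idle timeout.
REMOTE_HOST = "192.168.20.1"
REMOTE_PORT = 443
INTERVAL_SECONDS = 60
CONNECT_TIMEOUT = 5


def tcp_probe(host, port, timeout=CONNECT_TIMEOUT):
    """One TCP 'ping': attempt a full handshake, then close immediately.

    Returns (state, rtt_ms) where state is one of:
      "up"      handshake completed
      "refused" a RST came back: the path (and tunnel) works, nothing listens on port
      "timeout" no SYN-ACK and no RST within `timeout`: tunnel or route may be down
      "error"   any other socket error (e.g. host unreachable)
    Even a refused or timed-out SYN is interesting traffic for the crypto ACL,
    so the tunnel still gets its keepalive; the state is what you alert on.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "up"
    except ConnectionRefusedError:
        state = "refused"
    except (socket.timeout, TimeoutError):
        state = "timeout"
    except OSError as exc:
        log.debug("probe %s:%d failed: %s", host, port, exc)
        state = "error"
    return state, (time.monotonic() - start) * 1000.0


def consecutive_timeouts(states):
    """Length of the trailing run of 'timeout' results: the alert condition."""
    n = 0
    for s in reversed(states):
        if s != "timeout":
            break
        n += 1
    return n


def run_keepalive(host=REMOTE_HOST, port=REMOTE_PORT, interval=INTERVAL_SECONDS,
                  max_probes=None, sleep=time.sleep):
    """Probe forever (or max_probes times), logging each result.

    Returns the list of states seen so a caller can feed consecutive_timeouts()
    and raise an alert instead of silently waiting for the tunnel to come back.
    """
    states = []
    while max_probes is None or len(states) < max_probes:
        state, rtt = tcp_probe(host, port)
        states.append(state)
        log.info("%s:%d %s (%.1f ms)", host, port, state, rtt)
        if consecutive_timeouts(states) >= 3:
            log.warning("%d consecutive timeouts to %s:%d; tunnel may be down",
                        consecutive_timeouts(states), host, port)
        if max_probes is None or len(states) < max_probes:
            sleep(interval)
    return states


def demo_with_local_listener():
    """Offline demonstration on a constructed local listener (not a real tunnel).

    Returns the probe state for an open port and then for the same port once
    the listener is gone, i.e. ("up", "refused").
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        open_state, _ = tcp_probe("127.0.0.1", port)
    # The listener is closed now, so the same port answers with a RST.
    closed_state, _ = tcp_probe("127.0.0.1", port)
    return open_state, closed_state


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    print(demo_with_local_listener())
    run_keepalive()
```

Keep the probe interval well under the tunnel's idle timeout and point it at a host that actually exists inside the remote crypto ACL; a scheduled task (Windows) or cron/systemd unit (Unix) restarts it after a reboot, which is the same point the post makes about the startup folder.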
10-31-2017 04:57 AM
Many thanks, but what do you think about RTR?
thanks
10-31-2017 05:00 AM
RTR (Response Time Reporter) can be used if you have a place internal to your network from which to run it.
You cannot use RTR or IP SLA on your ASA for this purpose since it will be the source of traffic and thus the packets will not be introduced into the tunnel as they never "arrive" on the ASA inside interface and get evaluated for VPN encapsulation.
10-31-2017 12:37 PM
Many thanks for your interest in my case ...
Kindly, can I know what best practice I can apply on the Cisco devices?
10-31-2017 01:10 PM
Hello @mohamed.ali,
You can apply EEM on the ASA and that way the VPN tunnel will stay up and running. Here is the example:
event manager applet VPN-Always-UP
event timer watchdog time 60
action 1 cli command "ping inside 192.168.20.1"
output none
This is better (it can be considered a best practice) than using IP SLA for this purpose, and the ASA will keep the VPN tunnel up; you can also apply multiple actions and send the ping through multiple VPN tunnels. Here is the link for reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html
HTH
Gio
11-01-2017 02:29 AM
Thanks for your interest in my case. Please note I need more clarification, if you can.
Thanks in advance.
11-01-2017 02:31 AM
Dears, what do you think about
IPsec dead peer detection?
11-01-2017 04:05 AM
11-01-2017 04:15 AM
Dears, even if the connection resets once, OK .. no problem.
How can I do it?
11-03-2017 04:40 PM
help help