VPN Connection without end session

mohamed.ali
Level 1

Hello Dears,

Please advise me on my situation ... I have a VPN Site2Site tunnel .. everything is fine, but I want the tunnel to stay up ... without any termination of the tunnel.

Thanks,

14 Replies

Marvin Rhoads
Hall of Fame

Keep traffic flowing across it on a regular basis.

If there's no guaranteed end-user system traffic, I have done this in the past with a TCP ping running once a minute on a management server.

mohamed.ali
Level 1

I missed your point, sir.

Can you provide me with more information?

Thanks in advance.

Normally a site-to-site VPN will only establish when traffic that matches what's allowed between the sites is present. When the traffic is idle, the VPN terminates after some time.

You asked how to keep it up. You keep it up by making sure traffic is always present.

Many thanks, dear,

Actually I know about this .. but I want to continue the session without termination.

Making something like IP SLA or some ping at a given period to keep the tunnel up.

What do you think?

Thanks again.

Yes - as I mentioned in my initial reply, use something like an ongoing ping from a host at the local site to one at the remote site.

TCP ping is better since it is connection-oriented. A good utility for Windows systems is psping, which can be found here:

https://docs.microsoft.com/en-us/sysinternals/downloads/psping

Run it from a command window on a server that is expected to be always up. For best results, make it part of a batch file in the startup folder or a scheduled task so that it is sure to run even after a server reload. Similar things can be done for Unix hosts.
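The management-server keepalive described above in script form, as an added example that is not code from this thread (the thread names psping for Windows; this is a stand-alone Python equivalent for a Unix or Windows host): a TCP connect to a host at the remote site on a fixed interval, with a consecutive-failure counter so a tunnel that has actually dropped is noticed rather than just idled out. The host, port, interval and the local listener that demo() stands up in place of the remote host are assumptions.

```python
import socket
import threading
import time

def tcp_ping(host, port, timeout=2.0):
    """One TCP connect-and-close; returns (succeeded, elapsed_ms)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # the handshake itself is the keepalive traffic
        return True, (time.monotonic() - start) * 1000.0
    except OSError:
        return False, (time.monotonic() - start) * 1000.0

def keepalive(host, port, interval=60.0, count=None, probe=tcp_ping):
    """Probe every `interval` seconds (count=None runs forever) and return
    [(ok, elapsed_ms, consecutive_failures), ...]; alert on a rising counter."""
    results, failures = [], 0
    while count is None or len(results) < count:
        ok, ms = probe(host, port)
        failures = 0 if ok else failures + 1  # a down tunnel, not an idle one
        results.append((ok, ms, failures))
        if count is None or len(results) < count:
            time.sleep(interval)
    return results

def demo():
    """Offline run against a constructed local listener (assumed stand-in for the remote host)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: any free port
    srv.listen(5)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():  # accept and drop each probe connection
        while not stop.is_set():
            try:
                srv.accept()[0].close()
            except socket.timeout:
                continue

    worker = threading.Thread(target=accept_loop)
    worker.start()
    up = keepalive("127.0.0.1", port, interval=0.1, count=3)
    stop.set()
    worker.join()
    srv.close()
    down = tcp_ping("127.0.0.1", port)  # listener gone: connection refused
    return up, down
```

In production, replace demo() with a cron job or scheduled task that calls keepalive() against a host at the far site and logs the failure counter.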

Many thanks, but what do you think about RTR?

Thanks

RTR (Response Time Reporter) can be used if you have a place internal to your network from which to run it.

You cannot use RTR or IP SLA on your ASA for this purpose, since it will be the source of the traffic and thus the packets will not be introduced into the tunnel, as they never "arrive" on the ASA inside interface and get evaluated for VPN encapsulation.

Many thanks for your interest in my case ...

Kindly, can I know what best practice I can apply on the Cisco devices?

Hello @mohamed.ali

You can apply EEM on the ASA and that way the VPN tunnel will stay up and running. Here is the example:

event manager applet VPN-Always-UP
 ! run the action every 60 seconds
 event timer watchdog time 60
 ! ICMP ping from the inside interface to a host at the remote site
 action 1 cli command "ping inside 192.168.20.1"
 output none

This is better (it can be considered a best practice) than using IP SLA for this purpose, and the ASA will keep the VPN tunnel up; you can also apply multiple actions and send the ping through multiple VPN tunnels. Here is the link for reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118087-technote-asa-00.html

HTH

Gio

 

Thanks for your interest in my case. Please note I need more clarification if you can.

Thanks in advance

Dears, what do you think about

dead peer detection (IPsec)?

 

I don't think you can achieve this. You can disable idle timeout if you want, but you can't disable rekeying.

Dears, even if the connection resets one time, OK .. no problem.

How can I do it?

Help, help