Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Tunnel in ipsec vpn during idle time

hi guys!

what command should i use to  let the tunnel always up using  ipsec vpn without initiate any traffic during the idle time on the asa?


Hall of Fame Super Silver

Re: Tunnel in ipsec vpn during idle time

Hello Alsayed,

as in routers the security associations SA have a lifetime based on two factors: time and traffic volume.


IPsec SAs use a derived, shared, secret key. The key is an integral part of the SA; they time out together to require the key to refresh. Each SA has two lifetimes: "timed" and "traffic-volume." An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).

Be aware that extending the lifetime exposes to security risk so it is not recommended.

the best way would be to have a GRE tunnel encapsulated in IPSec on the ASA originated and terminated on routers with a routing protocol running on it and high metric so that is not used until primary path is active.

R1 ---- ASA1 ---------------------------- ASA2 --- R2

Hope to help


New Member

Re: Tunnel in ipsec vpn during idle time

Hello Giuseppe!

Thanks for ur reply

New Member

Re: Tunnel in ipsec vpn during idle time

Freind Giuseppe, I need the tunnel to be up all time and ready whenever data to be send or not.