Shark Attack
ipsec tunnel question
Is there a way I can automate "clear crypto ipsec sa peer #####" so the tunnel is reset, let's say, every 24 hours without my intervention? I'm using a 5520 ASA.
ASKER
I already have that set to
crypto ipsec security-association lifetime seconds 28800
That doesn't reset the peer. Don't I need scripts or something?
Well, it renegotiates the security association, which means it re-validates the phase 2 portion of your IPsec VPN, ensuring that your peer still possesses the correct trusted configuration.
What are you trying to do?
harbor235 ;}
ASKER
I don't know. I have an IPsec tunnel configured on both ends. It's all functional, but it goes down about once a week. When I do "clear crypto ipsec sa peer" it comes right back up. I don't know why it's doing this. I checked the times on both devices and they match. The weird thing is, when it's down, I cannot ping the peer's interesting traffic, BUT in "show crypto ipsec sa" I see encaps and decaps increasing.
I don't see much in debugs, nothing interesting.
I don't see any drops when I configure capture drop-all.
The other end is using a non-Cisco device.
ASKER
I don't see anything on my end. I even reached out to Cisco to verify that there is nothing going on at my end, and they confirmed it must be the other end. I told the other end it's them; they're saying it's not them, that nothing is wrong on their end.
So to make this easier, I just wanted to automate "clear crypto ipsec" and just get this over with.
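Rather than resetting blindly every 24 hours, a scheduler can poll "show crypto ipsec sa" twice, compare the encaps/decaps counters per peer, and only flag a peer for a reset when it shows the symptom described above (counters still moving while traffic across the tunnel fails) or a one-way SA. This is an added example, not code from the thread; the counter line format ("#pkts encaps:" / "#pkts decaps:" after a "peer address:" line) is assumed to match ASA output, the sample polls and peer addresses are constructed, and the reachability result is supplied by the caller (e.g. from a ping job), with the actual clear command left to the operator's tooling.

```python
import re

# Constructed sample of two successive "show crypto ipsec sa" polls,
# abbreviated to the lines this parser needs (format assumed ASA-like).
POLL_1 = """\
peer address: 203.0.113.10
  #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
  #pkts decaps: 900, #pkts decrypt: 900, #pkts verify: 900
peer address: 198.51.100.20
  #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
  #pkts decaps: 500, #pkts decrypt: 500, #pkts verify: 500
"""
POLL_2 = """\
peer address: 203.0.113.10
  #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
  #pkts decaps: 1050, #pkts decrypt: 1050, #pkts verify: 1050
peer address: 198.51.100.20
  #pkts encaps: 650, #pkts encrypt: 650, #pkts digest: 650
  #pkts decaps: 500, #pkts decrypt: 500, #pkts verify: 500
"""

PEER_RE = re.compile(r"peer address:\s*(\S+)")
CNT_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sa_counters(output):
    """Map each peer address to its encaps/decaps packet counters."""
    counters, peer = {}, None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters[peer] = {"encaps": 0, "decaps": 0}
            continue
        m = CNT_RE.search(line)
        if m and peer is not None:
            counters[peer][m.group(1)] = int(m.group(2))
    return counters

def classify(before, after, reachable):
    """Per peer: 'healthy', 'stale' (counters move, ping fails, the
    symptom in the thread), 'one-way' (encaps only) or 'idle'."""
    verdict = {}
    for peer, now in after.items():
        prev = before.get(peer, {"encaps": 0, "decaps": 0})
        sending = now["encaps"] > prev["encaps"]
        receiving = now["decaps"] > prev["decaps"]
        if sending and receiving:
            verdict[peer] = "healthy" if reachable.get(peer) else "stale"
        elif sending:
            verdict[peer] = "one-way"
        else:
            verdict[peer] = "idle"
    return verdict
```

Only peers flagged "stale" or "one-way" would be handed to the reset job; a "healthy" peer is left alone even though its SA lifetime has not expired.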
ASKER
max,
I only get this:
Primary-ASA(config-tunnel-ipsec)# isakmp keepalive ?
tunnel-group-ipsec mode commands/options:
disable Disable IKE keepalives
retry Enter the interval between retries after a keepalive response has not been received.
threshold Enter the number of seconds that the peer is allowed to idle before beginning keepalive monitoring
<cr>
Then it should already be enabled.
Might be worth trying to disable it,
since the other side of the tunnel terminates on a device other than an ASA; they might have a mismatch.
max
Cool. AutoIT for Linux....
ASKER
Thanks all, I used CatTools. It works like a charm and is very easy to set up.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for zgil86's comment #a41234085
for the following reason:
Used alternate app
Experts provided valid answers, even if the final product selected was not one of the tools suggested.
For newer IOS, try the following:
configure terminal
crypto ipsec security-association idle-time [seconds]
harbor235 ;}