Site to Site VPN tunnel drops after business hours

Posted on 2009-02-20
Last Modified: 2012-06-27
Hi all. I have a branch router that has its VPN tunnel go down each night at 4:20pm after everyone goes home. I can remote into it via dialup and ping our HQ router from the hub and the VPN tunnel comes back up.

How can I keep the tunnel up all the time?  I have seen a suggestion of setting up an NTP server.  Does anyone know how to do a continuous ping from a hub/switch?
My problem is that I use monitoring software that tells me when a VPN tunnel goes down. It's very annoying.
Question by:computertech36
    LVL 3

    Accepted Solution

    There are many ways to keep the tunnel up. You are doing it by creating interesting traffic. Yes, an NTP server would be a good idea, even if it is not for the reason you intend. NTP should keep it up as it synchronizes, but if you want to post your tunnel config, I can take a look.

    Assisted Solution

    You can write a little script that has a machine send a ping every few minutes to keep the tunnel up. This is probably the easiest.
    Set up NTP across the link. You end up with two benefits:
    1. The clocks are in sync.
    2. The vpn stays up.
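
The ping keepalive suggested in this answer, as an added example that is not code posted in the thread. `TARGET` (192.0.2.10) is a constructed placeholder for a host behind the far-end peer, the function names are hypothetical, and the `ping` options assume Linux iputils.

```shell
#!/bin/sh
# Added example, not from the thread: keepalive probe for an idle IPsec tunnel.
# TARGET is a constructed placeholder for a host behind the far-end peer.
TARGET="${TARGET:-192.0.2.10}"
INTERVAL="${INTERVAL:-240}"        # seconds between rounds ("every few minutes")
RETRIES="${RETRIES:-3}"            # attempts per round
RETRY_DELAY="${RETRY_DELAY:-5}"    # seconds between attempts within a round
STATE_FILE="${STATE_FILE:-/tmp/vpn_keepalive.state}"

# Default probe: one ICMP echo, 5 s timeout (Linux iputils ping options).
icmp_probe() { ping -c 1 -W 5 "$1" >/dev/null 2>&1; }

# check_tunnel PROBE TARGET: succeed if any of $RETRIES attempts gets a reply.
# The first packet after an idle teardown can be lost while the peers
# renegotiate, so a single miss is not treated as an outage.
check_tunnel() {
    attempt=1
    while [ "$attempt" -le "$RETRIES" ]; do
        "$1" "$2" && return 0
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$RETRIES" ]; then sleep "$RETRY_DELAY"; fi
    done
    return 1
}

# note_state up|down: store the state and print a line only when it changes,
# so an alert fires once per transition instead of once per round.
note_state() {
    previous=$(cat "$STATE_FILE" 2>/dev/null || echo unknown)
    [ "$previous" = "$1" ] && return 0
    echo "$1" > "$STATE_FILE"
    echo "$(date '+%Y-%m-%dT%H:%M:%S') tunnel to $TARGET: $previous -> $1"
}

# The loop runs only when the script is invoked as: sh vpn_keepalive.sh run
if [ "${1:-}" = "run" ]; then
    while :; do
        if check_tunnel icmp_probe "$TARGET"; then note_state up
        else note_state down; fi
        sleep "$INTERVAL"
    done
fi
```

Run it from a machine on the branch LAN so the probe matches the tunnel's interesting-traffic access list; a "down" transition that survives all retries is then a real outage rather than an idle teardown.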
    LVL 29

    Expert Comment

    by:Michael W
    Some VPN endpoint routers have the ability to do 'keep alive', thus will send a signal across the VPN tunnel to keep the tunnel up and operational.

    Which VPN endpoint routers are you using at the main site and the branch site(s)?

    Author Comment

    I am using a Cisco PIX 515 at our HQ and a Cisco 1750 running 12.1.3(xt2) at the remote location.

    I added the following line to our PIX:   isakmp keepalive 20
    On the remote router, I added the following: crypto isakmp keepalive 20

    On the remote router, I have the following:
    crypto isakmp policy 11
     hash md5
     authentication pre-share
    crypto isakmp key test address x.x.x.x
    crypto isakmp keepalive 20

    On the PIX, I have:

    crypto map mymap 8 ipsec-isakmp
    crypto map mymap 8 match address chr01rt01ec
    crypto map mymap 8 set peer (Ip address of WAN interface of 1750 router)
    crypto map mymap 8 set transform-set myset
    isakmp key ******** address (Ip address of WAN interface of 1750 router) netmask
    LVL 1

    Assisted Solution

    Why do you want it to stay up all the time, if no one is using it? I would make sure that you have it configured to be able to come up from traffic on either end - it sounds like you only have it configured to be initiated by traffic from your remote end. If you don't have traffic going over it, it shouldn't matter if it's up or not. And, if you do have traffic going over it but the tunnel is down, it should come up quickly enough that the end users/applications don't know it was down.

    Author Comment

    You're right, it does not impact functionality...but it does get annoying getting a page on my phone that the location is down after hours.  Also, I have 40 other branch locations that use like equipment and do not have the issue.
    It's not a show stopper, just very annoying.

    FYI, I had a 2nd branch that started doing the same thing and the NTP config worked for that.

    Thanks for the responses.
