

Site to Site VPN tunnel drops after business hours

Posted on 2009-02-20
Medium Priority
Last Modified: 2012-06-27
Hi all. I have a branch router that has its VPN tunnel go down each night at 4:20pm after everyone goes home.  I can remote into it via dialup and ping our HQ router from the hub and the VPN tunnel comes back up.

How can I keep the tunnel up all the time?  I have seen a suggestion of setting up an NTP server.  Does anyone know how to do a continuous ping from a hub/switch?
My problem is that I use monitoring software that tells me when a vpn tunnel goes down...it's very annoying.
Question by:computertech36

Accepted Solution

ciscoguy69 earned 672 total points
ID: 23695442
There are many ways to keep the tunnel up. You are doing it by creating interesting traffic. Yes, an NTP server would be a good idea even if it is not for the reason you intend. NTP should keep it up as it synchronizes, but if you want to post your tunnel config, I can take a look.

Assisted Solution

IPsec88 earned 664 total points
ID: 23695758
You can write a little script that has a machine send a ping every few minutes to keep the tunnel up. This is probably the easiest.
Set up NTP across the link. You end up with two benefits:
1. The clocks are in sync.
2. The vpn stays up.
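
The ping script suggested in the answer above, sketched as an added example that is not part of the original thread. It assumes Linux iputils `ping`; the `TARGET` address is a constructed placeholder for a far-side LAN host whose traffic matches the tunnel's crypto ACL, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: keepalive probe for a site-to-site IPsec tunnel.
# The probe must be "interesting traffic": its source and destination have to
# match the crypto ACL, otherwise it will not bring the tunnel up.
TARGET="${TARGET:-192.0.2.10}"            # constructed placeholder address
INTERVAL="${INTERVAL:-120}"               # seconds between probes
FAIL_LIMIT="${FAIL_LIMIT:-3}"             # consecutive misses before logging DOWN
PROBE_CMD="${PROBE_CMD:-ping -c 1 -W 2}"  # assumption: Linux iputils flags

# probe HOST: exit status 0 if the far side answered
probe() {
    $PROBE_CMD "$1" >/dev/null 2>&1
}

# step STATE FAILS RESULT: prints "NEWSTATE NEWFAILS".
# A single miss is tolerated, because the first packet after an idle period
# is often lost while the tunnel renegotiates.
step() {
    state=$1; fails=$2; result=$3
    if [ "$result" -eq 0 ]; then
        echo "UP 0"
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$FAIL_LIMIT" ]; then
            echo "DOWN $fails"
        else
            echo "$state $fails"
        fi
    fi
}

# run: probe forever and log only state changes, with timestamps that can be
# lined up against the monitoring system's alerts.
run() {
    state=UP; fails=0
    while :; do
        if probe "$TARGET"; then rc=0; else rc=1; fi
        set -- $(step "$state" "$fails" "$rc")
        if [ "$1" != "$state" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') tunnel to $TARGET: $state -> $1"
        fi
        state=$1; fails=$2
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: keepalive.sh run
if [ "${1:-}" = "run" ]; then run; fi
```

Run it from a machine on the branch LAN so that the probe is sourced from an address inside the protected network.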
LVL 29

Expert Comment

by:Michael Worsham
ID: 23712008
Some VPN endpoint routers have the ability to do 'keep alive', and thus will send a signal across the VPN tunnel to keep the tunnel up and operational.

Which VPN endpoint routers are you using at the main site and the branch site(s)?


Author Comment

ID: 23715692
I am using a Cisco PIX 515 at our HQ and a Cisco 1750 running 12.1.3(xt2) at the remote location.

I added the following line to our PIX:   isakmp keepalive 20
On the remote router, I added the following: crypto isakmp keepalive 20

On the remote router, I have the following:
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key test address x.x.x.x
crypto isakmp keepalive 20

On the PIX, I have:

crypto map mymap 8 ipsec-isakmp
crypto map mymap 8 match address chr01rt01ec
crypto map mymap 8 set peer (Ip address of WAN interface of 1750 router)
crypto map mymap 8 set transform-set myset
isakmp key ******** address (Ip address of WAN interface of 1750 router) netmask

Assisted Solution

zv92470 earned 664 total points
ID: 23791590
Why do you want it to stay up all the time, if no one is using it?  I would make sure you have it configured to be able to come up from traffic on either end - it sounds like you only have it configured to be initiated by traffic from your remote end.  If you don't have traffic going over it, it shouldn't matter if it's up or not.  And, if you do have traffic going over it but the tunnel is down, it should come up quickly enough that the end users/applications don't know it was down.

Author Comment

ID: 23807268
You're right, it does not impact functionality...but it does get annoying getting a page on my phone that the location is down after hours.  Also, I have 40 other branch locations that use like equipment and do not have the issue.
It's not a show stopper, just very annoying.

FYI, I had a 2nd branch that started doing the same thing and the NTP config worked for that.

Thanks for the responses.
