Solved

Keep Alive on ASA 5505

Posted on 2011-09-02
Last Modified: 2012-05-12
Is there a way to set up my ASA 5505 to keep the tunnel up all the time without a computer plugged into it? I have tried some different keep alive commands with no luck. This is set up as Site to Site between an ASA 5505 and an ASA 5520. Below is a copy of my config. Any help would be appreciated.

hostname Testvpn
enable password ****      
passwd ***
username admin password **** privilege 15

name 10.0.0.0 Corp_LAN
name 192.168.64.0 Corp_Voice
name 172.31.134.0 Testvpn

object-group network Corp_Networks
 network-object Corp_LAN 255.0.0.0
 network-object Corp_Voice 255.255.255.0

interface vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shut

interface vlan1
 nameif inside
 security-level 100
 ip address 172.31.134.1 255.255.255.0
 no shut

exit
interface Ethernet0/0
 switchport access vlan 2
 no shut

exit

dhcpd enable inside
dhcpd address 172.31.134.10-172.31.134.30 inside
dhcpd dns 10.10.10.7 10.10.10.44 interface inside
dhcpd domain sun.ins interface inside

logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip 172.31.134.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 172.31.134.0 255.255.255.0 any

access-list VPN extended permit ip  172.31.134.0 255.255.255.0 any

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 172.31.134.0 255.255.255.0

http server enable
http 172.31.134.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
http 123.123.145.64 255.255.255.224 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh 172.31.134.0 255.255.255.0 inside
ssh 123.123.145.64 255.255.255.224 outside
ssh timeout 20

management-access inside

dhcpd auto_config outside

crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
 pre-shared-key ********

exit
int eth 0/1
shut
no shut
int eth 0/2
shut
no shut
int eth 0/3
shut
no shut
int eth 0/4
shut
no shut
int eth 0/5
shut
no shut
int eth 0/6
shut
no shut
int eth 0/7
shut
no shut

Question by:mrsports3
4 Comments

Expert Comment

by:MikeKane
ID: 36474260
Well, you could change the lifetimes to 0, which essentially means forever, to prevent rekeying....

Change
 lifetime 28800
to
 lifetime 0  


Although if there are any tunnel issues, you might need to manually 'clear crypto ipsec sa' to tear down the tunnel.

The keepalives along with this should help. Best bet is to just have an automated process to send a PING across the tunnel once per minute to keep it up.
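MikeKane's once-a-minute ping, generated by the ASA 5505 itself rather than by a host behind it, as an added example that is not part of the original thread. It uses the ASA's IP SLA echo probe, sourced from the inside interface so the packets come from 172.31.134.1 and match the posted `access-list VPN` (172.31.134.0/24 to any); ASA-originated traffic that matches the crypto ACL is encrypted just like through-traffic. The probe target 10.10.10.7 is reused from the posted `dhcpd dns` line, and it is assumed (the 5520 side is not shown on the page) that the 5520's mirror crypto ACL and interface ACLs permit ICMP echo from 172.31.134.0/24 to that host.

```cisco
! Added example, not from the posted config: ASA-originated ICMP probe that
! keeps interesting traffic flowing across the site-to-site tunnel.
! Target 10.10.10.7 is reused from the posted "dhcpd dns" line (assumption:
! it answers ICMP echo and is covered by the 5520's crypto ACL).
sla monitor 1
 type echo protocol ipIcmpEcho 10.10.10.7 interface inside
 num-packets 1
 frequency 60
 timeout 5000
sla monitor schedule 1 life forever start-time now
!
! Optional: track the probe so its up/down state is visible in "show track"
! and in syslog, which doubles as tunnel monitoring.
track 1 rtr 1 reachability
!
! Verification after a few minutes:
!   show sla monitor operational-state 1     (RTT values, no timeouts)
!   show track 1                             (Reachability is Up)
!   show crypto isakmp sa                    (state MM_ACTIVE)
!   show crypto ipsec sa | include pkts      (encaps/decaps increment every 60 s)
```

The probe is sourced with `interface inside` on purpose: the same ICMP sent from the outside interface's DHCP address would not match the crypto ACL and would leave in the clear. A 60-second probe is well inside any ISAKMP or IPsec lifetime, so the SAs are continuously in use and the rekeys MikeKane mentions proceed normally instead of needing to be disabled.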

Expert Comment

by:jmeggers
ID: 36474815
Hopefully this goes without saying, but the ping needs to match the ACLs defining interesting traffic for what activates (and maintains) the IPSec tunnel.

Not trying to be critical, but typically it only takes an IPSec tunnel a few seconds (at most) to activate once it sees interesting traffic.  I'm not sure I see a huge benefit in going to the effort of not allowing the tunnel to close.  I tend to agree with what MikeKane is getting at, that setting the timers so the tunnel never rekeys somewhat complicates the operation of the tunnel if there's a problem in the network.  If you absolutely must keep the tunnel active, of the two options, I would definitely stick with the ICMP traffic.  But my experience has been it's not a big deal to launch the tunnel, and even if some traffic doesn't get through, higher-level protocols typically react to that and adjust what needs to be sent.  My $.02....

Accepted Solution

by:mrsports3
ID: 36474955
The reason I am looking to do this is that I have a time clock that is polled by a server once every hour. This is the only thing plugged into the ASA. If there is no traffic in that hour, the tunnel goes down. One thing I found that is working so far is that I set up the NTP to look at our NTP server. So far the tunnel has not dropped and it's been a couple of hours.
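The NTP approach the asker settled on, written out against the posted config as an added example that is not part of the original thread. The detail that makes it work is the `source inside` keyword: the ASA then sends NTP from 172.31.134.1, which the posted `access-list VPN` covers, rather than from the outside interface's DHCP address, which it does not. The server 10.10.10.7 is reused from the posted `dhcpd dns` line and is an assumption (the thread does not name the corporate NTP server); the authentication key is a placeholder.

```cisco
! Added example, not from the posted config: ASA-originated NTP across the
! site-to-site tunnel. Server 10.10.10.7 is an assumption reused from the
! posted "dhcpd dns" line; the key value is a placeholder to replace.
ntp authenticate
ntp authentication-key 1 md5 REPLACE_WITH_SHARED_KEY
ntp trusted-key 1
!
! "source inside" makes the ASA send from 172.31.134.1, which matches
! access-list VPN and is therefore encrypted. Without it the packets leave
! unencrypted from the outside interface and never bring the tunnel up.
ntp server 10.10.10.7 key 1 source inside prefer
!
! Verification:
!   show ntp associations      (* marks the synced server; reach climbs to 377)
!   show ntp status            (Clock is synchronized)
!   show crypto ipsec sa | include pkts   (encaps/decaps increment on each poll)
```

One caveat on relying on NTP alone: once synchronized, an NTP client backs its poll interval off toward 1024 seconds, so traffic crosses the tunnel only every 17 minutes or so. That is enough to keep a default IPsec SA in use, but if an idle timer is ever configured with `crypto ipsec security-association idle-time` (off by default), it must be longer than the poll interval or the SA will still lapse between polls.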

Author Closing Comment

by:mrsports3
ID: 36494084
This solution keeps the tunnel up and has not dropped in a couple of hours
