Keep Alive on ASA 5505

mrsports3 used Ask the Experts™
Is there a way to set up my ASA 5505 to keep the tunnel up all the time without a computer plugged into it?  I have tried some different keep alive commands with no luck.  This is set up as Site to Site between an ASA 5505 and an ASA 5520.   Below is a copy of my config,  Any help would be appriciated.

hostname Testvpn
enable password ****      
passwd ***
username admin password **** privilege 15

name Corp_LAN
name Corp_Voice
name Testvpn

object-group network Corp_Networks
 network-object Corp_LAN
 network-object Corp_Voice

interface vlan2
nameif outside
 security-level 0
ip address dhcp setroute
no shut

interface vlan1
nameif inside
security-level 100
ip address
no shut

interface Ethernet0/0
switchport access vlan 2
no shut


dhcpd enable inside
dhcpd address inside
dhcpd dns interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside

logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any
access-list inside_access_in extended permit icmp any

access-list VPN extended permit ip any

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1

http server enable
http inside
http inside
http outside
ssh inside
ssh inside
ssh outside
ssh timeout 20

management-access inside

dhcpd Testvpn auto_config outside

crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 WATRemotehentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
 pre-shared-key ********

int eth 0/1
no shut
int eth 0/2
no shut
int eth 0/3
no shut
int eth 0/4
no shut
int eth 0/5
no shut
int eth 0/6
no shut
int eth 0/7
no shut

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2010

Well, you could change the lifetimes to 0 which essentially mean forever to prevent rekeying....  

 lifetime 28800
 lifetime 0  

Although if there are any tunnel issues, you might need to manually 'clear crypto ipsec sa' to tear down the tunnel.    

The keepalives along with this should help.    Best bet is to just have an automated process to send a PING across the tunnel once per minute to keep it up.
John MeggersNetwork Architect

Hopefully this goes without saying, but the ping needs to match the ACLs defining interesting traffic for what activates (and maintains) the IPSec tunnel.

Not trying to be critical, but typically it only takes an IPSec tunnel a few seconds (at most) to activate once it sees interesting traffic.  I'm not sure I see a huge benefit in going to the effort of not allowing the tunnel to close.  I tend to agree with what MikeKane is getting at, that setting the timers so the tunnel never rekeys somewhat complicates the operation of the tunnel if there's a problem in the network.  If you absolutely must keep the tunnel active, of the two options, I would definitely stick with the ICMP traffic.  But my experience has been it's not a big deal to launch the tunnel, and even if some traffic doesn't get through, higher-level protocols typically react to that and adjust what needs to be sent.  My $.02....
The reason I am looking to do this, is that I have a time clock that is pulled by a server once every hour.  This is the only thing plugged into the ASA.  If there is no traffic in that hour, the tunnel goes down.  One thing I found that is working so far, is that I set up the NTP to look at our NTP server.  So far the tunnel has not dropped and its been a couple of hours.


This solution keeps the tunnel up and has not dropped in a couple of hours

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial