Keep Alive on ASA 5505

Posted on 2011-09-02
Medium Priority
Last Modified: 2012-05-12
Is there a way to set up my ASA 5505 to keep the tunnel up all the time without a computer plugged into it?  I have tried some different keep alive commands with no luck.  This is set up as Site to Site between an ASA 5505 and an ASA 5520.   Below is a copy of my config,  Any help would be appriciated.

hostname Testvpn
enable password ****      
passwd ***
username admin password **** privilege 15

name Corp_LAN
name Corp_Voice
name Testvpn

object-group network Corp_Networks
 network-object Corp_LAN
 network-object Corp_Voice

interface vlan2
nameif outside
 security-level 0
ip address dhcp setroute
no shut

interface vlan1
nameif inside
security-level 100
ip address
no shut

interface Ethernet0/0
switchport access vlan 2
no shut


dhcpd enable inside
dhcpd address inside
dhcpd dns interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside

logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any
access-list inside_access_in extended permit icmp any

access-list VPN extended permit ip any

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1

http server enable
http inside
http inside
http outside
ssh inside
ssh inside
ssh outside
ssh timeout 20

management-access inside

dhcpd Testvpn auto_config outside

crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 WATRemotehentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
 pre-shared-key ********

int eth 0/1
no shut
int eth 0/2
no shut
int eth 0/3
no shut
int eth 0/4
no shut
int eth 0/5
no shut
int eth 0/6
no shut
int eth 0/7
no shut

Question by:mrsports3
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 33

Expert Comment

ID: 36474260
Well, you could change the lifetimes to 0 which essentially mean forever to prevent rekeying....  

 lifetime 28800
 lifetime 0  

Although if there are any tunnel issues, you might need to manually 'clear crypto ipsec sa' to tear down the tunnel.    

The keepalives along with this should help.    Best bet is to just have an automated process to send a PING across the tunnel once per minute to keep it up.
LVL 18

Expert Comment

ID: 36474815
Hopefully this goes without saying, but the ping needs to match the ACLs defining interesting traffic for what activates (and maintains) the IPSec tunnel.

Not trying to be critical, but typically it only takes an IPSec tunnel a few seconds (at most) to activate once it sees interesting traffic.  I'm not sure I see a huge benefit in going to the effort of not allowing the tunnel to close.  I tend to agree with what MikeKane is getting at, that setting the timers so the tunnel never rekeys somewhat complicates the operation of the tunnel if there's a problem in the network.  If you absolutely must keep the tunnel active, of the two options, I would definitely stick with the ICMP traffic.  But my experience has been it's not a big deal to launch the tunnel, and even if some traffic doesn't get through, higher-level protocols typically react to that and adjust what needs to be sent.  My $.02....

Accepted Solution

mrsports3 earned 0 total points
ID: 36474955
The reason I am looking to do this, is that I have a time clock that is pulled by a server once every hour.  This is the only thing plugged into the ASA.  If there is no traffic in that hour, the tunnel goes down.  One thing I found that is working so far, is that I set up the NTP to look at our NTP server.  So far the tunnel has not dropped and its been a couple of hours.

Author Closing Comment

ID: 36494084
This solution keeps the tunnel up and has not dropped in a couple of hours

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question