Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Keep Alive on ASA 5505

Posted on 2011-09-02
Medium Priority
Last Modified: 2012-05-12
Is there a way to set up my ASA 5505 to keep the tunnel up all the time without a computer plugged into it?  I have tried some different keep alive commands with no luck.  This is set up as Site to Site between an ASA 5505 and an ASA 5520.   Below is a copy of my config,  Any help would be appriciated.

hostname Testvpn
enable password ****      
passwd ***
username admin password **** privilege 15

name Corp_LAN
name Corp_Voice
name Testvpn

object-group network Corp_Networks
 network-object Corp_LAN
 network-object Corp_Voice

interface vlan2
nameif outside
 security-level 0
ip address dhcp setroute
no shut

interface vlan1
nameif inside
security-level 100
ip address
no shut

interface Ethernet0/0
switchport access vlan 2
no shut


dhcpd enable inside
dhcpd address inside
dhcpd dns interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside

logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any
access-list inside_access_in extended permit icmp any

access-list VPN extended permit ip any

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1

http server enable
http inside
http inside
http outside
ssh inside
ssh inside
ssh outside
ssh timeout 20

management-access inside

dhcpd Testvpn auto_config outside

crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 WATRemotehentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
 pre-shared-key ********

int eth 0/1
no shut
int eth 0/2
no shut
int eth 0/3
no shut
int eth 0/4
no shut
int eth 0/5
no shut
int eth 0/6
no shut
int eth 0/7
no shut

Question by:mrsports3
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 33

Expert Comment

ID: 36474260
Well, you could change the lifetimes to 0 which essentially mean forever to prevent rekeying....  

 lifetime 28800
 lifetime 0  

Although if there are any tunnel issues, you might need to manually 'clear crypto ipsec sa' to tear down the tunnel.    

The keepalives along with this should help.    Best bet is to just have an automated process to send a PING across the tunnel once per minute to keep it up.
LVL 18

Expert Comment

ID: 36474815
Hopefully this goes without saying, but the ping needs to match the ACLs defining interesting traffic for what activates (and maintains) the IPSec tunnel.

Not trying to be critical, but typically it only takes an IPSec tunnel a few seconds (at most) to activate once it sees interesting traffic.  I'm not sure I see a huge benefit in going to the effort of not allowing the tunnel to close.  I tend to agree with what MikeKane is getting at, that setting the timers so the tunnel never rekeys somewhat complicates the operation of the tunnel if there's a problem in the network.  If you absolutely must keep the tunnel active, of the two options, I would definitely stick with the ICMP traffic.  But my experience has been it's not a big deal to launch the tunnel, and even if some traffic doesn't get through, higher-level protocols typically react to that and adjust what needs to be sent.  My $.02....

Accepted Solution

mrsports3 earned 0 total points
ID: 36474955
The reason I am looking to do this, is that I have a time clock that is pulled by a server once every hour.  This is the only thing plugged into the ASA.  If there is no traffic in that hour, the tunnel goes down.  One thing I found that is working so far, is that I set up the NTP to look at our NTP server.  So far the tunnel has not dropped and its been a couple of hours.

Author Closing Comment

ID: 36494084
This solution keeps the tunnel up and has not dropped in a couple of hours

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question