Keep Alive on ASA 5505

Posted on 2011-09-02
Last Modified: 2012-05-12
Is there a way to set up my ASA 5505 to keep the tunnel up all the time without a computer plugged into it?  I have tried some different keep alive commands with no luck.  This is set up as Site to Site between an ASA 5505 and an ASA 5520.   Below is a copy of my config,  Any help would be appriciated.

hostname Testvpn
enable password ****      
passwd ***
username admin password **** privilege 15

name Corp_LAN
name Corp_Voice
name Testvpn

object-group network Corp_Networks
 network-object Corp_LAN
 network-object Corp_Voice

interface vlan2
nameif outside
 security-level 0
ip address dhcp setroute
no shut

interface vlan1
nameif inside
security-level 100
ip address
no shut

interface Ethernet0/0
switchport access vlan 2
no shut


dhcpd enable inside
dhcpd address inside
dhcpd dns interface inside
dhcpd domain sun.ins interface inside
dhcpd enable inside

logging enable
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any
access-list inside_access_in extended permit icmp any

access-list VPN extended permit ip any

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1

http server enable
http inside
http inside
http outside
ssh inside
ssh inside
ssh outside
ssh timeout 20

management-access inside

dhcpd Testvpn auto_config outside

crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer *****
crypto map outside_map 1 set transform-set VPN
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 WATRemotehentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

tunnel-group ****** type ipsec-l2l
tunnel-group ****** ipsec-attributes
 pre-shared-key ********

int eth 0/1
no shut
int eth 0/2
no shut
int eth 0/3
no shut
int eth 0/4
no shut
int eth 0/5
no shut
int eth 0/6
no shut
int eth 0/7
no shut

Question by:mrsports3
  • 2
LVL 33

Expert Comment

ID: 36474260
Well, you could change the lifetimes to 0 which essentially mean forever to prevent rekeying....  

 lifetime 28800
 lifetime 0  

Although if there are any tunnel issues, you might need to manually 'clear crypto ipsec sa' to tear down the tunnel.    

The keepalives along with this should help.    Best bet is to just have an automated process to send a PING across the tunnel once per minute to keep it up.
LVL 18

Expert Comment

ID: 36474815
Hopefully this goes without saying, but the ping needs to match the ACLs defining interesting traffic for what activates (and maintains) the IPSec tunnel.

Not trying to be critical, but typically it only takes an IPSec tunnel a few seconds (at most) to activate once it sees interesting traffic.  I'm not sure I see a huge benefit in going to the effort of not allowing the tunnel to close.  I tend to agree with what MikeKane is getting at, that setting the timers so the tunnel never rekeys somewhat complicates the operation of the tunnel if there's a problem in the network.  If you absolutely must keep the tunnel active, of the two options, I would definitely stick with the ICMP traffic.  But my experience has been it's not a big deal to launch the tunnel, and even if some traffic doesn't get through, higher-level protocols typically react to that and adjust what needs to be sent.  My $.02....

Accepted Solution

mrsports3 earned 0 total points
ID: 36474955
The reason I am looking to do this, is that I have a time clock that is pulled by a server once every hour.  This is the only thing plugged into the ASA.  If there is no traffic in that hour, the tunnel goes down.  One thing I found that is working so far, is that I set up the NTP to look at our NTP server.  So far the tunnel has not dropped and its been a couple of hours.

Author Closing Comment

ID: 36494084
This solution keeps the tunnel up and has not dropped in a couple of hours

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question