Solved

Cisco ASA - how long a network dropout before a tunnel will drop out and stay dropped out?

Posted on 2013-11-09
Last Modified: 2013-11-13
I have this situation:
VPN between local ASA and application service provider ASA.
(the ASAs are controlled by our application service provider).
Our local ISP was resetting a Radius server that interrupted our internet connection every 8 hours (how rude).

The VPN tunnel was dropping out and staying that way. Well, at least it appeared to be staying that way during normal working hours when it happened.
I have no idea what happened during the other 2 times in 24 hours, but it must have come back in order to be working in the morning.

It would take a large number of minutes for:
1) staff to realize that there was no connection
2) fiddling around, then finally deciding to call the application service provider
3) the ASP would see the tunnel was down and "reset" it.
So, it must have been down for a pretty long time!

So, my question is:
How long does a network dropout need to last before an ASA will drop a tunnel?
Along with that:
Can an ASA tunnel be set to "stay alive" and re-connect after a network outage?
Will it?
If so, how long might it take to reconnect under reasonable circumstances?
Does our experience above say anything about how these two ASAs might be configured re: "keep alive"?
Question by: Fred Marshall
Accepted Solution by: Erik Bjers (earned 500 total points)
The VPN will drop as soon as the internet connection at either end drops but it should come back up as traffic from one end or the other is transmitted.

You can ask your service provider to enable keepalives; this should only be done on one end.

There is also a bug in some versions of the ASA code that causes the VPN to be up but you will have only TX or RX traffic and not both; restarting the ASA usually fixes this. If you notice that restarting the ASA brings your VPN back up, then please make sure your ASA is up-to-date and ask the service provider to do the same.

eb
Expert Comment by: TimotiSt
With IPSec VPNs, there's a "Dead Peer Detection" (DPD) timer, which basically pings the other side to detect if the tunnel is up or not, and rebuilds it as necessary.
The ASA does support it; I can look up the exact config if you need it.

Tamas
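An added example (not from either poster, and not the application service provider's configuration) of how the DPD keepalive Tamas mentions is set on a Cisco ASA site-to-site tunnel-group, with the disabled form beside the enabled one and the show commands used to confirm the tunnel came back after an outage. The peer address 203.0.113.1 is a constructed placeholder, and the syntax assumes the tunnel-group ipsec-attributes form (ASA 7.x and later).

```cisco
! Added example, not the posters' configuration. Peer 203.0.113.1 is a placeholder.
! Site-to-site tunnel to the application service provider's ASA.
tunnel-group 203.0.113.1 type ipsec-l2l

! --- Weak setting: DPD off. The ASA never probes the peer, so after a short
! --- ISP outage a dead IKE SA is only noticed when its lifetime expires or when
! --- someone at the ASP resets the tunnel by hand (the situation in the question).
tunnel-group 203.0.113.1 ipsec-attributes
 isakmp keepalive disable

! --- Corrected setting: DPD on (these values are also the ASA defaults).
! --- threshold 10: seconds the peer may be idle before the ASA sends a keepalive
! --- retry 2:      seconds between retries when a keepalive gets no answer
! --- Once the retries are exhausted the ASA tears down the SAs, so the next
! --- interesting packet from either side renegotiates a fresh tunnel instead of
! --- being black-holed by a stale one.
tunnel-group 203.0.113.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 2

! --- Verification after an outage: a tunnel that rebuilt itself shows a new,
! --- young IKE SA and fresh IPsec SAs rather than the pre-outage ones.
show crypto isakmp sa detail
show crypto ipsec sa peer 203.0.113.1
show vpn-sessiondb l2l
```

If the ASP's side keeps keepalives disabled while the local side enables them, the local ASA still detects the dead peer and clears its own SAs, which is what lets the tunnel renegotiate without a manual reset.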