Solved

Cisco ASA - how long a network dropout before a tunnel will drop out and stay dropped out?

Posted on 2013-11-09
2
643 Views
Last Modified: 2013-11-13
I have this situation:
VPN between local ASA and application service provider ASA.
(the ASAs are controlled by our application service provider).
Our local ISP was resetting a Radius server that interrupted our internet connection every 8 hours (how rude).

The VPN tunnel was dropping out and staying that way.  Well, at least it appeared to be staying that way during normal working hours when it happened.  
I have no idea what happened during the other 2 times in 24 hours .. but it must have come back in order to be working in the morning.....

It would take a large number of minutes to:
1) staff to realize that there was no connection
2) fiddle around ... finally decide to call the application service provider
3) the ASP would see the tunnel was down and "reset" it.
So, it must have been down for a pretty long time!

So, my question is:
How long does a network dropout need to last before an ASA will drop a tunnel?
Along with that:
Can an ASA tunnel be set to "stay alive" and re-connect after a network outage?
Will it?
If so, how long might it take to reconnect under reasonable circumstances?
Does our experience above say anything about how these two ASAs might be configured re: "keep alive"?
0
Comment
Question by:Fred Marshall
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 23

Accepted Solution

by:
Erik Bjers earned 500 total points
ID: 39636600
The VPN will drop as soon as the internet connection at either end drops but it should come back up as traffic from one end or the other is transmitted.

You can ask your service provider to enable keepalives, this should only be done on one end.

There is also a bug in some versions of the ASA code that causes the VPN to be up but you will have only TX or RX traffic and not both, restarting the ASA usually fixes this.  If you notice that restarting the ASA brings your VPN back up then please make sure your ASA is up-to-date and ask the service provider to do the same.

eb
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39639538
With IPSec VPNs, there's a "Dead Peer Detection" (DPD) timer, which basically pings the other side to detect if the tunnel is up or not, and rebuilds it as necessary.
The ASA does support it, I can look up the exact config if you need it.

Tamas
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question