Solved

Cisco ASA - how long a network dropout before a tunnel will drop out and stay dropped out?

Posted on 2013-11-09
2
630 Views
Last Modified: 2013-11-13
I have this situation:
VPN between local ASA and application service provider ASA.
(the ASAs are controlled by our application service provider).
Our local ISP was resetting a Radius server that interrupted our internet connection every 8 hours (how rude).

The VPN tunnel was dropping out and staying that way.  Well, at least it appeared to be staying that way during normal working hours when it happened.  
I have no idea what happened during the other 2 times in 24 hours... but it must have come back in order to be working in the morning.

It would take a large number of minutes for:
1) staff to realize that there was no connection
2) fiddling around ... finally deciding to call the application service provider
3) the ASP to see the tunnel was down and "reset" it.
So, it must have been down for a pretty long time!

So, my question is:
How long does a network dropout need to last before an ASA will drop a tunnel?
Along with that:
Can an ASA tunnel be set to "stay alive" and re-connect after a network outage?
Will it?
If so, how long might it take to reconnect under reasonable circumstances?
Does our experience above say anything about how these two ASAs might be configured re: "keep alive"?
Question by:Fred Marshall
2 Comments
LVL 23

Accepted Solution

by: Erik Bjers (earned 500 total points)
ID: 39636600
The VPN will drop as soon as the internet connection at either end drops, but it should come back up as traffic from one end or the other is transmitted.

You can ask your service provider to enable keepalives; this should only be done on one end.

There is also a bug in some versions of the ASA code that causes the VPN to be up but you will have only TX or RX traffic and not both; restarting the ASA usually fixes this. If you notice that restarting the ASA brings your VPN back up, then please make sure your ASA is up-to-date and ask the service provider to do the same.

eb
LVL 17

Expert Comment

by:TimotiSt
ID: 39639538
With IPSec VPNs, there's a "Dead Peer Detection" (DPD) timer, which basically pings the other side to detect if the tunnel is up or not, and rebuilds it as necessary.
The ASA does support it, I can look up the exact config if you need it.

Tamas
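The keepalive both answers refer to is Dead Peer Detection under the tunnel-group's IPsec attributes. The fragment below is an added example, not the configuration of either ASA in the question or anything Tamas or Erik posted; it assumes an IKEv1 LAN-to-LAN tunnel and uses the constructed placeholder peer address 203.0.113.10 (a documentation range), which you would replace with the provider's real peer address. It shows the setting that leaves a vanished peer unnoticed beside the DPD setting that lets the ASA tear down and renegotiate the tunnel on its own.

```text
! Added example (not from the original post). Placeholder peer 203.0.113.10
! is constructed; substitute the provider's real peer address.
!
! Weak: DPD disabled. After the ISP's 8-hourly outage the ASA keeps the
! stale SA and only discovers the dead peer when user traffic fails.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive disable
!
! Corrected: send a DPD probe after 10 seconds without traffic from the
! peer and retry every 2 seconds. Once the retries go unanswered the ASA
! deletes the SA, so the tunnel is rebuilt as soon as interesting traffic
! appears instead of waiting for someone to phone the provider.
! (threshold 10 / retry 2 are the ASA's default values for this command.)
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
```

To confirm what a given ASA is doing, `show running-config tunnel-group 203.0.113.10` shows whether the keepalive line is present or disabled, `show crypto isakmp sa` shows whether the IKE SA is up, and `show crypto ipsec sa peer 203.0.113.10` shows the per-SA counters. The `#pkts encaps` and `#pkts decaps` counters in that last output are the check for the one-direction-only condition Erik describes: a tunnel that is "up" but with only one of those counters increasing is carrying traffic in just one direction.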
