Solved

Cisco ASA - how long a network dropout before a tunnel will drop out and stay dropped out?

Posted on 2013-11-09
2
Medium Priority
648 Views
Last Modified: 2013-11-13
I have this situation:
VPN between local ASA and application service provider ASA.
(the ASAs are controlled by our application service provider).
Our local ISP was resetting a RADIUS server that interrupted our internet connection every 8 hours (how rude).

The VPN tunnel was dropping out and staying that way. Well, at least it appeared to be staying that way during normal working hours when it happened.
I have no idea what happened during the other 2 times in 24 hours... but it must have come back in order to be working in the morning.

It would take a large number of minutes to:
1) staff to realize that there was no connection
2) fiddle around ... finally decide to call the application service provider
3) the ASP would see the tunnel was down and "reset" it.
So, it must have been down for a pretty long time!

So, my question is:
How long does a network dropout need to last before an ASA will drop a tunnel?
Along with that:
Can an ASA tunnel be set to "stay alive" and re-connect after a network outage?
Will it?
If so, how long might it take to reconnect under reasonable circumstances?
Does our experience above say anything about how these two ASAs might be configured re: "keep alive"?
Question by:Fred Marshall
2 Comments
 
LVL 23

Accepted Solution

by:
Erik Bjers earned 2000 total points
ID: 39636600
The VPN will drop as soon as the internet connection at either end drops but it should come back up as traffic from one end or the other is transmitted.

You can ask your service provider to enable keepalives; this should only be done on one end.

There is also a bug in some versions of the ASA code that causes the VPN to be up but you will have only TX or RX traffic and not both; restarting the ASA usually fixes this. If you notice that restarting the ASA brings your VPN back up then please make sure your ASA is up-to-date and ask the service provider to do the same.

eb
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39639538
With IPSec VPNs, there's a "Dead Peer Detection" (DPD) timer, which basically pings the other side to detect if the tunnel is up or not, and rebuilds it as necessary.
The ASA does support it, I can look up the exact config if you need it.

Tamas
0
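As an added illustration of the two suggestions above (keepalives on one end only, and DPD on the ASA), here is an example of what the relevant tunnel-group configuration looks like on an ASA running 8.4 or later syntax. This is not configuration from the question or from either commenter: the peer addresses 203.0.113.10 (the ASP's ASA) and 198.51.100.20 (the local ASA) are constructed placeholders, and the threshold/retry values are chosen for the example rather than taken from the page.

```cisco
! Added example, not from the original page.
! LOCAL ASA: site-to-site (L2L) tunnel to the ASP's ASA.
! Peer 203.0.113.10 is a constructed placeholder address.
! DPD is enabled on this end only: after 10 s without traffic from the peer
! the ASA sends a DPD probe, and re-sends every 2 s while no reply arrives.
! (10/2 are example values chosen here; tune them to the link's behaviour.)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key ********
 isakmp keepalive threshold 10 retry 2

! ASP-SIDE ASA: the other end of the same tunnel.
! Peer 198.51.100.20 is a constructed placeholder for the local ASA's address.
! Keepalives are disabled here so that only one end probes, as recommended
! in the accepted answer above.
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key ********
 isakmp keepalive disable

! Checks to run after a dropout, on either ASA:
! - IKE SA present?            show crypto isakmp sa
! - IPsec SA present?          show crypto ipsec sa peer 203.0.113.10
! - session listed and active? show vpn-sessiondb l2l
! In "show crypto ipsec sa", both #pkts encaps and #pkts decaps should be
! rising while traffic flows; one rising and the other stuck is the
! one-direction symptom the accepted answer describes.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
show vpn-sessiondb l2l
```

With DPD enabled on one side, a peer that stops answering probes is declared dead and its SAs are torn down; the next interesting traffic (or the DPD-initiating side itself) then triggers a fresh IKE negotiation once the internet link is back, which is the "stay alive and reconnect" behaviour the question asks about. On ASA versions before 8.4 the pre-shared-key line is written without the `ikev1` prefix; the `isakmp keepalive` line is the same.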
