Solved

Cisco ASA - how long a network dropout before a tunnel will drop out and stay dropped out?

Posted on 2013-11-09
625 Views
Last Modified: 2013-11-13
I have this situation:
VPN between local ASA and application service provider ASA.
(the ASAs are controlled by our application service provider).
Our local ISP was resetting a Radius server that interrupted our internet connection every 8 hours (how rude).

The VPN tunnel was dropping out and staying that way. Well, at least it appeared to be staying that way during normal working hours when it happened.
I have no idea what happened during the other 2 times in 24 hours, but it must have come back in order to be working in the morning.

It would take a large number of minutes for:
1) staff to realize that there was no connection
2) fiddling around, then finally deciding to call the application service provider
3) the ASP to see that the tunnel was down and "reset" it.
So, it must have been down for a pretty long time!

So, my question is:
How long does a network dropout need to last before an ASA will drop a tunnel?
Along with that:
Can an ASA tunnel be set to "stay alive" and re-connect after a network outage?
Will it?
If so, how long might it take to reconnect under reasonable circumstances?
Does our experience above say anything about how these two ASAs might be configured re: "keep alive"?
0
Question by:Fred Marshall
2 Comments
 
LVL 23

Accepted Solution by: Erik Bjers (earned 500 total points)
ID: 39636600
The VPN will drop as soon as the internet connection at either end drops but it should come back up as traffic from one end or the other is transmitted.

You can ask your service provider to enable keepalives, this should only be done on one end.

There is also a bug in some versions of the ASA code that causes the VPN to be up but you will have only TX or RX traffic and not both, restarting the ASA usually fixes this.  If you notice that restarting the ASA brings your VPN back up then please make sure your ASA is up-to-date and ask the service provider to do the same.

eb
0
 
LVL 17

Expert Comment by: TimotiSt
ID: 39639538
With IPSec VPNs, there's a "Dead Peer Detection" (DPD) timer, which basically pings the other side to detect if the tunnel is up or not, and rebuilds it as necessary.
The ASA does support it, I can look up the exact config if you need it.

Tamas
0
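As an added illustration of the DPD setting mentioned in the comment above (example configuration written for this page, not TimotiSt's or the ASP's actual config): an IKEv1 site-to-site tunnel-group on a Cisco ASA with Dead Peer Detection enabled on one side only. The peer address 203.0.113.10, the pre-shared-key placeholder and the timer values are assumptions; the verification commands are standard ASA show commands.

```cisco
! Added example, not from the thread: IKEv1 site-to-site tunnel-group on a
! Cisco ASA with Dead Peer Detection (DPD). 203.0.113.10 is a placeholder
! for the ASP's peer address; REPLACE_WITH_PSK is a placeholder key.
!
! DPD semantics: after "threshold" seconds with no traffic from the peer the
! ASA sends an IKE "are you there" probe and repeats it every "retry" seconds.
! Unanswered probes make the ASA tear down the dead SA, so the next
! interesting packet triggers a fresh IKE negotiation instead of the tunnel
! sitting in a half-dead state until someone calls the ASP to "reset" it.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
 ! threshold = idle seconds before the first probe (10 is the ASA default)
 ! retry     = seconds between probes while unanswered (2 is the ASA default)
 isakmp keepalive threshold 10 retry 2
!
! Per the accepted answer, enable keepalives on one end only; the other
! peer's tunnel-group can keep DPD off:
!   isakmp keepalive disable
!
! Verification after a known outage (run on the ASA, not from a host):
! show vpn-sessiondb l2l                  -> L2L session present again once
!                                            traffic resumes
! show crypto isakmp sa                   -> state MM_ACTIVE = IKEv1 SA is up
! show crypto ipsec sa peer 203.0.113.10  -> "pkts encaps" AND "pkts decaps"
!                                            both increasing; one-directional
!                                            counters match the TX/RX-only
!                                            symptom in the accepted answer
```

A network outage shorter than the threshold goes unnoticed by DPD and the tunnel simply resumes; one longer than threshold plus a few retry intervals is detected and the SA is rebuilt on the next packet rather than staying down.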
