ipsec tunnel question

Is there a way where I can automate "clear crypto ipsec sa peer #####" so the tunnel is reset let's say every 24 hours without my intervention? I'm using 5520 asa
LVL 3
Shark AttackNetwork adminAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

harbor235Commented:
Which IOS are you using?

For newer IOS try the following:

 
configure terminal
crypto ipsec security-association idle-time [seconds]


harbor235 ;}
Shark AttackNetwork adminAuthor Commented:
I already have that set to
crypto ipsec security-association lifetime seconds 28800
that don't reset the peer. Dont I need scripts or something?
harbor235Commented:
Well, it renegotiates the security association which means it re validates the phase 2 portion of your IPSEC VPN ensuring that your peer still possesses the correct trusted configuration.

What are you trying to do?

harbor235 ;}
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

Shark AttackNetwork adminAuthor Commented:
I dont know, I have an ipsec tunnel configured on both ends. It's all functional but it goes down like once a week. When I do "clear crypto ipsec sa peer" it comes right back up. I don't know why it's doing this. I check all times on both devices and they match. The weird thing is, when it's down, I cannot ping the peers interesting traffic BUT in the "show crypto ipsec sa" I see encaps and decaps increasing.

I dont see much in debugs, nothing interesting
I dont see any drops when i configure capture drop-all

The other end is using none-cisco device
Shark AttackNetwork adminAuthor Commented:
I dont see anything with on my end, i even reached out to cisco to verify that there is nothing going on my end and they confirned it must be the other end, i told me other then it's them they're saying its not  them that nothing is wrong on their end.

So to make this easier, I just wanted to automate "clear crypto ipsec" and just get this over with
harbor235Commented:
Try setting the phase 1 lifetime, default is 86400 seconds or 1 day. This forces rekeying to be performed
and will bring down the VPN. However, it sounds like this is done by default now, also keep in mind that
this is a IPSEC VPN over the internet ( I assume), packet loss, latency, jitter, all of which are unpredictable on the internet can cause
your VPN to hiccup.

If you think the manual clear works better why not develop a ineractive script that logs in and issues the clear command.


harbor235 ;}
max_the_kingCommented:
Hi,
although it is probably a problem of the other side firewall, you may want to try and use Dead-Peer-Detection on you tunnel, just in case one side of the tunnel believes the other is dead.
This will send keepalives to the other end (default is every 10 seconds).
To enable this:
tunnel-group tunnel-group-name ipsec-attributes
isakmp keepalive enable

might be worth a try ...
hope this helps
max
Shark AttackNetwork adminAuthor Commented:
max,

I only get this

Primary-ASA(config-tunnel-ipsec)# isakmp keepalive ?

tunnel-group-ipsec mode commands/options:
  disable    Disable IKE keepalives
  retry      Enter the interval between retries after a keepalive response has not been received.
  threshold  Enter the number of seconds that the peer is allowed to idle before beginning keepalive monitoring
  <cr>

Open in new window

max_the_kingCommented:
then it should already be enabled
might be worth to try and disable it
since the other side of the tunnel terminates on a different device from asa they might have a mismatch
max
asavenerCommented:
Take a look at RANCID (http://www.shrubbery.net/rancid/) for running remote commands on Cisco devices.
harbor235Commented:
All you need to do is use expect, run autoexpect then enter cli commands that you normally use, end autoexpect,
Autoexpect will capture all commands you enter and generate an executable that you can run or cron, pretty simple.


http://www.admin-magazine.com/Articles/Automating-with-Expect-Scripts


harbor235 ;}

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
asavenerCommented:
Cool.  AutoIT for Linux....
Shark AttackNetwork adminAuthor Commented:
thanks all, I used Cat tools. Works like a charm and it's very easy to setup.
Shark AttackNetwork adminAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for zgil86's comment #a41234085

for the following reason:

Used alternate app
asavenerCommented:
Experts provided valid answers, even if the final product selected was not one of the tools suggested.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security

From novice to tech pro — start learning today.