Cisco ASA 5515-X Adaptive Security Appliance Troubleshooting Guide

Dynamic-to-Static L2L Always Up
When establishing a LAN-to-LAN tunnel, the IP address of both IPsec peers needs to be known. If one of
the IP addresses is not known because it is dynamic (for example, obtained via DHCP), the only alternative is to use
a dynamic crypto map. The tunnel can then only be initiated from the device with the dynamic IP, since the other
peer does not know which IP address is in use.
This is a problem when nobody is behind the device with the dynamic IP to bring the tunnel up again after it
goes down; hence the need to keep this tunnel always up. Setting the idle-timeout to none does not
address the issue either, because upon a rekey the tunnel goes down if no traffic is passing through it. At that
moment the only way to bring the tunnel up again is to send traffic from the device with the dynamic IP. The
same applies if the tunnel goes down for an unexpected reason, such as DPD declaring the peer dead.
This EEM applet sends a ping across the tunnel every 60 seconds. The ping matches the desired SA, so the
traffic keeps the connection up (and re-establishes it from the dynamic side if it has dropped).
event manager applet VPN-Always-UP
 event timer watchdog time 60
 action 1 cli command "ping inside 192.168.20.1"
 output none
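A variant of the keepalive applet, added here as an example and not taken from the Cisco document: in addition to pinging the remote inside host, it records the IPsec SA state for the static peer to a rotating set of files on disk0, so an operator can later see when the tunnel had dropped even though the applet brought it back up. The peer address 203.0.113.1, the host 192.168.20.1 and the file count are assumptions.

```cisco
! Added example (not from the Cisco document). Runs every 60 seconds.
event manager applet VPN-Always-UP-Log
 event timer watchdog time 60
 ! Traffic matching the crypto ACL brings the tunnel up if it is down
 action 1 cli command "ping inside 192.168.20.1"
 ! Record the SA state for the static peer (203.0.113.1 is an assumed address)
 action 2 cli command "show crypto ipsec sa peer 203.0.113.1"
 ! Keep the output of the last 5 runs on disk0 instead of discarding it
 output file rotate 5
```

Use `output none` instead of the rotating files once the tunnel behaviour has been confirmed, to avoid writing to flash every minute.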
Disconnect All VPN Existing Connections at a Certain Time
The ASA does not have a way to set a hard cut-off time for VPN sessions. However, you can do this with EEM.
This example demonstrates how to disconnect both IPsec VPN Clients and AnyConnect clients at 5:00 PM.
event manager applet VPN-Disconnect
 event timer absolute time 17:00:00
 action 1 cli command "vpn-sessiondb logoff ra-ikev1-ipsec noconfirm"
 action 2 cli command "vpn-sessiondb logoff anyconnect noconfirm"
 output none
Updated: Sep 08, 2014
Document ID: 118087