2

I managed to set up a site-to-site VPN connection from Amazon VPC to a company's network, and after a lot of configuration it was working fine, but now I realized that the VPN tunnel is DOWN every time there's no traffic going through for a couple of minutes.

The only way that I have found to generate traffic is to reach the Amazon instance from the company's network, and then the tunnel goes up again.

I had a cronjob doing a ping every minute, but I think there should be a keepalive option somewhere, or at least a log file for the tunnels to find out what's going on.

Any ideas to keep the tunnel up and/or bring it up from amazon?

The firewall is a Checkpoint R75.20; it only allows one tunnel at a time for the same subnet, so I can't have both tunnels active.

Thank you, any questions just ask.

EDIT: I forgot to add, the ping keepalive was working great (maybe generating a bit of traffic, but nothing to worry about); the connection dropped because I had to restart the instance, and in that little time it dropped me.

Asfura
    This is how IPSec works - if there is no traffic, it won't renew the SAs until more traffic happens. Is this actually causing performance problems? If so, then just send a ping across via cron on either end of the tunnel. – EEAA Nov 14 '13 at 00:15

2 Answers

1

Add an SLA monitor

Using sla monitor we can have the ASA do a continuous ping over the tunnel to keep it always up. Here’s a config to ping an IP over the tunnel every 5 seconds, forever.

sla monitor 1
    type echo protocol ipIcmpEcho 10.1.2.2 interface OUTSIDE
    frequency 5
exit

sla monitor schedule 1 life forever start-time now

The point of this is only to keep the tunnel up. It doesn’t matter if the pings are actually successful.

Ref: http://www.tunnelsup.com/troubleshooting-vpn-between-cisco-asa-and-amazon-aws

Sekenre
Kato
  • Thank you. The cron-based ping solution has worked fine until now. I'm not in that project anymore, but I'll relay your solution to the current IT guy there. – Asfura Jul 06 '15 at 19:41
0

Two ideas,

1) See if you can enable rekeying on the Checkpoint side. This could be a long and complicated investigation that really might not work.

2) Since you are using VPC, do you have the "enable DNS" feature active? It is on by default. If so, there is an IP address that is always on inside the VPC -- the VPC DNS server. Even if all your instances are gone, it will still be there. Its IP address is easy to find from your instances' DHCP leases, but it is always the VPC subnet network number + 2. (For example, if the VPC is 172.20.0.0/16, the VPC DNS server IP is 172.20.0.2). You can do a dig @a.b.c.d whatever.com from your cron.

Lastly, having the connection go down after a couple of minutes seems really too short. You may be able to modify the tunnel lifetimes on the Checkpoint side (since the Checkpoint is the one starting the tunnels, right?).

Good luck!

whitepaws
  • Thanks for the ideas, I actually did the second one and it was working until the Amazon VM crashed for no reason while I was away, and that caused the tunnel to fall. I'm thinking of having an instance just for that, keeping connections alive, but there must be a better way. – Asfura Nov 19 '13 at 17:53
  • Just wondering, did you ever find a better way to do this? Facing the same issue... @Asfura – ElasticThoughts May 23 '15 at 02:08
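An added example (not from the question or either answer) that implements the cron keepalive from the second answer: it derives the VPC DNS resolver address (VPC network address + 2) from the VPC CIDR and sends a single DNS query, or a ping as fallback, to it. The VPC CIDR, the query name, and the script path in the crontab comment are assumed placeholders.

```sh
#!/bin/sh
# Added example, not from the question or answers: a cron keepalive that
# targets the VPC DNS resolver (VPC network address + 2), which is present
# even when every instance in the VPC is stopped. The CIDR and query name
# used below are assumed placeholders.

# Print the VPC DNS resolver for a CIDR, e.g. 172.20.0.0/16 -> 172.20.0.2
vpc_dns_ip() {
    ip="${1%/*}"
    prefix="${1#*/}"
    # Split the dotted quad into octets and pack them into one integer.
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Network mask: the top $prefix bits set, truncated to 32 bits.
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    dns=$(( (n & mask) + 2 ))
    printf '%d.%d.%d.%d\n' \
        $(( (dns >> 24) & 255 )) $(( (dns >> 16) & 255 )) \
        $(( (dns >> 8) & 255 ))  $(( dns & 255 ))
}

# Send one probe across the tunnel. A DNS query is preferred because the
# resolver will answer it; ICMP is the fallback. The exit status is always 0:
# only the traffic matters for keeping the SAs alive, not the reply.
keepalive_probe() {
    target="$1"
    if command -v dig >/dev/null 2>&1; then
        dig +time=2 +tries=1 @"$target" amazonaws.com A >/dev/null 2>&1
    else
        ping -c 1 -W 2 "$target" >/dev/null 2>&1   # -W is GNU ping's timeout
    fi
    return 0
}

# Example crontab line (assumed VPC CIDR 172.20.0.0/16 and script path):
# * * * * * /usr/local/bin/vpn-keepalive.sh
# where the script body ends with:
#   keepalive_probe "$(vpc_dns_ip 172.20.0.0/16)"
```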