01-29-2019 05:48 PM
We have a tunnel from a PA to a vendor who is using a Cisco ASA.
When there is no interesting traffic the tunnel is down by design; this part is OK.
But today I saw phase 1 as red and phase 2 as green on the GUI.
I ran the test vpn ike command and phase 1 was green,
but I was unable to ping across the tunnel. I see traffic going via the tunnel but no replies.
Then I ran test vpn ipsec
and I was able to ping the LAN device at the other end.
I need to know: when a phase shows down, is it best practice to use the test command for both phase 1 and phase 2?
When both phase 1 and phase 2 show green and you cannot ping across the tunnel (your traffic is going but there is no reply), should we use the test command for phase 1 and phase 2?
01-29-2019 08:17 PM
Phase 1 doesn't need to show as active to still have a tunnel up and running. Essentially Phase 1 is just there to set up a secure channel for Phase 2, and once that association has been made Phase 1 doesn't matter. Therefore, Phase 1 can show as down and the tunnel will still be perfectly operational.
I would honestly guess here that your issue is more to do with not having a tunnel-monitoring profile assigned to the tunnel, which means the PA might not notice if your ASA closes the tunnel due to inactivity. Which means you kind of have two options:
1) Apply a tunnel monitoring profile so your PA actually knows when the ASA side of the tunnel goes down.
2) Configure the ASA so 'vpn-idle-timeout none' is present within the assigned group-policy attributes.
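The ASA side of option 2, shown as an added configuration example (not from the original thread or from either vendor's documentation): the default idle timeout that tears the tunnel down silently next to the corrected group-policy. The peer address 203.0.113.10 and the policy name are constructed placeholders.

```cisco
! --- Before: default idle timeout (30 minutes) ---
! When no traffic crosses the tunnel for 30 minutes the ASA deletes the
! IPsec SA. Without tunnel monitoring the PA keeps its own SA and keeps
! sending traffic into a tunnel the peer no longer has, so pings go
! out and nothing comes back.
group-policy GroupPolicy_203.0.113.10 internal
group-policy GroupPolicy_203.0.113.10 attributes
 vpn-tunnel-protocol ikev1 ikev2
 vpn-idle-timeout 30

! --- After: disable the idle timeout for this site-to-site peer ---
group-policy GroupPolicy_203.0.113.10 internal
group-policy GroupPolicy_203.0.113.10 attributes
 vpn-tunnel-protocol ikev1 ikev2
 vpn-idle-timeout none

! The group-policy only takes effect if it is the default policy of the
! tunnel-group for this peer; verify the binding as well.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GroupPolicy_203.0.113.10
```

After the change, 'show running-config group-policy GroupPolicy_203.0.113.10' on the ASA should list 'vpn-idle-timeout none'; if the vendor prefers to keep the idle teardown, option 1 (a tunnel-monitor profile on the PA) is the fix on your side instead.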
01-29-2019 08:20 PM
We do not have tunnel monitoring set up, as the Cisco side is configured for tunnel down after a 30 minute idle timeout.
Will ask the vendor to configure the ASA so 'vpn-idle-timeout none' is set.