Introduction
An existing VPN tunnel requires active traffic every so often to stay up. If the tunnel is used for backup purposes and traffic is generated only once per day, the tunnel will most likely remain down until new traffic is generated.
If you want to avoid this behavior, you can use IP SLA to generate traffic across the tunnel and keep the connection up.
Requirements
Cisco IOS running 12.x and above
Cisco ASA running 8.4 and above
Topology
Scenario
In this example, IP SLA is configured on the router at Site A. The SLA will ping the IP address 192.168.0.1 at the remote site from interface FastEthernet 0/1, which has an IP address that is part of the interesting traffic for this VPN.
The ping will be triggered every 5 minutes with a timeout of 3 seconds.
Configuration Required
Site A Configuration
Router(config)# ip sla 1
Router(config-ip-sla)# icmp-echo 192.168.0.1 source-interface fa0/1
Router(config-ip-sla-echo)# frequency 300
Router(config-ip-sla-echo)# timeout 3000
Router(config)# ip sla schedule 1 life forever start-time now
Using the previous topology and the same concept, we can configure IP SLA for the same purpose on the ASA.
The only ASA limitation with IP SLA is that we cannot choose the source interface of the ICMP echo packet; the ASA can only determine the egress interface for the packet. Keeping this in mind, the outside interface of the ASA must be part of the interesting traffic for this design to work properly. Another option is to initiate the IP SLA from a device behind the ASA, a router or switch for example.
ASA configuration
ASA(config)# sla monitor 123
ASA(config-sla-monitor)# type echo protocol ipIcmpEcho 192.168.0.1 interface outside
ASA(config-sla-monitor-echo)# num-packets 3
ASA(config-sla-monitor-echo)# frequency 300
ASA(config-sla-monitor-echo)# threshold 3000
ASA(config)# sla monitor schedule 123 life forever start-time now
Hope it helps
-Randy-
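The keepalive only brings the tunnel up if the probe's source and destination both match the interesting traffic, which is the condition stated for FastEthernet 0/1 and for the ASA outside interface above. The following check is an added example, not part of the original post; the ACL entries and the source addresses 10.10.10.1 and 203.0.113.2 are constructed sample values, and only 192.168.0.1 comes from the page.

```python
import ipaddress

# Constructed crypto ACLs (interesting traffic). IOS writes wildcard masks,
# ASA writes subnet masks; ipaddress.ip_network() accepts both forms.
IOS_ACL = ["permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255"]
ASA_ACL = ["access-list VPN extended permit ip 10.10.10.0 255.255.255.0 "
           "192.168.0.0 255.255.255.0"]
# Same ASA ACL after adding the (constructed) outside interface address.
ASA_ACL_FIXED = ASA_ACL + [
    "access-list VPN extended permit ip 203.0.113.2 255.255.255.255 "
    "192.168.0.0 255.255.255.0"
]


def parse_entry(line):
    """Return (source_net, dest_net) from a 'permit ip net mask net mask' entry."""
    tok = line.split()
    i = tok.index("permit")  # skips an 'access-list NAME extended' prefix
    if tok[i + 1] != "ip" or len(tok) - i != 6:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src = ipaddress.ip_network(f"{tok[i + 2]}/{tok[i + 3]}")
    dst = ipaddress.ip_network(f"{tok[i + 4]}/{tok[i + 5]}")
    return src, dst


def probe_is_interesting(acl, probe_src, probe_dst):
    """True if the ICMP probe (src -> dst) matches any crypto ACL entry."""
    src = ipaddress.ip_address(probe_src)
    dst = ipaddress.ip_address(probe_dst)
    return any(src in s and dst in d for s, d in map(parse_entry, acl))


if __name__ == "__main__":
    cases = [
        ("router, sourced from fa0/1", IOS_ACL, "10.10.10.1"),
        ("ASA, sourced from outside", ASA_ACL, "203.0.113.2"),
        ("ASA, outside IP added to ACL", ASA_ACL_FIXED, "203.0.113.2"),
    ]
    for name, acl, src in cases:
        ok = probe_is_interesting(acl, src, "192.168.0.1")
        print(f"{name}: {'keeps tunnel up' if ok else 'probe is not interesting traffic'}")
```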