Cisco ASA VPN – How to Keep an ASA Tunnel Up for Lifetime?

Tags: cisco, cisco-asa, ipsec, vpn

We have a Cisco ASA and at the remote end I have no idea what the device is. This is what is happening:

When I send a packet or generate interesting traffic, it brings up the tunnel and everything starts working. The problem is that the remote end doesn't have an interesting traffic trigger and they won't be able to ping my machine until I send a packet and bring the tunnel up.

I did set SLA to generate interesting traffic but we have multiple subnets and every subnet creates its own tunnel.

This is what we have in the ACL at my side to generate interesting traffic:

Object group name - NET-REMOTE - 172.16.x.x/16

Here is the ACL:

access-list ACL-VPN extended permit ip 71.x.x.x 255.255.255.0 object-group NET-REMOTE
access-list ACL-VPN extended permit ip 61.x.x.x 255.255.254.0 object-group NET-REMOTE
access-list ACL-VPN extended permit ip 10.x.x.x 255.255.0.0 object-group NET-REMOTE

Here is the SLA statement:

sla monitor 10
 type echo protocol ipIcmpEcho 172.16.1.1 interface outside
 frequency 30

I can see that my isakmp policy lifetime is 86400 (24 hours), but my tunnel is still getting torn down in a few minutes:

crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400

At present, I have set up a continuous ping from one of my hosts to keep the tunnel up, but this is not a good solution.

There must be a way to do this better.

Best Answer

You should be able to disable this in the group policy attributes.

group-policy "policy_name" attributes
 vpn-idle-timeout none
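Added here as an illustration, not part of the original answer and not taken from the asker's device: the default group-policy idle timeout beside the corrected policy, the binding of that policy to the site-to-site tunnel-group, and the show commands used to confirm the session stays up. The policy name GP-SITE-REMOTE and the peer address 203.0.113.10 are placeholders.

```cisco
! Before: a group policy left at ASA defaults. The idle timeout
! (30 minutes by default) tears down the L2L SA once no traffic
! matches ACL-VPN, so the tunnel only exists while one side
! generates interesting traffic.
group-policy GP-SITE-REMOTE internal
group-policy GP-SITE-REMOTE attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1
!
! After: disable the idle timeout so inactivity no longer drops the
! SA. The IKE and IPsec lifetimes still drive rekeys, but a rekey
! does not bring the tunnel down. vpn-session-timeout none also
! removes the absolute session limit, so the tunnel persists until
! a peer or an administrator clears it.
group-policy GP-SITE-REMOTE attributes
 vpn-idle-timeout none
 vpn-session-timeout none
!
! Bind the policy to the L2L tunnel-group for the remote peer
! (203.0.113.10 is a placeholder address).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-SITE-REMOTE
!
! Verify: the L2L session should now remain listed even after the
! continuous ping is stopped.
show vpn-sessiondb l2l
show crypto ipsec sa peer 203.0.113.10
```

Check the Duration and Idle columns in `show vpn-sessiondb l2l` after stopping the ping; with the idle timeout disabled the session should not be torn down for inactivity.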