Cisco ASA and Keepalives

cisco
gre
asa

(Lior) #1

Hello community!
Does anyone have experience with passing Cisco router GRE keepalives through an ASA firewall performing NAT?

We are seeing a strange issue: the keepalives keep failing. It appears that the NAT is performed somewhat partially and not on the state the keepalive packets, despite them going through the GRE tunnel.

Has anyone come across this?

Thx!


(Scott Bullock) #2

Hi Lior,
Cisco ASA (I think all firewalls actually) don’t have an ALG for NAT
keepalive; this means the keepalive packets cannot traverse NAT.

The solution is to disable keepalives and use only IPSLA when GRE is behind
a NAT.

Cheers,
@skottieb


(Lior) #3

Hi Skotie and thank you!
By any chance would you know of any documentation to back this up?


(Scott Bullock) #4

IPSLA examples can be found here -->
https://help.zscaler.com/zia/best-practices-deploying-gre-tunnels

Keepalives and NAT incompatibility is more a general knowledge thing, best
speak to your NAT device manufacturer for info on their ability to support
GRE (IP Protocol 47) Keepalive ALG.

Cheers,
Scott-
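
The failure discussed in this thread, as an added example that is not part of the original posts: it builds a GRE keepalive, applies source NAT to the outer header only (no keepalive ALG), and shows where the peer sends the reflected packet. It assumes the usual Cisco keepalive layout (an inner IP packet pre-addressed from the peer back to the sender's own tunnel source, carrying GRE protocol type 0); all addresses and function names are constructed for illustration.

```python
import socket
import struct

GRE_PROTO = 47  # IP protocol number for GRE

def ip_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 for this illustration
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_header(proto_type):
    # Basic 4-byte GRE header: no flags, version 0, then the protocol type
    return struct.pack("!HH", 0, proto_type)

def build_keepalive(tunnel_src, tunnel_dst):
    # Inner packet is pre-addressed for the return trip (peer -> sender)
    # and carries GRE with protocol type 0, the keepalive marker.
    inner_gre = gre_header(0x0000)
    inner = ip_header(tunnel_dst, tunnel_src, GRE_PROTO, len(inner_gre)) + inner_gre
    outer_gre = gre_header(0x0800)  # outer GRE says "payload is IPv4"
    outer = ip_header(tunnel_src, tunnel_dst, GRE_PROTO, len(outer_gre) + len(inner))
    return outer + outer_gre + inner

def nat_source(packet, new_src):
    # Source NAT without a GRE keepalive ALG: only the outer source changes
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]

def peer_reflect(packet):
    # Peer strips outer IP (20 bytes) + GRE (4 bytes), routes the inner packet as-is
    return packet[24:]

def addresses(packet):
    # (source, destination) of the outermost IPv4 header
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def simulate(private_src, public_src, peer):
    sent = build_keepalive(private_src, peer)
    on_wire = nat_source(sent, public_src)
    reply = peer_reflect(on_wire)
    return addresses(on_wire), addresses(reply)

if __name__ == "__main__":
    # Constructed addresses: router behind the ASA, its NAT address, the remote peer
    outer, reply = simulate("10.1.1.2", "203.0.113.10", "198.51.100.20")
    print("outer header after NAT:", outer)
    print("reflected keepalive   :", reply)
```

The reflected packet is addressed to the untranslated private tunnel source, so it never reaches the NAT device's public address and the router's keepalive counter expires.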