IPSEC tunnel re-establish

chieftan

MIS
Dec 18, 2002
292
GB
Hi

Remote end is 870 series and corp end is 3845.

IPSEC tunnel works fine and is set to be permanently up rather than looking for interesting traffic. The problem arises when the ADSL line goes down and the tunnel drops. When the ADSL line comes back up the tunnel should establish again without manually having to clear crypto sessions and re-establish SAs..... but, for some reason it is not doing this. Does anyone know any issues that may be prevalent across these 2 systems regarding this?

Oh, as an add on, ezVPN is being utilised.
 
I'm guessing it's the timers for your tunnel ...
sample configs I've seen have it at a full hour before checking activity again ..

you might want to play around with that ..

post a config for the 870...


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Here is the IPSEC info from the 870

crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 20 periodic
!
crypto ipsec security-association idle-time 60

crypto ipsec client ezvpn VPN1
 connect auto
 group vpngrp key 6 xxxxxxxxxxxxxxxxxxxx
 mode network-extension
 peer xxx.xxx.xxx.xxx
 username ezvpn-ipstream password 6 xxxxxxxxxxxxxxxxx
 xauth userid mode local

interface Vlan1
 description *** LAN ***
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn VPN1 inside

interface Dialer10
 description *** DIALER WAN INTERFACE TO ADSL ***
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxx
 crypto ipsec client ezvpn VPN1
 
how long does it take for your connection to come back up ?

I see the config is from here:


which looks like the router sends one DPD R_U_THERE message and four retransmissions before it finally deletes the IPSec and IKE SAs.
Maybe try increasing the wait time in between to a full minute to give it a bit longer for the interface to come back up?
crypto isakmp keepalive 30 60 periodic


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
imbadatthis

Thanks. We kind of had a feeling it would be timer / SA issues. The major problem we have though is the following:-

We do not think it is an actual configuration issue as the problem does not occur all the time, sometimes the tunnel comes back okay, sometimes it does not.

We are going to test the timers to see if it helps, but I think, personally, the best way forwards with this is to get historical references. In other words, each time it occurs, document it and get an overall view that may point to the issue in the future.

However, I am going to give you a star for confirming what we thought.
Thanks for your help.
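
The record-keeping described in the last post, sketched as an added example that is not part of the thread: it pairs each ADSL recovery in the router's syslog with the next EzVPN connection-up message and flags recoveries where the tunnel did not return within a window. The log lines are constructed and abridged, and the interface name Virtual-Access2, the five-minute window and the assumed year are assumptions to adjust for the real router.

```python
import re
from datetime import datetime, timedelta

# Constructed, abridged syslog sample (not from the thread); 203.0.113.1 is a documentation address.
SAMPLE_LOG = """\
Mar  3 02:10:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Mar  3 02:10:41: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  Group=vpngrp  Server_public_addr=203.0.113.1
Mar  3 02:14:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Mar  3 02:14:50: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  Group=vpngrp  Server_public_addr=203.0.113.1
Mar  7 23:01:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
Mar  7 23:02:06: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  Group=vpngrp  Server_public_addr=203.0.113.1
Mar  7 23:09:44: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
Mar  7 23:41:02: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  Group=vpngrp  Server_public_addr=203.0.113.1
"""

LINE = re.compile(r"^\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")

def parse(log, wan_iface="Virtual-Access2", year=2024):
    """Yield (timestamp, event) for WAN line-protocol and EzVPN up/down messages."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # IOS timestamps carry no year by default, so one is assumed for parsing.
        ts = datetime.strptime(f"{year} {' '.join(m[1].split())}", "%Y %b %d %H:%M:%S")
        tag, text = m[2], m[3]
        if tag == "LINEPROTO-5-UPDOWN" and f"Interface {wan_iface}," in text:
            yield ts, "wan_" + text.rsplit(" ", 1)[1]
        elif tag.startswith("CRYPTO-6-EZVPN_CONNECTION_"):
            yield ts, "vpn_" + tag.rsplit("_", 1)[1].lower()

def recoveries(log, window=timedelta(minutes=5), **kw):
    """For each WAN recovery, report whether the tunnel re-established within `window`."""
    events = sorted(parse(log, **kw))
    report = []
    for i, (ts, ev) in enumerate(events):
        if ev != "wan_up":
            continue
        vpn_up = None
        for later_ts, later_ev in events[i + 1:]:
            if later_ev == "wan_down":
                break  # line dropped again before the tunnel came back
            if later_ev == "vpn_up":
                vpn_up = later_ts
                break
        delay = (vpn_up - ts).total_seconds() if vpn_up else None
        ok = delay is not None and delay <= window.total_seconds()
        report.append({"wan_up": ts, "delay_s": delay, "auto_recovered": ok})
    return report
```

Run over an archived syslog, the entries with `auto_recovered` set to False give the dates and delays to compare against the DPD and idle-time settings discussed above.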
 