IPSEC Tunnel stops responding

Unanswered Question
Feb 28th, 2007

Hi, we have a problem with an IPSec tunnel between our Cisco 1812 and a partner's Cisco router. Three times in the last two months the tunnel has stopped responding, in that we can no longer access the server at the partner's site or ping it. When we check our router it states the VPN connection is up and tests OK. We have found that cycling the power on our router fixes this issue. Unfortunately the link is business critical and we have little time to diagnose the problem. I can't see anything in the Cisco logs relating to the VPN. I was wondering if this could be a problem at our partner's end, and any advice on how to diagnose this problem next time it happens would be greatly appreciated.

Stephen Weightman

Kamal Malhotra Wed, 02/28/2007 - 02:56

Hi Stephen,

What we are experiencing could be related to the lifetime not matching. If the tunnel on our router shows up but it does not work, then there is a possibility that it is not up on their end. So this is how we should proceed in this:

1. When the problem occurs, you need to first check the tunnel status by issuing the command :

sh cry isak sa

What we are looking for is the source ip, dest ip, and status.

2. If it shows up on both the routers then we need to look into the ipsec SAs:

sh cry ipsec sa peer

We are looking for the status of the tunnel. The specific information to look for is the pkts encaps and decaps, inbound ESP SA and outbound ESP SA. Please be informed that it has to be done on both the routers.

3. Another thing to check is when this problem occurs, do we see the pkts encaps increasing on our router.

4. If we see the tunnel up on our end but down on their end, does the problem go away if we just clear the SAs instead of rebooting the router.

5. Another thing to look for is the IPSEC SA lifetime in the show run. It should match.

HTH,

Please rate if it helps,

Regards,

Kamal

SilverFox5150 Thu, 03/29/2007 - 01:10

Hey Kamal

I think I have found the problem. The Security Lifetime at our end is set to 1 hour and 4GB, but the other end was just 1 hour. My assumption is that after about 30 days the 4GB limit would be reached, resetting our connection. I plan to remove the 4GB lifetime.

Thanks for the help.

Stephen Weightman
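As an added example (not code from this thread, from Cisco, or from either poster), the Python script below automates the checks Kamal lists in steps 2 to 5 and the lifetime comparison Stephen ended up doing by hand: it parses two copies of `show crypto ipsec sa` taken a minute apart on our router, reports whether the #pkts encaps and #pkts decaps counters are both advancing and whether inbound and outbound ESP SAs exist, and compares the `crypto ipsec security-association lifetime` lines from each end's `show run`. The command output and config lines embedded in it are constructed to resemble IOS 12.x output; the addresses, SPIs, counters and crypto map name are made up. Where a lifetime line is absent from the config, the script assumes the IOS defaults of 3600 seconds and 4608000 kilobytes.

```python
"""Automate the tunnel-health checks discussed in the thread.

Constructed sample data: the `show crypto ipsec sa` excerpt and the `show run`
lines below are made up to resemble IOS 12.x output; addresses, SPIs and
counters are not from any real router.
"""
import re

ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
LIFETIME_RE = re.compile(
    r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)")

# Assumed IOS defaults, used when `show run` carries no explicit lifetime line.
IOS_DEFAULT_LIFETIMES = {"seconds": 3600, "kilobytes": 4608000}

# Constructed first snapshot of `show crypto ipsec sa peer 198.51.100.20`.
SNAPSHOT_T0 = """\
interface: FastEthernet0
    Crypto map tag: partner-map, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 198.51.100.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 48210, #pkts encrypt: 48210, #pkts digest: 48210
    #pkts decaps: 47990, #pkts decrypt: 47990, #pkts verify: 47990

     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4194210/2710)

     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4194205/2710)
"""

# Constructed second snapshot a minute later: we keep encrypting and sending
# (encaps rises), but nothing comes back from the peer (decaps is flat).
SNAPSHOT_T1 = (SNAPSHOT_T0
               .replace("#pkts encaps: 48210", "#pkts encaps: 48950")
               .replace("#pkts encrypt: 48210", "#pkts encrypt: 48950"))

# Constructed `show run | include crypto ipsec` from each end. Ours sets an
# explicit 4GB (4194304 KB) volume lifetime; the partner's config has none,
# so the IOS default applies there.
OUR_RUN = """\
crypto ipsec security-association lifetime kilobytes 4194304
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set PARTNER esp-3des esp-sha-hmac
"""
THEIR_RUN = """\
crypto ipsec transform-set PARTNER esp-3des esp-sha-hmac
"""


def parse_ipsec_sa(text):
    """Return encaps/decaps counters and the SPIs of inbound/outbound ESP SAs."""
    encaps = ENCAPS_RE.search(text)
    decaps = DECAPS_RE.search(text)
    result = {
        "encaps": int(encaps.group(1)) if encaps else 0,
        "decaps": int(decaps.group(1)) if decaps else 0,
        "inbound_spis": [],
        "outbound_spis": [],
    }
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("inbound esp sas"):
            section = "inbound_spis"
        elif s.startswith("outbound esp sas"):
            section = "outbound_spis"
        elif s.endswith("sas:"):      # ah/pcp sections: not of interest here
            section = None
        m = SPI_RE.search(s)
        if m and section:
            result[section].append(m.group(1).upper())
    return result


def classify(before, after):
    """Compare two snapshots from our router and name the failure pattern.

    sa-missing-local: no ESP SA on our side at all, so the tunnel is down here too.
    one-way-peer-not-returning: we encapsulate and send but receive nothing; the
        peer has most likely lost its SA (the 'up here, down there' case).
    bidirectional: the SA carries traffic both ways; look at routing/ACLs instead.
    no-traffic-offered: nothing is hitting the crypto map on our side.
    """
    if not after["outbound_spis"] or not after["inbound_spis"]:
        return "sa-missing-local"
    enc_up = after["encaps"] > before["encaps"]
    dec_up = after["decaps"] > before["decaps"]
    if enc_up and not dec_up:
        return "one-way-peer-not-returning"
    if enc_up and dec_up:
        return "bidirectional"
    return "no-traffic-offered"


def parse_lifetimes(running_config):
    """Pull the global IPsec SA lifetimes out of `show run`, defaulting when absent."""
    lifetimes = dict(IOS_DEFAULT_LIFETIMES)
    for unit, value in LIFETIME_RE.findall(running_config):
        lifetimes[unit] = int(value)
    return lifetimes


def lifetime_mismatches(ours, theirs):
    """List the lifetime units (seconds/kilobytes) on which the two ends differ."""
    return [u for u in ("seconds", "kilobytes") if ours[u] != theirs[u]]


if __name__ == "__main__":
    state = classify(parse_ipsec_sa(SNAPSHOT_T0), parse_ipsec_sa(SNAPSHOT_T1))
    print("tunnel state:", state)
    print("lifetime mismatches:",
          lifetime_mismatches(parse_lifetimes(OUR_RUN), parse_lifetimes(THEIR_RUN)))
```

To use it on a live incident, paste the two `show crypto ipsec sa` outputs in place of the constructed snapshots and run the same comparison on the partner's router; if our side reports one-way traffic while theirs shows no SA for our peer address, that matches the "up on our end, down on theirs" case, and `clear crypto sa` is the less disruptive test to try before cycling power. The volume lifetime check only flags a difference between the two configs; whether a 4GB volume lifetime is actually what is tearing down the SA is something the `remaining key lifetime (k/sec)` line, captured shortly before each outage, would confirm.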
