VPN often hanging up

Unanswered Question
Mar 23rd, 2007

Dear friends,

I have the following scenario:

2 site-to-site VPNs. The first one is established between a 2801 and a 1841, both using Advanced IP Services (versions right below). The second one is established between the same previous 2801 and a PIX 515E.

The VPN between the two routers is ok, but that one between the 2801 and the PIX is frequently hanging up. To put it up, I have to remove the crypto map from the router's outside interface and put it again.

What could be the cause of this??? These are the versions of softwares running on my boxes:

. 1841 -> Advanced IP Services - 12.4(9)T1

. 2801 -> Advanced IP Services - 12.4(9)T

. PIX 515E -> 7.0(2)

Regards!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Kamal Malhotra Fri, 03/23/2007 - 06:46

Hi,

The problem that you are facing could be caused by the IPSEC SA lifetimes. The default SA lifetime on the router is 3600 seconds (1 hour) and the default IPSEC SA lifetime on the PIX is 28800 seconds (8 hours). So please make sure that they are the same on othe the boxes. To confirm you can use the following command on the router:

show crypto ipsec security-association lifetime

When you type 'sh run cry map' on the PIX and don't see any specific lifetime configured then it is indicative that we are using the default lifetime. You can either configure 28800 on the router for the specific tunnel under the crypto map or 3600 on the PIX for the specific tunnel under the crypto map.

HTH,

Please rate if it helps,

Regards,

Kamal

mauricioharley Fri, 03/23/2007 - 07:44

Kamal,

I configured this in my boxes and I'll wait until the end of today to see the results. I would answer you about the progress.

Thanks!

mauricioharley Mon, 03/26/2007 - 10:28

Hi, Kamal,

I did what you asked me. The VPN seemed to be ok during the weekend. However, the day (this monday) did't start so good. I had to remove and put the crypto map again.

Do you know any bug related to this particular version of IOS software running on 2801 (12.4(9)T)? Should I upgrade it?

Cheers,

Mauricio

Actions

This Discussion