Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1739
Views
5
Helpful
2
Replies

EzVPN client loses connection and doesn't attempt to reconnect

psnead
Level 1
Level 1

‎09-14-2007 07:57 AM - edited ‎03-09-2019 06:49 PM

I have a Cisco 871 router configured as an EzVPN client connecting to a PIX. The router is running latest IOS (c870-advsecurityk9-mz.124-15.T1.bin) and the PIX is running 6.3(5) code.

Every so often, the remote 871 router will drop its VPN connection to the PIX and will not re-attempt to establish it.

I've configured "crypto isakmp keepalive 30 20 periodic" on the 871 and the ezvpn client is configured for "connect auto".

I can connect to the 871's global IP address, so it has Internet connectivity. When I display the crypto ipsec client ezvpn, it tells me that IPSEC is active, yet there are no crypto isakmp sa's or crypto ipsec sa's displayed.

I also have a "debug crypto ipsec client ezvpn" and "debug crypto isakmp" running on the 871, and I see no debugs.

I've tried forcing traffic by pinging from an internal host to the main site, but it doesn't attempt to re-establish the VPN.

I guess what bothers me the most is that the ezvpn client is displaying the "IPSEC_ACTIVE" state, when it really isn't.

Am I missing something here?

I've attached a text file with the 871's configuration. It also has a show version, and the sho crypto commands that I've mentioned.

Thanks in advance for any help.

(P.S. -- Also, if I reboot the router, it automatically re-connects, or I can force it by manually connecting. I just can't seem to have the router itself re-connect on its own.)

1 person had this problem
Labels:
Preview file
8 KB
0 Helpful
2 Replies 2

didyap
Level 6
Level 6

‎09-20-2007 11:09 AM

The reason your ezvpn client is displaying the "IPSEC_ACTIVE" state is because the connection is not properly terminated from remote end (i.e PIX). Make sure you have configured "isakmp keepalive 30 20" on PIX also. By configuring keepalives on both sides, when the tunnel goes down the IPSEC peer will be aware of the tunnel loss and flush all the isakmp and ipsec SA that it has for the previous connection. With this mechanism, when traffic tries to go over the tunnel, both sides will try to rebuild the tunnel and cases of invalid SPI will be avoided.

psnead
Level 1
Level 1
In response to didyap

‎09-20-2007 11:21 AM

Thanks for the reply. I thought I had keepalives configured on the PIX, but on reviewing it, I see that the keepalive statement is missing.

I've added it and I'll see if that resolves my problem.

Thanks again for your help.

0 Helpful
Customers Also Viewed These Support Documents