Basic LAN to LAN VPN Questions

Mar 14th, 2008

Hi, we've got several Internet IPSec/ISAKMP VPNs. HQ is using a VPN3030 Concentrator and the remote sites are using PIX 501s. Looking at the session statistics on the VPN3030, some of the tunnels stay up for days and some won't stay up for more than a few hours.

I've got a couple of questions:

1). Should traffic from either side bring the tunnel up?

2). When the tunnel comes up, should it stay up for a certain number of hours even if there is no more traffic sent? I.e. if the tunnel is brought up by a ping, will it stay up? Or more specifically, should it stay up? And if it goes down after an hour or so on a regular basis, then should I be investigating the remote site's DSL line Internet connection as the first port of call?


Thanks.

JORGE RODRIGUEZ Sat, 03/15/2008 - 15:11

I looked this up for you. On your VPN 3030, check the IKE keepalive configuration for both the tunnels that stay up for days and the tunnels that drop in time, and compare their keepalive configuration. I would suspect that for the tunnels that dropped in time, if there is no activity, it could be that there is no keepalive configured on them. I could be wrong about your problem, but it is worth checking.


On the concentrator go to:

Configuration / User Management / Groups, then select the tunnel in question, select the IPSec tab and look at whether IKE keepalive is checked or unchecked.



See VPN 3030 IKE keepalive for more information:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00800dc700.html#1685475


On PIX/ASA firewalls, see isakmp keepalive:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution4



HTH


Rgds

Jorge

Peter.D.Brown Mon, 03/17/2008 - 10:36
User Badges:

Thanks for the reply Jorge,

Yes, I had configured keepalives on all of them a couple of weeks ago because one of them was going down and staying down for hours. Now it goes down but usually comes back up in between a few seconds and a minute or so. I'm thinking that the DSL line is problematic and will now troubleshoot that.


Pete.
