Basic LAN to LAN VPN Questions

Unanswered Question
Mar 14th, 2008

Hi, we've got several Internet IPSec/ISAKMP VPNs. HQ is using a VPN3030 Concentrator and the remote sites are using Pix 501s. Looking at the session statistics on the VPN3030 some of the tunnels stay up for days and some won't stay up for more than a few hours.

I've got a couple of questions:

1). Should traffic from either side bring the tunnel up?

2). When the tunnel comes up should it stay up for a certain number of hours even if there is no more traffic sent? i.e. if the tunnel is brought up by a ping will it stay up? Or more specifically should it stay up? And if it goes down after an hour or so on a regular basis then should I be investigating the remote site's DSL line Internet connection as the first port of call?

Thanks.

JORGE RODRIGUEZ Sat, 03/15/2008 - 15:11

I looked this up for you. On your VPN 3030, check the IKE keepalive configuration for both the tunnels that stay up for days and the tunnels that drop in time, and compare their keepalive configuration. I would suspect that for the tunnels that dropped in time, if there is no activity, it could be that there is no keepalive configured on them. I could be wrong about your problem, but it is worth checking.

On the concentrator go to:

Configuration / User Management / Groups, then select the tunnel in question, select the IPSec tab and look for whether IKE keepalive is checked or unchecked.

VPN 3030 IKE keepalive, for more information:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00800dc700.html#1685475

On PIX/ASA firewalls, see isakmp keepalive:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution4

HTH

Rgds

Jorge

Peter.D.Brown Mon, 03/17/2008 - 10:36

Thanks for the reply Jorge,

Yes, I had configured keepalives on all of them a couple of weeks ago because one of them was going down and staying down for hours. Now it goes down but usually comes back up in between a few seconds and a minute or so. I'm thinking that the DSL line is problematic and will now troubleshoot that.

Pete.
