IPsec VPN tunnels losing adjacency to central site

Unanswered Question
Aug 22nd, 2008

We have IPsec VPN from 106 remote offices to a central site. Three core routers running 2800s, and the remote sites are running Cisco 1711s. We have three tunnels to three different core routers at the head office via three different ISPs. Remote sites are using one ISP for the DSL connection. I am noticing that, regardless of the time of day, random sites, sometimes over 60 or 70, terminate tunnels to the core routers for 10 sec or so, then lose OSPF adjacencies and re-establish them after 10 seconds. I investigated this issue with Cisco, yet no result; all of my ISPs say that they don't see any connection drop, even for a few seconds, on the head end.

Giuseppe Larosa Sat, 08/23/2008 - 00:16

Hello Khurram,

We are experiencing similar troubles with a pair of Cisco 7206VXRs with stateful IPsec over them.

We opened a TAC service request two months ago and we are still working on it.

Do you use stateful IPsec on your core routers?


Best Regards

Giuseppe

khurrammateen Sat, 08/23/2008 - 09:10

Hello Giuseppe


My apologies, as I am not quite sure what you mean by stateful IPsec; I am sort of a rookie with VPN technologies. Isn't IPsec a layer 3 technology, while stateful and stateless are more of a layer 4 concept? Meaning UDP is stateless and TCP is stateful, meaning it has states, for example SYN, PST, RST and ACK; they define a specific state, hence that communication is called stateful.

Can you be more clear on that?

Giuseppe Larosa Sat, 08/23/2008 - 09:25

Hello Khurram,

Stateful IPsec is a technology that emulates the behaviour of a pair of PIX or ASA firewalls with stateful failover.


IPsec sessions are terminated on the HSRP VIP address on the public interface.

The router that is HSRP active on both the public and private interfaces actually builds the IPsec sessions and forwards and receives traffic.

The standby router has knowledge of all the SAs (security associations), so that if the active node fails it can take over its role with minimal out-of-service time.

The two routers share this info with an inter-device communication.


However, in our case this feature doesn't work correctly: every day we have random losses of connectivity to remote sites.

Also the inter-device communication has some troubles, and the two routers don't exchange the state info of the security associations.


I've seen a similar scenario, so I asked you whether you are using stateful IPsec.


Best Regards

Giuseppe


khurrammateen Sat, 08/23/2008 - 09:30

Oh, I see what you are saying; the answer to that question is no. We have no IPsec stateful failover. I think you mean HSRP with SSO, so yeah, we don't have any stateful failover. Sorry, I totally misunderstood your question :)

khurrammateen Sat, 08/23/2008 - 09:26

Hi again


Just to add to that thought: we are running GRE over IPsec, whose header is much larger than the original header. My remote routers are sitting at 1000 MTU. I am starting to think maybe the configuration is wrong and I need to increase my MTU size to 1512 bytes rather than 1000 bytes, because if the MTU is less, the packet will be fragmented, which could cause some parameters of IPsec to behave strangely, hence dropping the connection. What do you think?


Giuseppe Larosa Sat, 08/23/2008 - 09:53

Hello Khurram,

You can increase the MTU up to 1300 bytes.

But actually all this is done to avoid fragmentation, so it is the opposite: if all devices, including end users, agree on a 1300-byte MTU on the LANs, the routers never fragment, and this is good.


see

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#iose


Hope to help

Giuseppe

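The two posts above trade MTU figures (1000, 1512, 1300) without showing where the GRE-over-IPsec overhead actually comes from. The following is an added example, written for this thread and not code from the original posts or from Cisco: it computes the on-the-wire size of one inner IP packet after GRE and ESP encapsulation and the largest inner packet that a given link MTU can carry without the router fragmenting the encrypted packet, which is the value to put in `ip mtu` on the tunnel interface, with `ip tcp adjust-mss` set 40 bytes lower. It assumes ESP (not AH), IPv4 headers without options, GRE without the optional key/sequence/checksum fields (the IOS default), and the standard ESP transform sizes listed in the tables; the 1492-byte link stands in for a PPPoE DSL circuit and is an assumption about the remote sites, not something the thread states.

```python
"""GRE-over-IPsec size budget (added example, not from the thread or from Cisco).

Assumptions: ESP only (no AH), IPv4 headers without options, GRE without
key/sequence/checksum fields, and the standard ESP transform sizes below.
"""

IPV4_HDR = 20
GRE_HDR = 4          # base GRE header; key, sequence and checksum add 4 bytes each
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
# authenticator -> ICV length (truncated HMAC)
ESP_AUTH = {"md5-hmac": 12, "sha-hmac": 12, "sha256-hmac": 16, "none": 0}
# cipher -> (IV length, block size the plaintext is padded to)
ESP_CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16), "esp-null": (0, 4)}


def gre_len(inner_len, key=False, seq=False, checksum=False):
    """Size of the GRE/IP packet that carries an inner IP packet of inner_len bytes."""
    return IPV4_HDR + GRE_HDR + 4 * (key + seq + checksum) + inner_len


def wire_len(inner_len, cipher="aes-cbc", auth="sha-hmac", tunnel=True):
    """Bytes the router transmits for an inner IP packet of inner_len bytes.

    tunnel=True : ESP tunnel mode, a new outer IP header is added.
    tunnel=False: ESP transport mode, the GRE packet's own IP header is reused
                  and only the GRE header plus the inner packet is encrypted.
    """
    iv_len, block = ESP_CIPHERS[cipher]
    gre = gre_len(inner_len)
    protected = gre if tunnel else gre - IPV4_HDR
    pad = (-(protected + ESP_TRAILER)) % block      # ESP pads up to the cipher block size
    return IPV4_HDR + ESP_HDR + iv_len + protected + pad + ESP_TRAILER + ESP_AUTH[auth]


def max_inner_mtu(link_mtu, **transform):
    """Largest inner packet whose encrypted form still fits link_mtu.

    This is the value for 'ip mtu' on the tunnel interface. wire_len grows
    monotonically with the inner size, so a downward scan finds it.
    """
    for inner in range(link_mtu, IPV4_HDR, -1):
        if wire_len(inner, **transform) <= link_mtu:
            return inner
    raise ValueError("link MTU %d is too small for the encapsulation overhead" % link_mtu)


def tcp_mss(tunnel_mtu):
    """MSS to clamp with 'ip tcp adjust-mss': tunnel MTU minus IP and TCP headers."""
    return tunnel_mtu - IPV4_HDR - 20


if __name__ == "__main__":
    # link MTUs: Ethernet, and an assumed PPPoE DSL circuit at the remote sites
    for link in (1500, 1492):
        for cipher in ("aes-cbc", "3des-cbc"):
            for tunnel in (True, False):
                m = max_inner_mtu(link, cipher=cipher, auth="sha-hmac", tunnel=tunnel)
                print("link %4d %-8s %-9s -> ip mtu %d, adjust-mss %d (wire %d bytes)"
                      % (link, cipher, "tunnel" if tunnel else "transport",
                         m, tcp_mss(m), wire_len(m, cipher=cipher, tunnel=tunnel)))
    # A full-size inner packet does not fit: the router must fragment it (or,
    # with DF set, drop it and send ICMP fragmentation-needed).
    print("1500-byte inner packet -> %d bytes on the wire" % wire_len(1500))
```

Running it shows that the common `ip mtu 1400` / `ip tcp adjust-mss 1360` pairing fits a 1500-byte link with AES-CBC and SHA-HMAC in tunnel mode (1496 bytes on the wire) and that the exact ceiling there is 1414, while a 1492-byte PPPoE link drops the ceiling to 1398 because ESP pads to the next 16-byte boundary; a 1300-byte tunnel MTU therefore leaves margin on either link, and a 1000-byte one simply wastes payload (1096 bytes on the wire). The value that matters is the one configured on the tunnel or LAN side, not the physical interface MTU; raising the latter above the link's real MTU does not avoid fragmentation.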


khurrammateen Sat, 08/23/2008 - 15:38

Thanks for the reply. Do you know how to use the segment here called "Ask the Expert"? How can I post the same question to one of these experts?


Thanks
