IPsec VPN tunnels losing adjacency to central site

Unanswered Question
Aug 22nd, 2008

We have IPSec VPN from 106 remote offices to the central site. 3 core routers running 2800s, and remote sites are running Cisco 1711. We have 3 tunnels to three different core routers at head office via three different ISPs. Remote sites are using one ISP for the DSL connection. I am noticing that, regardless of the time of day, random sites, sometimes over 60 and 70, terminate tunnels to the core routers for 10 sec or so, then lose OSPF adjacencies and re-establish them after 10 seconds. I investigated this issue with Cisco, yet no result; all of my ISPs say that they don't see any connection drop, even for a few seconds, on the head end.

Giuseppe Larosa Sat, 08/23/2008 - 00:16

Hello Khurram,

we are experiencing similar troubles with a pair of Cisco 7206VXR with Stateful IPsec over them.

We opened a TAC service request two months ago and we are still working on it.

Do you use stateful IPsec on your core routers?

Best Regards


khurrammateen Sat, 08/23/2008 - 09:10

Hello Giuseppe

My apologies, as I am not quite sure what you mean by stateful IPSec? I am sort of a rookie with VPN technologies. Isn't IPSec a layer 3 technology, while stateful and stateless are more a concept of layer 4? Meaning UDP is stateless and TCP is stateful, meaning it has states, for example SYN, PSH, RST and ACK; they define a specific state, hence that communication is called stateful.

Can you be more clear on that?

Giuseppe Larosa Sat, 08/23/2008 - 09:25

Hello Khurram,

Stateful IPSec is a technology that emulates the behaviour of a pair of PIX or ASA firewall with stateful failover.

IPSec sessions are terminated over the HSRP VIP address on the public interface.

The router that is HSRP active on both the public and private interfaces actually builds the IPSec sessions and forwards and receives traffic.

The standby router has knowledge of all the SAs (security associations), so that if the active node fails it can take over its role with minimal out-of-service time.

The two routers share this info with an inter-device communication.

However, in our case this feature doesn't work correctly: every day we have random losses of connectivity to remote sites.

Also the communication has some troubles and the two routers don't exchange the state info of security associations.

I've seen a similar scenario, so I've asked you if you are using stateful IPsec.

Best Regards


khurrammateen Sat, 08/23/2008 - 09:30

Oh, I see what you are saying; the answer to that question is no. We have no IPSec stateful failover. I think you mean HSRP with SSO, so yeah, we don't have any stateful failover. Sorry, I totally misunderstood your question :)

khurrammateen Sat, 08/23/2008 - 09:26

Hi again

Just to add on that thought: we are running GRE over IPsec, whose header is much larger than the original header. My remote routers are sitting at 1000 MTU. I am starting to think maybe the configuration is wrong and I need to increase my MTU size to 1512 bytes rather than 1000 bytes. Because if the MTU is less, the packet will be fragmented, which could cause some parameters of IPSec to behave strangely, hence dropping the connection. What do you think?
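To put numbers on the GRE over IPsec overhead discussed in this post, here is an added calculator (example code, not from the thread or from Cisco) that computes the on-the-wire size of an inner packet after GRE and ESP encapsulation, and the largest inner packet that fits a given link MTU without fragmenting the ESP packet. It assumes IPv4 without options, GRE without key/sequence fields, ESP-3DES or ESP-AES in CBC mode with HMAC-MD5-96 or HMAC-SHA1-96, and a 1500-byte DSL link as the sample input.

```python
# Added example: GRE over IPsec overhead and fragmentation check.
# Assumptions: IPv4 headers without options, GRE with no key/sequence,
# ESP CBC ciphers (3DES/AES) with 96-bit truncated HMAC integrity.

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # GRE header, no key or sequence number
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
# cipher -> (IV length, block size the ESP payload is padded to)
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}
# integrity algorithm -> ICV length (both HMAC-*-96 variants truncate to 12 bytes)
ICV = {"md5": 12, "sha1": 12}


def esp_encrypted_len(plain_len: int, cipher: str) -> int:
    """IV plus plaintext, trailer and padding rounded up to the cipher block size."""
    iv_len, block = CIPHERS[cipher]
    padded = -(-(plain_len + ESP_TRAILER) // block) * block   # ceil to block size
    return iv_len + padded


def gre_ipsec_size(inner_len: int, cipher="3des", auth="sha1", mode="tunnel") -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes after GRE + ESP."""
    gre_packet = IP_HDR + GRE_HDR + inner_len      # delivery IP header + GRE + original packet
    if mode == "tunnel":
        protected = gre_packet                     # whole GRE packet is encrypted, new outer IP
    elif mode == "transport":
        protected = gre_packet - IP_HDR            # delivery IP header is reused as the outer header
    else:
        raise ValueError(f"unknown ESP mode: {mode}")
    return IP_HDR + ESP_HDR + esp_encrypted_len(protected, cipher) + ICV[auth]


def max_inner_mtu(link_mtu: int, cipher="3des", auth="sha1", mode="tunnel") -> int:
    """Largest inner packet whose encapsulated form still fits link_mtu (no ESP fragmentation)."""
    inner = link_mtu
    while inner > 0 and gre_ipsec_size(inner, cipher, auth, mode) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_clamp(link_mtu: int, **kw) -> int:
    """MSS to clamp on the tunnel so a full-size TCP segment never fragments (IP + TCP = 40)."""
    return max_inner_mtu(link_mtu, **kw) - 2 * IP_HDR


if __name__ == "__main__":
    for inner in (1000, 1422, 1500, 1512):   # constructed sample inner packet sizes
        size = gre_ipsec_size(inner)
        verdict = "fits" if size <= 1500 else "fragments"
        print(f"inner {inner:4d} -> {size} bytes on the wire, {verdict} on a 1500-byte link")
    print("largest inner packet for a 1500-byte link:", max_inner_mtu(1500))
    print("suggested TCP MSS clamp:", tcp_mss_clamp(1500))
```

Whether the remote routers' link is really 1500 bytes depends on the DSL encapsulation (PPPoE takes 8 more bytes), so substitute the measured link MTU before trusting the result.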

khurrammateen Sat, 08/23/2008 - 15:38

Thanks for the reply. Do you know how to use the segment here which is called "ask the expert"? How can I post the same question to one of these experts?
