08-22-2008 06:57 PM - edited 03-06-2019 12:57 AM
We have an IPSec VPN from 106 remote offices to the central site. 3 core routers running 2800 and remote sites are running Cisco 1711. We have 3 tunnels to three different core routers at head office via three different ISPs. Remote sites are using one ISP for DSL connection. I am noticing that regardless of the time of day, random sites, sometimes over 60 and 70, terminate tunnels to core routers for 10 sec or so and then lose OSPF adjacencies and re-establish them after 10 seconds. I investigated this issue with Cisco yet no result; all of my ISPs say that they don't see any connection drop even for a few seconds on the head end.
08-23-2008 12:16 AM
Hello Khurram,
We are experiencing similar troubles with a pair of Cisco 7206VXR with Stateful IPsec over them.
We opened a TAC service request two months ago and we are still working on it.
Do you use stateful IPsec on your core routers ?
Best Regards
Giuseppe
08-23-2008 09:10 AM
Hello Giuseppe
My apologies as I am not quite sure what you mean by stateful IPSec. I am sort of a rookie with VPN technologies. Isn't IPSec a layer 3 technology, while stateful and stateless are more a concept of layer 4? Meaning UDP is stateless and TCP is stateful, meaning it has states, for example SYN, PSH, RST and ACK; they define a specific state, hence that communication is called stateful.
Can you be more clear on that?
08-23-2008 09:25 AM
Hello Khurram,
Stateful IPSec is a technology that emulates the behaviour of a pair of PIX or ASA firewall with stateful failover.
IPSec sessions are terminated over the HSRP VIP address on the public interface.
The router that is HSRP active on both the public and private interfaces actually builds the IPSec sessions and forwards and receives traffic.
The standby router has the knowledge of all the SAs (security associations) so that if the active node fails it can take its role with minimal out of service.
The two routers share this info with an inter-device communication.
However, in our case this feature doesn't work correctly: every day we have random losses of connectivity to remote sites.
Also the communication has some troubles and the two routers don't exchange the state info of security associations.
I've seen a similar scenario so I asked you if you are using stateful IPsec.
Best Regards
Giuseppe
08-23-2008 09:30 AM
Oh, I see what you are saying; the answer to that question is no. We have no IPSec stateful failover. I think you mean HSRP with SSO, so yeah, we don't have any stateful failover. Sorry, I totally misunderstood your question :)
08-23-2008 09:26 AM
Hi again
Just to add to that thought, we are running GRE over IPsec, whose header is much larger than the original header. My remote routers are sitting at 1000 MTU. I am starting to think maybe the configuration is wrong and I need to increase my MTU size to 1512 bytes rather than 1000 bytes. Because if the MTU is less, the packet will be fragmented, which could cause some parameters of IPSec to behave strangely, hence dropping the connection. What do you think?
08-23-2008 09:53 AM
Hello Khurram,
You can increase the MTU up to 1300 bytes.
But actually all this is done to avoid fragmentation, so it is the opposite: if all devices including end users agree on a 1300 byte MTU on LANs, the routers never fragment and this is good.
see
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#iose
Hope to help
Giuseppe
08-23-2008 03:38 PM
Thanks for the reply. Do you know how to use the segment here which is called "ask the expert"? How can I post the same question to one of these experts?
thanks