IPsec VPN tunnels losing adjacency to central site

khurrammateen
Level 1

We have IPsec VPN from 106 remote offices to the central site. Three core routers running 2800s, and the remote sites are running Cisco 1711s. We have three tunnels to three different core routers at the head office via three different ISPs. Remote sites are using one ISP for the DSL connection. I am noticing that, regardless of the time of day, random sites, sometimes over 60 or 70, terminate tunnels to the core routers for 10 seconds or so, then lose OSPF adjacencies and re-establish them after 10 seconds. I investigated this issue with Cisco, yet no result; all of my ISPs say that they don't see any connection drop, even for a few seconds, on the head end.

7 Replies

Giuseppe Larosa
Hall of Fame

Hello Khurram,

We are experiencing similar troubles with a pair of Cisco 7206VXRs with stateful IPsec over them.

We opened a TAC service request two months ago and we are still working on it.

Do you use stateful IPsec on your core routers?

Best Regards

Giuseppe

Hello Giuseppe

My apologies, as I am not quite sure what you mean by stateful IPsec. I am sort of a rookie with VPN technologies. Isn't IPsec a layer 3 technology, while stateful and stateless are more of a layer 4 concept? Meaning UDP is stateless and TCP is stateful, meaning it has states, for example SYN, PSH, RST and ACK; they define a specific state, hence that communication is called stateful.

Can you be more clear on that?

Hello Khurram,

Stateful IPsec is a technology that emulates the behaviour of a pair of PIX or ASA firewalls with stateful failover.

IPsec sessions are terminated on the HSRP VIP address on the public interface.

The router that is HSRP active on both the public and private interfaces actually builds the IPsec sessions and forwards and receives traffic.

The standby router has knowledge of all the SAs (security associations), so that if the active node fails it can take over its role with minimal out-of-service time.

The two routers share this info with an inter-device communication.

However, in our case this feature doesn't work correctly: every day we have random losses of connectivity to remote sites.

Also, the communication has some troubles and the two routers don't exchange the state info of the security associations.

I've seen a similar scenario, so I asked you if you are using stateful IPsec.

Best Regards

Giuseppe

Oh, I see what you are saying; the answer to that question is no. We have no IPsec stateful failover. I think you mean HSRP with SSO, so yeah, we don't have any stateful failover. Sorry, I totally misunderstood your question :)

khurrammateen
Level 1

Hi again

Just to add on that thought, we are running GRE over IPsec, whose header is much larger than the original header. My remote routers are sitting at 1000 MTU. I am starting to think maybe the configuration is wrong and I need to increase my MTU size to 1512 bytes rather than 1000 bytes, because if the MTU is less, the packet will be fragmented, which could cause some parameters of IPsec to behave strangely, hence dropping the connection. What do you think?

Hello Khurram,

You can increase the MTU up to 1300 bytes.

But actually all this is done to avoid fragmentation, so it is the opposite: if all devices, including end users, agree on a 1300-byte MTU on the LANs, the routers never fragment, and this is good.

See

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#iose

Hope to help

Giuseppe
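As an added illustration of the MTU exchange above (example code written for this thread, not posted by either participant or taken from the linked Cisco note), the script below computes how much GRE-plus-ESP encapsulation adds to a packet and the largest original packet that still fits an outbound link without fragmentation. The 1500-byte DSL link MTU, the AES-CBC/3DES-CBC cipher choices and HMAC-SHA1-96 authentication are assumptions; header sizes are the standard IPv4, GRE (RFC 2784) and ESP (RFC 4303) values.

```python
"""Estimate GRE-over-IPsec (ESP) overhead for a given original packet size.
Assumptions: IPv4 without options, GRE without key/sequence fields,
CBC ciphers with the IV carried in the ESP payload, truncated 96-bit HMAC ICV."""

IP_HDR = 20          # IPv4 header, no options
GRE_HDR = 4          # GRE flags/version + protocol type (add 4 each for key/seq)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# cipher name -> (IV length, cipher block size) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# authenticator name -> ICV length in bytes (truncated HMAC)
AUTHS = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_padding(plaintext_len, block):
    """ESP pads payload + pad + 2-byte trailer to a multiple of the block size."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def encapsulated_size(orig_len, cipher="aes-cbc", auth="hmac-sha1-96",
                      tunnel_mode=True):
    """Bytes on the wire for an original IP packet of orig_len bytes after
    GRE encapsulation and ESP protection (tunnel mode adds a new outer IP header;
    transport mode reuses the GRE packet's own IP header)."""
    iv_len, block = CIPHERS[cipher]
    gre_packet = IP_HDR + GRE_HDR + orig_len
    protected = gre_packet if tunnel_mode else gre_packet - IP_HDR
    pad = esp_padding(protected, block)
    return IP_HDR + ESP_HDR + iv_len + protected + pad + ESP_TRAILER + AUTHS[auth]


def max_unfragmented(link_mtu=1500, **kw):
    """Largest original packet whose encapsulated form fits link_mtu,
    i.e. the tunnel/LAN MTU at which the router never has to fragment."""
    size = link_mtu
    while encapsulated_size(size, **kw) > link_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    # Assumed 1500-byte DSL link; compare the MTUs discussed in the thread
    for mtu in (1000, 1300, 1512):
        print(f"original {mtu} bytes -> {encapsulated_size(mtu)} bytes on the wire")
    print("max without fragmentation (AES):", max_unfragmented())
    print("max without fragmentation (3DES):", max_unfragmented(cipher="3des-cbc"))
```

A 1300-byte packet encapsulates to 1384 bytes and fits a 1500-byte link, while a 1512-byte packet grows to 1608 bytes and must be fragmented, which is the reason behind the 1300-byte figure above.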

Thanks for the reply. Do you know how to use the segment here which is called "Ask the Expert"? How can I post the same question to one of these experts?

Thanks
