11-13-2008 08:02 PM
Hi everyone,
I have an ezvpn remote in network extension mode connecting to an ezvpn server using pre-shared key authentication. The remote router in network extension mode is on a dynamic IP. Now, each time the IP address changes on the remote router, the ISAKMP SAs stay in QM_IDLE state, even with the peers that were the previous IP addresses of the remote router. When I connect with a VPN software client to the ezvpn server, the tunnel for this client tears down as soon as the client disconnects.
How can I do the same for the remote router in network extension mode?
With this problem on the remote in network extension mode, it could easily exhaust my ezvpn resources (only 10 IPSec tunnels allowed) if the IP address changes pretty often on the remote router.
Many thanks for your help.
regards,
Remi
11-14-2008 02:54 AM
Try
crypto isakmp keepalive secs retries-secs [periodic]
on both sides
11-14-2008 07:48 AM
Hi,
I had keepalives set before, but without the "periodic" option. I changed it now to include periodic and it still does not help. Below is the proof. As you can see, the ezvpn server maintains tunnels even to dead peers, hence exhausting VPN resources...
crypto isakmp keepalive 20 3 periodic (on both peers)
Remote router in NEM after change of dynamic IP address:
ezvpn_nem#sh cry isa sa
dst src state conn-id slot status
172.30.17.5 172.30.20.4 QM_IDLE 5 0 ACTIVE
EZVPN Server router:
ezvpn_srv#sh cry isa sa
dst src state conn-id slot status
172.30.17.5 172.30.20.3 QM_IDLE 1 0 ACTIVE
172.30.17.5 172.30.20.4 QM_IDLE 2 0 ACTIVE
Thanks very much for your help.
Remi
11-14-2008 09:58 AM
Looks like a bug. Use "sh cry isa sa det" to see if keepalives are indeed active and "deb cry isa" to see they are sent (you need the "periodic" option to verify this). Are IPSec SAs deleted when IP address changes? Verify with "sh cry ipsec sa".
11-14-2008 10:29 AM
Hi,
Thanks for looking into this for me. Here are the answers:
On both peers I receive DPD R_U_THERE packets from each other every 20 sec, so keepalives work. I checked that with "deb cry isa".
Regarding "sh cry isa sa det", it looks like the ezvpn_srv keeps the tunnel up until the IKE lifetime expires (24h), even for the dead peer. Take a look below:
ezvpn_nem#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
7 172.30.20.4 172.30.17.5 ACTIVE 3des sha 2 23:22:56 CDX
Connection-id:Engine-id = 7:2(hardware)
ezvpn_srv#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1 172.30.17.5 172.30.20.3 ACTIVE 3des sha 2 21:06:35 CDX
Connection-id:Engine-id = 1:1(software)
4 172.30.17.5 172.30.20.4 ACTIVE 3des sha 2 23:21:48 CDX
Connection-id:Engine-id = 4:1(software)
Also there are no SAs for the dead peer on ezvpn_srv. Only for the active one.
I am clearing all ISAKMP SAs and trying all over again. I will get back to you on that.
Thanks,
Remi
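A check for the condition discussed in this thread, added here as an example and not taken from any of the posts: it parses "sh cry isa sa det" output, confirms the D (Dead Peer Detection) capability is negotiated on each ISAKMP SA, and flags ISAKMP SAs whose remote has no IPsec SA, which is the dead-peer signature noted above. The sample output and the IPsec peer set are constructed (modelled on the listings in this thread); the 10-tunnel limit comes from the question.

```python
import re

# Constructed sample, modelled on the ezvpn_srv "sh cry isa sa det" listing above.
ISA_SA_DETAIL = """\
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1 172.30.17.5 172.30.20.3 ACTIVE 3des sha psk 2 21:06:35 CDX
Connection-id:Engine-id = 1:1(software)
4 172.30.17.5 172.30.20.4 ACTIVE 3des sha psk 2 23:21:48 CDX
Connection-id:Engine-id = 4:1(software)
"""

# Constructed: peers that still hold an IPsec SA (what "sh cry ipsec sa" lists).
IPSEC_PEERS = {"172.30.20.4"}

LIFETIME = re.compile(r"\d+:\d\d:\d\d")


def parse_isa_sa_detail(text):
    """Return one dict per SA row; legend, header and Engine-id lines are skipped."""
    sas = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or not t[0].isdigit() or not LIFETIME.fullmatch(t[-2]):
            continue
        h, m, s = (int(x) for x in t[-2].split(":"))
        sas.append({"conn_id": int(t[0]), "local": t[1], "remote": t[2],
                    "active": "ACTIVE" in t, "lifetime_s": h * 3600 + m * 60 + s,
                    "cap": set(t[-1])})
    return sas


def audit_isakmp(detail_text, ipsec_peers, max_tunnels=10):
    """Flag SAs that will linger: no DPD negotiated, or no IPsec SA behind them."""
    sas = parse_isa_sa_detail(detail_text)
    findings = []
    for sa in sas:
        if "D" not in sa["cap"]:
            findings.append((sa["remote"], "no D capability: DPD not negotiated"))
        if sa["active"] and sa["remote"] not in ipsec_peers:
            findings.append((sa["remote"], "ISAKMP SA with no IPsec SA: likely dead "
                             f"peer, held for {sa['lifetime_s'] // 3600}h more"))
    if len(sas) >= max_tunnels * 0.8:
        findings.append(("*", f"{len(sas)}/{max_tunnels} tunnel slots in use"))
    return findings
```

Running audit_isakmp(ISA_SA_DETAIL, IPSEC_PEERS) reports 172.30.20.3 as a likely dead peer still holding an ISAKMP SA for about 21 hours.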
11-14-2008 10:45 AM
I have another update. It looks like it started to work. The ezvpn_srv deletes SAs for the dead peers. I just had to "clear cry isa", and now any SAs for the peers that are no longer active (with the old IP addresses) are marked as deleted and eventually clear from the "sh cry isa sa" list.
The one that could not clear was probably the one from before I implemented "cry isa keepalive 20 3 periodic".
It looks like "cry isa keepalive 20 3 periodic" did the job.
Thanks a lot for your help. If you don't mind I'll get back to you should I still have some troubles.
Remi