Disconnection between Cisco 871 and VPN 3000

Unanswered Question
Feb 26th, 2010

Hi everybody,

I have many remote sites (Cisco 871 in ezvpn mode) connected to a VPN 3000 concentrator. My problem is that, on the concentrator side, VPN tunnels go down quite often (I can see in the concentrator logs that it is due to DPD) but the other side stays UP... that is to say, I'm not able to reach the remote side in this case. I have to wait for the SA to expire in order for the client to try to bring the tunnel up again, or ask somebody at the remote side to clear the SA...

I tried to turn on DPD on the 871 side but I saw nothing when debugging (debug crypto isakmp). The command I used to turn on DPD was "(config)#crypto isakmp keepalive 10 2 periodic" or "(config)#crypto isakmp keepalive 10 2 on-demand". With both commands I didn't see anything in the debug. I should add that "terminal monitor" was on, of course...

Is there another command to turn DPD on, on the EZVPN side?

The only tip I found was to shorten the IPSec lifetime on the concentrator for this group. I configured it to 1800 seconds, so that the VPN cannot stay unidirectionally up for more than 30 minutes... But it is not very clean...

Does anyone have an idea? I would appreciate it.

Thank you in advance


Thomas Andlauer
