Site to Site IPSec Tunnel issue

Unanswered Question

We have a system in place that pings our remote sites every minute or so. We are (apparently randomly) seeing one of our sites go down (loss of ping response) from our main site, but other sites can still ping it. After an hour (give or take a few minutes) connectivity from the main site is restored.


I am thinking key lifetime timeout or something but I really am looking for some advice/direction.


Any thoughts?

Michael

Jennifer Halim (Cisco Employee) Wed, 06/02/2010 - 02:05

What are the 2 devices that terminates the site-to-site VPN tunnel?


You would want to make sure that the lifetime for both phase 1 and phase 2 (most importantly phase 2) matches between the 2 sites. It would be the "crypto map set security-association lifetime" command.


Hope that helps.

Thanks for the reply.


One side is a 3725 with the following code:

    crypto map <#> ipsec-isakmp
     set peer 1.1.1.1
     set transform-set
     match address 231

The other side is a 2600 with the following code:

    crypto map <#> ipsec-isakmp
     set peer 2.2.2.2
     set transform-set
     match address 172


* addresses have been changed to protect the innocent


All our IPSec links are configured in this fashion yet only the links to 2 of the Asia sites have this issue. Other Asia sites do not have any issue.

Jennifer Halim Wed, 06/02/2010 - 06:21

Please turn on crypto isakmp keepalive so if the peer is down for whatever reason, it will recover quickly.


Here is the command:

crypto isakmp keepalive 10 3
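Putting the two suggestions in this thread together, as an added example that is not from the original posts: a minimal IOS site-to-site configuration for the main-site router with the phase 1 and phase 2 lifetimes stated explicitly and DPD keepalives enabled. The IOS defaults are 86400 seconds for the ISAKMP SA and 3600 seconds for the IPsec SA; the roughly one-hour recovery reported above coincides with that phase 2 default, which is why checking the lifetimes on both peers is a sensible first step. The peer address 1.1.1.1, the pre-shared key, the names VPN and TS-AES-SHA, access list 231, the LAN prefixes and interface Serial0/0 are placeholders, not values from the thread. The remote router needs the mirror-image configuration with an identical ISAKMP policy, transform set and lifetimes.

```ios
! Added example (not from the thread). Peer, key, names, ACL,
! prefixes and interface are assumed placeholders.
!
! Phase 1 (ISAKMP) policy: every parameter here, including the
! lifetime, must have a matching policy on the remote peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key <pre-shared-key> address 1.1.1.1
!
! Dead Peer Detection (the keepalive suggested above): probe the peer
! every 10 s and retry every 3 s when unanswered, so a dead SA is torn
! down and renegotiated within seconds instead of lingering until its
! lifetime expires.
crypto isakmp keepalive 10 3
!
! Phase 2 transform set (ESP with AES-256 and SHA-1 HMAC, tunnel mode)
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
!
! Crypto map: the phase 2 lifetime is set explicitly rather than left
! at the 3600 s default so both peers are known to agree.
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS-AES-SHA
 set security-association lifetime seconds 3600
 match address 231
!
! Interesting traffic: main-site LAN to remote LAN (mirrored on the
! remote side, with source and destination swapped).
access-list 231 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface Serial0/0
 crypto map VPN
```

To confirm the two sides actually agree, compare `show crypto isakmp policy` and `show crypto ipsec sa` on both routers (the latter reports the negotiated SA lifetime and the remaining key lifetime for each SA), check `show crypto isakmp sa` for the phase 1 state, and run `debug crypto isakmp` on the main-site router around the time a remote site drops so the rekey or DPD exchange that fails is visible in the log.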

Jennifer Halim Thu, 06/03/2010 - 04:17

Can you share the configuration from both sides, please?
