06-01-2010 07:12 AM - edited 03-04-2019 08:39 AM
We have a system in place that pings our remote sites every min or so. We are (apparently randomly) seeing one of our sites go down (loss of ping response) from our main site but other sites can still ping it. After an hour (give or take a few mins) connectivity from main site is restored.
I am thinking key lifetime timeout or something but I really am looking for some advice/direction.
Any thoughts?
Michael
06-02-2010 02:05 AM
What are the 2 devices that terminates the site-to-site VPN tunnel?
You would want to make sure that the lifetime for both phase 1 and phase 2 (most importantly phase 2) matches between the 2 sites. It would be the "crypto map
Hope that helps.
06-02-2010 06:16 AM
Thanks for the reply.
One side is a 3725 with the following code:
crypto map
set peer 1.1.1.1
set transform-set
match address 231
The other side is a 2600 with the following code:
crypto map
set peer 2.2.2.2
set transform-set
match address 172
* addresses have been changed to protect the innocent
All our IPSec links are configured in this fashion yet only the links to 2 of the Asia sites have this issue. Other Asia sites do not have any issue.
06-02-2010 06:21 AM
Please turn on crypto isakmp keepalive so if the peer is down for whatever reason, it will recover quickly.
Here is the command:
crypto isakmp keepalive 10 3
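An added example (not from this thread or from Cisco) that checks the two points raised in the replies above: whether phase 1 and phase 2 lifetimes agree between the two sites, and whether `crypto isakmp keepalive` is configured on each. The two configs are constructed samples, not the poster's real ones; matching phase 1 policies by their number is a simplification.

```python
import re
from typing import List

# Constructed sample configs (hypothetical, not the thread's real routers)
SITE_A = """
crypto isakmp policy 10
 lifetime 86400
crypto isakmp keepalive 10 3
crypto ipsec security-association lifetime seconds 3600
"""
SITE_B = """
crypto isakmp policy 10
crypto ipsec security-association lifetime seconds 28800
"""

DEFAULT_ISAKMP_LIFETIME = 86400  # IOS phase 1 default (seconds)
DEFAULT_IPSEC_LIFETIME = 3600    # IOS phase 2 default: one hour

def parse_lifetimes(config: str) -> dict:
    """Phase 1 lifetime per policy, phase 2 SA lifetime, keepalive interval (or None)."""
    result = {"isakmp": {}, "ipsec": DEFAULT_IPSEC_LIFETIME, "keepalive": None}
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            policy = None  # any unindented line ends the current policy block
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)
            result["isakmp"][policy] = DEFAULT_ISAKMP_LIFETIME
        elif (m := re.match(r"lifetime (\d+)$", line)) and policy:
            result["isakmp"][policy] = int(m.group(1))
        elif m := re.match(r"crypto isakmp keepalive (\d+)(?: (\d+))?$", line):
            result["keepalive"] = int(m.group(1))
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line):
            result["ipsec"] = int(m.group(1))
    return result

def compare_sites(cfg_a: str, cfg_b: str) -> List[str]:
    a, b = parse_lifetimes(cfg_a), parse_lifetimes(cfg_b)
    findings = []
    for pol in sorted(set(a["isakmp"]) | set(b["isakmp"])):
        if a["isakmp"].get(pol) != b["isakmp"].get(pol):
            findings.append(f"phase 1 policy {pol}: lifetime {a['isakmp'].get(pol)} vs {b['isakmp'].get(pol)}")
    if a["ipsec"] != b["ipsec"]:
        findings.append(f"phase 2: SA lifetime {a['ipsec']} vs {b['ipsec']} seconds")
    for name, site in (("A", a), ("B", b)):
        if site["keepalive"] is None:
            findings.append(f"site {name}: no 'crypto isakmp keepalive' configured")
    return findings
```

Run `compare_sites(SITE_A, SITE_B)` against `show running-config` output from each router; an empty list means the two sides agree and both have keepalives.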
06-02-2010 07:00 AM
I thank you for the input and will try that. I have more questions.
It doesn't seem like the tunnel is down; I just can't ping the devices on that segment from NY. Other connected sites (California, for example) can ping, though.
06-03-2010 04:17 AM
Can you share the configuration from both sides, please?