Site-to-Site VPN breaks after router reset

Answered Question
Aug 27th, 2010

Hello all,


I'm having an extremely vexing issue.  I have a CallManager server set up on one site (Site A) and IP Phones that connect to it via a site-to-site IPSec VPN tunnel on Site B.  The WAN link on Site B (Cable ISP with Static IP) can be a bit unreliable at times.  Everything was working flawlessly, except when the router resets or loses connection on Site B, everything breaks.  I have the tftp option 150 set to the CUCM server on Site A (192.168.10.250).  The tunnel does NOT come back up automatically after a router loses connection, and once that occurs, it appears nothing I can do can re-establish full connectivity.  I know I must be missing something, but have no idea what.  The nbar protocol-discovery on the outside interface of the router at Site B shows TFTP and Skinny packets going outbound, but nothing coming back in.  I can NOT ping any internal resources on Site A from Site B.  I do a "show crypto isakmp sa" on either router and it shows the tunnel as being up.  In order to bring the tunnel back up, I have to access the router on Site A with the SDM tool and do a "test" of the VPN tunnel.  It shows it as down, and when I have SDM generate traffic, using source IP as 192.168.10.1 (inside interface of router on Site A) and destination IP of 192.168.11.1 (inside interface of router on Site B), the tunnel comes back up.  Yet, even though the tunnel is re-established, nothing works as far as being able to ping Site A from Site B, or tftp coming from Site A to Site B.  Any help on this issue is GREATLY appreciated.  Any suggestions on how to set up a reliable site-to-site VPN so that if connection is lost on one end, the tunnel comes back up and devices on Site B can access resources such as the CallManager server on Site A?  Thanks in advance!

Correct Answer by praprama (Cisco Employee), Fri, 08/27/2010 - 04:47

Hi,


One way you can have the tunnel come back up automatically even if it goes down is to set up SLA monitoring on one of the site's routers so that it sends periodic pings to the inside IP address of the router on the other site. For example, on Site A configure it for SLA monitoring using source IP as its inside interface 192.168.10.1 and making it ping the inside interface of Site B regularly, 192.168.11.1. For the config guide, please refer to the page below:


http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsicmp.html#wp1027188


Regarding traffic not passing, can you please paste the output of "show cry isa sa", "show cry ipsec sa" and the current configuration of both the routers if possible?


Regards,

Prapanch
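The IP SLA approach Prapanch describes, written out as an IOS configuration fragment for the Site A router. This is an added example, not configuration posted in the thread or taken from either router; it assumes the addresses from the question (192.168.10.1 as Site A's inside interface, 192.168.11.1 as Site B's inside interface), a crypto ACL on Site A that already matches 192.168.10.0/24 to 192.168.11.0/24, and the `ip sla` command form of IOS 12.4(4)T and later (12.4 mainline spells it `ip sla monitor`). The probe number 10, the track object 1 and the 30-second interval are arbitrary choices. The last line goes one step beyond the answer: it enables ISAKMP dead peer detection so that a stale SA left behind by a Site B reset is torn down rather than reported as up while passing nothing.

```text
! Site A router (inside interface 192.168.10.1). Added example, not the thread's config.
!
! Periodic ICMP echo from Site A's inside interface to Site B's inside
! interface. Because the source and destination both fall inside the
! crypto ACL, every probe is "interesting traffic" and re-triggers IKE
! whenever the tunnel has dropped, with no user traffic needed.
ip sla 10
 icmp-echo 192.168.11.1 source-ip 192.168.10.1
 frequency 30
ip sla schedule 10 life forever start-time now
!
! Optional: bind a tracked object to the probe so reachability changes
! show up as tracking state-change messages in the router log.
track 1 ip sla 10 reachability
!
! Beyond the answer: dead peer detection. After the Site B router resets,
! the old ISAKMP/IPsec SAs are cleared instead of lingering as "up".
! 10-second keepalive, 3 retries, sent periodically rather than on demand.
crypto isakmp keepalive 10 3 periodic
```

Check the probe with `show ip sla statistics 10` (successes should climb every 30 seconds once the tunnel is up) and the tracked object with `show track 1`. To confirm the tunnel is actually carrying the probes rather than merely showing an ISAKMP SA, watch the encaps and decaps counters in `show crypto ipsec sa`: packets encapsulated on Site A but never decapsulated on Site B is exactly the one-way symptom the question describes.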
