VPN-reconnect fails after ADSL-reconnect

Unanswered Question
Aug 17th, 2003


Hello,


We have the following VPN configuration:

Branch Office: Cisco 1751 configured with EzVPN Client, ADSL-/PPPoE-Connect to the ISP and dynamic ip address; Main Office: Cisco VPN Concentrator 3030 and static ip address


The configuration is nearly exactly the same as in the configuration example from CCO - http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml - with only one great difference: we have no static IP address on the outside interface because of the ADSL/PPPoE connection to the ISP with a dialer interface, which negotiates a dynamic IP address on every new connection. This happens once a day because the ISP terminates the connection every 24 hours (this is normal for some ISPs to prevent address reservation). And this is the problem: the VPN setup works perfectly if you power on the router, but if the connection is terminated by the ISP and the dialer interface negotiates a new dynamic IP address, the EzVPN client fails to establish the VPN connection. A "debug crypto ipsec client ezvpn" shows only:


EZVPN: Current State: IDLE

EZVPN: Event: TUNNEL_HAS PUBLIC_IP_ADD

EZVPN: No state change


You can clear all interfaces but nothing happens to bring up the vpn connection. The only way to reconnect is to reload the router. After that the connection is up for 24 hours and so on. We have tried several IOS versions - 12.2(4)YA, 12.2(15)T...


Is this a software bug or what can we do?

Thanks for any help


Marcus


p.abbeel Wed, 08/20/2003 - 02:22

Hi,


We are experiencing the same problem in our lab environment.


Thx for any help given,


Peter

For standards-based IPSec, your only option is to reduce the time and data lifetimes of ISAKMP - this will force more frequent renegotiations, but will still likely cause some problems.


But since you are all Cisco, you should be able to use Cisco's proprietary ISAKMP keepalive:


crypto isakmp keepalive 40

tells the router to send a keepalive every 40 seconds


I think the 3000 is keepalive ready by default, but am not sure. So try that on the IOS side, and see if it helps.
