Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Two 3015 Concentrators behind CSS

Hello all,

I have the following scenario currently in production:

VPNClient---Internet---CSS--2VPNConcentrators

The CSS is 11500 with ver 6.10 .

The Cisco VPN clients are connecting with NAT-T IPSec (UDP 4500). The VPN tunnels are built without a problem. However, the VPN tunnels do not stay built much longer then several hours. If I constantly send 'ping'/ICMP traffic over the tunnel, it will stay up for days.

I have DPD/IKE keepalives enabled. Even with IKE keepalives configured, the tunnels still drop. The VPN Concentrators indicate that they have 'Lose Contact' with the VPN client. The VPN Client will then rebuild the tunnel and stay built for approximately 3-4-5 hours. I attached the config file.

Should the flows always be active for this type of traffic to pass? Maybe I should set the flow for UDP/4500 to permanent?

I'm sort of new to CSS administration. Let me know if anyone has any ideas.

Thanks,

Mike

1 REPLY
Silver

Re: Two 3015 Concentrators behind CSS

Yes, the flow should always be active for the traffic to pass.

108
Views
0
Helpful
1
Replies
CreatePlease login to create content