I inherited a situation I'm hoping anyone can shed light on. (I'm not Cisco savvy.) Every day I get a call from one of my remote offices that they lose network connectivity. The quickest way to resolve their issue is to recycle their Cisco box. Can anyone clarify whether or not the Cisco routers recycle themselves every 12 hrs as I've heard? Is there a parameter that can be set so that the VPN tunnel renegotiates at predetermined times? Thanks in advance. TJ
"Can anyone clarify whether or not the Cisco routers recycle themselves every 12 hrs as I've heard?"
Cisco routers don't recycle themselves every 12 hours. What exactly do you mean by recycle though, because I take that to mean reload?
As for VPNs, there are parameters you can set that affect how long the tunnel will stay up, but even if the tunnel goes down, once activity is detected it should come back up without having to reload.
Thanks for your insight.
By recycle, perhaps reload is the correct word. Just every day at the same time they have the same problem. Where would I look in the VPN settings to see the length of time it is supposed to stay up?
Apologies for the delay in getting back. Is there any chance of you posting the configuration of the router minus any sensitive information such as public IP addresses, passwords, VPN keys (especially VPN keys)?
I would emphasize though that to bring the tunnel back up should not require a reload of the router.
I thought of something else. 2 of 3 offices use dynamic IP and 1 static IP. The static office doesn't have this issue. I haven't checked yet with the ISP on the IP lease duration.
I'll be changing one of the 2 dynamic offices to static on Friday. Maybe that is what the issue is?
Take a look at this document. http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html
It looks like it will use the defaults if you delete that line.
Yes, it may be the problem of the lifetime.
You can verify it on the Cisco router and then troubleshoot and make changes.
show crypto isakmp sa
show crypto ipsec sa peer x.x.x.x
To get the tunnel up without a reload:
clear crypto isakmp sa
clear crypto ipsec sa peer x.x.x.x
If this clear command works and you don't have to reload the router, do the following:
crypto ipsec security-association lifetime seconds 120
You may also need to take a look at the remote side where the VPN tunnel is configured.