
1710 in EzVPN network Extension Mode Tunnel timeout

jerry.roy
Level 1

Hi all,

I have a few 1710s in EzVPN Network Extension Mode and it seems as if the tunnels time out. Can anyone tell me if this is in fact the case? These are all terminated at a 3030 concentrator. I have a custom system that pings the IP address that is assigned to the WAN of the 1710. I ping it one time per minute for 10 minutes. If I do not get a response in 10 minutes, I open a trouble ticket. I have this site that has been up for 2 days solid and my system never opened a ticket. I confirmed the IP is still the same and I can still ssh into them. Customer says site was down for 4 hours today and totally kicked my ass, asking why I didn't see it. I checked our logs since last reboot and our system didn't skip a beat. I have tried to set keepalives but they don't seem to work with EzVPN. Can anyone offer some input? How can I confirm if tunnels are going up and down or timing out?

Thanks,

Jerry

1 Reply

gfullage
Cisco Employee

The tunnel does have a lifetime associated, and it will go down after that lifetime, regardless of how often packets are flowing across it. The tunnel should be automatically brought straight back up and no-one is the wiser.

There is a "connect manual" command in EzVPN Phase II that'll make the remote router wait for user interaction before bringing the tunnel back up when it expires. Do you have this in your config?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122yj/ftezvp2.htm#1152261

Other than that, why don't you ping an internal host with your script, rather than the WAN interface? Pinging the WAN interface will tell you if the router or link has died, but won't tell you if the VPN is up or not.
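An added example, not part of the original thread: a sketch of the monitoring change suggested in the reply, probing both the router's WAN address and a host behind the tunnel once per minute and reporting any run of 10 or more missed minutes. The function names, the Linux `ping` flags and the sample data (a constructed 4-hour period where the WAN answers but the inside host does not) are assumptions for illustration.

```python
import subprocess
from itertools import groupby

WINDOW = 10  # consecutive one-minute probes missed before a ticket is opened


def ping_once(host, timeout_s=2):
    """One ICMP echo using Linux iputils flags (assumed); True if a reply arrived."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def classify(wan_ok, inside_ok):
    """Combine the two probes of one minute into a state."""
    if inside_ok:
        return "tunnel-up"      # traffic crossed the VPN
    # Inside host unreachable: the WAN probe tells the two failure modes apart.
    return "tunnel-down" if wan_ok else "link-down"


def find_outages(samples, window=WINDOW):
    """samples: one (wan_ok, inside_ok) pair per minute.
    Returns (start_minute, state, minutes) for each failure run >= window."""
    outages, minute = [], 0
    for state, run in groupby(classify(w, i) for w, i in samples):
        length = len(list(run))
        if state != "tunnel-up" and length >= window:
            outages.append((minute, state, length))
        minute += length
    return outages


# Constructed sample: 5 good minutes, then 4 hours where the router's WAN
# address still answers but nothing behind the tunnel does, then recovery.
SAMPLES = [(True, True)] * 5 + [(True, False)] * 240 + [(True, True)] * 5

if __name__ == "__main__":
    # Monitoring the WAN address alone (inside result mirrors the WAN result)
    # reports nothing; adding the inside probe exposes the outage.
    print("WAN-only monitor:", find_outages([(w, w) for w, _ in SAMPLES]))
    print("WAN + inside    :", find_outages(SAMPLES))
```

In live use, each minute's pair would come from `ping_once` against the WAN address and against an internal host that is only reachable through the tunnel.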