I have a 3002 hardware client at a remote site connecting to a central 3060 concentrator. The DSL provider at the remote site has installed a DSL router. My 3002 sits behind the DSL router and gets a private address on the public interface from the router (192.168.1.1).
The 3002 runs Client Version 3.6.1.Rel Aug 29 2002 and I have created a new SA (ESP-AES253-MD5) for this tunnel.
The problem is this:
Several times a day I receive an alert that the private interface of the 3002 cannot be reached (via ping). When this happens the 3060 concentrator shows the remote active session but with 0.0.0.0 as the assigned IP address instead of 10.1.1.1 (the address I assigned to the private interface of the 3002).
As soon as a remote user tries to access central resources, e.g. email or a file server, the tunnel seems to come back and I can then ping the 3002 private interface from the central site.
Actually I have the same issue. I have set my idle timeout to 0 as well as the maximum connect timeout on my concentrator but am still having the same issue. As soon as they pass traffic through the VPN tunnel, I am able to ping them again. I know that the 3002 needs to initiate traffic first in order to have the IPSec tunnel back up again even though you have the network extension mode on or off. But IKE is what shows on the 3000 Concentrator to keep the connection somewhat active. I read this somewhere but can't find the link anymore. I don't worry about it as much anymore. Good luck.
You are running the 3002 in Network Extension Mode (NEM). Regardless of Client or NEM mode, the 3002 tunnel has to be initiated from the 3002 side. The tunnel can be set up either by pressing the Monitor\System Status\Connect button or by passing any traffic (ping, email, HTTP) to the Corporate nets of the headend VPN 3000.
When the NEM mode tunnel is established, no IP address is assigned by the headend VPN 3K. In the Admin|Sessions of the VPN 3K the Assigned IP column shows up as the subnet IP of the 3002's private interface (i.e. 10.1.1.0). The assigned IP only shows up after you have passed at least one packet on the tunnel. If you try to use the Ping button (right side) on this connection it errors with "10.1.1.0 cannot be reached". This is correct since it is a subnet and not a host IP.
But you can ping the 3002's private IP 10.1.1.1 from the Admin\Ping command of the 3000 or using a ping program from a host on the Corp. net.
The Assigned IP for the NEM tunnel shows up as 0.0.0.0 if no traffic has yet passed over the tunnel, that is, the data SA has not yet been established.
If at this point you try to ping 10.1.1.1 (3002's private IP) it will fail.