Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

3002 lost tunnel

I have a 3002 hardware client at a remote site connecting to a central 3060 concentrator. The DSL provider at the remote site has installed a DSL router. My 3002 sits behind the DSL router and gets a private address on the public interface from the router (

The 3002 runs Client Version 3.6.1.Rel Aug 29 2002 and I have created a new SA (ESP-AES253-MD5) for this tunnel.

The problem is this:

Several times a day I receive an alert that the private interface of the 3002 cannot be reached (via ping). When this happens the 3060 concentrator shows the remote active session but with as the assigned IP address instead of (the address I assigned to the private interface of the 3002).

As soon as a remote user tries to access central resources, file server the tunnel seems to come back and I can then ping the 3002 private interface from the central site.

Has anyone experienced something like this?

New Member

Re: 3002 lost tunnel

Hi mylest,

Actually i have the same issue. I have set my idle timeout to 0 as well as the maximum connect timeout on my concentrator but still having the same issue. As soon as they pass traffic through the VPN tunnel, i am able to ping them again. I know that the 3002 needs to initiate traffic first in order to have the IPSec tunnel back up again even though you have the network extension mode on or off. But IKE is what shows on the 3000 Concentrator to keep the connection somewhat active. I read this somewhere but cant find the link anymore. I dont worry about it as much anymore. Good luck.


Cisco Employee

Re: 3002 lost tunnel

You are running the 3002 in Network Extension Mode (NEM). Regardless of Client or NEM mode, the 3002 tunnel has to be initiated from the 3002 side . The tunnel can be setup either by pressing the Monitor\System Status\Connect button or by passing any traffic (ping, email, HTTP) to the Corporate nets of the headend VPN 3000.

When the NEM mode tunnel is established, no IP address is assigned by the headend VPN 3K. In the Admin|Sessions of the VPN 3K the Assigned IP column shows up as the subnet IP of the 3002's private interface (ie. . The assigned IP only shows up after you have passed at least one packet on the tunnel. If you try to use the Ping button (right side) on this connection it errors with " cannot be reached". This is correct since it is a subnet and not a host IP.

But you can ping the 3002's private IP fromth e Admin\Ping command of the 3000 or using a ping program from a host on the Corp. net.

The Assigned IP for the NEM tunnel shows up as if no traffic has yet passed over the tunnel, that is the data SA has yet not been established.

If at this point you try to ping (3002's private IP) it will fail.

Sorry for the long explanation. Hope this helps.


CreatePlease login to create content