Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Basic LAN to LAN VPN Questions

Hi, we've got several Internet IPSec/ISAKMP VPNs. HQ is using a VPN3030 Concentrator and the remote sites are using Pix 501s. Looking at the session statistics on the VPN3030 some of the tunnels stay up for days and some won't stay up for more than a few hours.

I've got a couple of questions:

1). Should traffic from either side bring the tunnel up?

2). When the tunnel comes up should it stay up for a certain number of hours even if there is no more traffic sent? i.e. if the tunnel is brought up by a ping will it stay up? Or more specifically should it stay up? And if it goes down after an hour or so on a reqular basis then should I be investigating the remote site's DSL line Internet connection as the first port of call?



Re: Basic LAN to LAN VPN Questions

I looked this up for you, in your vpn 3030 check ike keepalive configuration for both the tunnels that stay up for days and the tunnels that drop in time,compare their keepalive configuration. I would suspect that tunnels that droped in time if there is not activity it could be there is no keepalive configured in them, I could be wrong with your problem but worth checking.

on concentrator go to:

configuration/user management/groups , then select tunnel in question, select ipsec tab and look for ike keepalive whether is checked or un-checked.

VPN 3030 ike keepalive for more information

on PIX/ASA firewalls, see isakmp keepalive




New Member

Re: Basic LAN to LAN VPN Questions

Thanks for the reply Jorge,

yes I had configured keepalives on all a couple of weeks ago because one of them was going down and staying down for hours. Now it goes down but usually comes back up in between a few seconds and a minute or so. I'm thinking that the DSL line is problematic and will now troubleshoot that.