09-04-2008 08:37 AM - edited 03-09-2019 09:24 PM
That's the big question !
How do you keep tunnels up without the need of pinging a remote host in the target network? Our customers get hung on a regular basis because of this issue. 10 points to the first answer!
09-04-2008 12:02 PM
Hello,
You can set up keepalives on the VPN end.
For example
On PIX
isakmp keepalive 30 2
On IOS
crypto isakmp keepalive 10 periodic
If that does not resolve it and you need some kind of traffic, then you can configure NTP across the VPN link (source it from the private interface so that it is interesting traffic for the VPN).
HTH
Saju
09-04-2008 11:54 PM
We have a lot of non-cisco peers. Can you put some detail on how to configure NTP ? Thanks.
09-05-2008 06:02 AM
Check the following example for PIX to PIX Ipsec-NTP
You can make a Router in your network as ntp master and sync clocks on PIX and other non-cisco devices to the router.
HTH
Saju
09-05-2008 06:46 AM
ntp authentication-key 1 md5 ********
ntp trusted-key 1
ntp server 10.0.6.5 key 1 source outside
As I see it, these are the only parameters you have to configure?
Why do you need that key to auth ?
What is the ntp trusted-key 1 ?
09-05-2008 07:19 AM
You do not need to authenticate (it's optional). Just use the ntp server command.
Also, in "ntp server 10.0.6.5 key 1 source outside"
use source as inside.
I think you will also have to enable "management-access inside" to make it work.
09-05-2008 08:08 AM
OK, I managed to make it work. But I'm looking for a better solution. I mean, we don't care if the tunnels go down, but we need them up when the customers start to send interesting traffic through the tunnel. I don't know why the customers can't start the tunnels when initiating a SIP connection, but we can bring up the tunnel by making a ping to their networks. Is there a way to make the tunnel go up when, for example, the customers start working on Monday morning (a call center, for example), they start the first call and then the tunnel comes up from their side? Thanks!
09-05-2008 09:18 AM
Thanks for the rating!
You can consider writing a script to Ping regularly across the tunnel.
09-07-2008 04:01 AM
Xavier
Your description sounds like the tunnel does start when there is traffic from your end but does not start when there is traffic from the remote. Is this correct?
The symptom of starting only from one side is common when one side has a fixed IP address and the other side has a dynamic IP. Is this perhaps the case that the remote side has a dynamic IP address?
Perhaps if we could see some configuration details we might understand the issue better and be able to give you better answers.
HTH
Rick
09-08-2008 05:30 AM
No, the IPs are static at both ends. Is it really necessary to keep generating traffic all the time to get the tunnels always up?
09-08-2008 08:18 AM
Xavier
If you want the tunnel to be always up then yes you need some kind of traffic being generated all the time. I frequently accomplish that by running a routing protocol through the tunnel and the routing protocol hello messages help to keep the tunnel up. Running NTP through the tunnel would also be a good way to do this.
The tunnel should initialize when there is interesting traffic. Your description of the symptoms sounds like the tunnel does initialize when there is traffic from your side, but not when there is traffic from the other side. Is that the case? That would seem to indicate some issue in the configuration of the VPN tunnel. Can you post the configurations from both ends?
HTH
Rick
09-08-2008 08:27 AM
Yes, I can do that, but the config file is so big. That's only happening with point-to-point VPNs. The client-to-server VPNs are working fine. Please tell me what part of the config you want to check and I will post it. Thanks.
09-08-2008 08:48 AM
Xavier
I could tell you more easily what part if I knew on what platform you are running the VPN. On a router I would want to see the crypto map entry and the access list which is referred to in the crypto map to identify traffic. If it was on PIX/ASA I would want the crypto map, the crypto access-list referred to in the map, and the nonat rule.
HTH
Rick
09-08-2008 08:54 AM
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to212.78.144.13
set peer 212.78.144.13
set security-association lifetime seconds 86400
set transform-set REUS
match address 104
------------------------------------------------
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.241.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.236.0 0.0.3.255
We don't have any nonat rules. All the crypto maps are the same. Thanks!
09-08-2008 09:16 AM
Xavier
Thanks for posting the crypto map and the access list. Would I be correct in assuming that this is from your router? Can you also post the crypto map and the access list from the remote router?
HTH
Rick
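A small helper for the mirror check Rick is asking for, added here as an example and not code from the thread: it parses the crypto access-list posted above (Cisco wildcard masks), tells you whether a given source/destination pair would count as interesting traffic on one side, and lists local entries whose mirror image is missing on the remote side. The remote ACL below is constructed for illustration (it assumes the remote router narrowed 192.168.236.0 0.0.3.255 to a /24), not a configuration from the thread.

```python
import ipaddress

# Local crypto ACL, taken from the thread; remark lines are ignored by the parser.
LOCAL_ACL = """\
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 172.16.4.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.241.0 0.0.0.255
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.236.0 0.0.3.255
"""

# Constructed remote ACL (assumption): the last entry only mirrors a /24, not the /22.
REMOTE_ACL = """\
access-list 120 permit ip 172.16.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.241.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.236.0 0.0.0.255 192.168.3.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard mask is the bitwise inverse of a subnet mask: 0.0.3.255 -> /22."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_crypto_acl(text):
    """Return (src_network, dst_network) pairs for each 'permit ip' line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[2] != "permit" or parts[3] != "ip":
            continue  # remarks, comments and non-IP lines do not select traffic
        entries.append((wildcard_to_network(parts[4], parts[5]),
                        wildcard_to_network(parts[6], parts[7])))
    return entries


def is_interesting(entries, src_ip, dst_ip):
    """True if a packet src->dst matches the crypto ACL and would trigger the tunnel."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def mirror_gaps(local_entries, remote_entries):
    """Local entries whose exact (dst, src) mirror is absent on the remote side."""
    remote = {(str(s), str(d)) for s, d in remote_entries}
    return [(str(s), str(d)) for s, d in local_entries if (str(d), str(s)) not in remote]


LOCAL = parse_crypto_acl(LOCAL_ACL)
REMOTE = parse_crypto_acl(REMOTE_ACL)
```

With these inputs, a call from 192.168.238.5 to 192.168.3.10 is interesting from the local side but not from the remote side, which is exactly the one-directional symptom Xavier describes.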