1. London is a Cisco router running c7200-is56i-mz_120-8.bin.
The customer is having particular problems with dial in users.
These dial in via a router (Manchester) > VPN tunnel > Router head office (London) > Server. Manchester is running c3620-is56i-mz_120-12.bin.
We have done some testing between these 2 routers with the same results.
The customer logged in locally at Manchester and set a session going to London; debugging traces at the London and Manchester routers showed the SAs were establishing in about 2 seconds. In the meantime, the customer login would not appear until 15-20 seconds later, after an auto retry by the customer's application. If the connection is manually dropped just after 2-3 seconds and retried manually, the login is virtually instant, as the SAs are then already established. If encryption is taken off there are no problems. It does not appear to be a B/W problem.
The customer has been told that extending the delay on the application is not possible. I do wonder, though, if it is possible to reduce the retry time to, say, 3 seconds.
2. ? I will find out. I suspect W2K.
3. I do not think there are any bandwidth problems.
So you are actually using LAN-to-LAN tunnels, right?
The negotiation of LAN-to-LAN tunnels between Cisco routers is dynamic or traffic triggered. The first packet that triggers the negotiation normally will be sacrificed, which causes the retry of the customer's application. The DH computation in IKE negotiation is quite CPU intensive, and the current 7200 does the computation in software.
One thing you can do in this situation is, if you know when the customer uses the connection, try to bring up the tunnel beforehand (set up a cron job on a Unix machine) and set the IKE lifetime long enough to cover the period your customer uses the tunnel. Or ask your customer to send a ping first, then try his application ~_^
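The cron-driven warm-up suggested in the reply above, sketched as an added example that is not part of the original thread. It retries because the first probe is expected to be lost during SA negotiation. The host address, script path, schedule and `ping` options (Linux iputils syntax) are assumptions.

```shell
#!/bin/sh
# Added example: tunnel warm-up probe intended to be run from cron.
# Assumption: REMOTE_HOST is a placeholder for a host behind the London
# router whose traffic matches the crypto ACL (192.0.2.10 is a
# documentation address, not a value from the thread).
REMOTE_HOST="${REMOTE_HOST:-192.0.2.10}"

# Default probe: one ICMP echo with a 2 second timeout (Linux iputils).
probe_ping() {
    ping -c 1 -W 2 "$REMOTE_HOST" >/dev/null 2>&1
}

# warm_tunnel MAX_TRIES PROBE_CMD
# Runs PROBE_CMD until it succeeds. The first probe is expected to be
# dropped while the SAs are negotiated, so one failure is not an error.
# Prints the number of attempts used; returns 1 if every attempt failed.
warm_tunnel() {
    max_tries=$1
    probe=$2
    attempt=1
    while [ "$attempt" -le "$max_tries" ]; do
        if "$probe"; then
            echo "$attempt"
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "${RETRY_DELAY:-1}"
    done
    echo "$max_tries"
    return 1
}

# Only probe when called with "run", e.g. from an (assumed) crontab entry
# covering working hours, at an interval shorter than the SA lifetime:
#   */5 7-18 * * 1-5 /usr/local/bin/warm_tunnel.sh run
if [ "${1:-}" = "run" ]; then
    if tries=$(warm_tunnel 5 probe_ping); then
        logger -t warm_tunnel "path to $REMOTE_HOST up after $tries probe(s)"
    else
        logger -t warm_tunnel "path to $REMOTE_HOST down after $tries probes"
        exit 1
    fi
fi
```

A logged attempt count above 1 during the customer's working hours means the SAs had expired between runs, so the probe interval or the configured lifetimes need adjusting.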