
New Member

IPSec establishment problems

Customer is trying to establish a connection to server 172.21.9.219 at London from address 192.168.233.1 at Manchester.

It appears that the SAs are not getting established in time for the customer's login application.

If, however, the SAs are up, then the login is virtually instant.

The SAs come up in a couple of seconds, but I suspect not quickly enough for the customer's application.

I don't think they can slow down their application, which I suspect means I won't be able to fix this problem?

Has anybody got any ideas on how to get around this problem?

See logs & debug traces.


4 REPLIES
New Member

Re: IPSec establishment problems

Please answer several questions first:

1. What is the server product at London? IOS router, VPN3K, or PIX? And what's the version of the image?

2. What does your customer use to connect to the server? Cisco Unity Client, w2k client, SafeNet client, hardware client or another router...?

3. Do you have the same problem when you are in the server room? How's the bandwidth of your customer's connection to the server? Is it stable?

Thanks.

New Member

Re: IPSec establishment problems

Some answers:

1. London is a Cisco router running c7200-is56i-mz_120-8.bin.

The customer is having particular problems with dial in users.

These dial in via a router (Manchester) > VPN tunnel > router at head office (London) > server. Manchester is running c3620-is56i-mz_120-12.bin.

We have done some testing between these 2 routers with the same results.

Manchester > London

The customer logged in locally at Manchester and set a session going to London. Debugging traces at the London and Manchester routers showed the SAs were establishing in about 2 seconds. In the meantime the customer login would not appear until 15-20 seconds later, after an auto retry by the customer's application. If the connection is manually dropped just after 2-3 seconds and retried manually, the login is virtually instant, as the SAs are then already established. If encryption is taken off there are no problems. It does not appear to be a B/W problem.

The customer has been told that extending the delay on the application is not possible. I do wonder, though, if it is possible to reduce the retry time to, say, 3 seconds.

2. I will find out. I suspect w2k.

3. I do not think there are any bandwidth problems.

Thanks

New Member

Re: IPSec establishment problems

So you are actually using LAN-to-LAN tunnels, right?

The negotiation of LAN-to-LAN tunnels between Cisco routers is dynamic, or traffic-triggered. The first packet that triggers the negotiation will normally be sacrificed, which causes the retry of the customer's application. The DH computation in IKE negotiation is quite CPU intensive, and the current 7200 does the computation in software.

One thing you can do in this situation is, if you know when the customer uses the connection, try to bring up the tunnel beforehand (set up a cron job on a Unix machine) and set the IKE lifetime long enough to cover the period your customer uses the tunnel. Or ask your customer to send a ping first, then try his application ~_^

Hope it helps.
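The "bring the tunnel up beforehand" suggestion in the reply above, as an added shell example that is not part of the thread or of any Cisco tooling: a small POSIX sh script intended to run from cron on a Unix host behind the Manchester router. It sends probe traffic (one ping per attempt by default) to the London server address given in the thread, 172.21.9.219, and keeps probing until the far side answers, so the IKE and IPsec SAs already exist when the GroupWise login starts. The probe command, retry count, interval and cron schedule are assumed parameters; the router-side SA lifetime that keeps the tunnel up for the working period is router configuration and is not shown here.

```shell
#!/bin/sh
# Added example (not from the thread): pre-warm a traffic-triggered IPsec
# LAN-to-LAN tunnel so the application's first packet is not the one that
# has to trigger IKE and gets dropped while the SAs negotiate.
#
# Usage: warm_tunnel HOST [MAX_TRIES] [PROBE_CMD]
#   HOST       address on the far side of the tunnel (172.21.9.219 in the thread)
#   MAX_TRIES  how many probes to send before giving up (assumed default 10)
#   PROBE_CMD  command that sends one packet across the tunnel; the default,
#              a single ping with a 2 s reply timeout, is an assumption
# The pause between probes comes from WARM_INTERVAL (seconds, default 1).
warm_tunnel() {
    host=$1
    max_tries=${2:-10}
    probe=${3:-"ping -c 1 -W 2"}
    interval=${WARM_INTERVAL:-1}
    tries=1
    while [ "$tries" -le "$max_tries" ]; do
        # The first probe is the sacrificial packet that triggers IKE;
        # a later one succeeds once both SAs are installed on the routers.
        if $probe "$host" >/dev/null 2>&1; then
            echo "tunnel to $host ready after $tries probe(s)"
            return 0
        fi
        tries=$((tries + 1))
        sleep "$interval"
    done
    echo "tunnel to $host not ready after $max_tries probe(s)" >&2
    return 1
}

# Example crontab line (assumed schedule): warm the tunnel at 08:55 on
# weekdays, before users start logging in, and pair it with IKE and IPsec
# SA lifetimes on both routers that cover the working day.
#   55 8 * * 1-5 /usr/local/bin/warm-tunnel.sh 172.21.9.219
#
# Send traffic only when invoked directly with a host argument, so the
# function can also be sourced without probing anything.
if [ -n "$1" ]; then
    warm_tunnel "$@"
fi
```

A non-zero exit from the cron job is the signal worth alerting on: it means the tunnel did not come up before the users arrived, which is exactly the condition the thread describes.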

New Member

Re: IPSec establishment problems

Sorry about any delay, but I have now been able to clarify the exact set-up of the customer's network.

Now, after speaking directly to the customer, he has stated that remote users dial in via London through a VPN tunnel to a mail server at Manchester.

There are two firewalls en route.

The customer's client/server application is GroupWise (Novell/NetWare) and they are running Win2k.
