IPSec establishment problems

grichardson
Level 1

Customer is trying to establish a connection to server 172.21.9.219 at London from address 192.168.233.1 at Manchester.

It appears that the SAs are not getting established in time for the customer's login application.

If, however, the SAs are already up, then the login is virtually instant.

The SAs come up in a couple of seconds, but I suspect not quickly enough for the customer's application.

I don't think they can slow down their application, which I suspect means I won't be able to fix this problem?

Has anybody got any ideas on how to get around this problem?

See logs & debug traces.


4 Replies

wufan
Level 1

Please answer several questions first:

1. What is the server product at London? IOS router, VPN3K, or PIX? And what is the version of the image?

2. What does your customer use to connect to the server? Cisco Unity Client, W2K client, SafeNet client, hardware client or another router...?

3. Do you have the same problem when you are in the server room? How is the bandwidth of your customer's connection to the server? Is it stable?

Thanks.

Some answers

1. London is a Cisco router, running c7200-is56i-mz_120-8.bin.

The customer is having particular problems with dial-in users.

These dial in via a router (Manchester) > VPN tunnel > router at head office (London) > server. Manchester is running c3620-is56i-mz_120-12.bin.

We have done some testing between these 2 routers with the same results.

Manchester > London

The customer logged in locally at Manchester and set a session going to London. Debugging traces at the London and Manchester routers showed the SAs were establishing in about 2 seconds. In the meantime the customer login would not appear until 15-20 seconds later, after an auto retry by the customer's application. If the connection is manually dropped just after 2-3 seconds and retried manually, the login is virtually instant, as the SAs are then already established. If encryption is taken off there are no problems. It does not appear to be a B/W problem.

The customer has been told that extending the delay on the application is not possible. I do wonder, though, if it is possible to reduce the retry time to, say, 3 seconds?

2. ? I will find out... I suspect W2K.

3. I do not think there are any bandwidth problems.

Thanks

So you are actually using LAN-to-LAN tunnels, right?

The negotiation of LAN-to-LAN tunnels between Cisco routers is dynamic, or traffic triggered. The first packet that triggers the negotiation normally will be sacrificed, which causes the retry of the customer's application. The DH computation in IKE negotiation is quite CPU intensive, and the current 7200 does the computation in software.

One thing you can do in this situation is, if you know when the customer uses the connection, try to bring up the tunnel beforehand (set up a cron job on a Unix machine) and set the IKE lifetime long enough to cover the period your customer uses the tunnel. Or ask your customer to send a ping first, then try his application ~_^

Hope it helps.
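An added example, not from this thread or from any Cisco material: a small POSIX shell script a cron job can run shortly before the customer's login window to pull the traffic-triggered tunnel up, and which reports how many leading probes went unanswered while the SAs negotiated (the "sacrificed" packets described above). The peer address is the London server from the thread; the probe count and interval, the `icmp_seq=` output format, and the constructed sample output are assumptions.

```shell
#!/bin/sh
# Pre-warm an IPsec LAN-to-LAN tunnel so the SAs exist before the application
# connects, and measure how many probes were lost during IKE/IPsec negotiation.

PEER_HOST="${PEER_HOST:-172.21.9.219}"   # London server from the thread

# count_leading_losses: read ping output on stdin and print how many probes
# were sent before the first reply arrived (icmp_seq of first reply minus the
# starting sequence number). Prints -1 if no reply at all. Assumes replies
# carry an "icmp_seq=N" field; Linux starts at 1, BSD ping at 0, so the
# caller passes the start value (default 1).
count_leading_losses() {
    start="${1:-1}"
    awk -v start="$start" '
        /icmp_seq=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^icmp_seq=/) { split($i, a, "="); seq = a[2] }
            found = 1
            print seq - start
            exit
        }
        END { if (!found) print -1 }'
}

# warm_tunnel: send a short burst of probes, two seconds apart, which gives
# IKE phase 1/2 time to finish. Returns 0 once at least one reply is seen
# (the tunnel is up), 1 otherwise. Interval/count are assumed values.
warm_tunnel() {
    if out=$(ping -c 5 -i 2 "$PEER_HOST" 2>&1); then
        lost=$(printf '%s\n' "$out" | count_leading_losses 1)
        echo "tunnel to $PEER_HOST is up; $lost leading probe(s) lost during negotiation"
        return 0
    fi
    echo "no reply from $PEER_HOST; tunnel did not come up" >&2
    return 1
}

# Constructed sample of Linux ping output: seq 1 and 2 were lost while the
# tunnel negotiated, and replies begin at seq 3.
SAMPLE_PING_OUTPUT='PING 172.21.9.219 (172.21.9.219) 56(84) bytes of data.
64 bytes from 172.21.9.219: icmp_seq=3 ttl=62 time=41.2 ms
64 bytes from 172.21.9.219: icmp_seq=4 ttl=62 time=39.8 ms
64 bytes from 172.21.9.219: icmp_seq=5 ttl=62 time=40.1 ms

--- 172.21.9.219 ping statistics ---
5 packets transmitted, 3 received, 40% packet loss, time 4005ms'

# Run from cron a minute before the login window, e.g. "59 7 * * 1-5 warm.sh --run"
if [ "${1:-}" = "--run" ]; then warm_tunnel; fi
```

Pair the cron schedule with an IKE/IPsec SA lifetime long enough to span the whole period the application is in use, as suggested above, otherwise the first packet after a rekey or idle timeout is sacrificed again.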

grichardson
Level 1

Sorry about any delay, but I have now been able to clarify the exact set-up of the customer's network.

Now, after speaking directly to the customer, he has stated that remote users dial in via London through a VPN tunnel to a mail server at Manchester.

There are two firewalls en route.

The customer's client/server application is GroupWise on Novell NetWare, and they are running Win2k.
