10-20-2008 02:17 AM - edited 02-21-2020 03:59 PM
I have set up a basic site-to-site VPN, one side dynamic, one side static. When using SDM, there is a 'test connection' button; when I hit that button it tests the VPN, and it says that it works, and the VPN does work. At some point, the VPN will drop, and never re-establish.
The only way to get the VPN to re-establish is to press the test button in SDM on the dynamic side... So I am convinced this is some sort of issue on that side, because the static side doesn't know about the dynamic side until it gets an establish request, which it never gets (did a debug on the static side).
Any ideas? Thanks.
DYNAMIC SIDE
------
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key KEY_WENT_HERE address REMOTE_STATIC_PEER
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to REMOTE_STATIC_PEER
 set peer REMOTE_STATIC_PEER
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
!
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.5.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark access to remote phone vlan
access-list 102 permit ip 10.5.1.0 0.0.0.255 10.200.102.0 0.0.0.255
access-list 175 remark SDM_ACL Category=18
access-list 175 remark access to remote phone vlan
access-list 175 deny ip 10.5.1.0 0.0.0.255 10.200.102.0 0.0.0.255
access-list 175 remark IPSec Rule
access-list 175 deny ip 10.5.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 10.5.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 175
!
interface Dialer1
 bandwidth 10000000
 ip address negotiated
 no ip unreachables
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 no fair-queue
 ppp authentication pap callin
 ppp pap sent-username username password 0
 crypto map SDM_CMAP_1
10-20-2008 01:04 PM
Justin
Are there routing statements in the dynamic side router? If so can you post them?
If the tunnel does not normally re-establish on its own, it suggests that there is not interesting traffic. Are you sure that something is attempting to send traffic from the dynamic side to the static side? If so can you describe what that is?
HTH
Rick
10-20-2008 05:08 PM
Rick;
This is what I assumed as well, no interesting traffic so the link dropped off. Is there any way to tell the link to be persistent? I was attempting a ping from the dynamic side to the static side and it wasn't establishing -- until I did an extended ping, and forced it to use the inside interface as its source address, and the tunnel came up.
Because only the dynamic side can establish the link, it would be great if the dynamic side would be persistent.
10-23-2008 09:29 AM
Justin
In most of the IPSec VPNs that I have done we have run a dynamic routing protocol over the tunnel. The hello traffic of the protocol has been effective in keeping the tunnel active. If you are not running a routing protocol is there something that can be done at the dynamic side to generate periodic traffic (perhaps a cron job that would send a ping)?
HTH
Rick
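One way to generate the periodic traffic Rick describes without a routing protocol or an external cron host is to have the dynamic-side router itself send a scheduled ICMP probe that matches crypto ACL 102. This is an added example, not configuration from either poster; the source and destination addresses (10.5.1.1 as the dynamic router's LAN address, 192.168.2.1 as a host behind the static peer that answers ping) are assumed, chosen only so the probe falls inside the 10.5.1.0/24 to 192.168.2.0/24 rule. As Justin's extended-ping test showed, the source address is the important part: a ping sourced from the Dialer1 address would not match ACL 102 and would never bring the tunnel up.

```cisco
! Added example: router-generated keepalive traffic on the dynamic side.
! Assumed addresses: 10.5.1.1 = this router's inside address,
! 192.168.2.1 = a reachable host on the static side. Both must fall inside
! the "permit ip 10.5.1.0 0.0.0.255 192.168.2.0 0.0.0.255" entry of ACL 102,
! otherwise the probe is sent in the clear and does not trigger the crypto map.
ip sla 1
 icmp-echo 192.168.2.1 source-ip 10.5.1.1
 frequency 30
ip sla schedule 1 life forever start-time now
!
! Verification (exec mode), after at least one probe interval:
!   show ip sla statistics 1      - probe success/failure counts
!   show crypto isakmp sa         - phase 1 SA should be QM_IDLE
!   show crypto ipsec sa          - encaps/decaps counters should increase
```

Two caveats. On IOS releases older than 12.4(4)T the feature is configured as `ip sla monitor 1` / `ip sla monitor schedule 1 ...` with the same sub-commands. And the `crypto isakmp keepalive 10 periodic` already in the config (dead peer detection) only tears down a dead SA; it does not by itself send interesting traffic, so DPD alone will never re-initiate the tunnel from the dynamic side.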