Strange timeout Problem with 836 Router and (maybe) VPN

mkoenig
Level 1

Hello,

I've got a strange problem with outside connections from an 836 router which establishes a VPN tunnel to our PIX. Everything works well for just about 1 week - and suddenly the users behind the router get no login and I'm not able to connect to the router by ISDN - until the router is reset - then again everything works. The connection is done by DSL and a dynamic IP. The users work with a terminal over a terminal server which makes telnet connections to our database server.

I think there is a timeout somewhere which is not reset - but where?

Router IOS 12.3(4)T, Pix 6.3(1)

5 Replies

dshinde
Level 1

Hi,

Does the VPN tunnel drop frequently? If that is the case, then you need to enable isakmp keepalives:

Router : crypto isakmp keepalive 30 5

Pix : isakmp keepalive 30 5

Note: The first number is the keepalive interval in seconds. It says to send a keepalive every 30 seconds. This can be adjusted from 10 seconds to 3600. The second number is the retry interval. The device will try 5 consecutive times to reach the peer before dropping the connection if it has not heard from the other device.

Please let me know if this helps, mail me if you have any queries.

Thanks.

Hello dshinde,

thank you for your reply.

I'll try it out. I've looked a lot for timeouts and how to configure them. Would it be helpful to see my configurations? Because there is one router (with IOS 12.2.(13)ZH2) with a slightly different configuration (even for the access-list and for nat/overload) and there are no timeout problems (the users behave the same).

And by the way - I figured out that it is not possible in IOS 12.3(4)T to set the crypto ipsec security-association lifetime in crypto map xyz configuration; it works only in "global" mode (will be regarded).

Kind regards

M.König

Hello,

so I now know that the isakmp timeout is NOT the problem.

The DSL router is connected in Germany with German Telekom and gets a dynamic address. Every day at midnight the DSL connection is disconnected - no problem - next morning I can establish a connection. But this works for only one week (exactly and repeatably); after this time it will not be possible to make a connection - no IP is assigned (SNTP is running - but no effect). So the dialer and the vi1 will make a connection and in the same moment it shuts down (I see this in the log). When I turn down and turn up the router - everything is fine again for one week.

But where is the problem?? The German Telekom isn't it - another router (with IOS 12.2.(13)ZH2) is still running and the DSL sync is o.k. (I see this on the LEDs).

Any help for this??

Kind regards

M.König

Hi

Yes, the problem seems to be with the German Telekom. The problem lies with the DHCP lease time (dynamic IP address assignment to your DSL router) being very short and with the IP assignment.

Hence we need to make sure of the lease time from the ISP and keep it for a longer period.

Since the PIX on the other side is configured for dynamic crypto maps, as it does not know the IP of your router (it keeps changing), the peer IP is set to 0.0.0.0 on the PIX.

If the ISP assigns a different IP to your router after the lease time, the PIX will understand this IP only after the router is rebooted.

Please let me know if this helps, mail me if you have any queries.

Thanks,

Deepali

Hello,

..hm, this is no explanation for the fact that the router with the different IOS is able to manage, and, if your opinion were right, the reboot would have to be after every change of the IP assignment (every morning, because the connection is disconnected every night and then mostly a different IP is assigned), and ... why does the ISDN call-in not work? So in my opinion there are 2 possibilities: 1. The configuration of the router which is able to manage is different (even in the VPN configuration) and / or 2. There is different handling by the IOS versions used.

I will look for the IPs assigned to the router and write them down.

Kind regards

M.König
