I can not get any SSH or ping connections on the WAN interface until I perform an extended ping from the BVI1 interface.

I use PuTTY on a server on the main subnet (192.9) and PuTTY on my computer (which is on the 102.x network). I have checked and the settings for the PuTTY clients are exactly the same for each 871 we have.

My thought has always been an internal issue on our LAN (routing, firewall rule, etc), but the WAN Administrator has checked that and said everything is fine. My thought now is that the 192.9 network can connect because of the VPN tunnel it is keeping open (our VPN concentrator is on the 192.9 network). So therefore, a ping from BVI1 to the 192.9 default gateway is not necessary as the tunnel is performing the same function. I hope I am making sense of this. So, I am wondering if there is a way to perform a keepalive for certain subnets, i.e. can I have the 871 send a keepalive request (or ping) to the default gateway of the 101 and 102 subnets to avoid a timeout? Cause as I said before, once the ping has been performed from the BVI1 interface to the default gateway of the subnet, I can access the 871 via SSH until the timeout. If I keep a ping going from my PC (102.x) to the 871, the interface stays open and I can SSH, but if I stop and allow the connection to timeout, I have to perform the extended ping again.

Any ideas?

Including that info in the initial post would have been beneficial.

edit: It sounds like your WAN Administrator has configured ACLs, Inspection, or both (at HQ) to prohibit tunnel initiation from the 101 & 102 subnets (deliberately or erroneously).

Unless there is a specific (unstated) requirement for this, it should be provisioned such that the tunnel can be initiated from either end, and from any of the networks defined within the crypto protection suite.

If you want to initiate and sustain IPsec SAs from the remote side, you might consider using NTP to synchronize the 871's clocks with a clock at HQ, or implement IPSec + GRE tunnels and run dynamic routing updates through the tunnel.

Sorry about not posting that at the beginning. I am more of a Desktop Support guy myself, so I wasn't sure what information would be helpful.

I am confused by the statement that my Admin has prohibited tunnel initiation from 101 and 102. If that were the case, I would not be able to get any SSH capabilities to the 871's from 101 and 102, correct? In other words, even though I can SSH to the 871 from the 101/102 subnets after I run the extended ping from the 871 BVI1 interface, he could still be prohibiting access?

According to my Admin, the 871 firewall/vpn rules are created as though they are just another extension of our DHCP LAN. He has looked over the firewall/routing aspect of our LAN a few times and insists that it has to be an issue with the 871 configuration.

Let me add a note that I just realized. From a laptop hooked up to an 871 (with a 871 DHCP given address of 192.168.100.100), I can ping all 3 subnets, but cannot ping the other 871 networks. However, even though I can ping my computer on the 102.x subnet from a laptop within the 871 network, I cannot ping the laptop within the 871 network from my PC.

Thanks for your assistance so far. I do appreciate it.

My interpretation of your post was that you felt that you needed to bring up the IPSec tunnel by triggering it with a ping from the remote side. My view is that you should be able to trigger it with traffic initiated from either end, and that if you can't, you should determine why that is.

I would clear the IPSec SAs (inbound and outbound) for the 102.x - 100.x protected flow from the SA database, then initiate an SSH connection from your 102.x host to the 871 (presumably BVI1, but you haven't confirmed that).

Then examine the SA database to confirm that new IPSec SAs are successfully created for the 102.x - 100.x protected flow, regardless of whether the SSH connection is successfully established or not. Determining whether the IPSec SAs are established will help you determine your next step.

If IPSec SAs are not successfully negotiated for this protected flow, your SSH connection initiation will fail due to the private destination IP address which requires the encapsulation to be provided by IPSec (ESP most likely). You would then need to identify why IPSec SAs could not be successfully negotiated.

If IPSec SAs are successfully negotiated, but SSH connection establishment fails, you will need to pursue that avenue of exploration.

It is important to note that it takes time to establish IPSec SAs, particularly when using a lower-end router like an 871. I would not necessarily expect the first SSH attempt to work.

The first packet that matches the crypto ACL entry for that protected flow will trigger the negotiation of IPSec SAs (assuming an ISAKMP SA already exists). If an ISAKMP SA does not exist, it will have to be negotiated first.

The time that is required to negotiate the required SAs may exceed the timeout for SSH connection setup.

Once the SAs exist, a subsequent SSH connection would be expected to succeed given no other configuration issues.

I would place a Sniffer on the WAN port and watch for any indication of asymmetrical operation (e.g.: SSH not being encapsulated within the IPSec tunnel). This could indicate an issue with non-mirrored crypto ACLs, or perhaps a NAT issue.

With regard to not being able to ping the laptop within the 871 network from your PC, you should determine whether that is within your security policy or not (i.e.: is it supposed to work, or is it denied by security policy).