Cisco Support Community
Community Member

Tunnel dropping connection

I have two networks currently, Network A and B. Network A is a remote location where users connect to B through VPN. Once they establish a tunnel they RDP to a terminal server. On this terminal server there are several printers installed. These printers actually live on Network A and are connected to B by a 3002 hardware VPN client. So, to recap, the users VPN in to B and print to printers located on site A. B has a 10.1.1.x network and the printers' network is 10.2.2.x. I added persistent routes on the terminal server so that traffic routes. I know this is a kludgy setup and you are probably asking me why we don't just use split tunneling. GOVT. system so I can't. In any event, this setup works; however, anytime the terminal server reboots or the hardware client loses power the tunnel doesn't fully re-establish. I can see the HW client connected from the concentrator but there is no traffic passing and I can no longer ping the printers' network from the terminal server. Here is where it gets interesting! If I initiate a ping from a printer from site A to the terminal server the pings are answered and I can connect again! It is the weirdest thing! I have all the latest software. Anyone else experience this? I know it's unlikely because of the silly arrangement I have on my network but any help would be great. Thanks.

5 REPLIES
Cisco Employee

Re: Tunnel dropping connection

Hi,

This is the default behaviour of EzVPN PAT mode. The traffic has to be initiated from Site A (HW Client) to get the IPSec SA built. Once the SAs are built, the traffic will flow bidirectionally.

*Please rate if helped.

-Kanishka

Community Member

Re: Tunnel dropping connection

We are running in Network extension mode, not PAT. Any other suggestions?

Cisco Employee

Re: Tunnel dropping connection

Hi Robert,

It is the default behaviour not only for PAT mode but for EzVPN altogether. So, the traffic has to be initiated from the client's end so that the IPSEC SA can be built and once it is built, it can be bidirectional.

Regards,

Kamal

Community Member

Re: Tunnel dropping connection

The problem he describes sounds an awful lot like a problem I have run into with a site-to-site VPN connection that drops the tunnel periodically with no rhyme or reason.

The ASA in question is running 7.2.2 and terminates tunnels with two peers.

Community Member

Re: Tunnel dropping connection

I was running a PIX 501 tunnel using NEM to my ASA 5520 and found that if the network connection was cut in between then the ASA would not tear down the existing connection (even with keepalives on). I removed the NEM and it was perfect. Just my experience with it.

-chris
