Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
541
Views
5
Helpful
5
Replies

Tunnel dropping connection

robertacree
Level 1
Level 1

‎02-27-2007 08:08 AM - edited ‎02-21-2020 01:25 AM

I have two networks currently. Network A & B. Network A is a remote location where users connect to B through VPN. Once they establish a tunnel they rdp a terminal server. On this terminal server there are several printers installed. These printers actually live on Network A and are connected to B by a 3002 hardware vpn client. So, a recap, the users vpn in to B and print to printers located on site A. B has a 10.1.1.x network and the printers network is a 10.2.2.x. I added persistent routes on the terminal server so that traffic routes. I know this is a cludgy setup and you are probably asking me why don't we just use split tunneling. GOVT. system so I can't. In any event, this setup works, however, anytime the terminal server reboots are the hardware client loses power the tunnel doesn't fully re-establish. I can see the HW client connected from the concentrator but there is no traffic passsing and I can no longer ping the printers network from the terminal server. Here is where it gets interesting! If I initiate a ping from a printer from site A to the terminal server the pings are answered and I can connect again! It is the weirdest thing! I have all the lastest software. Anyone else experience this??? I know it's unlikely because of the silly arrangement I have on my network but any help would be great. Thanks.

0 Helpful
5 Replies 5

kaachary
Cisco Employee
Cisco Employee

‎03-04-2007 05:08 AM

Hi,

This is the default behaviour of EzVPN PAT mode. The traffic has to be initiated from Site A (HW Client), to get IPSec SA built. Once, the SA are built, the traffic will flow bidirectionally.

*Please rate if helped.

-Kanishka

0 Helpful

robertacree
Level 1
Level 1
In response to kaachary

‎03-05-2007 05:38 AM

We are running in Network extension mode, not PAT. Any other suggestions?

0 Helpful

Kamal Malhotra
Cisco Employee
Cisco Employee
In response to robertacree

‎03-05-2007 09:51 AM

Hi Robert,

It is the default behaviour not only for PAT mode but for EzVPN altogether. So, the traffic has to be initiated from the client's end so that the IPSEC SA can be built and once it is built, it can be bidirectional.

Regards,

Kamal

laurent.geyer
Level 1
Level 1
In response to Kamal Malhotra

‎03-07-2007 12:46 PM

The problem he describes sounds an awful lot like a problem I have run into with a site-to-site VPN connection that drops the tunnel periodically with no rhyme or reason.

The ASA in question is running 7.2.2 and terminates tunnels with two peers.

0 Helpful

cgleaves
Level 1
Level 1
In response to robertacree

‎03-14-2007 12:43 PM

I was running a PIX 501 tunnel using NEM to my asa 5520 and found that if the network connection was cut in-between then the ASA would not tear down the existing connection (even with keep alives on). I removed the NEM and it was perfect. Just my experience with it.

-chris

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card