Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dynamic to Static VPN dies after about 4 minutes

Hey everyone, I have an interesting issue with a dynamic to static VPN setup. I currently run a pair of Cisco Pix 515e firewalls in a failover setup. They are running OS 8.0.4 and they run great. I used to have a VPN between these and my office where the remote office had a static IP address. I am moving that to a new connection which uses dynamic IP addresses.

I setup a pre-shared key on the DefaultL2LGroup on the Pix and removed the existing static tunnel-group. I also reconfigured the remote firewall which is a Netgear firewall to connect to the Pix. It is still using main mode and the rest of the setup is pretty much the same.

The VPN connection establishes fine and I can pass traffic through it with no issues. The problem is that every 3 minutes and 50 seconds, the VPN will go down for a few seconds. It looks like it rekeys. My stuff will stop responding and then it will re-establish and it is fine. It happens every 3 minutes and 50 seconds like clockwork.

I have checked everything I could think of and am not sure where the issue is. I know I can do detailed debugs on the IPSec but am not sure what I should be looking there. The basic debug just givs the generic message below that says the tunnel can't communicate with the peer. I have seen that message before but not usually with a VPN that establishes. Generally if this message comes up, the tunnel never works.

Any ideas would be great.



Group = DefaultL2LGroup, IP = X.X.X.X, Removing peer from peer table failed, no match!

Group = DefaultL2LGroup, IP = X.X.X.X, Error: Unable to remove PeerTblEntry

New Member

Dynamic to Static VPN dies after about 4 minutes

I did more testing and it seems that the tunnel sites at the MM_ACTIVE state and doesn't go past that. The information is the same on both ends of the tunnel and traffic passes fine when at this state but then it rekeys after about 4 minutes and starts again.

I tried changing the tunnel to an Aggresive Mode tunnel but using a name for the remote office firewall ID and now it sits at AM_ACTIVE but doesn't go past that point either.