Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
583
Views
0
Helpful
10
Replies

L2L between PIX and VPNC3000.

andrea.meconi
Level 2
Level 2

‎05-29-2006 05:34 AM

When VPNC or PIX disconnect a L2L if there isn't interesting traffic?

Thanks.

Andrea.

Labels:
0 Helpful
10 Replies 10

a.kiprawih
Level 7
Level 7

‎05-29-2006 06:01 AM

Hi Andrea,

Termination of L2L tunnel does not necessarily due to no interesting traffic to trigger, or to maintain the tunnel to stay connected (after no activity within certain period of time).

Nevertheless, this could also due to configuration issue, e.g someone made changes during L2L tunnel session, network connectivity issue (on LAN/WAN) between the VPN devices, or could be one of the VPN device internal operational issues (firmware/image, memory, etc).

Rgds,

AK

0 Helpful

andrea.meconi
Level 2
Level 2
In response to a.kiprawih

‎05-29-2006 11:15 AM

Many thanks for your help but I don't understand well!

My L2L never goes down! Why?

Regards.

Andrea.

0 Helpful

a.kiprawih
Level 7
Level 7
In response to andrea.meconi

‎05-30-2006 01:34 AM

It's hard to tell why. You need to capture & take a look at the log and probably run debug to get additional info.

Apart from that, you also need to check/verify the VPN config on both VPN devices are correctly done (just in case if someone made changes).

Rgds,

AK

0 Helpful

andrea.meconi
Level 2
Level 2
In response to a.kiprawih

‎05-30-2006 06:06 AM

I think that DPD takes up my L2L when no interesting traffic between VPNC and PIX.

Regards.

Andrea.

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee
In response to andrea.meconi

‎05-31-2006 02:35 AM

Hello,

DPD are never sent when the tunnel is idle. They are only sent when there is a traffic. They follow the traffic, otherwise if there is a dead peer the other side will never know that the traffic is going into oblivion. If DPD will be sent on an idle tunnel then the tunnel will never drop, again a security hazard and against RFC.

Check the DPD RFC for more info.

Vikas

0 Helpful

a.kiprawih
Level 7
Level 7

‎05-30-2006 07:05 AM

It could be. How long your L2L has been running before the problem started?

DPD function is similar to Cisco IOS keepalives. If this is the case, try to adjust the timer to maximum/longer time.

But I think, run the debug (debug crypto isakmp) command to verify what's happening to your VPN setup.

The following doc gives you a good DPD explanation:

http://www.cisco.com/en/US/partner/products/ps6635/products_white_paper09186a00801ee19a.shtml#wp1027129

Rgds,

AK

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee

‎05-31-2006 02:37 AM

Hello,

The tunnel between a PIX and a Conc. will drop when the isakmp tunnel drops. If you really want your tunnel to be dropped when there is no traffic plan for a shorted isa and ipsec timers.

With router this scenario is little different.

Vikas

0 Helpful

andrea.meconi
Level 2
Level 2
In response to Vikas Saxena

‎05-31-2006 04:53 AM

I have just tried with a different timers without success. My L2L comes up with interesting traffic and never goes down.

Regards.

Andrea.

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee
In response to andrea.meconi

‎05-31-2006 08:52 PM

Hello,

Please give us the timer values in PIX as well as in Conc.

Vikas

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee
In response to Vikas Saxena

‎05-31-2006 08:54 PM

Hello,

Please drop the tunnel and collect the debugs after initiating it from PIX.

The lesser timer value should be accepted as per the RFC.

Vikas

0 Helpful
Customers Also Viewed These Support Documents