Re: Keeping up a 857 EZVPN

OliverDarvall · ‎03-14-2012

Guys,

We have a VPN using 857 and 877 routers as remote connecting in to a 2800 EZVPN Server.

The VPN is working fine. However, the VPN connections sometimes (after a few hours/days) seem to "freeze". A "show crypt sess" shows the connections as Up/Active, but you can not ping antyhing from remote to server, or visa versa, nor does any traffic flow. I then added a "isakmp keep-alive" on the 2800, which improved the situation a bit, but not as much as I hoped.

On the 877 I then implemented a IP SLA, with Object Tracking and then use a Event Manager to just issue a "clear crypto session" . This solved the problem.

However, what do I do on the 857 ? It does not support Object Tracking or the Event Manager. Is there any other mechanism to monitor and reset these frozen/stale VPN connections automatically ?

Thanks !

paolo bevilacqua · ‎03-15-2012

Are you using latest IOS ?

Connections should never go in a forzen state and require clear to restart. That is an IOS bug.

OliverDarvall · ‎03-15-2012

No, not quite. We have a mixture of versions :

12.4.(15)T7

12.4.(15)T9

12.4.(15)T10

12.4.(15)T15

The routers are geographically distributed, so updateing all could be a challenge.

Are you aware of issues with those versions ?

paolo bevilacqua · ‎03-15-2012

T17 is the last. Update one and check with it.

OliverDarvall · ‎03-15-2012

Will do, but I assume thus that there are now real alternatives to IP SLA + Object Tracking + Event Manager ?

paolo bevilacqua · ‎03-16-2012

A sane network shouldn't need belt and suspenders to work well. After update if still trouble, please contact the TAC.