New Member

Site to Site IPSec Tunnel issue

We have a system in place that pings our remote sites every min or so. We are (apparently randomly) seeing one of our sites go down (loss of ping response) from our main site but other sites can still ping it. After an hour (give or take a few mins) connectivity from main site is restored.

I am thinking key lifetime timeout or something but I really am looking for some advice/direction.

Any thoughts?

Michael

5 REPLIES
Cisco Employee

Re: Site to Site IPSec Tunnel issue

What are the 2 devices that terminate the site-to-site VPN tunnel?

You would want to make sure that the lifetime for both phase 1 and phase 2 (most importantly phase 2) matches between the 2 sites. It would be the "crypto map set security-association lifetime "

Hope that helps.

New Member

Re: Site to Site IPSec Tunnel issue

Thanks for the reply.

One side is a 3725 with the following code:

crypto map <#> ipsec-isakmp
 set peer 1.1.1.1
 set transform-set
 match address 231

The other side is a 2600 with the following code:

crypto map <#> ipsec-isakmp
 set peer 2.2.2.2
 set transform-set
 match address 172

* addresses have been changed to protect the innocent

All our IPSec links are configured in this fashion yet only the links to 2 of the Asia sites have this issue. Other Asia sites do not have any issue.

Cisco Employee

Re: Site to Site IPSec Tunnel issue

Please turn on crypto isakmp keepalive so if the peer is down for whatever reason, it will recover quickly.

Here is the command:

crypto isakmp keepalive 10 3
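
Added example, not part of the thread: a small Python check that compares the phase 1 and phase 2 lifetimes and the `crypto isakmp keepalive` setting between two IOS config excerpts, covering both suggestions above. The sample configs, the map name `VPN`, its sequence numbers and policy number 10 are constructed for illustration; 86400 and 3600 seconds are the IOS defaults used when no lifetime is configured.

```python
import re

ISAKMP_DEFAULT, IPSEC_DEFAULT = 86400, 3600  # IOS default lifetimes, seconds

def parse_timers(config):
    """Extract IKE/IPsec timers from an IOS running-config excerpt."""
    t = {"phase1": {}, "phase2_global": IPSEC_DEFAULT, "phase2_map": {}, "keepalive": None}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace() and section:            # sub-command of the open section
            kind, key = section
            if kind == "policy" and (m := re.fullmatch(r"lifetime (\d+)", line)):
                t["phase1"][key] = int(m.group(1))
            elif kind == "map" and (m := re.fullmatch(
                    r"set security-association lifetime seconds (\d+)", line)):
                t["phase2_map"][key] = int(m.group(1))
            continue
        section = None                               # a top-level line closes it
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            section = ("policy", m.group(1))
            t["phase1"][m.group(1)] = ISAKMP_DEFAULT
        elif m := re.fullmatch(r"crypto map (\S+ \d+) ipsec-isakmp", line):
            section = ("map", m.group(1))
        elif m := re.fullmatch(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            t["phase2_global"] = int(m.group(1))
        elif re.fullmatch(r"crypto isakmp keepalive \d+( \d+)?", line):
            t["keepalive"] = line
    return t

def compare(cfg_a, cfg_b, map_a, map_b, policy="10"):
    """List timer differences between two peers for one tunnel."""
    a, b = parse_timers(cfg_a), parse_timers(cfg_b)
    issues = ["phase 1 lifetime differs"] if a["phase1"].get(policy) != b["phase1"].get(policy) else []
    # A crypto map entry without its own lifetime inherits the global value.
    p2a = a["phase2_map"].get(map_a, a["phase2_global"])
    p2b = b["phase2_map"].get(map_b, b["phase2_global"])
    if p2a != p2b:
        issues.append("phase 2 lifetime differs")
    issues += [f"peer {n} has no isakmp keepalive" for n, p in (("A", a), ("B", b)) if not p["keepalive"]]
    return issues

# Constructed sample configs (not the posters' real configurations).
SITE_A = """crypto isakmp policy 10
 lifetime 86400
crypto isakmp keepalive 10 3
crypto map VPN 20 ipsec-isakmp
 set security-association lifetime seconds 1800
"""
SITE_B = "crypto isakmp policy 10\ncrypto map VPN 30 ipsec-isakmp\n"
```

Calling `compare(SITE_A, SITE_B, "VPN 20", "VPN 30")` on the constructed pair reports the phase 2 difference and the missing keepalive on the second peer.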

New Member

Re: Site to Site IPSec Tunnel issue

I thank you for the input and will try that. I have more questions.

It doesn't seem like the tunnel is down; I just can't ping the devices on that segment from NY. Other connected sites (California for example) can ping though.

Cisco Employee

Re: Site to Site IPSec Tunnel issue

Can you please share the configuration from both sides?
