06-01-2010 07:12 AM - edited 03-04-2019 08:39 AM
We have a system in place that pings our remote sites every min or so. We are (apparently randomly) seeing one of our sites go down (loss of ping response) from our main site but other sites can still ping it. After an hour (give or take a few mins) connectivity from main site is restored.
I am thinking key lifetime timeout or something but I really am looking for some advice/direction.
Any thoughts?
Michael
06-02-2010 02:05 AM
What are the 2 devices that terminate the site-to-site VPN tunnel?
You would want to make sure that the lifetime for both phase 1 and phase 2 (most importantly phase 2) matches between the 2 sites. It would be the "crypto map
Hope that helps.
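Added example, not part of the original thread: a Python check for the lifetime advice in the reply above. It reads two IOS running-configs and reports phase 1 and phase 2 lifetime differences for one tunnel. The sample configs, the crypto map name VPNMAP and the function names are constructed for illustration; it assumes the IOS defaults of 86400 s (ISAKMP) and 3600 s (IPsec SA) when no lifetime line is present.

```python
import re

# Cisco IOS defaults; a running-config omits lifetime lines left at default.
DEFAULT_PHASE1 = 86400  # seconds, per ISAKMP policy
DEFAULT_PHASE2 = 3600   # seconds, per IPsec security association

def lifetimes(config):
    """Return ({isakmp policy number: secs}, {crypto map entry: secs})."""
    phase1, phase2, global_p2, block = {}, {}, DEFAULT_PHASE2, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):  # unindented line opens a new block
            block = None
            if m := re.match(r"crypto isakmp policy (\d+)$", line):
                block = (phase1, m.group(1))
                phase1[m.group(1)] = DEFAULT_PHASE1
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                block = (phase2, f"{m.group(1)} {m.group(2)}")
                phase2[block[1]] = None  # None: inherit the global value
            elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line):
                global_p2 = int(m.group(1))
        elif block and (m := re.match(r"(?:set security-association lifetime seconds|lifetime) (\d+)$", line)):
            block[0][block[1]] = int(m.group(1))
    return phase1, {k: global_p2 if v is None else v for k, v in phase2.items()}

def mismatches(cfg_a, entry_a, cfg_b, entry_b):
    """Compare crypto map entry_a on router A with entry_b on router B."""
    (p1_a, p2_a), (p1_b, p2_b) = lifetimes(cfg_a), lifetimes(cfg_b)
    a1, b1 = sorted(set(p1_a.values())), sorted(set(p1_b.values()))
    found = []
    if a1 != b1:  # policy numbers are local, so compare the configured values
        found.append(("phase1", a1, b1))
    if p2_a[entry_a] != p2_b[entry_b]:
        found.append(("phase2", p2_a[entry_a], p2_b[entry_b]))
    return found

# Constructed sample configs (hypothetical map name, not from the thread).
SITE_A = """crypto isakmp policy 10
crypto map VPNMAP 10 ipsec-isakmp
 set security-association lifetime seconds 28800
"""
SITE_B = """crypto isakmp policy 10
 lifetime 3600
crypto map VPNMAP 20 ipsec-isakmp
"""

if __name__ == "__main__":
    print(mismatches(SITE_A, "VPNMAP 10", SITE_B, "VPNMAP 20"))
```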
06-02-2010 06:16 AM
Thanks for the reply.
One side is a 3725 with the following code:
crypto map
set peer 1.1.1.1
set transform-set
match address 231
The other side is a 2600 with the following code:
crypto map
set peer 2.2.2.2
set transform-set
match address 172
* addresses have been changed to protect the innocent
All our IPSec links are configured in this fashion yet only the links to 2 of the Asia sites have this issue. Other Asia sites do not have any issue.
06-02-2010 06:21 AM
Please turn on crypto isakmp keepalive so if the peer is down for whatever reason, it will recover quickly.
Here is the command:
crypto isakmp keepalive 10 3
06-02-2010 07:00 AM
I thank you for the input and will try that. I have more questions.
It doesn't seem like the tunnel is down; I just can't ping the devices on that segment from NY. Other connected sites (California, for example) can ping though.
06-03-2010 04:17 AM
Can you share the configuration from both sides, please?