Site to Site IPSec Tunnel issue

johnm
Level 1

We have a system in place that pings our remote sites every min or so. We are (apparently randomly) seeing one of our sites go down (loss of ping response) from our main site but other sites can still ping it. After an hour (give or take a few mins) connectivity from main site is restored.

I am thinking key lifetime timeout or something but I really am looking for some advice/direction.

Any thoughts?

Michael

5 Replies

Jennifer Halim
Cisco Employee

What are the 2 devices that terminate the site-to-site VPN tunnel?

You would want to make sure that the lifetime for both phase 1 and phase 2 (most importantly phase 2) matches between the 2 sites. It would be the "crypto map set security-association lifetime" command.

Hope that helps.

Thanks for the reply.

One side is a 3725 with the following code:

crypto map <#> ipsec-isakmp
 set peer 1.1.1.1
 set transform-set
 match address 231

The other side is a 2600 with the following code:

crypto map <#> ipsec-isakmp
 set peer 2.2.2.2
 set transform-set
 match address 172

* addresses have been changed to protect the innocent

All our IPSec links are configured in this fashion yet only the links to 2 of the Asia sites have this issue. Other Asia sites do not have any issue.

Please turn on crypto isakmp keepalive so if the peer is down for whatever reason, it will recover quickly.

Here is the command:

crypto isakmp keepalive 10 3
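As an added example (not from this thread, and not Cisco's tooling), the following script performs the check the two replies above describe: it parses a crypto excerpt from each peer's running-config and reports whether the phase 1 and phase 2 lifetimes match and whether crypto isakmp keepalive is configured. The two config excerpts are constructed; they reuse the placeholder peer addresses from Michael's post, and the transform-set name, crypto map name and lifetime values are hypothetical.

```python
"""Added example: compare IKE/IPsec lifetimes and keepalive across two Cisco IOS peers.
The config excerpts are constructed samples, not taken from the thread."""
import re

# Constructed excerpt for the 3725 side (hypothetical names and values).
SITE_A = """
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp keepalive 10 3
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
 match address 231
"""

# Constructed excerpt for the 2600 side: shorter phase 2 lifetime, no keepalive.
SITE_B = """
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address 172
"""

# IOS defaults that apply when the command is absent from the config.
IOS_DEFAULTS = {"isakmp_lifetime": 86400, "ipsec_lifetime": 3600}


def parse_crypto(config):
    """Extract phase 1 lifetime, phase 2 lifetime and keepalive settings.

    Missing values fall back to IOS defaults. A crypto-map level
    'set security-association lifetime seconds' overrides the global value,
    so it is applied after the global line is read."""
    result = dict(IOS_DEFAULTS, keepalive=None)
    in_policy = False
    for line in config.splitlines():
        if re.match(r"^crypto isakmp policy", line):
            in_policy = True
        elif line and not line.startswith(" "):
            in_policy = False  # any other top-level command ends the policy block
        m = re.match(r"^\s+lifetime (\d+)", line)
        if in_policy and m:
            result["isakmp_lifetime"] = int(m.group(1))
        m = re.match(r"^crypto ipsec security-association lifetime seconds (\d+)", line)
        if m:
            result["ipsec_lifetime"] = int(m.group(1))
        m = re.match(r"^\s+set security-association lifetime seconds (\d+)", line)
        if m:
            result["ipsec_lifetime"] = int(m.group(1))
        m = re.match(r"^crypto isakmp keepalive (\d+)(?: (\d+))?", line)
        if m:
            # IOS default retry interval is 2 seconds when omitted.
            result["keepalive"] = (int(m.group(1)), int(m.group(2) or 2))
    return result


def compare_peers(cfg_a, cfg_b):
    """Return a list of findings; an empty list means both sides agree."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    findings = []
    for key, label in (("isakmp_lifetime", "phase 1 (ISAKMP) lifetime"),
                       ("ipsec_lifetime", "phase 2 (IPsec SA) lifetime")):
        if a[key] != b[key]:
            findings.append(f"{label} mismatch: {a[key]}s vs {b[key]}s")
    for name, cfg in (("A", a), ("B", b)):
        if cfg["keepalive"] is None:
            findings.append(f"peer {name}: crypto isakmp keepalive not configured")
    return findings


if __name__ == "__main__":
    for finding in compare_peers(SITE_A, SITE_B):
        print(finding)
```

Run against the two constructed excerpts it reports the phase 2 lifetime mismatch (3600s vs 1800s) and the missing keepalive on peer B; feed it the real "show running-config | section crypto" output from both routers to check a live pair.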

I thank you for the input and will try that. I have more questions.

It doesn't seem like the tunnel is down; I just can't ping the devices on that segment from NY. Other connected sites (California, for example) can ping them, though.

Can you share the configuration from both sides, please?
