01-06-2009 07:43 AM - edited 03-06-2019 03:16 AM
I inherited a situation I'm hoping anyone can shed light on. (I'm not Cisco savvy.) Every day I get a call from one of my remote offices that they lose network connectivity. The quickest way to resolve their issue is to recycle their Cisco box. Can anyone clarify whether or not the Cisco routers recycle themselves every 12 hrs as I've heard? Is there a parameter that can be set so that the VPN tunnel renegotiates at predetermined times? Thanks in advance. TJ
01-06-2009 08:02 AM
"Can anyone clarify whether or not the Cisco routers recycle themselves every 12 hrs as I've heard?"
Cisco routers don't recycle themselves every 12 hours. What exactly do you mean by recycle, though? I take that to mean reload.
As for VPNs, there are parameters you can set that affect how long the tunnel will stay up, but even if the tunnel goes down, once activity is detected it should come back up without having to reload.
Jon
01-06-2009 08:48 AM
Jon
Thanks for your insight.
By recycle, perhaps reload is the correct word. Just every day at the same time they have the same problem. Where would I look in the VPN settings to see the length of time it is supposed to stay up?
TJ
01-06-2009 01:43 PM
TJ
Apologies for the delay in getting back. Is there any chance of you posting the configuration of the router minus any sensitive information such as public IP addresses, passwords, VPN keys (especially VPN keys)?
I would emphasize though that to bring the tunnel back up should not require a reload of the router.
Jon
01-07-2009 04:41 AM
Yes - I'll post it soon
01-07-2009 10:06 AM
I thought of something else. 2 of 3 offices use Dynamic IP and 1 Static IP. The Static office doesn't have this issue. I haven't checked yet with the ISP on the IP lease duration.
I'll be changing one of the 2 dynamic offices to static on Friday. Maybe that is what the issue is?
01-07-2009 04:12 PM
Very interesting situation! Sounds like a statement is pointing to your public IP instead of the outside interface somewhere in the config.
~Roman
01-08-2009 05:16 AM
I'll be posting the config file later tonight. Feel free to advise on any settings
thanks
01-08-2009 05:16 PM
01-12-2009 06:35 AM
This line looks like it will disconnect the vpn every 24 hours.
crypto ipsec security-association lifetime seconds 86400
01-12-2009 06:49 AM
Ok - thanks. If omitted, will the VPN stay connected indefinitely?
01-12-2009 06:56 AM
Take a look at this document. http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftsaidle.html
It looks like it will use the defaults if you delete that line.
01-12-2009 06:59 AM
Thanks - I'll check it out.
01-12-2009 10:47 PM
Yes, it may be the problem of the lifetime.
You can verify it on the Cisco router and then troubleshoot and make changes.
show crypto isakmp sa
show crypto ipsec sa peer x.x.x.x
To get the tunnel up without reload:
clear crypto isakmp sa
clear crypto ipsec sa peer x.x.x.x
If this clear command works and you don't have to reload the router, do the following:
config t
crypto ipsec security-association lifetime seconds 120
You may also need to take a look at the remote side where the VPN tunnel is configured.
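Added example, not part of any post in this thread: one way to test the lifetime theory is to read the remaining key lifetime from `show crypto ipsec sa` and see whether its expiry lines up with the daily outage. The sample output, capture time and outage time below are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of IOS "show crypto ipsec sa" output
# (SPIs and lifetimes are made up for this example).
SAMPLE = """\
     current outbound spi: 0x3D05D003(1023791107)
     inbound esp sas:
      spi: 0x4F2A1B3C(1328159548)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4495632/3120)
     inbound ah sas:
     outbound esp sas:
      spi: 0x3D05D003(1023791107)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4495640/3118)
"""

DIR_RE = re.compile(r"\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"\s*spi:\s+(0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

def parse_sas(text):
    """Return one dict per SA: direction, protocol, SPI, KB and seconds left."""
    sas, direction, proto, spi = [], None, None, None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            direction, proto, spi = m.group(1), m.group(2), None
        elif m := SPI_RE.match(line):   # skips the "current outbound spi" summary line
            spi = m.group(1)
        elif (m := LIFE_RE.search(line)) and direction and spi:
            sas.append({"direction": direction, "proto": proto, "spi": spi,
                        "kb_left": int(m.group(1)), "sec_left": int(m.group(2))})
            spi = None
    return sas

def expiry_times(sas, captured_at):
    """Map "SPI/direction" to the time the SA's time-based lifetime runs out."""
    return {sa["spi"] + "/" + sa["direction"]:
            captured_at + timedelta(seconds=sa["sec_left"]) for sa in sas}

def near_outage(sas, captured_at, outage_at, window=timedelta(minutes=10)):
    """True if any SA's lifetime expiry falls within `window` of the outage."""
    return any(abs(t - outage_at) <= window
               for t in expiry_times(sas, captured_at).values())

if __name__ == "__main__":
    captured = datetime(2009, 1, 12, 8, 0, 0)   # hypothetical capture time
    outage = datetime(2009, 1, 12, 8, 50, 0)    # hypothetical reported outage
    print(expiry_times(parse_sas(SAMPLE), captured))
    print("lines up with outage:", near_outage(parse_sas(SAMPLE), captured, outage))
```

If the expiry times never fall near the reported outage, the SA lifetime is unlikely to be the cause and the dynamic-IP difference raised earlier in the thread is worth checking next.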