After timeout is reached, tunnel is torn down

mahesh18
Level 6

Hi Everyone,

I was studying about IPsec VPN; here it says that

Once data transmission is completed and the timeout is reached, the IPsec tunnel will be torn down.

Need to know what this means?

Does this mean that after x amount of data is transferred the tunnel will be brought down and it will renegotiate the tunnel?

If the tunnel is torn down, do I see a message in the log that the tunnel is down?

When we say the tunnel is torn down, does it mean that the physical interface is down?

When the tunnel is torn down, does site 1 lose connectivity to site 2?

Where do we configure this timeout option?

Thanks

Mahesh


4 Replies

Reza Sharifi
Hall of Fame

Hi Mahesh,

If the tunnel is not active for a certain amount of time, the router will bring down the tunnel. Once you start sending packets again, it will bring it back up. Have a look at this example. At first the tunnel is down; once I start pinging the other router, the session comes back up:

R2#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 1.1.1.2 port 500
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

R2#ping 20.20.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

R2#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
  IKE SA: local 10.1.1.1/500 remote 1.1.1.2/500 Active
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

HTH

Reza

Hi Reza,

By traffic here you mean interesting traffic that is described by the ACL, right?

Thanks

Mahesh

Hi Mahesh,

Correct. In my case I just have any any in the access-list because this is just a test environment.

Here is the access-list counter increment before and after the ping:

R2#sh access-lists 101
Extended IP access list 101
    10 permit gre any any (9 matches)

R2#ping 20.20.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

R2#sh access-lists 101
Extended IP access list 101
    10 permit gre any any (19 matches)
R2#

HTH

Reza
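As an added example (not from this thread or from Cisco), here is a small Python parser that turns the two CLI outputs quoted above, show crypto session and show access-lists, into structured state, so a monitoring job can tell whether a tunnel is DOWN or UP-ACTIVE and whether the crypto ACL counters moved between two snapshots (i.e. interesting traffic was seen). The sample outputs are constructed from the transcripts in this thread; the function names are my own.

```python
import re

# Constructed samples modelled on the transcripts in this thread (not a live capture).
CRYPTO_SESSION_DOWN = """\
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 1.1.1.2 port 500
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
"""
CRYPTO_SESSION_UP = """\
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 1.1.1.2 port 500
  IKE SA: local 10.1.1.1/500 remote 1.1.1.2/500 Active
  IPSEC FLOW: permit 47 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
"""
ACL_BEFORE = "Extended IP access list 101\n    10 permit gre any any (9 matches)\n"
ACL_AFTER = "Extended IP access list 101\n    10 permit gre any any (19 matches)\n"


def parse_crypto_session(text):
    """One dict per peer: status, peer address, whether an IKE SA exists, IPsec SA count."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Session status:"):          # a new session block starts here
            cur = {"status": line.split(":", 1)[1].strip(), "peer": None,
                   "ike_sa": False, "active_sas": 0}
            sessions.append(cur)
        elif cur is not None:
            if m := re.match(r"Peer:\s*(\S+)\s+port\s+\d+", line):
                cur["peer"] = m.group(1)
            elif line.startswith("IKE SA:"):
                cur["ike_sa"] = True
            elif m := re.search(r"Active SAs:\s*(\d+)", line):  # summed across flows
                cur["active_sas"] += int(m.group(1))
    return sessions


def parse_acl_matches(text):
    """Map ACE sequence number -> match counter; an ACE with no '(N matches)' counts 0."""
    counts = {}
    for line in text.splitlines():
        if m := re.match(r"\s*(\d+)\s+(?:permit|deny)\b(?:.*?\((\d+)\s+match)?", line):
            counts[int(m.group(1))] = int(m.group(2) or 0)
    return counts


def acl_delta(before, after):
    """Per-ACE increase between snapshots; a counter that went backwards is a reset."""
    b, a = parse_acl_matches(before), parse_acl_matches(after)
    return {seq: (n - b[seq]) if seq in b and n >= b[seq] else n for seq, n in a.items()}
```

A delta of zero across a polling interval while the session is DOWN is the expected idle state from this thread; a non-zero delta with the session still DOWN is the case worth alerting on.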

Hi Reza,

Many thanks for help.

Regards

Mahesh