I've had the same problem on 2960x with IOS 15.2(4)E3. I don't understand why all these versions are still on the download site?
When I was testing the failed release, I did a test with a 15.2.5 image, and the switch booted OK with that version, but I can't remember which one it was.
I would test it in LAB first if possible :-)
Hello Javier, Many thanks for your testing and answer!!! There is a minor error in your example: Down->Up should be Up->Down
I've put your idea into action. At first it didn't work. The applet executed the commands but the VPN stayed down. After a bit of troubleshooting, I found the problem. I am testing on an xDSL link at work, with a Cisco router acting as the "ISP NAT router" I spoke of. It does natting, and has the Cisco IOS firewall running. The latter was preventing the reconnection. The connection is monitored by the IOS FW, which means it's using source/destination port/IP to identify the connection. However, since neither the destination nor source IP changes, and source/dest ports are both 4500, it does not see it as a new connection and seems to reject it. At least that's what I think. When I cleared the IOS FW sessions, the VPN came back up.
I tried switching to cTCP. That works since it's using a random source port, unlike NAT-T which uses udp/4500 as source AND destination ports. cTCP also seems less impacted by the change in public IP address. But I've done testing with cTCP and I did have issues, I just don't seem to be able to reproduce them right now (it re-established even without the workaround applet).
I am going to leave the router in test, using both your workaround solution and cTCP and see if I can get the VPN stable for a longer time. I have another test router at home and I will test the NAT-T with your workaround there. That router is behind an ISP-provided router. It might be less sensitive to the udp/4500 connection identification. Fingers crossed...
I am doing some tests with Cisco Easy VPN between 2 IOS routers. The VPN server is behind static NAT (done by a Check Point firewall) and it has a fixed IP. The Easy VPN client runs on a residential xDSL internet connection. It's behind a NAT router provided by the ISP. The internet router has a dynamic public IP address, and it changes every 36 hours (ISP does that, can't change it).
The Easy VPN works fine. Both devices detect the NAT, and enable NAT-transparency. The link comes up and works OK. The issue I have is that when the xDSL router changes its public IP address, the IPsec link drops and can't get back online. It seems that the change in public IP address prevents the client from re-establishing the VPN. When I reload the VPN client router, the VPN comes back up.
Has anyone encountered this and is there any way I can avoid this problem?