Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
941
Views
0
Helpful
9
Replies

IPsec tunnel active time

M Talha
Level 1
Level 1

‎06-02-2018 01:35 AM - edited ‎03-12-2019 05:20 AM

Dear All,

I have implemented IPSec tunnels b/w my Hub and branch router, but after some time it shows session status : DOWN even after i ping from LAN to LAN devices from both ends. I just want that session status will always be UP on both ends at all the time. Help needed.

Labels:
0 Helpful
9 Replies 9

Rob Ingram
VIP
VIP

‎06-02-2018 02:12 AM

Hi,
Is the VPN tunnel idle for long periods, with no traffic being sent over the tunnel?
Are you running a routing protocol over the VPN tunnel?
What is the configured lifetimes of iskamp or ikev2?
Is DPD configured?
0 Helpful

M Talha
Level 1
Level 1
In response to Rob Ingram

‎06-02-2018 02:18 AM

Yes some times it is idle for around 10-12 hours and no traffic passes over the tunnel.

I am running RIPv2 over the tunnel and the lifetime i have configured is 86400. No i haven't configured DPD. Please help me with that too.

Regards,

Talha

0 Helpful

Rob Ingram
VIP
VIP
In response to M Talha

‎06-02-2018 02:31 AM

Well if you are running RIPv2 it's timers should act as keepalives and be generating regular traffic sent over the tunnel. Useful DPD link, this explains how to configure, this may not resolve your issue but very useful.

0 Helpful

M Talha
Level 1
Level 1
In response to Rob Ingram

‎06-02-2018 02:38 AM

So should i move to EIGRP or OSPF and that would generate traffic b/w tunnels and will resolve the issue ?

Regards,

Talha

0 Helpful

Rob Ingram
VIP
VIP
In response to M Talha

‎06-02-2018 02:47 AM

No. I was merely trying to determine if you were running any routing protocol, it's hello timers would act as keepalive for the VPN tunnel. So no you don't need to move to eigrp or ospf to resolve this issue.

What version of IOS are you running on Hub and Spoke?
Is the tunnel DOWN on both Hub and Spoke?
0 Helpful

M Talha
Level 1
Level 1
In response to Rob Ingram

‎06-02-2018 02:55 AM

HUB : Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)

 

SPOKE : Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)

 

Right now i have reconfigured them and now they are working and traffic is passing the two routers.

0 Helpful

Rob Ingram
VIP
VIP
In response to M Talha

‎06-02-2018 03:55 AM

So is this just a sVTI between just 2 routers?

Is the tunnel DOWN on both routers or just one router?
0 Helpful

M Talha
Level 1
Level 1
In response to Rob Ingram

‎06-02-2018 04:48 AM - edited ‎06-02-2018 04:49 AM

Dear RJI,

Currently its working from both ends now. But now i am adding another Spoke so should i have to configure another policy or i can use the same policy i configured for first spoke. Secondly i want to use same transform set for second spoke. what else should i need to add for second spoke ?

0 Helpful

Rob Ingram
VIP
VIP
In response to M Talha

‎06-02-2018 05:06 AM

You said you can still ping through the tunnel? So it's just the fact the tunnel says it's DOWN, but it's not actually down?

If the session status says it is DOWN on one end this may just be a cosmetic issue affecting that router firmware and a bug. Please confirm which router, this may be resolvable by upgrading the firmware. Both your IOS versions out old, so upgrading might be advisable anyway.

I don't know your current configuration, I assume it's a sVTI, so therefore the tunnel destination is set. You would probably be better off converting to a DVTI on the hub, you'd still use a sVTI on the spokes. Alternatively you could configure DMVPN (your 2800 router won't support FlexVPN).

HTH
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents