Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2314
Views
0
Helpful
4
Replies

Dynamic VPN tunnel lifetime

mukundh86
Level 1
Level 1

‎05-30-2011 12:42 PM

Hi all

I have a setup in which there are two routers, one is a Linksys RV-024 and the other is a cisco 2811. Dynamic VPN has been set up between both of them. The newtwork behind the Linksys is 10.0.0.1 and the network behind cisco is 10.0.0.2. The users of 10.0.0.1 have to initiate the IPSEC tunnel as in cisco the dynamic VPN tunnel will be established only when the user in the remote end starts it.

The users of 10.0.0.2 have started complaining about the accessibility to 10.0.0.1 network and are not happy with always asking someone from the 10.0.0.1 network to start the tunnel.

Is there a way to overcome this problem? I know that both phase 1 and phase 2 have a maximum lifetime of 86400 secs , but is there a chance to set the lifetime of either phase 1 or phase 2( or even both) to forever so that the tunnel doesn'y die out. Another method would be to configure Static IPSEC but the remote users do not want that.  Is there a way to configure Dynamic GRE and will it help in this case? Or is there a way tohave that linksys reestablish the tunnel once every 86400 secs?

Help would be really appreciated for this issue.

Thanks

Mukundh

Labels:
0 Helpful
4 Replies 4

Vikas Saxena
Cisco Employee
Cisco Employee

‎06-02-2011 09:36 PM

Hi Mukund,

The tunnel can be kept alive if there is constant traffic inside the tunnel. For this you can use different ways to send periodic continuous traffic in side the tunnel. Like an SNMP server constantly pulling data from router or sending pings periodically, in case if SNMP is an overkill you can use smartcallhome feature on the Cisco router to schedule ping to a site as well. OR, you can configure SLA monitoring just to send constant pings to keep the tunnel alive.

The tunnel WILL die down if there is no traffic, the only way to keep it alive is by constant stream of traffic.

-Vikas

0 Helpful

mukundh86
Level 1
Level 1
In response to Vikas Saxena

‎06-03-2011 08:45 AM

Thanks Vikas :). I shall try the sla commands and see how it works

Mukundh

0 Helpful

mukundh86
Level 1
Level 1
In response to mukundh86

‎06-03-2011 09:41 AM

Hi Vikas

I am unable to add "ip sla monitor" on the router. The IOS supports only these sla commands.

VanWallPerryIA(config)#ip sla ?
  <1-2147483647>          Entry Number
  enable                  Enable Event Notifications
  ethernet-monitor        IP SLAs Auto Ethernet configuration
  group                   Group Configuration or Group Scheduling
  key-chain               Use MD5 authentication for IP SLAs Control Messages
  logging                 Enable Syslog
  low-memory              Configure Low Water Memory Mark
  reaction-configuration  IP SLAs Reaction-Configuration
  reaction-trigger        IP SLAs Trigger Assignment
  reset                   IP SLAs Reset
  responder               Enable IP SLAs Responder
  restart                 Restart An Active Entry
  schedule                IP SLAs Entry Scheduling

Is it possible to do constant pings with any of these or do we need the "ip sla monitor " command?

0 Helpful

angeliqqo
Level 1
Level 1
In response to mukundh86

‎06-28-2012 11:08 AM

hi all,

i have 8211 router with the same issue the command ip sla monitor is missing. this router support SLA monitor configuration?

router iso version 12.4(13r)t11

0 Helpful
Customers Also Viewed These Support Documents