12-16-2004 05:08 AM - edited 02-21-2020 01:30 PM
we have IPSec 3 DES tunnel configured between cisco 1760 router and PIX 515e.IPSec tunnel is going down intermitently & its coming up only after clearing crypto isakmp & clear crypto sa at router side.
do we need to configure somthing else at router and pix end so that tunnels remains always in active (QM_IDLE) state.
Solved! Go to Solution.
12-16-2004 04:38 PM
Sounds like the PIX is losing its connection and the router is unable to tell that the PIX dropped.
Try configuring isakmp keepalive on both devices but also check the devices wan links.
Cheers,
Paul.
12-16-2004 04:38 PM
Sounds like the PIX is losing its connection and the router is unable to tell that the PIX dropped.
Try configuring isakmp keepalive on both devices but also check the devices wan links.
Cheers,
Paul.
12-16-2004 09:49 PM
Hi there,
I manage a Cisco router network with IPSec between many 1700 routers and a Cisco VPN concentrator. All my 1700 routers are connected to the network via frame relay lines. Everytime I have any issue with a line I need to clear crypto sa, isakmp and ipsec for ip connectivity to be restablished. Furthermore, a substantial number of frame relay lines in this network are running errors. Reports of line problem to the carrier are often returned as "no problems found".I wonder if any IPSec issue has been identified that causes the line to show errors even if there are none. Or, I am suspecting the wrong thing? Thanks.
12-27-2004 09:12 AM
IPSec should not cause any line errors on the frame-relay link. Carriers saying there is "no problem" is pretty common, and is a way for them to get out of having to really test the line hard.
If you're getting errors on those links, you need to do a software and hardware loopback test and verify it's not a hardware issue or cabling issue on your end. Once you've done that, talk to the ISP and tell them your equipment is good and demand that they do testing on their line extensively. Your circuit might need to be down for several hours for them to extensively test it.I've run into these same issues with my ISP, and after months of calling daily reporting these problems, they finally replaced the circuit from our location to their CO and every piece of equipment on the line. The problem went away once they did that.
12-28-2004 01:49 PM
Hi there,
Thanks so much for the reply. It is rather useful to see other people's experience with issues we have in our network and not having to rework things. Good luck and all the best.
Sinval / Telstra Australia.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide