IPSec tunnel is getting deactivated

gaurav_saxena
Level 1

We have an IPSec 3DES tunnel configured between a Cisco 1760 router and a PIX 515E. The IPSec tunnel is going down intermittently and it's coming up only after clear crypto isakmp and clear crypto sa on the router side.

Do we need to configure something else at the router and PIX end so that the tunnel always remains in the active (QM_IDLE) state?

Accepted Solutions

turnbull
Level 1

Sounds like the PIX is losing its connection and the router is unable to tell that the PIX dropped.

Try configuring isakmp keepalive on both devices, but also check the devices' WAN links.

Cheers,

Paul.
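
The suggestion above written out as configuration, added here as an example and not posted by anyone in the thread: ISAKMP keepalives on both peers, so each side removes a dead SA instead of holding on to it. The 10-second interval and 3-second retry are illustrative values, and the PIX line assumes PIX OS 6.x syntax.

```cisco
! --- Cisco 1760 (IOS), global configuration mode ---
! Send an ISAKMP keepalive every 10 s. If the peer stops answering,
! retry every 3 s; after repeated failures the peer is declared dead
! and its IKE and IPSec SAs are deleted so they can be renegotiated.
crypto isakmp keepalive 10 3

! --- PIX 515E (assumed PIX OS 6.x), configuration mode ---
! Same timers on the PIX side so it also notices when the router drops.
isakmp keepalive 10 3

! --- Check on the router after a WAN interruption ---
! The SA should be rebuilt and return to QM_IDLE without a manual
! "clear crypto isakmp" / "clear crypto sa".
show crypto isakmp sa
```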


Hi there,

I manage a Cisco router network with IPSec between many 1700 routers and a Cisco VPN concentrator. All my 1700 routers are connected to the network via frame relay lines. Every time I have any issue with a line I need to clear crypto sa, isakmp and ipsec for IP connectivity to be re-established. Furthermore, a substantial number of frame relay lines in this network are running errors. Reports of line problems to the carrier are often returned as "no problems found". I wonder if any IPSec issue has been identified that causes the line to show errors even if there are none. Or am I suspecting the wrong thing? Thanks.

IPSec should not cause any line errors on the frame-relay link. Carriers saying there is "no problem" is pretty common, and is a way for them to get out of having to really test the line hard.

If you're getting errors on those links, you need to do a software and hardware loopback test and verify it's not a hardware issue or cabling issue on your end. Once you've done that, talk to the ISP and tell them your equipment is good and demand that they do testing on their line extensively. Your circuit might need to be down for several hours for them to extensively test it.

I've run into these same issues with my ISP, and after months of calling daily reporting these problems, they finally replaced the circuit from our location to their CO and every piece of equipment on the line. The problem went away once they did that.

Hi there,

Thanks so much for the reply. It is rather useful to see other people's experience with issues we have in our network and not having to rework things. Good luck and all the best.

Sinval / Telstra Australia.