VPN-reconnect fails after ADSL-reconnect

slieser
Level 1

Hello,

We have the following VPN configuration:

Branch Office: Cisco 1751 configured with EzVPN Client, ADSL-/PPPoE-Connect to the ISP and dynamic ip address; Main Office: Cisco VPN Concentrator 3030 and static ip address

The configuration is nearly exactly the same as in the configuration example from CCO - http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml - with only one great difference: we have no static IP address on the outside interface because of the ADSL-/PPPoE-Connection to the ISP with a dialer interface which negotiates a dynamic IP address on every new connection. This happens once a day because the ISP terminates the connection every 24 hours (this is normal for some ISPs to prevent address reservation). And this is the problem: the VPN setup works perfectly if you power on the router, but if the connection is terminated by the ISP and the dialer interface negotiates a new dynamic IP address, the EzVPN client fails to establish the VPN connection. A "debug crypto ipsec client ezvpn" shows only:

EZVPN: Current State: IDLE

EZVPN: Event: TUNNEL_HAS PUBLIC_IP_ADD

EZVPN: No state change

You can clear all interfaces but nothing happens to bring up the vpn connection. The only way to reconnect is to reload the router. After that the connection is up for 24 hours and so on. We have tried several IOS versions - 12.2(4)YA, 12.2(15)T...

Is this a software bug or what can we do?

Thanks for any help

Marcus

2 Replies

p.abbeel
Level 1

Hi,

We are experiencing the same problem in our lab environment.

Thx for any help given,

Peter

mostiguy
Level 6

For standards-based IPSec, your only option is to reduce the time and data lifetimes of ISAKMP - this will force more frequent renegotiations, but will still likely cause some problems.

But since you are all Cisco, you should be able to use Cisco's proprietary ISAKMP keepalive:

crypto isakmp keepalive 40

tells the router to send a keepalive every 40 seconds

I think the 3000 is keepalive ready by default, but am not sure. So try that on the IOS side, and see if it helps.