[c-nsp] IPSec peers not responding - advice

Justin M. Streiner streiner at cluebyfour.org
Tue Apr 18 10:57:10 EDT 2006


On Tue, 18 Apr 2006, Peter Hicks wrote:

> I have 40+ remote VPN sites, and a handful of them have gotten into the
> habit of switching their routers off when not in use.  Naturally, this
> makes monitoring them problematic, so they're subject to a much worse SLA
> (i.e. reactive, not proactive).
>
> Discussing wasted CPU cycles on the hub routers with a colleague of mine,
> I suggested (and he validated) having the hub routers acting passively,
> not attempting to establish a VPN connection, but instead responding.
>
> Is this possible?  If so, are there any downsides to doing this?

This is possible.  We normally configure remote VPN tunnels to have the 
remote side try to initiate the connection.  The routers at the remote 
sites are normally not under our control, so this made the most sense to 
us.  As for people powering off routers at the end of the day, if they're 
under your control, the easiest fix may be a big red sticker that reads 
"DO NOT TURN OFF" or something similar :-)

jms
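For readers who want to see what the "hub responds, spoke initiates" arrangement discussed above looks like on a Cisco IOS hub, here is an added example configuration; it is not from either poster. It uses a dynamic crypto map, which carries no `set peer` or `match address` and so can only respond to a negotiation started by a remote site, never start one. The pre-shared key, transform set names, interface name and address wildcard are illustrative placeholders, not values from the thread.

```cisco
! Phase 1 policy the spokes must match
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Placeholder key; a single wildcard key for 0.0.0.0 is the weakest
! option and is shown only for brevity. Per-peer keys or certificates
! are preferable on a hub that accepts many spokes.
crypto isakmp key REPLACE_WITH_STRONG_KEY address 0.0.0.0 0.0.0.0
!
! Dead peer detection: on-demand probing happens only when the hub has
! traffic for an established peer, so powered-off spokes cost nothing.
crypto isakmp keepalive 10 3 on-demand
!
! Phase 2 transform set
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic map: no "set peer" and no "match address", therefore the hub
! learns the peer address and proxy identities from the spoke's proposal
! and cannot initiate the tunnel itself.
crypto dynamic-map DYN 10
 set transform-set TS
!
! Static map that references the dynamic map; the "dynamic" keyword
! marks this entry as responder-only.
crypto map HUB 10 ipsec-isakmp dynamic DYN
!
! Apply to the Internet-facing interface (placeholder interface name)
interface GigabitEthernet0/0
 crypto map HUB
```

A spoke that is powered off simply never shows up in `show crypto isakmp sa` on the hub; nothing retries toward it. The trade-off, as the original poster noted, is that monitoring becomes reactive: the hub cannot tell a deliberately switched-off spoke from a failed one until that spoke tries to come back, so an external check on SA presence per spoke is the only way to alarm on it.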

