[c-nsp] IPSec peers not responding - advice
Justin M. Streiner
streiner at cluebyfour.org
Tue Apr 18 10:57:10 EDT 2006
On Tue, 18 Apr 2006, Peter Hicks wrote:
> I have 40+ remote VPN sites, and a handful of them have gotten into the
> habit of switching their routers off when not in use. Naturally, this
> makes monitoring them problematic, so they're subject to a much worse SLA
> (i.e. reactive, not proactive).
>
> Discussing wasted CPU cycles on the hub routers with a colleague of mine,
> I suggested (and he validated) having the hub routers acting passively,
> not attempting to establish a VPN connection, but instead responding.
>
> Is this possible? If so, are there any downsides to doing this?

This is possible. We normally configure remote VPN tunnels to have the
remote side try to initiate the connection. The routers at the remote
sites are normally not under our control, so this made the most sense to
us. As for people powering off routers at the end of the day, if they're
under your control, the easiest fix may be a big red sticker that reads
"DO NOT TURN OFF" or something similar :-)

jms