[c-nsp] vpn down if no traffic
Jorge Evangelista
netsecuredata at gmail.com
Fri Feb 9 09:17:01 EST 2007
Yes, it is related to the IPsec lifetime on both routers. I
usually configure my routers with more than 80000, but you can
configure this to a specific number of seconds from 180 through 86400
(= 24 hours). I think that if you configure a high IPsec lifetime value,
you do not have to configure a kron. The tunnel should immediately
re-establish when the router sees traffic that would want to go into
the tunnel.
On 2/9/07, Alexandre Durand <alexandre.durand at thecloud.net> wrote:
> That's fantastic, thank you very much, that's exactly what I wanted to know.
>
> My question now is how often the VPN dies. Is there a timer? Is it
> related to the IPsec lifetime?
>
> If I run this kron I need to know the frequency of pings.
>
> Regards,
>
> Alex
>
> Jorge Evangelista wrote:
> > Also, you could configure a kron on the Cisco router to send a ping so
> > the tunnel does not die.
> >
> > kron occurrence sixtymins in 1:0 recurring
> > policy-list 60
> > !
> > kron policy-list 60
> > cli ping 192.168.2.1 source 192.168.1.1
> > !
> >
> >
> >
> >
> > On 2/8/07, Justin M. Streiner <streiner at cluebyfour.org> wrote:
> >
> >> On Thu, 8 Feb 2007, Alexandre Durand wrote:
> >>
> >>
> >>> I'm wondering why, with any Cisco router, a site-to-site VPN tunnel goes
> >>> down if no traffic is generated. Is there a timeout somewhere we can
> >>> configure or remove? Is there a way to keep this VPN tunnel up even
> >>> if there is no traffic?
> >>>
> >> This is normal behavior. You're either running into an IKE or IPSEC
> >> timeout (data or time). The tunnel should immediately re-establish when
> >> the router sees traffic that would want to go into the tunnel. I don't
> >> believe the timers can be disabled. Re-establishing a site to site VPN
> >> tunnel is pretty painless and normally automatic, so it shouldn't be a big
> >> issue.
> >>
> >> If you really wanted to, I suppose you could set up a machine on one side
> >> of the tunnel to ping a machine on the other side once every few minutes
> >> or so, but keep in mind that at some point the tunnel will still reach a
> >> point where it has to drop and re-key, then come back up.
> >>
> >> jms
> >>
> >>
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >>
> >
> >
> >
>
>
> --
> Alexandre Durand
> Edge Network Engineer
> A: The Cloud Networks Ltd
> 54 Bartholomew Close
> EC1A 7RY
> M: 0770 291 1805
> W: www.thecloud.net
>
>
>
--
"The network is the computer"
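
The thread ties the kron ping frequency to the IPsec lifetime "in both routers"; the following is an added example, not part of the original posts, that checks that relationship from two configuration texts. It assumes the standard IOS `crypto ipsec security-association lifetime seconds` command, an IOS default of 3600 seconds when the command is absent, that peers negotiate the shorter of the two lifetimes, and that an SA is only renewed if traffic used it during its life; the sample configurations are constructed around the kron snippet quoted above.

```python
import re

DEFAULT_LIFETIME = 3600  # assumption: IOS default IPsec SA lifetime, in seconds

def ipsec_lifetime(cfg):
    """Global IPsec SA lifetime in seconds, or the default if not configured."""
    m = re.search(r"^\s*crypto ipsec security-association lifetime seconds (\d+)",
                  cfg, re.M)
    return int(m.group(1)) if m else DEFAULT_LIFETIME

def kron_interval(spec):
    """Convert kron 'in [[days:]hours:]minutes' (e.g. '1:0') to seconds."""
    parts = [int(p) for p in spec.split(":")]
    days, hours, minutes = [0] * (3 - len(parts)) + parts
    return ((days * 24 + hours) * 60 + minutes) * 60

def ping_keepalives(cfg):
    """Return {policy-list: seconds} for recurring occurrences whose policy pings."""
    schedule, pingers, current = {}, set(), None
    for line in (l.strip() for l in cfg.splitlines()):
        occ = re.match(r"kron occurrence \S+ in (\S+) recurring$", line)
        pol = re.match(r"kron policy-list (\S+)$", line)
        if occ:
            current = ("occ", kron_interval(occ.group(1)))
        elif pol:
            current = ("pol", pol.group(1))
        elif current and current[0] == "occ" and line.startswith("policy-list "):
            name = line.split()[1]
            schedule[name] = min(current[1], schedule.get(name, current[1]))
        elif current and current[0] == "pol" and line.startswith("cli ping "):
            pingers.add(current[1])
        elif line and line != "!":
            current = None  # any other command ends the kron sub-block
    return {n: s for n, s in schedule.items() if n in pingers}

def audit(local_cfg, remote_cfg):
    """Compare the keepalive ping interval with the lifetime both peers will use."""
    lifetime = min(ipsec_lifetime(local_cfg), ipsec_lifetime(remote_cfg))
    pings = ping_keepalives(local_cfg)
    interval = min(pings.values()) if pings else None
    # No ping inside an SA's life means nothing triggers its renewal.
    return {"effective_lifetime": lifetime, "ping_interval": interval,
            "sa_can_idle_out": interval is None or interval >= lifetime}

# Constructed sample: lifetime raised on one router only, kron ping from the thread.
LOCAL = """
crypto ipsec security-association lifetime seconds 86400
!
kron occurrence sixtymins in 1:0 recurring
 policy-list 60
!
kron policy-list 60
 cli ping 192.168.2.1 source 192.168.1.1
!
"""
REMOTE = "hostname remote-peer\n!"  # constructed: no lifetime command, default applies
```

With these inputs the hourly ping does not fall inside the effective 3600-second lifetime, because the remote router still uses its default; raising the lifetime on both routers clears the finding.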