[c-nsp] vpn down if no traffic

Alexandre Durand alexandre.durand at thecloud.net
Fri Feb 9 10:24:38 EST 2007


My VPN lifetime is 24h and the tunnel goes down after maybe 10 minutes if there is 
no traffic. The lifetime is not related to this issue. There is an 
idle timeout: I found something very interesting on the Cisco website:


http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b08.html

crypto ipsec security-association idle-time <time (between 60 and 86400 seconds)>

I think the default value is 600 seconds = 10 minutes.

The problem is that the maximum is 24h, so we are not able to keep this VPN 
up for more than 24 hours without traffic.

Alex

Jorge Evangelista wrote:
> Yes, it is related to your IPsec lifetime in both routers. I
> usually configure my routers with more than 80000, but you can
> configure this value as a number of seconds from 180 through 86400
> = 24 hours. I think that if you configure a high IPsec lifetime value,
> you do not have to configure a kron. The tunnel should immediately
> re-establish when the router sees traffic that would want to go into
> the tunnel.
>
>
>
> On 2/9/07, Alexandre Durand <alexandre.durand at thecloud.net> wrote:
>   
>> That's fantastic, thank you very much, that's exactly what I wanted to know.
>>
>> My question now is how often the VPN dies. Is there a timer? Is it
>> related to the IPsec lifetime?
>>
>> If I run this kron I need to know the frequency of the pings.
>>
>> Regards,
>>
>> Alex
>>
>> Jorge Evangelista wrote:
>>     
>>> Also, you could configure a kron on the Cisco router to send a ping so
>>> the tunnel does not die.
>>>
>>> kron occurrence sixtymins in 1:0 recurring
>>>  policy-list 60
>>> !
>>> kron policy-list 60
>>>  cli ping 192.168.2.1 source 192.168.1.1
>>> !
>>>
>>>
>>>
>>>
>>> On 2/8/07, Justin M. Streiner <streiner at cluebyfour.org> wrote:
>>>
>>>       
>>>> On Thu, 8 Feb 2007, Alexandre Durand wrote:
>>>>
>>>>
>>>>         
>>>>> I'm wondering why, with any Cisco router, a site-to-site VPN tunnel goes
>>>>> down if no traffic is generated. Is there a timeout somewhere we can
>>>>> configure or remove? Is there a way to keep this VPN tunnel up even
>>>>> if there is no traffic?
>>>>>
>>>>>           
>>>> This is normal behavior.  You're either running into an IKE or IPSEC
>>>> timeout (data or time).  The tunnel should immediately re-establish when
>>>> the router sees traffic that would want to go into the tunnel.  I don't
>>>> believe the timers can be disabled.  Re-establishing a site to site VPN
>>>> tunnel is pretty painless and normally automatic, so it shouldn't be a big
>>>> issue.
>>>>
>>>> If you really wanted to, I suppose you could set up a machine on one side
>>>> of the tunnel to ping a machine on the other side once every few minutes
>>>> or so, but keep in mind that at some point the tunnel will still reach a
>>>> point where it has to drop and re-key, then come back up.
>>>>
>>>> jms
>>>>
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>>
>>>>         
>>>
>>>       
>> --
>> Alexandre Durand
>> Edge Network Engineer
>> A:      The Cloud Networks Ltd
>>        54 Bartholomew Close
>>        EC1A 7RY
>> M:      0770 291 1805
>> W:      www.thecloud.net
>>
>>
>>
>>     
>
>
>   


-- 
Alexandre Durand
Edge Network Engineer
A:	The Cloud Networks Ltd
	54 Bartholomew Close
	EC1A 7RY
M:	0770 291 1805
W:	www.thecloud.net 
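Putting the pieces of the thread together, here is an added example of the relevant Cisco IOS fragments on one peer. It is not configuration posted by anyone in the thread; the peer address, LAN addresses, interface names, transform set, ACL and map names are placeholders chosen for illustration. It sets the IPsec SA lifetime to the 86400-second maximum discussed above, sets the SA idle timer explicitly to the same maximum, and adds a kron keepalive whose interval is shorter than the idle timer so the idle counter is reset before it expires:

```cisco
! Added example, not from the thread. Addresses, names and key are placeholders.
!
! IPsec SA lifetime: the thread settles on the 24h maximum. Both peers
! should agree on it; the value applies to SAs negotiated after the change.
crypto ipsec security-association lifetime seconds 86400
!
! Global SA idle timer (range 60-86400 seconds). An SA that carries no
! traffic for this long is torn down even though its lifetime has not
! expired. Set to the maximum here; the kron ping below keeps it reset.
! "no crypto ipsec security-association idle-time" removes the global
! setting; "set security-association idle-time" is the per-map-entry form.
crypto ipsec security-association idle-time 86400
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic: the two LANs. The keepalive ping must match this
! ACL (correct source and destination) or it will never enter the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN (placeholder)
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 description LAN (placeholder); the ping source address lives here
 ip address 192.168.1.1 255.255.255.0
!
! Keepalive: every 5 minutes ping a host on the far LAN, sourced from the
! near LAN address so the packet matches VPN-TRAFFIC. Any interval shorter
! than the idle timer works; 5 minutes also keeps a 600-second timer alive.
kron policy-list VPN-KEEPALIVE
 cli ping 192.168.2.1 source 192.168.1.1
!
kron occurrence VPN-KEEPALIVE-5MIN in 5 recurring
 policy-list VPN-KEEPALIVE
```

Two checks after applying this: `show kron schedule` confirms the occurrence is armed and when it next fires, and `show crypto ipsec sa` should show the encaps/decaps counters on the SA increasing by the ping's packet count at each run; if the counters stay flat, the ping is not matching the crypto ACL and will not hold the tunnel up. As Justin notes, the SA will still rekey when its lifetime expires, but with traffic flowing that rekey is triggered immediately and the tunnel comes back on its own.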



