[c-nsp] Managing/robustifying CPE behind firewalls
Peter Hicks
peter.hicks at poggs.co.uk
Thu Nov 29 16:49:21 EST 2007
Hello
I have a number of 850/870 series routers dotted about the globe, usually
behind various types of firewall or NAT device. They run an EzVPN back to
either a PIX or an IOS router in the UK.
A number of them are running on poorly performing connectivity, e.g. flaky DSL
or cable, or perhaps behind a consumer NAT box that frequently falls over.
Since I have no access to them when they're behind a firewall, can anyone offer
advice on how to make the configuration robust, so:
* If they lose their DHCP-assigned IP address on the Internet-facing side,
they will continually try for a new address
* If they lose IPSec connectivity, they will aggressively try to reconnect
* If they lose IPSec connectivity for longer than one hour or so, they will
reload
* Syslog events are stored locally so they're preserved across a reboot
(which may be asking too much).
What do other people do when you have call-home-only devices? Currently, some
of the routers use an IP SLA operation to ping a device included within the
IPSec SA, but is this optimal?
Parallel discussions welcomed - if it saves having to call a guy in a foreign
country to "reboot the router", it will be well received :)
Peter
--
Peter Hicks | e: my.name at poggs.co.uk | g: 0xE7C839F4 | w: www.poggs.com
A: Because it destroys the flow of the conversation
Q: Why is top-posting bad?
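An added illustration, not part of Peter's post or any reply on the list: one way to combine the IP SLA probe the post already uses with a tracked object and two EEM applets, so that an 850/870 arms a delayed reload when the host inside the IPsec SA stops answering for an hour and cancels it if reachability returns first, with syslog kept on flash across the reboot. The peer address 10.0.0.1, Loopback0, the applet names and the timers are placeholders, and whether a given 850/870 IOS image supports `ip sla`, `track`, `event manager applet` (including the `pattern` option on `action cli`) and `logging persistent` is an assumption to verify against the image's feature set.

```cisco
! Added example (not from the post). 10.0.0.1 and Loopback0 are placeholders;
! confirm that the IOS image on the CPE supports every command below.
!
! 1. Probe a host that is reachable only through the EzVPN/IPsec SA, sourcing
!    from an interface that is part of the protected traffic.
ip sla 10
 icmp-echo 10.0.0.1 source-interface Loopback0
 frequency 30
 timeout 5000
ip sla schedule 10 life forever start-time now
!
! 2. Track reachability and dampen flaps so one lost probe does not fire.
track 10 ip sla 10 reachability
 delay down 120 up 30
!
! 3. On the down transition, schedule a reload 60 minutes out. The scheduled
!    reload persists outside the applet, so a prolonged outage ends in a reboot
!    without the applet having to stay running. "pattern" answers the
!    "[confirm]" prompt (assumed available on this image).
event manager applet VPN-DOWN-ARM-RELOAD
 event track 10 state down
 action 1.0 syslog msg "EzVPN peer unreachable; reload armed for 60 minutes"
 action 2.0 cli command "enable"
 action 3.0 cli command "reload in 60" pattern "confirm"
 action 4.0 cli command "y"
!
! 4. If the tunnel-side host answers again before the timer expires, cancel.
event manager applet VPN-UP-CANCEL-RELOAD
 event track 10 state up
 action 1.0 syslog msg "EzVPN peer reachable again; cancelling armed reload"
 action 2.0 cli command "enable"
 action 3.0 cli command "reload cancel"
!
! 5. Keep the log on flash so the events leading up to a reload survive it.
logging persistent url flash:/syslog size 262144 filesize 65536
logging buffered 65536
```

After applying it, `show ip sla statistics 10`, `show track 10` and `show reload` show whether the probe is running, what the tracked state is, and whether a reload is currently armed; the `delay down` value is the place to tune how much flakiness is tolerated before the one-hour timer starts, and the `reload in` value is the hour itself.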