[c-nsp] Managing/robustifying CPE behind firewalls

Peter Hicks peter.hicks at poggs.co.uk
Thu Nov 29 16:49:21 EST 2007


Hello

I have a number of 850/870 series routers dotted about the globe, usually 
behind various types of firewall or NAT device.  They run an EzVPN back to 
either a PIX or an IOS router in the UK.

A number of them are running on poorly performing connectivity, e.g. flaky DSL 
or cable, or perhaps behind a consumer NAT box that frequently falls over.

Since I have no access to them when they're behind a firewall, can anyone offer 
advice on how to make the configuration robust, so:

  * If they lose their DHCP-assigned IP address on the Internet-facing side, 
they will continually try for a new address

  * If they lose IPSec connectivity, they will aggressively try to reconnect

  * If they lose IPSec connectivity for longer than one hour or so, they will 
reload

  * Syslog events are stored locally so they're preserved across a reboot 
(which may be asking too much).

What do other people do when you have call-home-only devices?  Currently, some 
of the routers use an IP SLA operation to ping a device included within the 
IPSec SA, but is this optimal?

Parallel discussions welcomed - if it saves having to call a guy in a foreign 
country to "reboot the router", it will be well received :)


Peter

-- 
Peter Hicks | e: my.name at poggs.co.uk | g: 0xE7C839F4 | w: www.poggs.com

   A: Because it destroys the flow of the conversation
   Q: Why is top-posting bad?
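One way to cover the first three bullets in the post above with IP SLA, object tracking and EEM, written here as an added example rather than anything from the original post or from Cisco. It assumes a hypothetical inside peer 10.0.0.1 that is reachable only through the EzVPN tunnel, an inside interface Vlan1 and a DHCP-addressed outside interface FastEthernet4 (all placeholders), and an IOS release that supports IP SLA and EEM 3.0 (the `action wait` and `action track read` statements); on older 12.4 mainline images the `ip sla` commands are spelled `ip sla monitor`.

```ios
! Added example, not from the original post. Assumes: inside peer 10.0.0.1
! (placeholder) is only reachable inside the IPSec SA, inside interface is
! Vlan1, outside interface FastEthernet4 gets its address by DHCP, and the
! image has IP SLA plus EEM 3.0 (action wait / action track read).

! Dead-peer detection so the EzVPN client notices a dead tunnel quickly
crypto isakmp keepalive 10 3 periodic

! EzVPN client brings the tunnel up on its own instead of waiting for traffic
crypto ipsec client ezvpn HQ
 connect auto

! Probe a host that is only reachable through the tunnel, every 30 seconds
ip sla 1
 icmp-echo 10.0.0.1 source-interface Vlan1
 frequency 30
 timeout 5000
ip sla schedule 1 life forever start-time now

! Track the probe with damping so one lost reply does not trip the actions
track 1 ip sla 1 reachability
 delay down 90 up 30

! First response: renew the DHCP lease and restart the EzVPN connection
event manager applet VPN-DOWN-RECONNECT
 event track 1 state down
 action 1.0 syslog msg "Tunnel probe failed; renewing DHCP and restarting EzVPN"
 action 2.0 cli command "enable"
 action 2.1 cli command "release dhcp FastEthernet4"
 action 2.2 cli command "renew dhcp FastEthernet4"
 action 3.0 cli command "clear crypto ipsec client ezvpn HQ"

! Last resort: reload only if the tunnel is still down one hour later
event manager applet VPN-DOWN-RELOAD
 event track 1 state down maxrun 3700
 action 1.0 wait 3600
 action 2.0 track read 1
 action 3.0 if $_track_state eq "down"
 action 3.1  syslog msg "Tunnel down for one hour, reloading"
 action 3.2  reload
 action 3.9 end
```

The reload applet needs `maxrun` raised above the hour-long wait, otherwise EEM kills it at the default 20 seconds. Keeping the reload behind a second probe read means a tunnel that recovered during the hour (for example after the first applet's DHCP renew) does not reboot the box. Nothing here addresses the fourth bullet: `logging buffered` does not survive a reload, so log retention still needs a remote syslog target reachable once the tunnel is back.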

