VPN Config Problem!!

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ed001, Nov 26, 2006.

  1. ed001

    ed001 Network Guru Member

    Hey all, need a little help.
    I seem to be having a problem when it comes time to reestablish phase 1. I have a client who has an application at multiple locations that needs constant communication with a server at one location. Everything runs great except every 8 hours I get a call from each location (when they're open) that the application hangs with a message "no longer connected to database". Ironically the phase 1 is set to 28800 (8 hours). So I checked the logs and it seems that at the time of the problem at a given location there are many attempts to reestablish the tunnel. Sometimes 15-20 inside of a 2 minute window.
    To me it looks like both sides are trying to be the initiator and confusing each other. Each side logs "unknown SA" and deletes them and proceeds to renegotiate over and over again.
    I noticed on both ends of the tunnel "Keep Alive" is checked. I was wondering if this is the switch that tells the router it is the initiator? If so would unchecking KA on one side alleviate the problem? Please keep in mind that these are business critical and in production.
  2. pablito

    pablito Network Guru Member

    It might help to tell us what you're using on each end and the tunnel specs besides 28800. The keep alive on each side should be fine and dead peer detection should also be on.

    What specs are you using for the tunnel? Mine stays up with AES256/28000/SHA1--G5/AES128/14400/SHA1 Compress/Keep-alive/Dead-Peer
  3. ed001

    ed001 Network Guru Member

    I am using rv082 at all locations. The config is as follows

    DH5 Phase 1
    PFS checked
    DH2 Phase 2
    Keep Alive checked
    NetBios checked
    DPD 10 seconds checked
    Tunnel Backup set with static IP

    None of the other options are checked.
    Again the tunnels themselves work fine except for those 2-4 minute hiccups every 28800 seconds.

  4. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Hey Ed. You might want to turn off the keepalives but I don't think they are the culprit for your crazed Ph I "two-step". The keepalives are what keep the tunnel operational...they don't sense its collapse. The option for keepalives is there so that if you are using dialup or some other circuit-on-demand technology between the gateways that you don't want to stay up (think $$$$ / packet) you have the option of turning it off.

    What I would do is turn off DPD (Dead Peer Detection) on *one* of the peers. Ie: one of the peers should be the first to see that the tunnel has been torn down (the tunnel can be deleted by either of the peers). The check box is in the "Advanced Settings" (ie; press the +Advanced button) of the Gateway to Gateway VPN settings. This is the setting which I think you're confusing with IKE keepalives. If you leave DPD on one of your peers, it's more likely that it will re-negotiate the tunnel before the other one does.

    Another general observation I would make is that there's no real reason to set your Phase I lifetime to only 28800 seconds (8 hours). Conventional wisdom was that, since Ph I is no longer needed after Ph II completes that leaving up the tunnel is a vulnerability. I would suggest setting it to 86400 seconds. That way it's likely to be available anytime the Ph II connection needs to renegotiate, since all negotiation and authentication happens in Ph I.

    Let us know what you find out. I'll be lurking....

  5. ed001

    ed001 Network Guru Member

    I did change the phase 1 lifetime to 86400 and initialized the tunnels on off hours. This should make the hiccups happen daily but after business hours. I cannot disable DPD because the VPN backup functionality is dependent on DPD. The router will not let you.
    Now the 86400 setting will limit the impact on business and someone suggested that I return the DPD setting to the default 30 seconds and that this may be causing the problem.
    Thanks for the input, and if you think of anything else let me know.