Solved

Query relating to VPN tunnel timeouts

Posted on 2013-05-16
2
44 Views
Last Modified: 2015-11-05
Hello Experts

We have an environment where a server in the UK is connecting, via a VPN tunnel, to a server in the US. Both ends use Cisco devices. The device in the UK is a 881 and the one in the US is a ASA 5540.

The VPN tunnel is up and works fine. The issue comes when the tunnel is restarted. The problem we are having is that it takes 40 minutes to re-establish connectivity to devices in the US. The tunnel consistently takes 40 minutes to re-establish this connectivity.

In the past we have had questions raised about whether the 5540 is keeping the original tunnel active whilst trying to create a "post restart 2nd tunnel" to the 881 (which does not support multiple tunnels). With a tunnel timeout set to 40 minutes that would explain the issue.

Has anyone any experience with such device connectivity and could maybe offer any pointers as to where to begin my investigation?

The US based 5540 is not under my control (it is managed by HP) so it will take time to work through things on this question unfortunately!

Many thanks.
0
Comment
Question by:Plagus
2 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39171260
This is a regular problem with IPsec tunnels.  One end of the tunnel retains its SPI, even when the other end has been rebooted, and refuses new IKE connections.

You're probably receiving an "invalid SPI" error on the ASA.

Try adding the command "crypto isakmp invalid-spi-recovery" to the 881.  I'm not sure if there is a comparable command on the ASA.

You can also try enabling IPSec keepalives.  ("crypto isakmp keepalive 120 10 periodic" or similar on IOS)
0
 

Author Comment

by:Plagus
ID: 39213995
Thank you for the response. I have been away, apologies for the inaction. I will investigate the recovery command for suitability for the environment and feedback.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now