?
Solved

Query relating to VPN tunnel timeouts

Posted on 2013-05-16
2
Medium Priority
?
56 Views
Last Modified: 2015-11-05
Hello Experts

We have an environment where a server in the UK is connecting, via a VPN tunnel, to a server in the US. Both ends use Cisco devices. The device in the UK is a 881 and the one in the US is a ASA 5540.

The VPN tunnel is up and works fine. The issue comes when the tunnel is restarted. The problem we are having is that it takes 40 minutes to re-establish connectivity to devices in the US. The tunnel consistently takes 40 minutes to re-establish this connectivity.

In the past we have had questions raised about whether the 5540 is keeping the original tunnel active whilst trying to create a "post restart 2nd tunnel" to the 881 (which does not support multiple tunnels). With a tunnel timeout set to 40 minutes that would explain the issue.

Has anyone any experience with such device connectivity and could maybe offer any pointers as to where to begin my investigation?

The US based 5540 is not under my control (it is managed by HP) so it will take time to work through things on this question unfortunately!

Many thanks.
0
Comment
Question by:Plagus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 39171260
This is a regular problem with IPsec tunnels.  One end of the tunnel retains its SPI, even when the other end has been rebooted, and refuses new IKE connections.

You're probably receiving an "invalid SPI" error on the ASA.

Try adding the command "crypto isakmp invalid-spi-recovery" to the 881.  I'm not sure if there is a comparable command on the ASA.

You can also try enabling IPSec keepalives.  ("crypto isakmp keepalive 120 10 periodic" or similar on IOS)
0
 

Author Comment

by:Plagus
ID: 39213995
Thank you for the response. I have been away, apologies for the inaction. I will investigate the recovery command for suitability for the environment and feedback.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question