• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 60
  • Last Modified:

Query relating to VPN tunnel timeouts

Hello Experts

We have an environment where a server in the UK is connecting, via a VPN tunnel, to a server in the US. Both ends use Cisco devices. The device in the UK is a 881 and the one in the US is a ASA 5540.

The VPN tunnel is up and works fine. The issue comes when the tunnel is restarted. The problem we are having is that it takes 40 minutes to re-establish connectivity to devices in the US. The tunnel consistently takes 40 minutes to re-establish this connectivity.

In the past we have had questions raised about whether the 5540 is keeping the original tunnel active whilst trying to create a "post restart 2nd tunnel" to the 881 (which does not support multiple tunnels). With a tunnel timeout set to 40 minutes that would explain the issue.

Has anyone any experience with such device connectivity and could maybe offer any pointers as to where to begin my investigation?

The US based 5540 is not under my control (it is managed by HP) so it will take time to work through things on this question unfortunately!

Many thanks.
0
Plagus
Asked:
Plagus
1 Solution
 
asavenerCommented:
This is a regular problem with IPsec tunnels.  One end of the tunnel retains its SPI, even when the other end has been rebooted, and refuses new IKE connections.

You're probably receiving an "invalid SPI" error on the ASA.

Try adding the command "crypto isakmp invalid-spi-recovery" to the 881.  I'm not sure if there is a comparable command on the ASA.

You can also try enabling IPSec keepalives.  ("crypto isakmp keepalive 120 10 periodic" or similar on IOS)
0
 
PlagusAuthor Commented:
Thank you for the response. I have been away, apologies for the inaction. I will investigate the recovery command for suitability for the environment and feedback.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now