Solved

Query relating to VPN tunnel timeouts

Posted on 2013-05-16
2
50 Views
Last Modified: 2015-11-05
Hello Experts

We have an environment where a server in the UK is connecting, via a VPN tunnel, to a server in the US. Both ends use Cisco devices. The device in the UK is a 881 and the one in the US is a ASA 5540.

The VPN tunnel is up and works fine. The issue comes when the tunnel is restarted. The problem we are having is that it takes 40 minutes to re-establish connectivity to devices in the US. The tunnel consistently takes 40 minutes to re-establish this connectivity.

In the past we have had questions raised about whether the 5540 is keeping the original tunnel active whilst trying to create a "post restart 2nd tunnel" to the 881 (which does not support multiple tunnels). With a tunnel timeout set to 40 minutes that would explain the issue.

Has anyone any experience with such device connectivity and could maybe offer any pointers as to where to begin my investigation?

The US based 5540 is not under my control (it is managed by HP) so it will take time to work through things on this question unfortunately!

Many thanks.
0
Comment
Question by:Plagus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39171260
This is a regular problem with IPsec tunnels.  One end of the tunnel retains its SPI, even when the other end has been rebooted, and refuses new IKE connections.

You're probably receiving an "invalid SPI" error on the ASA.

Try adding the command "crypto isakmp invalid-spi-recovery" to the 881.  I'm not sure if there is a comparable command on the ASA.

You can also try enabling IPSec keepalives.  ("crypto isakmp keepalive 120 10 periodic" or similar on IOS)
0
 

Author Comment

by:Plagus
ID: 39213995
Thank you for the response. I have been away, apologies for the inaction. I will investigate the recovery command for suitability for the environment and feedback.
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question