Revisited - Need help with IPSec tunnel periodically collapsing with 7206 to Linksys BEFVP41

Discussion in 'Cisco' started by Ted Mittelstaedt, Dec 10, 2004.

  1. Hi All,

    I am posting some followup information on a post I made back in Sun, 18
    Jul 2004 15:12:26 -0700,
    titled "Need help with IPSec tunnel periodically collapsing". message ID
    newscache$j0j21i$qs5$

    I have some followup information on this:

    Firat, we aren't using a VAM card in the 7206. I have also tried the most
    current IOS and the problem
    actually worsened. 12.1 seems to be the best release so far. I've tried
    this with both ip cef
    enabled or disabled, makes no difference.

    The ACL on the 7206 and the BEFVP41 match, and they are a permit ip
    statement, no permit
    tcp or any of that.

    The Linksys does support keepalives and it is checked, it makes no
    difference though what the
    setting is.

    Now for the new information,

    I finally did set up a Perl script that queries the remote Linksys through
    the VPN, if it cannot reach it,
    the script sends the "clear crypto sa" command to the 7206. The script is
    called out of cron once a
    minute on a convenient UNIX system.

    I have discovered that what seems to be the problem is when the key expires
    (both the Linksys and
    the 7206 have a key lifetime set to 3600 seconds, ie: 1 hour) that MOST of
    the time the 7206
    and the Linksys do correctly renegotiate the key and the VPN does not go
    down.

    But, every once in a while the Cisco doesn't renegotiate it, and the VPN
    goes down - then a minute
    later my script is clearing the ca and then the two devices do their
    renegotiation and everything
    is fine again.

    It's an icky bandaid but it works. Here's the script in case anyone needs
    to do the same thing:

    #!/usr/bin/perl -w
    # Watchdog run from cron once a minute: if the remote Linksys stops
    # answering pings through the VPN, clear the IPSec SAs on the 7206
    # and send a notification mail.

    $mail{From} = 'Automated monitoring <>';
    $mail{To} = 'Support Desk<>';
    $server = 'mail.eatme.net';

    use Net::Telnet;
    use Net::Ping::External qw(ping);   # module name is case-sensitive
    use Mail::Sendmail;

    # The far-end router answers, so the tunnel is up and there is nothing to do.
    if (ping(host => '192.168.168.168', count => 5, size => 16, timeout => 3)) {
        exit;
    }

    # Log in to the 7206, enter enable mode and clear the SAs.
    # Note: telnet sends these credentials in cleartext.
    $telnet = new Net::Telnet ( Timeout=>10,
                                Errmode=>'die');
    $telnet->open('7206-rtr.eatme.net');
    $telnet->waitfor('/Username: $/i');
    $telnet->print('tedm');
    $telnet->waitfor('/Password: $/i');
    $telnet->print('eatme');
    $telnet->waitfor('/\>$/i');
    $telnet->print('en');
    $telnet->waitfor('/Password: $/i');
    $telnet->print('eatme');
    $telnet->waitfor('/\#$/i');
    $telnet->print('clear crypto sa');
    $telnet->print('');


    # Report the reset by mail.
    $mail{Smtp} = $server;
    $mail{Subject} = "Reinitialized crypto on 7206-rtr, message sent from "
                   . "Mail::Sendmail version $Mail::Sendmail::VERSION ";

    $mail{Message} = "On " . Mail::Sendmail::time_to_date()
                   . " the Remote customer Linksys router\n";
    $mail{Message} .= "stopped responding, and crypto SA was reset on the "
                    . "7206-rtr.eatme.net\n";
    $mail{Message} .= "router. See http://vpn.biteme.com:8080/ for loginfo.\n";

    if (sendmail %mail) {
        print "content of \$Mail::Sendmail::log:\n$Mail::Sendmail::log\n";
        if ($Mail::Sendmail::error) {
            print "content of \$Mail::Sendmail::error:\n$Mail::Sendmail::error\n";
        }
        print "ok 2\n";
    }
    else {
        print "\n!Error sending mail:\n$Mail::Sendmail::error\n";
        print "not ok 2\n";
    }

    exit;


    And of course, if anyone can make any suggestions for setting changes on the
    Linksys or Cisco that
    would be great.

    Now that Cisco owns Linksys maybe they will be more interested in fixing
    interoperability? (hint hint)

    Thanks,

    Ted Mittelstaedt
     
    Ted Mittelstaedt, Dec 10, 2004
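
Added example (not part of the original post): a Python check of the post's observation that the outages coincide with key expiry. It takes the times at which the watchdog sent "clear crypto sa" and tests whether each gap between resets is a whole number of 3600-second lifetimes. The timestamps, the 120-second tolerance and the function names are constructed for illustration, and drift from early (soft-lifetime) rekeying is not modelled.

```python
from datetime import datetime

SA_LIFETIME = 3600   # seconds; key lifetime set on both devices in the post
TOLERANCE = 120      # assumption: one-minute cron period plus ping timeouts

# Constructed sample: times at which the watchdog sent "clear crypto sa".
SAMPLE_RESETS = """\
2004-12-06 02:14:41
2004-12-06 09:15:03
2004-12-06 12:15:40
2004-12-07 01:16:22
2004-12-07 01:47:05
"""

def parse_resets(text):
    """Parse one 'YYYY-MM-DD HH:MM:SS' timestamp per non-empty line."""
    return [datetime.strptime(line.strip(), "%Y-%m-%d %H:%M:%S")
            for line in text.splitlines() if line.strip()]

def classify_gaps(resets, lifetime=SA_LIFETIME, tolerance=TOLERANCE):
    """Compare each gap between resets with a whole number of lifetimes.

    A reset renegotiates the SAs, so the lifetime clock is taken to restart
    at the previous reset. Returns (time, lifetimes, offset_s, on_boundary).
    """
    results = []
    for prev, cur in zip(resets, resets[1:]):
        gap = int((cur - prev).total_seconds())
        lifetimes = round(gap / lifetime)
        offset = gap - lifetimes * lifetime
        on_boundary = lifetimes >= 1 and abs(offset) <= tolerance
        results.append((cur, lifetimes, offset, on_boundary))
    return results

def boundary_fraction(results):
    """Fraction of outages that line up with a key-expiry boundary."""
    return sum(1 for r in results if r[3]) / len(results) if results else 0.0

if __name__ == "__main__":
    rows = classify_gaps(parse_resets(SAMPLE_RESETS))
    for when, n, off, hit in rows:
        print(f"{when}  lifetimes={n:2d}  offset={off:+5d}s  "
              f"{'key expiry' if hit else 'other cause'}")
    print(f"{boundary_fraction(rows):.0%} of outages fall on a key-expiry boundary")
```

A high fraction supports a rekey failure as the cause; resets that land well away from a boundary point to something else, such as a link outage.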