Revisited - Need help with IPSec tunnel periodically collapsing with 7206 to Linksys BEFVP41

Discussion in 'Cisco' started by Ted Mittelstaedt, Dec 10, 2004.

  1. Hi All,

    I am posting some followup information on a post I made back in Sun, 18 Jul 2004 15:12:26 -0700, titled "Need help with IPSec tunnel periodically collapsing". message ID

    I have some followup information on this:

    First, we aren't using a VAM card in the 7206. I have also tried the most current IOS and the problem actually worsened. 12.1 seems to be the best release so far. I've tried this with both ip cef enabled or disabled, makes no difference.

    The ACL on the 7206 and the BEFVP41 match, and they are a permit ip statement, no permit tcp or any of that.

    The Linksys does support keepalives and it is checked; it makes no difference, though, what the setting is.

    Now for the new information,

    I finally did set up a perl script that queries the remote Linksys through the VPN; if it cannot reach it, the script sends the "clear crypto sa" command to the 7206. The script is called out of cron once a minute on a convenient UNIX system.

    I have discovered that what seems to be the problem is when the key expires (both the Linksys and the 7206 have a key lifetime set to 3600 seconds, ie: 1 hour) that MOST of the time the 7206 and the Linksys do correctly renegotiate the key and the VPN does not go

    But, every once in a while the Cisco doesn't renegotiate it, and the VPN goes down - then a minute later my script is clearing the SA and then the two devices do their renegotiation and everything is fine again.

    It's an icky bandaid but it works. Here's the script in case anyone needs to do the same thing:

    #!/usr/bin/perl -w
    use strict;

    use Net::Telnet;
    use Net::Ping::External qw(ping);
    use Mail::Sendmail;

    # Addresses, logins and mail details were blanked out in the post; fill them in.
    my $linksys  = '';   # remote Linksys BEFVP41, reached through the tunnel
    my $router   = '';   # the 7206
    my $username = '';
    my $password = '';
    my $enable   = '';
    my $server   = '';   # SMTP relay

    my %mail;
    $mail{From} = 'Automated monitoring <>';
    $mail{To}   = 'Support Desk<>';

    # Only act when the Linksys cannot be reached through the VPN.
    unless (ping(host => $linksys, count => 5, size => 16, timeout => 3)) {
        # Log in to the 7206, go to enable mode and clear the crypto SAs so
        # that the two ends renegotiate.
        my $telnet = new Net::Telnet (Timeout => 10, Host => $router);
        $telnet->waitfor('/Username: $/i');
        $telnet->print($username);
        $telnet->waitfor('/Password: $/i');
        $telnet->print($password);
        $telnet->waitfor('/>$/');
        $telnet->print('enable');
        $telnet->waitfor('/Password: $/i');
        $telnet->print($enable);
        $telnet->waitfor('/#$/');
        $telnet->print('clear crypto sa');
        $telnet->waitfor('/#$/');
        $telnet->close;

        $mail{Smtp} = $server;
        $mail{Subject} = "Reinitialized crypto on 7206-rtr, message sent from Mail::Sendmail version $Mail::Sendmail::VERSION ";

        $mail{Message}  = "On " . Mail::Sendmail::time_to_date() . " the Remote customer Linksys router\n";
        $mail{Message} .= "stopped responding, and crypto SA was reset on the\n";
        $mail{Message} .= "router. See for loginfo.\n";

        if (sendmail %mail) {
            print "content of \$Mail::Sendmail::log:\n$Mail::Sendmail::log\n";
            if ($Mail::Sendmail::error) {
                print "content of \$Mail::Sendmail::error:\n$Mail::Sendmail::error\n";
            }
            print "ok 2\n";
        } else {
            print "\n!Error sending mail:\n$Mail::Sendmail::error\n";
            print "not ok 2\n";
        }
    }


    And of course, if anyone can make any suggestions for setting changes on the Linksys or Cisco that would be great.

    Now that Cisco owns Linksys maybe they will be more interested in fixing interoperability? (hint hint)


    Ted Mittelstaedt
    Ted Mittelstaedt, Dec 10, 2004
