Revisited - Need help with IPSec tunnel periodically collapsing with 7206 to Linksys BEFVP41

Hi All,

I am posting some followup information on a post I made back in Sun, 18
Jul 2004 15:12:26 -0700,
titled "Need help with IPSec tunnel periodically collapsing". message ID
newscache$j0j21i$qs5$

I have some followup information on this:

Firat, we aren't using a VAM card in the 7206. I have also tried the most
current IOS and the problem
actually worsened. 12.1 seems to be the best release so far. I've tried
this with both ip cef
enabled or disabled, makes no difference.

The ACL on the 7206 and the BEFVP41 match, and they are a permit ip
statement, no permit
tcp or any of that.

The linksys does support keepalives and it is checked, it makes no
difference though what the
setting is.

Now for the new information,

I finally did setup a perl script that queries the remote linksys through
the VPN, if it cannot reach it,
the script sends the "clear crypto sa" command to the 7206. The script is
called out of cron once a
minute on a convenient UNIX system.

I have discovered that what seems to be the problem is when the key expires
(both the Linksys and
the 7206 have a key lifetime set to 3600 seconds, ie: 1 hour) that MOST of
the time the 7206
and the Linksys do correctly renegotiate the key and the VPN does not go
down.

But, every once in a while the Cisco doesen't renegotiate it, and the VPN
goes down - then a minute
later my script is clearing the ca and then the two devices do their
renegotiation and everything
is fine again.

It's an icky bandaid but it works. Here's the script in case anyone needs
to do the same thing:

#!/usr/bin/perl -w

$mail{From} = 'Automated monitoring <>';
$mail{To} = 'Support Desk<>';
$server = 'mail.eatme.net';

use Net::Telnet;
use Net:ing::External qw(ping);
use Mail::Sendmail;

if(ping(host => '192.168.168.168', count => 5, size => 16, timeout => 3)){
exit;
}
$telnet = new Net::Telnet ( Timeout=>10,
Errmode=>'die');
$telnet->open('7206-rtr.eatme.net');
$telnet->waitfor('/Username: $/i');
$telnet->print('tedm');
$telnet->waitfor('/Password: $/i');
$telnet->print('eatme');
$telnet->waitfor('/\>$/i');
$telnet->print('en');
$telnet->waitfor('/Password: $/i');
$telnet->print('eatme');
$telnet->waitfor('/\#$/i');
$telnet->print('clear crypto sa');
$telnet->print('');


$mail{Smtp} = $server;
$mail{Subject} = "Reinitialized crypto on 7206-rtr, message sent from
Mail::Sendmail version $Mail::Sendmail::VERSION ";

$mail{Message} = "On " . Mail::Sendmail::time_to_date() . " the Remote
customer Linksys router\n";
$mail{Message} .= "stopped responding, and crypto SA was reset on the
7206-rtr.eatme.net\n";
$mail{Message} .= "router. See http://vpn.biteme.com:8080/ for loginfo.\n";

if (sendmail %mail) {
print "content of \$Mail::Sendmail::log:\n$Mail::Sendmail::log\n";
if ($Mail::Sendmail::error) {
print "content of
\$Mail::Sendmail::error:\n$Mail::Sendmail::error\n";
}
print "ok 2\n";
}
else {
print "\n!Error sending mail:\n$Mail::Sendmail::error\n";
print "not ok 2\n";
}

exit;


And of course, if anyone can make any suggestions for setting changes on the
Linksys or Cisco that
would be great.

Now that Cisco owns Linksys maybe they will be more interested in fixing
interoperability? (hint hint)

Thanks,

Ted Mittelstaedt