Guys, I understand that I'm asking for the impossible, but I would still like to hear if there's a chance to do something to prevent it. Our client's 871 routers run as EzVPN remote with an ASA as the VPN headend, and the majority of the routers are connected to the Internet via DHCP. The DHCP lease time is different, and at some locations it is 600 seconds, which is absolutely stupid and insane. Every time the router renews the IP, the tunnel goes down and breaks a few critical applications. The interval of 10 seconds during the tunnel re-establishment is high enough to make it noticeable:

031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=Store112 Group=Stores Server_public_addr=XXX.XXX.XXX.145
031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from XXX.XXX.XXX.145 has no SA and is not an initialization offer
031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=Store112 Group=Stores Client_public_addr=173.180.166.74 Server_public_addr=XXX.XXX.XXX.145 NEM_Remote_Subnets=10.1.12.128/255.255.255.128 10.1.12.0/255.255.255.128

The router IPSec client profile setup is traditional:

crypto ipsec client ezvpn TEST
 connect auto
 group TestVpn key ******
 mode network-extension
 peer YYY.YYY.YYY.YYY
 username store111 password 6 *******
 xauth userid mode local

I'm just wondering: if I were to do it with virtual-template, and the virtual-access interface then uses the router's physical interface as the source, will the tunnel stay up during the DHCP renewal?

Eugene
