I was monitoring a few routers and confirmed that they receive the same IP
address.
Pasting "show dhcp lease" taken from one of them and confirming that it gets
the same IP:
112_Yaletown#sh dhcp lease
Temp IP addr: XXX.XXX.166.74 for peer on Interface: FastEthernet4
Temp sub net mask: 255.255.224.0
DHCP Lease server: XXX.XXX.160.1, state: 5 Bound
DHCP transaction id: 193
Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
Temp default-gateway addr: XXX.XXX.160.1
Next timer fires after: 00:00:21
Retry count: 0 Client-ID: cisco-0023.5ef3.3363-Fa4
Client-ID hex dump: 636973636F2D303032332E356566332E
333336332D466134
112_Yaletown#sh dhcp lease
Temp IP addr: XXX.XXX.166.74 for peer on Interface: FastEthernet4
Temp sub net mask: 255.255.224.0
DHCP Lease server: XXX.XXX.160.1, state: 7 Renewing
DHCP transaction id: 193
Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
Temp default-gateway addr: XXX.XXX.160.1
Next timer fires after: 00:00:27
Retry count: 1 Client-ID: cisco-0023.5ef3.3363-Fa4
Client-ID hex dump: 636973636F2D303032332E356566332E
333336332D466134
Hostname: 112_Yaletown
During this short hiccup the VPN tunnel goes down and up:
And then we are back to the previous DHCP state – 5 Bound and the new lease
timer starts counting down.
112_Yaletown#sh dhcp lease
Temp IP addr: XXX.XXX.166.74 for peer on Interface: FastEthernet4
Temp sub net mask: 255.255.224.0
DHCP Lease server: XXX.XXX.160.1, state: 5 Bound
DHCP transaction id: 193
Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
Temp default-gateway addr: XXX.XXX.160.1
Next timer fires after: 00:59:29
Retry count: 0 Client-ID: cisco-0023.5ef3.3363-Fa4
Client-ID hex dump: 636973636F2D303032332E356566332E
333336332D466134
Hostname: 112_Yaletown
From: Kingsley Charles <[email protected]>
Date: Thursday, June 21, 2012 1:35 AM
To: Eugene Pefti <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Security] IPSec VPN tunnel goes down when EzVPN client renews IP via DHCP
If a new IP address is obtained, then the SA should be modified accordingly.
That could be the reason.
With regards
Kings
On Thu, Jun 21, 2012 at 1:35 PM, Eugene Pefti <[email protected]> wrote:
Guys,
I understand that I am asking for the impossible, but I would still like to hear if
there's a chance to do something to prevent it.
Our client's 871 routers run as EzVPN remotes with an ASA as the VPN headend,
and the majority of the routers are connected to the Internet via DHCP.
The DHCP lease time differs by location, and at some locations it is 600 seconds,
which is absolutely stupid and insane.
Every time the router renews its IP the tunnel goes down and breaks a few
critical applications.
The interval of 10 seconds during the tunnel re-establishment is long enough to
make it noticeable:
031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)
User=Store112 Group=Stores Server_public_addr=XXX.XXX.XXX.145
031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from
XXX.XXX.XXX.145 has no SA and is not an initialization offer
031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)
User=Store112 Group=Stores Client_public_addr=173.180.166.74
Server_public_addr=XXX.XXX.XXX.145
NEM_Remote_Subnets=10.1.12.128/255.255.255.128
10.1.12.0/255.255.255.128
The router IPSec client profile setup is traditional:
crypto ipsec client ezvpn TEST
connect auto
group TestVpn key ******
mode network-extension
peer YYY.YYY.YYY.YYY
username store111 password 6 *******
xauth userid mode local
I'm just wondering: if I were to do it with a virtual-template, so that the
virtual-access interface uses the router's physical interface as the source,
would the tunnel stay up during the DHCP renewal?
Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
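As an added monitoring example (not code from the thread or from Cisco), the following Python parses the EZVPN_CONNECTION_DOWN/UP syslog messages of the kind Eugene quoted to measure how long each tunnel outage lasts, and reads the client state and next-timer value from "show dhcp lease" output, so an operator can correlate tunnel drops with DHCP renewals before deciding on a fix. The log lines and lease output are constructed samples with placeholder addresses.

```python
import re
from datetime import datetime

# Constructed sample data modelled on the output quoted in the thread; addresses are placeholders.
SAMPLE_SYSLOG = """\
031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=Store112 Group=Stores Server_public_addr=192.0.2.145
031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.145 has no SA and is not an initialization offer
031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=Store112 Group=Stores Client_public_addr=198.51.100.74 Server_public_addr=192.0.2.145
"""
SAMPLE_LEASE = """\
DHCP Lease server: 192.0.2.1, state: 7 Renewing
Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
Next timer fires after: 00:00:27
"""

# IOS syslog shape: "<seq>: .<Mon> <day> <hh:mm:ss.mmm>: %<FACILITY-SEV-MNEMONIC>: ..."
LINE_RE = re.compile(r"^\d+: \*?\.?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): %(?P<msg>[A-Z0-9_-]+):")
STATE_RE = re.compile(r"state: \d+ (?P<state>\w+)")
TIMER_RE = re.compile(r"Next timer fires after: (\d\d):(\d\d):(\d\d)")
EZVPN_MSGS = {"CRYPTO-6-EZVPN_CONNECTION_DOWN": "DOWN", "CRYPTO-6-EZVPN_CONNECTION_UP": "UP"}

def parse_ezvpn_events(text, year=2012):
    """Return [(timestamp, 'DOWN'|'UP')] for EzVPN connection messages, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("msg") in EZVPN_MSGS:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S.%f")
            events.append((ts, EZVPN_MSGS[m.group("msg")]))
    return events

def tunnel_outages(events):
    """Pair each DOWN with the next UP and return the outage lengths in seconds."""
    outages, down_at = [], None
    for ts, kind in events:
        if kind == "DOWN":
            down_at = ts              # a repeated DOWN restarts the clock
        elif kind == "UP" and down_at is not None:
            outages.append(round((ts - down_at).total_seconds(), 3))
            down_at = None
    return outages

def parse_dhcp_lease(text):
    """Return (client state, seconds until the next DHCP timer) from 'show dhcp lease' output."""
    state, timer = STATE_RE.search(text), TIMER_RE.search(text)
    if not state or not timer:
        return None
    h, m, s = (int(x) for x in timer.groups())
    return state.group("state"), h * 3600 + m * 60 + s
```

On the sample data the measured outage is 10.283 s, which matches the roughly 10-second gap Eugene observed, and the lease parser reports the client in the Renewing state with 27 s to the next timer.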