Even if it receives the same IP address, at that second there is no IP address, and hence that might be the reason.
With regards
Kings

On Thu, Jun 21, 2012 at 2:17 PM, Eugene Pefti <[email protected]> wrote:

> I was monitoring a few routers and confirmed that they receive the same IP
> address.
> Pasting "show dhcp lease" taken from one of them and confirming that it
> gets the same IP:
>
> 112_Yaletown#sh dhcp lease
> Temp IP addr: XXX.XXX.166.74 for peer on Interface: FastEthernet4
> Temp sub net mask: 255.255.224.0
>    DHCP Lease server: XXX.XXX.160.1, state: 5 Bound
>    DHCP transaction id: 193
>    Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
> Temp default-gateway addr: XXX.XXX.160.1
>    Next timer fires after: 00:00:21
>    Retry count: 0 Client-ID: cisco-0023.5ef3.3363-Fa4
>    Client-ID hex dump: 636973636F2D303032332E356566332E
>    333336332D466134
>
> 112_Yaletown#sh dhcp lease
> Temp IP addr: XXX.XXX.166.74 for peer on Interface: FastEthernet4
> Temp sub net mask: 255.255.224.0
>    DHCP Lease server: XXX.XXX.160.1, state: 7 Renewing
>    DHCP transaction id: 193
>    Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
> Temp default-gateway addr: XXX.XXX.160.1
>    Next timer fires after: 00:00:27
>    Retry count: 1 Client-ID: cisco-0023.5ef3.3363-Fa4
>    Client-ID hex dump: 636973636F2D303032332E356566332E
>    333336332D466134
>    Hostname: 112_Yaletown
>
> During this short hiccup the VPN tunnel goes down and up:
>
> And then we are back to the previous DHCP state, 5 Bound, and the new
> lease timer starts counting down.
>
> 112_Yaletown#sh dhcp lease
> Temp IP addr: XXX.XXX.166.74 for peer on Interface: FastEthernet4
> Temp sub net mask: 255.255.224.0
>    DHCP Lease server: XXX.XXX.160.1, state: 5 Bound
>    DHCP transaction id: 193
>    Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
> Temp default-gateway addr: XXX.XXX.160.1
>    Next timer fires after: 00:59:29
>    Retry count: 0 Client-ID: cisco-0023.5ef3.3363-Fa4
>    Client-ID hex dump: 636973636F2D303032332E356566332E
>    333336332D466134
>    Hostname: 112_Yaletown
>
> From: Kingsley Charles <[email protected]>
> Date: Thursday, June 21, 2012 1:35 AM
> To: Eugene Pefti <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] IPSec VPN tunnel goes down when EzVPN
> client renews IP via DHCP
>
> If a new IP address is obtained, then the SA should be modified
> accordingly. That could be the reason.
>
> With regards
> Kings
>
> On Thu, Jun 21, 2012 at 1:35 PM, Eugene Pefti <[email protected]> wrote:
>
>> Guys,
>> I understand that I ask for the impossible, but I would still like to hear if
>> there's a chance to do something to prevent it.
>> Our client's 871 routers run as EzVPN remotes with an ASA as the VPN
>> headend, and the majority of the routers are connected to the Internet via DHCP.
>> The DHCP lease time differs, and at some locations it is 600 seconds,
>> which is absolutely stupid and insane.
>> Every time the router renews the IP the tunnel goes down and breaks a few
>> critical applications.
>> The interval of 10 seconds during the tunnel re-establishment is high
>> enough to make it noticeable:
>>
>> 031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN:
>> (Client) User=Store112 Group=Stores Server_public_addr=XXX.XXX.XXX.145
>>
>> 031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from
>> XXX.XXX.XXX.145 has no SA and is not an initialization offer
>>
>> 031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)
>> User=Store112 Group=Stores Client_public_addr=173.180.166.74
>> Server_public_addr=XXX.XXX.XXX.145 NEM_Remote_Subnets=
>> 10.1.12.128/255.255.255.128 10.1.12.0/255.255.255.128
>>
>> The router IPSec client profile setup is traditional:
>>
>> crypto ipsec client ezvpn TEST
>>  connect auto
>>  group TestVpn key ******
>>  mode network-extension
>>  peer YYY.YYY.YYY.YYY
>>  username store111 password 6 *******
>>  xauth userid mode local
>>
>> I'm just wondering: if I were to do it with a virtual-template, so that
>> the virtual-access interface uses the router's physical interface as the
>> source, would the tunnel stay up during the DHCP renewal?
>>
>> Eugene
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
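To put numbers on the "high enough to make it noticeable" claim, here is an added example (not code from anyone in the thread) that parses the IOS syslog lines and the "show dhcp lease" output quoted above, pairs each EZVPN_CONNECTION_DOWN with the matching CONNECTION_UP to measure the outage, and projects how many such flaps a given DHCP renewal timer (T1) produces per day. The sample inputs are constructed from the thread's output with RFC 5737 documentation addresses substituted for the redacted XXX octets; the hostnames, user names and timer values are the ones shown in the thread.

```python
"""Correlate EzVPN tunnel flaps with DHCP lease timers on an IOS client.

Added example, not part of the original mailing-list thread. Sample inputs are
constructed from the output quoted in the thread; 203.0.113.x / 198.51.100.x
stand in for the redacted XXX octets.
"""
import re
from datetime import datetime

# Constructed sample: the three syslog lines from the original post.
SAMPLE_SYSLOG = """\
031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=Store112 Group=Stores Server_public_addr=203.0.113.145
031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.145 has no SA and is not an initialization offer
031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=Store112 Group=Stores Client_public_addr=198.51.100.74 Server_public_addr=203.0.113.145 NEM_Remote_Subnets= 10.1.12.128/255.255.255.128 10.1.12.0/255.255.255.128
"""

# Constructed sample: the "Renewing" snapshot of 'show dhcp lease' from the thread.
SAMPLE_LEASE = """\
Temp IP addr: 198.51.100.74 for peer on Interface: FastEthernet4
Temp sub net mask: 255.255.224.0
   DHCP Lease server: 198.51.100.1, state: 7 Renewing
   DHCP transaction id: 193
   Lease: 7200 secs, Renewal: 3600 secs, Rebind: 6300 secs
Temp default-gateway addr: 198.51.100.1
   Next timer fires after: 00:00:27
   Retry count: 1 Client-ID: cisco-0023.5ef3.3363-Fa4
   Hostname: 112_Yaletown
"""

# IOS syslog shape: "<seq>: <flag><timestamp>: %<FACILITY>-<sev>-<MNEMONIC>: <text>".
# The optional '*' or '.' before the timestamp is IOS's clock-authority flag; we skip it.
_SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+): [*.]?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
_KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs such as User=Store112


def parse_syslog(text):
    """Return one dict per well-formed IOS syslog line, in file order."""
    events = []
    for line in text.splitlines():
        m = _SYSLOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or truncated line
        # IOS timestamps carry no year; we only ever subtract them, so 1900 is fine.
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S.%f")
        events.append({
            "seq": int(m["seq"]),
            "ts": ts,
            "mnemonic": m["mnemonic"],
            "text": m["text"],
            "fields": dict(_KV_RE.findall(m["text"])),
        })
    return events


def tunnel_outages(events):
    """Pair each EZVPN_CONNECTION_DOWN with the next CONNECTION_UP for the same User."""
    pending = {}  # user -> DOWN event not yet matched by an UP
    outages = []
    for ev in events:
        user = ev["fields"].get("User")
        if ev["mnemonic"] == "CRYPTO-6-EZVPN_CONNECTION_DOWN":
            pending[user] = ev
        elif ev["mnemonic"] == "CRYPTO-6-EZVPN_CONNECTION_UP" and user in pending:
            down = pending.pop(user)
            outages.append({
                "user": user,
                "down_seq": down["seq"],
                "up_seq": ev["seq"],
                "seconds": (ev["ts"] - down["ts"]).total_seconds(),
                "client_public_addr": ev["fields"].get("Client_public_addr"),
            })
    return outages


_STATE_RE = re.compile(r"state: (\d+) (\w+)")
_TIMERS_RE = re.compile(r"Lease: (\d+) secs, Renewal: (\d+) secs, Rebind: (\d+) secs")
_NEXT_RE = re.compile(r"Next timer fires after: (\d\d):(\d\d):(\d\d)")


def parse_dhcp_lease(text):
    """Extract the client state and timers from 'show dhcp lease' output."""
    state, timers, nxt = _STATE_RE.search(text), _TIMERS_RE.search(text), _NEXT_RE.search(text)
    if not (state and timers and nxt):
        raise ValueError("unrecognised 'show dhcp lease' output")
    h, m, s = (int(x) for x in nxt.groups())
    return {
        "state_code": int(state[1]),
        "state": state[2],
        "lease_secs": int(timers[1]),
        "renewal_secs": int(timers[2]),
        "rebind_secs": int(timers[3]),
        "next_timer_secs": h * 3600 + m * 60 + s,
    }


def expected_flaps_per_day(renewal_secs):
    """If every T1 renewal drops the tunnel, how many flaps a day that implies."""
    return 86400 // renewal_secs


def lost_seconds_per_day(outage_secs, renewal_secs):
    """Cumulative tunnel downtime per day for a given outage length and T1."""
    return outage_secs * expected_flaps_per_day(renewal_secs)


if __name__ == "__main__":
    outs = tunnel_outages(parse_syslog(SAMPLE_SYSLOG))
    lease = parse_dhcp_lease(SAMPLE_LEASE)
    for o in outs:
        print(f"{o['user']}: tunnel down {o['seconds']:.3f}s "
              f"(seq {o['down_seq']} -> {o['up_seq']}), public addr {o['client_public_addr']}")
    print(f"DHCP state {lease['state_code']} {lease['state']}, T1={lease['renewal_secs']}s, "
          f"next timer in {lease['next_timer_secs']}s")
    print(f"expected flaps/day at T1={lease['renewal_secs']}s: "
          f"{expected_flaps_per_day(lease['renewal_secs'])}")
```

With the thread's values the one outage measures 10.283 s, and a 3600 s renewal timer implies 24 flaps a day, roughly four minutes of tunnel downtime. For the 600 s leases mentioned in the original post, T1 defaults to half the lease (300 s), so the same arithmetic gives 288 flaps a day, which is why the renewal-triggered drop matters far more at those sites than the headline 10 seconds suggests.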
