Eugene,
can you snoop a bit on your DHCP traffic from the client router to see how exactly it renews its DHCP address?

If you have a chance to build a lab, you can also try and put an extra device in front of your router to take the hit of changing IP address.

HTH
A.


On 6/21/2012 6:05 PM, Eugene Pefti wrote:
Guys,
I understand that I'm asking for the impossible, but I would still like to hear if there's a chance to do something to prevent it. Our client's 871 routers run as EzVPN remote with an ASA as the VPN headend, and the majority of the routers are connected to the Internet via DHCP. The DHCP lease time differs, and at some locations it is 600 seconds, which is absolutely stupid and insane. Every time the router renews the IP, the tunnel goes down and breaks a few critical applications. The interval of 10 seconds during the tunnel re-establishment is high enough to make it noticeable:

031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=Store112 Group=Stores Server_public_addr=XXX.XXX.XXX.145

031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from XXX.XXX.XXX.145 has no SA and is not an initialization offer

031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=Store112 Group=Stores Client_public_addr=173.180.166.74 Server_public_addr=XXX.XXX.XXX.145 NEM_Remote_Subnets=10.1.12.128/255.255.255.128 10.1.12.0/255.255.255.128


The router IPSec client profile setup is traditional:

crypto ipsec client ezvpn TEST
 connect auto
 group TestVpn key ******
 mode network-extension
 peer YYY.YYY.YYY.YYY
 username store111 password 6 *******
 xauth userid mode local

I'm just wondering: if I were to do it with a virtual-template, so that the virtual-access interface uses the physical router's interface as the source, will the tunnel stay up during the DHCP renewal?

Eugene
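
The following is an added example, not code from either poster: a small Python parser that pairs the EZVPN_CONNECTION_DOWN and EZVPN_CONNECTION_UP syslog messages shown above to measure each outage, and reports the time between successive drops so it can be compared with the DHCP lease timer. The year, the function names and the last two sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines 1-3 are the log excerpt from the post. Lines 4-5 are constructed:
# a second drop 300 s later (default T1 renewal point of a 600 s lease).
SAMPLE = """\
031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=Store112 Group=Stores Server_public_addr=XXX.XXX.XXX.145
031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from XXX.XXX.XXX.145 has no SA and is not an initialization offer
031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=Store112 Group=Stores Client_public_addr=173.180.166.74 Server_public_addr=XXX.XXX.XXX.145 NEM_Remote_Subnets=10.1.12.128/255.255.255.128 10.1.12.0/255.255.255.128
031590: .Jun 20 23:37:21.602: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=Store112 Group=Stores Server_public_addr=XXX.XXX.XXX.145
031592: .Jun 20 23:37:31.910: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=Store112 Group=Stores Client_public_addr=173.180.166.74 Server_public_addr=XXX.XXX.XXX.145
"""

# Sequence number, optional clock-status marker ('.' or '*'), timestamp, event, user.
EVENT = re.compile(
    r"^\d+: [.*]?(\w{3} +\d+ [\d:.]+): "
    r"%CRYPTO-6-EZVPN_CONNECTION_(DOWN|UP): \(Client\) +User=(\S+)")

def parse_events(text, year=2012):
    """Yield (timestamp, state, user). The year is assumed: these lines omit it."""
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)

def outages(events):
    """Pair each DOWN with the next UP for the same user."""
    pending, result = {}, []
    for ts, state, user in events:
        if state == "DOWN":
            pending.setdefault(user, ts)  # keep the first DOWN if it repeats
        elif user in pending:             # an UP with no prior DOWN is ignored
            down = pending.pop(user)
            result.append((user, down, (ts - down).total_seconds()))
    return result

def drop_intervals(outage_list):
    """Seconds between successive drops per user, to compare with the lease timer."""
    last, gaps = {}, defaultdict(list)
    for user, down, _ in outage_list:
        if user in last:
            gaps[user].append((down - last[user]).total_seconds())
        last[user] = down
    return dict(gaps)

if __name__ == "__main__":
    found = outages(parse_events(SAMPLE))
    for user, down, secs in found:
        print(f"{user} down at {down:%H:%M:%S} for {secs:.3f}s")
    print(drop_intervals(found))
```

Drops that recur at a near-constant interval matching the lease renewal point support the DHCP explanation; irregular intervals point elsewhere.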


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

