Ta-da...!!!
I did build a lab with my CCIE Cisco gear and was surprised that my Ezvpn
remote router stays connected without dropping the tunnel.
Now I'm starting to think it has to do with the ISP DHCP server; otherwise
everything else is more or less identical. I don't think it could be the
platform, as I used an 1841 in my lab and the customer routers are 871s.
My topology:
R4-----------------SW-----------------ASA
(DHCP server)
The DHCP server lease is set to 5 minutes, and I saw the DHCP client on the
router go through the same Bound and Renewing stages, get the same IP address
and stay connected.
Here's my DHCP debug from the router:
R4#debug dhcp detail
DHCP client activity debugging is on (detailed)
R4#
*Jun 21 20:31:58.721: DHCP: QScan: Renewal..T2 fired..Rebinding
*Jun 21 20:31:58.721: DHCP: SRequest attempt # 1 for entry:
*Jun 21 20:31:58.721: Temp IP addr: 100.0.0.3 for peer on Interface:
FastEthernet0/1
*Jun 21 20:31:58.721: Temp sub net mask: 255.255.255.0
*Jun 21 20:31:58.721: DHCP Lease server: 100.0.0.2, state: 6 Rebinding
*Jun 21 20:31:58.721: DHCP transaction id: 422
*Jun 21 20:31:58.721: Lease: 300 secs, Renewal: 150 secs, Rebind: 262 secs
*Jun 21 20:31:58.721: Next timer fires after: 00:00:39
*Jun 21 20:31:58.721: Retry count: 1 Client-ID: cisco-0026.cb29.f6c7-Fa0/1
*Jun 21 20:31:58.721: Client-ID hex dump: 636973636F2D303032362E636232392E
*Jun 21 20:31:58.721: 663663372D4661302F31
*Jun 21 20:31:58.721: Hostname: R4
*Jun 21 20:31:58.721: DHCP: SRequest - ciaddr: 100.0.0.3
*Jun 21 20:31:58.721: DHCP: SRequest placed lease len option: 300
*Jun 21 20:31:58.721: DHCP: SRequest placed class-id option:
64736C666F72756D2E6F7267
*Jun 21 20:31:58.721: DHCP: SRequest: 311 bytes
*Jun 21 20:31:58.721: DHCP: SRequest: 311 bytes
*Jun 21 20:31:58.721: B'cast on FastEthernet0/1 interface from
100.0.0.3
*Jun 21 20:31:58.725: DHCP: Received a BOOTREP pkt
*Jun 21 20:31:58.725: DHCP: Scan: Message type: DHCP Ack
*Jun 21 20:31:58.725: DHCP: Scan: Server ID Option: 100.0.0.2 = 64000002
*Jun 21 20:31:58.725: DHCP: Scan: Lease Time: 300
*Jun 21 20:31:58.725: DHCP: Scan: Renewal time: 150
*Jun 21 20:31:58.725: DHCP: Scan: Rebind time: 262
*Jun 21 20:31:58.725: DHCP: Scan: Subnet Address Option: 255.255.255.0
*Jun 21 20:31:58.725: DHCP: rcvd pkt source: 100.0.0.2, destination: 100.0.0.3
*Jun 21 20:31:58.725: UDP sport: 43, dport: 44, length: 308
*Jun 21 20:31:58.725: DHCP op: 2, htype: 1, hlen: 6, hops: 0
*Jun 21 20:31:58.725: DHCP server identifier: 100.0.0.2
*Jun 21 20:31:58.725: xid: 422, secs: 0, flags: 0
*Jun 21 20:31:58.725: client: 100.0.0.3, your: 100.0.0.3
*Jun 21 20:31:58.725: srvr: 0.0.0.0, gw: 0.0.0.0
*Jun 21 20:31:58.725: options block length: 60
*Jun 21 20:31:58.725: DHCP Ack Message
*Jun 21 20:31:58.725: DHCP: Lease Seconds: 300 Renewal secs: 150 Rebind
secs: 262
*Jun 21 20:31:58.725: DHCP: Server ID Option: 100.0.0.2
*Jun 21 20:31:58.725: DHCP: Releasing ipl options:
*Jun 21 20:31:58.725: DHCP: Applying DHCP options:
*Jun 21 20:31:58.725: DHCP Client Pooling: ***Allocated IP address: 100.0.0.3
From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Thursday, June 21, 2012 3:11 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPSec VPN tunnel goes down when EzVPN client
renews IP via DHCP
Eugene,
can you snoop a bit on your DHCP traffic from the client router to see how
exactly it renews its DHCP address?
If you have a chance to build a lab, you can also try and put an extra device
in front of your router to take the hit of changing IP address.
HTH
A.
On 6/21/2012 6:05 PM, Eugene Pefti wrote:
Guys,
I understand that I'm asking for the impossible, but I would still like to hear
if there's a chance to do something to prevent it.
Our client's 871 routers run as EzVPN remote while having ASA as VPN headend
and the majority of routers are connected to Internet via DHCP.
DHCP lease time is different and at some locations it is 600 seconds which is
absolutely stupid and insane.
Every time the router renews the IP the tunnel goes down and breaks a few
critical applications.
The interval of 10 seconds during the tunnel re-establishment is high enough to
make it noticeable.
031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)
User=Store112 Group=Stores Server_public_addr=XXX.XXX.XXX.145
031577: .Jun 20 23:32:31.153: %CRYPTO-4-IKMP_NO_SA: IKE message from
XXX.XXX.XXX.145 has no SA and is not an initialization offer
031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)
User=Store112 Group=Stores Client_public_addr=173.180.166.74
Server_public_addr=XXX.XXX.XXX.145
NEM_Remote_Subnets=10.1.12.128/255.255.255.128 10.1.12.0/255.255.255.128
The router IPSec client profile setup is traditional:
crypto ipsec client ezvpn TEST
connect auto
group TestVpn key ******
mode network-extension
peer YYY.YYY.YYY.YYY
username store111 password 6 *******
xauth userid mode local
I'm just wondering: if I were to do it with a virtual-template, so that the
virtual-access interface uses the physical router's interface as the source,
would the tunnel stay up during the DHCP renewal?
Eugene
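A small log check written for this thread (added example, not code from either poster) that pulls the three things under discussion out of IOS output: whether the DHCP Ack timers match the RFC 2131 defaults (T1 = 0.5 x lease, T2 = 0.875 x lease, which is what the 300/150/262 values in the lab debug are), whether a renewal or rebind handed back a different address, and how long each EZVPN_CONNECTION_DOWN/UP gap lasted. The sample log is constructed to resemble the lines quoted above, not copied from them.

```python
import re
from datetime import datetime

# Constructed sample modelled on the IOS debug/syslog lines quoted in the thread.
SAMPLE_LOG = """\
*Jun 21 20:26:58.700: DHCP Client Pooling: ***Allocated IP address: 100.0.0.3
*Jun 21 20:31:58.725: DHCP: Lease Seconds: 300 Renewal secs: 150 Rebind secs: 262
*Jun 21 20:31:58.725: DHCP Client Pooling: ***Allocated IP address: 100.0.0.3
031576: .Jun 20 23:32:21.555: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=Store112 Group=Stores
031578: .Jun 20 23:32:31.838: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=Store112 Group=Stores
"""

TS_RE = re.compile(r"([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})")
LEASE_RE = re.compile(r"Lease Seconds: (\d+) Renewal secs: (\d+) Rebind secs: (\d+)")
ADDR_RE = re.compile(r"Allocated IP address: (\d+\.\d+\.\d+\.\d+)")

def rfc2131_timers(lease):
    """RFC 2131 defaults: T1 = 0.5 * lease, T2 = 0.875 * lease; the server in the
    thread hands out 262 for a 300 s lease, i.e. 262.5 truncated, so truncate here."""
    return int(lease * 0.5), int(lease * 0.875)

def parse_ts(line):
    """IOS timestamp (no year; fine for differences within one day)."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f") if m else None

def lease_timer_checks(log):
    """Per DHCP Ack lease line: (lease, T1, T2, True if T1/T2 are the RFC defaults)."""
    out = []
    for m in LEASE_RE.finditer(log):
        lease, t1, t2 = map(int, m.groups())
        out.append((lease, t1, t2, (t1, t2) == rfc2131_timers(lease)))
    return out

def address_changes(log):
    """(old, new) pairs whenever a renewal/rebind yields a different address."""
    addrs = ADDR_RE.findall(log)
    return [(a, b) for a, b in zip(addrs, addrs[1:]) if a != b]

def tunnel_outages(log):
    """Seconds between each EZVPN_CONNECTION_DOWN and the next EZVPN_CONNECTION_UP."""
    outages, down_at = [], None
    for line in log.splitlines():
        if "EZVPN_CONNECTION_DOWN" in line:
            down_at = parse_ts(line)
        elif "EZVPN_CONNECTION_UP" in line and down_at is not None:
            outages.append((parse_ts(line) - down_at).total_seconds())
            down_at = None
    return outages

if __name__ == "__main__":
    print(lease_timer_checks(SAMPLE_LOG))   # [(300, 150, 262, True)]
    print(address_changes(SAMPLE_LOG))      # []  -> same address after renewal
    print(tunnel_outages(SAMPLE_LOG))       # [10.283]
```

Feed it the output of `debug dhcp detail` plus the crypto syslog from a remote that does drop, and the address_changes list tells you whether the ISP actually re-leased a different address at the moment of each outage.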
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com<http://www.ipexpert.com>
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com<http://www.PlatinumPlacement.com>