Posted by Ted Mittelstaedt on December 10, 2004, 12:08 pm
Hi All,

I am posting some followup information on a post I made back on Sun, 18 Jul 2004 15:12:26 -0700, titled "Need help with IPSec tunnel periodically collapsing", message ID newscache$j0j21i$qs5$1@news.ipinc.net

I have some followup information on this:

First, we aren't using a VAM card in the 7206. I have also tried the most current IOS and the problem actually worsened. 12.1 seems to be the best release so far. I've tried this with both ip cef enabled or disabled, makes no difference.

The ACL on the 7206 and the BEFVP41 match, and they are a permit ip statement, no permit tcp or any of that.

The Linksys does support keepalives and it is checked; it makes no difference, though, what the setting is.

Now for the new information.

I finally did set up a perl script that queries the remote Linksys through the VPN; if it cannot reach it, the script sends the "clear crypto sa" command to the 7206. The script is called out of cron once a minute on a convenient UNIX system.

I have discovered that what seems to be the problem is when the key expires (both the Linksys and the 7206 have a key lifetime set to 3600 seconds, i.e. 1 hour) that MOST of the time the 7206 and the Linksys do correctly renegotiate the key and the VPN does not go down.

But every once in a while the Cisco doesn't renegotiate it, and the VPN goes down - then a minute later my script is clearing the SA and then the two devices do their renegotiation and everything is fine again.

It's an icky bandaid but it works. Here's the script in case anyone needs to do the same thing:
#!/usr/bin/perl -w
use strict;
use Net::Telnet;
use Net::Ping::External qw(ping);
use Mail::Sendmail;

my $server = 'mail.eatme.net';    # SMTP relay used for the notification mail

# Probe the remote Linksys across the tunnel. If it answers, the VPN is up
# and there is nothing to do.
if (ping(host => '192.168.168.168', count => 5, size => 16, timeout => 3)) {
    exit;
}

# Tunnel is down: log in to the 7206 and clear the crypto SAs so the two
# ends renegotiate. This is Telnet, so the login and enable passwords
# below cross the wire in cleartext.
my $telnet = Net::Telnet->new(Timeout => 10, Errmode => 'die');
$telnet->open('7206-rtr.eatme.net');
$telnet->waitfor('/Username: $/i');
$telnet->print('tedm');
$telnet->waitfor('/Password: $/i');
$telnet->print('eatme');
$telnet->waitfor('/\>$/i');
$telnet->print('en');
$telnet->waitfor('/Password: $/i');
$telnet->print('eatme');
$telnet->waitfor('/\#$/i');
$telnet->print('clear crypto sa');
$telnet->print('');
$telnet->close;

# Mail a notice that the SAs were reset. Mail::Sendmail takes a hash of
# headers plus Message; the To/From addresses were not in the original
# post and are placeholders.
my %mail;
$mail{smtp}    = $server;
$mail{To}      = 'noc@eatme.net';            # placeholder recipient
$mail{From}    = 'vpn-watchdog@eatme.net';   # placeholder sender
$mail{Subject} = "Reinitialized crypto on 7206-rtr, message sent from "
               . "Mail::Sendmail version $Mail::Sendmail::VERSION";
$mail{Message} = "On " . Mail::Sendmail::time_to_date() . " the Remote customer Linksys router\n";
$mail{Message} .= "stopped responding, and crypto SA was reset on the 7206-rtr.eatme.net\n";
$mail{Message} .= "router. See http://vpn.biteme.com:8080/ for loginfo.\n";

if (sendmail(%mail)) {
    print "content of \$Mail::Sendmail::log:\n$Mail::Sendmail::log\n";
    if ($Mail::Sendmail::error) {
        print "content of \$Mail::Sendmail::error:\n$Mail::Sendmail::error\n";
    }
    print "ok 2\n";
}
else {
    print "\n!Error sending mail:\n$Mail::Sendmail::error\n";
    print "not ok 2\n";
}
exit;
And of course, if anyone can make any suggestions for setting changes on the Linksys or Cisco that would be great.

Now that Cisco owns Linksys maybe they will be more interested in fixing interoperability? (hint hint)
Thanks,
Ted Mittelstaedt
tedm@toybox.placo.com
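Added example (editor's code, not the poster's script): the same watchdog idea in Python, with two things the Perl version above does not do. It only resets the SAs after several consecutive failed probes, so a single lost ping during a rekey does not trigger a "clear crypto sa", and it rate-limits resets so a peer that is genuinely down does not get cleared once a minute forever. It also includes a parser for `show crypto isakmp sa` output so the peer's ISAKMP state (QM_IDLE is an established Phase 1) can be checked before acting. The router transport is injected as a callable, so the decision logic runs without a router and credentials stay out of the script body. The probe target 192.168.168.168 is taken from the post; the sample `show crypto isakmp sa` text is constructed, and the environment variable names TUNNEL_PROBE_HOST and RTR_PASSWORD are assumptions for illustration.

```python
"""IPsec tunnel watchdog with failure threshold and reset cooldown (added example)."""
import os
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample of IOS `show crypto isakmp sa` output, used only to
# exercise the parser; not captured from a real device.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id slot
192.168.168.1   10.0.0.2        QM_IDLE              5    0
192.168.168.1   10.0.0.3        MM_NO_STATE          7    0
"""

# dst, src, STATE, conn-id, slot. The header row has no digits, so it does not match.
ISAKMP_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text: str) -> dict:
    """Return {peer_src: state} for each ISAKMP SA line in `text`."""
    states = {}
    for line in text.splitlines():
        m = ISAKMP_LINE.match(line.strip())
        if m:
            states[m.group(2)] = m.group(3)
    return states


def peer_established(text: str, peer: str) -> bool:
    """True if the peer's ISAKMP SA is in QM_IDLE (Phase 1 complete)."""
    return parse_isakmp_sa(text).get(peer) == "QM_IDLE"


def probe(host: str, count: int = 5, timeout_s: int = 3) -> bool:
    """Ping `host` through the tunnel (iputils syntax); True if any reply came back."""
    r = subprocess.run(["ping", "-c", str(count), "-W", str(timeout_s), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


@dataclass
class Watchdog:
    """Turns a stream of probe results into ok / wait / reset decisions."""
    failures_before_reset: int = 3          # consecutive misses before acting
    min_seconds_between_resets: float = 300.0
    consecutive_failures: int = 0
    last_reset: Optional[float] = None
    resets: int = 0

    def decide(self, reachable: bool, now: float) -> str:
        if reachable:
            self.consecutive_failures = 0
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures < self.failures_before_reset:
            return "wait"                   # not enough evidence yet
        if self.last_reset is not None and now - self.last_reset < self.min_seconds_between_resets:
            return "wait"                   # within cooldown after the last reset
        self.last_reset = now
        self.consecutive_failures = 0
        self.resets += 1
        return "reset"


def reset_crypto(run_on_router: Callable[[str], str]) -> str:
    """Send the same command the Perl script sends, through an injected transport.

    `run_on_router` is whatever delivers an enable-mode command to the router
    (an SSH session in practice). A real transport should read the password
    from os.environ["RTR_PASSWORD"] (assumed name) rather than embed it here.
    """
    return run_on_router("clear crypto sa")


def run_once(wd: Watchdog, reachable: bool, run_on_router: Callable[[str], str],
             now: Optional[float] = None) -> str:
    """One probe cycle: update the watchdog and reset the SAs if it says so."""
    action = wd.decide(reachable, time.time() if now is None else now)
    if action == "reset":
        reset_crypto(run_on_router)
    return action


if __name__ == "__main__":
    def dry_run(cmd: str) -> str:
        print("would send to router:", cmd)
        return ""

    target = os.environ.get("TUNNEL_PROBE_HOST", "192.168.168.168")  # assumed env var
    print(run_once(Watchdog(), probe(target), dry_run))
```

Because the threshold and cooldown live in the Watchdog object, this works as written only when run as a long-lived loop; if it is fired from cron once a minute like the original, the counters have to be persisted between runs (a small state file is enough). The parser is there so the loop can distinguish "peer never completed Phase 1" (MM_NO_STATE) from "Phase 1 is up but Phase 2 traffic is not passing", which point at different fixes on the two boxes.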