IPSEC Tunnels keep dropping
-
I upgraded yesterday and my IPSEC tunnels keep dropping. I can restart ipsec and the tunnels come right back up.
RC -
The do not drop option is not working. I have a constant ping running from my server to the router on the other end to keep the tunnels up.
RC -
Ok, I have done plenty of testing and can't figure out for the life of me why the IPSEC tunnels keep dropping. The only way I can get them back up is to restart IPSEC. This is causing me some issues.
I don't want to go backwards to an older version because of the performance increases and functionality. So what is the scoop on the tunnels dropping?
I have changed the DPD to 5 seconds to see if it will help.
Interface issue: There are about 3 to 5 characters out of place. I only see the W in WAN. I can't see any of the settings for perfect security. I see part of the A in AES. All of the menus throughout the interface are off by that much.
RC
-
IPsec logs would be helpful. Impossible to say without that.
-
I have been able to keep the tunnels up for more than an hour by changing the DPD time to 5 and running a constant ping of 128 bytes.
I will turn the ping off and try to capture a log entry and post that in a little while.
RC -
This is an example of a timeout:
Reply from 192.168.xx.10: bytes=128 time=456ms TTL=127
Reply from 192.168.xx.10: bytes=128 time=501ms TTL=127
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Request timed out.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 192.168.xx.10: bytes=128 time=393ms TTL=127
Reply from 192.168.xx.10: bytes=128 time=455ms TTL=127
Here are log entries:
Trying to catch those now. -
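A small monitoring check for the symptom shown in the capture above (added example, not code from this thread or from the firewall vendor): it parses Windows ping output, treats any reply from a host other than the far-side LAN target as traffic that left via the default route because the SA was gone, and groups consecutive bad probes into drop episodes. The sample text is constructed from the lines in the post and trimmed.

```python
import re

# Ping output shaped like the thread's capture (constructed sample, trimmed).
SAMPLE = """\
Reply from 192.168.xx.10: bytes=128 time=456ms TTL=127
Reply from 192.168.xx.10: bytes=128 time=501ms TTL=127
Reply from 205.244.203.58: TTL expired in transit.
Reply from 205.244.203.58: TTL expired in transit.
Request timed out.
Reply from 205.244.203.58: TTL expired in transit.
Reply from 192.168.xx.10: bytes=128 time=393ms TTL=127
"""

REPLY = re.compile(r"^Reply from (\S+): (.*)$")

def classify(line, target):
    """Classify one Windows ping line. 'leaked' = reply from a host other than
    the target: the packet left via the default route instead of the SA, and an
    Internet router answered (here 'TTL expired in transit')."""
    line = line.strip()
    if line == "Request timed out.":
        return "timeout"
    m = REPLY.match(line)
    if not m:
        return "other"
    src, rest = m.groups()
    return "ok" if src == target and rest.startswith("bytes=") else "leaked"

def outage_episodes(text, target):
    """Group consecutive non-ok probes into episodes (one per tunnel drop).
    Returns a list of {'probes', 'leaked', 'timeout', 'sources'} dicts."""
    episodes, cur = [], None
    for line in text.splitlines():
        kind = classify(line, target)
        if kind == "other":
            continue
        if kind == "ok":
            if cur:
                episodes.append(cur)
                cur = None
            continue
        if cur is None:
            cur = {"probes": 0, "leaked": 0, "timeout": 0, "sources": set()}
        cur["probes"] += 1
        cur[kind] += 1
        if kind == "leaked":
            cur["sources"].add(REPLY.match(line.strip()).group(1))
    if cur:
        episodes.append(cur)
    return episodes
```

Feeding a live `ping -t` transcript to `outage_episodes` gives one entry per drop, so the episode count and its `sources` set (which public router answered) can be correlated with the IPsec log timestamps.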
I changed the DPD time to 5, and the tunnels seem to be staying up. They have not dropped all weekend. What should a normal DPD time be?
RC -
Depends on the specifics of your environment, and the quality of the Internet connections. 5 seconds is pretty low, may cause unnecessary renegotiation.