Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
173
Views
5
Helpful
1
Replies

VPN tunnels Disconnection

GRANT3779
Spotlight
Spotlight

‎09-11-2014 04:01 AM

Hi,

I have multiple VPN tunnels hanging off a router. The Outside Interface for these tunnels plugs into our core switch which was rebooted, obviously causing the Internet link to go down.

When the Core switch came back online, along with the VPN outside interface, none of the VPNs came back at all. They stayed down. They were all in MM_no_state.
Over an hour passed and they still did not come back up.I ended up rebooting the whole VPN router. Once it came back online all the tunnels came up. Is there some sort of timer initially that was the cause of my tunnels not coming up in the first instance? I understand that on initial reboot of core VPNs went down due to losing Internet line, but would have expected them to come back up when it was available again without having to reboot the whole router. Was this to do with negotiation timers between the 2 peers?

Thanks

 

Labels:
0 Helpful
1 Reply 1

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎09-12-2014 06:07 PM

Hi ,

 

Ideally , if the traffic is passing through the VPN device , the tunnel should come up instantly.
It is evident that the tunnels went down when you restarted the next hop device but they should have come up as soon as connectivity was restored.
What might be interesting in this case is whether you were initiating the traffic from your side or not.
Because when the switch was rebooted , there was disruption in the connectivity. Now , either the remote side might be trying to send the packets and they were not reaching the router (less likely) or the packets were reaching but since the remote side is using the older security associations and router has deleted those SAs thus it would create conflict with VPN establishment. If the traffic is initiated from your side , then it might let the remote side know that router is negotiating a new VPN tunnel thus they would have to tear down the old tunnel.

This tunnel termination will also depend on the keepalive mechanism. If the keepalive packets do not reach in specified time interval , then the VPN tunnel goes down. In such cases, the debugs usually give a clear picture of what is preventing the VPN tunnel to come up.

Refer this document (command reference for crypto ipsec security-association idle-timer ) for more reading on the timers for IKE and IPSec sessions.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
Customers Also Viewed These Support Documents