IPsec Intermittency
DANMOH009
Member Posts: 241
Not really sure if this is a CCNA Security level question, but I thought this would be the best place to put it, as I recently passed this exam and feel I'm at this level.
I'm currently working for an ISP managing customer equipment, and I've noticed that from time to time we come across a few intermittent IPsec problems. The majority of the time it's a fault with the physical connection.
However, there are times when the physical connection is solid, with no errors and perfect. I was wondering, in this scenario, where would you look?
I mean the config will be the same on both sides of the tunnel, as it's established, and if the routing is fine, are there other areas you can look?
I appreciate the question is very vague; I'm just wondering, for people who diagnose issues like this day to day, do you guys have a specific troubleshooting process?
Thanks in advance.
Comments
TheNewITGuy Member Posts: 169
Is it timing out? Stopped passing traffic? What do the encaps/decaps look like when the issue is occurring, along with your errors and discarded packet count in show crypto ipsec sa?
DANMOH009 Member Posts: 241
It's not a specific issue as such, and the majority of the time it's between a Cisco and another vendor. I just don't really know where to look.
You say a show crypto ipsec sa - am I just looking at whether the traffic is being encapsulated here? Because if so, then yes, I can see it encapsulated, then all of a sudden traffic just stops, and it's not physical connection related.
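The two replies above come down to one habit: take show crypto ipsec sa twice while the symptom is live and compare the deltas of encaps, decaps and the error counters per SA, rather than reading one snapshot in isolation. The script below is an added example, not code from the original thread or from Cisco; it parses constructed sample output laid out like IOS "show crypto ipsec sa" (the addresses, counter values and the SA_RE/parse_sa_counters/diagnose names are all assumptions made for the example) and classifies each SA as healthy, one-way, idle, erroring or reset between the two snapshots.

```python
import re

# Constructed sample output in the layout of Cisco IOS "show crypto ipsec sa",
# captured twice about a minute apart while the "traffic just stops" symptom is live.
SNAPSHOT_BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
    #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
    #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
    #pkts decaps: 500, #pkts decrypt: 500, #pkts verify: 500
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
    #pkts encaps: 300, #pkts encrypt: 300, #pkts digest: 300
    #pkts decaps: 300, #pkts decrypt: 300, #pkts verify: 300
    #send errors 0, #recv errors 0
"""

SNAPSHOT_AFTER = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 600, #pkts encrypt: 600, #pkts digest: 600
    #pkts decaps: 600, #pkts decrypt: 600, #pkts verify: 600
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
    #pkts encaps: 340, #pkts encrypt: 340, #pkts digest: 340
    #pkts decaps: 350, #pkts decrypt: 338, #pkts verify: 338
    #send errors 0, #recv errors 12
"""

# One match per SA block: proxy identities plus the four counters we care about.
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\).*?"
    r"remote\s+ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\).*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+).*?"
    r"#send errors (?P<send_err>\d+), #recv errors (?P<recv_err>\d+)",
    re.DOTALL,
)

# What each verdict usually points at, so the operator knows which side to look at next.
HINTS = {
    "healthy": "both directions moving, no new errors: look outside the tunnel (application, MTU, path)",
    "one-way-no-decaps": "we encrypt and send but nothing comes back: check the peer's encaps, its routing/NAT towards us",
    "one-way-no-encaps": "we receive but send nothing: check our routing/crypto ACL match, asymmetric path",
    "idle": "no traffic offered either way: idle timeout or lifetime expiry, consider keepalives/DPD",
    "errors": "send/recv errors rising: replay window, bad SPI, transform or lifetime mismatch with the peer",
    "reset": "counters went backwards: SA rebuilt between snapshots, correlate with rekey/lifetime timers",
    "missing": "SA absent in the second snapshot: torn down, check IKE SA state and logs",
}


def parse_sa_counters(text):
    """Return {(local_ident, remote_ident): {counter: int}} for every SA block in the output."""
    result = {}
    for m in SA_RE.finditer(text):
        key = (m["local"], m["remote"])
        result[key] = {k: int(m[k]) for k in ("encaps", "decaps", "send_err", "recv_err")}
    return result


def diagnose(before, after):
    """Classify each SA from the counter deltas between two snapshots; returns {key: verdict}."""
    verdicts = {}
    for key, b in before.items():
        a = after.get(key)
        if a is None:
            verdicts[key] = "missing"
            continue
        if a["encaps"] < b["encaps"] or a["decaps"] < b["decaps"]:
            verdicts[key] = "reset"  # a rebuilt SA restarts its counters from zero
            continue
        d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
        d_err = (a["send_err"] - b["send_err"]) + (a["recv_err"] - b["recv_err"])
        if d_err > 0:
            verdicts[key] = "errors"
        elif d_enc > 0 and d_dec == 0:
            verdicts[key] = "one-way-no-decaps"
        elif d_dec > 0 and d_enc == 0:
            verdicts[key] = "one-way-no-encaps"
        elif d_enc == 0 and d_dec == 0:
            verdicts[key] = "idle"
        else:
            verdicts[key] = "healthy"
    return verdicts


if __name__ == "__main__":
    report = diagnose(parse_sa_counters(SNAPSHOT_BEFORE), parse_sa_counters(SNAPSHOT_AFTER))
    for (local, remote), verdict in report.items():
        print(f"{local} <-> {remote}: {verdict}: {HINTS[verdict]}")
```

On a live box the two snapshots would come from running the command a minute apart (or from a monitoring poll); the point is that a rising encaps count with a flat decaps count, as described in the reply above, already tells you the fault is on the return path or on the peer, not on the local physical link.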
xXErebuS Member Posts: 230
TheNewITGuy wrote: »Is it timing out? Stopped passing traffic? What do the encaps/decaps look like when the issue is occurring, along with your errors and discarded packet count in show crypto ipsec sa?
Cisco default tunnel time is 24hrs; after that it will drop.
We had a site-to-site VPN where the vendor refused to change the keepalive, so we said f it and created a ping batch script on it to generate traffic to keep it alive.