Is there any continuous traffic flowing through that IPsec tunnel..? Or did you identify a pattern i.e after every 8 Hrs or 24 Hrs the tunnel is going down.
there isn't continuous traffic flowing down the tunnel. I haven't identifiy a specific pattern but it does seem to go down int he afternoon and is up again the next morning. I would be so concerned but none of the other tunnels configured similiar configuration and traffic
When there is no traffic traversing the tunnel, the tunnel will go down after it times out.
You can select an arbitrary private /30 network, and configure the IP addresses to the Tunnel Interfaces at the end of both tunnels.
IP on Tunnel Interface Endpoint A:
IP on Tunnel Interface Endpoint Z
If one of the two endpoints is the tunnel initiator, go to that endpoint. Select (Network> IPSec Tunnels: <Your Tunnel>)
(If the initiator was "Endpoint A" in our example...)
Once opened, mark the checkbox for "Tunnel Monitor". Enter the IP address of Endpoint Z. You can leave the Profile on None.
This will cause ICMP packets to be sent every few seconds, thus maintaining the tunnel up at all times.
You don't need to configure Tunnel Monitor at both ends, unless you need it. In some cases configuring it at both ends can cause the tunnel to flap.
I've had this problem before too. I worked through this doc (Dead Peer Detection and Tunnel Monitoring) and it seemed to help. Tunnel monitoring will use pings over the tunnel to monitor the other side. The ping traffic will keep the tunnel up.
I will take a look at the document, Its just odd that is up until the afternoon goes down and then is back up the next morning. The other tunnels are configured the same an they don't do this. I was also trying to bring the tunnel back up by running a test and that didn't work either
I understand the frustration. I had the exact same problem. It was only occurring on one tunnel and not the others. Its like the others are saying, the tunnel is "dying" because there isn't any traffic traversing it so it times out. Why it can't renegotiate after the timeout and come back up is beyond me. The cure is to keep it from dying and tunnel monitoring should resolve that. It will need to rekey once in a while but that should be transparent and nobody should notice any interruption in the tunnel. Also, if phase 1 is going down, but phase 2 is up...your traffic should still be able to cross the tunnel. Phase 1 sets up the agreements needed for phase 2. Phase 2 is used to determine encryption parameters for bulk data encryption. Phase 2 is the important phase, although phase 2 doesn't exist without phase 1. I hope this helps a little.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!