How to - Automatically reset vpn tunnel


#1

Hi,

In production, we have another problem with connecting vyatta/vyos to a cisco router in ipsec + vti.

We have around 250 remote offices, and for no reason some tunnels are down… On the Cisco site, status is up; on the vyos site status is down. We tried many configurations with phase 1 and 2 on vyos with no result.

The problem occurs when a remote office loses its internet connection, and for some reason the tunnel doesn't come up on the vyos site, but on the cisco site the tunnel is UP.

So we wrote another script :),

The script lists tunnels that are not working (status A/D) and resets them; it is related to the correct dyndns name.

The script runs in crontab (5 min timestep).


#2

Hello Biedron,
sorry for the trivial suggestion, but did you try enabling dead-peer-detection, which implements RFC 3706, to reconnect disconnected tunnels?

I mean a configuration like this (please note that you have to change your-group-here to your IKE group name).

set vpn ipsec ike-group your-group-here dead-peer-detection action 'restart'
set vpn ipsec ike-group your-group-here dead-peer-detection interval '30'
set vpn ipsec ike-group your-group-here dead-peer-detection timeout '30'

Regards
Adriano C.


#3

Hi,

Yes, of course :). But for no reason, the tunnel on one of the sites is down (sometimes on the vyos site, sometimes on cisco, but more often on vyos). I analyzed the logs and phase 1 is connected, but there is no transfer in phase 2. The strange thing is, all remote routers are similar and have identical configuration. Of 250 offices, maybe 5% have a problem with the connection. So we wrote this script, and today it is working ok.

Regards


#4

Hello Biedron,
I had a similar issue in the past: did you try reducing the lifetime to a very low value just for that tunnel (by assigning it to a different IKE group)?

Regards
Adriano


#5

I had a similar issue, even with dead-peer-detection. I ended up installing cron and scheduling this script to run every minute:

#!/bin/bash

# Probe a web server on the far side of the tunnel; a failed connection
# (non-zero exit status from curl) is treated as the tunnel being down.
if ! curl -s -o /dev/null --connect-timeout 2 [REMOTE_SERVER] 2>&1 ; then
    # Restart the whole IPsec service from the VyOS operational shell.
    vbash -ic 'restart vpn'
fi

where [REMOTE_SERVER] is a web server on the other side of the tunnel (ping would be better for this, but I can't seem to get a non-0 return value from the included ping).


#6

Adriano -> I guess I have not tried this approach, because I wanted to fix this problem globally, on the vyatta/vyos site, and at that time changing the configuration in all cisco routers was problematic, but soon I will test your idea.

mcowart -> This solution is ok, but if you have multiple sites connecting to one site, this is a problem when you restart the ipsec process: we have many "main links" connecting to the edge router, and when we restart the "ipsec process" we lose the connection.
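
One way to avoid restarting the whole IPsec service, which is the concern raised in this reply, is to probe a host behind each tunnel and reset only the peer whose probe fails. This is an added example, not a script from this thread; it assumes that `reset vpn ipsec-peer <peer>` is available as an operational command on the VyOS version in use and that the peer name is the address configured under `vpn ipsec site-to-site peer`; the PEERS list and probe hosts are constructed sample values.

```shell
#!/bin/bash
# Added example: probe a host behind each tunnel and reset only the peer whose
# probe fails, so the other tunnels on a hub with many sites stay up.
# Assumed: `reset vpn ipsec-peer <peer>` exists on this VyOS version and takes
# the address configured under `vpn ipsec site-to-site peer`.

# Constructed sample list: "<peer address> <host behind that tunnel>" per line.
PEERS="203.0.113.10 10.10.1.1
203.0.113.11 10.10.2.1
203.0.113.12 10.10.3.1"

# Log via syslog when logger is available, otherwise to stderr.
log() { logger -t vpn-check "$1" 2>/dev/null || echo "vpn-check: $1" >&2; }

# Probe a host behind the tunnel with /bin/ping directly rather than the vbash
# 'ping' wrapper (assumed iputils ping, which exits non-zero with no reply).
probe() {
    /bin/ping -c 2 -W 2 -q "$1" >/dev/null 2>&1
}

# Reset one peer from the VyOS operational shell (assumed command, see above).
reset_peer() {
    vbash -ic "reset vpn ipsec-peer $1" >/dev/null 2>&1
}

# Print the peers whose probe host did not answer, one per line.
failed_peers() {
    printf '%s\n' "$PEERS" | while read -r peer host; do
        [ -n "$peer" ] || continue
        if ! probe "$host"; then
            echo "$peer"
        fi
    done
}

# Reset every failed peer and print how many were reset.
reset_failed_peers() {
    n=0
    for peer in $(failed_peers); do
        log "no reply from host behind peer $peer, resetting that peer only"
        reset_peer "$peer" || log "reset of peer $peer failed"
        n=$((n + 1))
    done
    echo "$n"
}

# Cron entry (every 5 minutes, as in the thread): */5 * * * * /config/scripts/vpn-check.sh run
case "${1:-}" in run) reset_failed_peers ;; esac
```

Peers whose probe host still answers are left alone, so a single flapping branch office no longer takes down every other tunnel on the edge router.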


#7

Hello Biedron,
thank you for your update. Feel free to give us further details about your tests.

Regards
Adriano C.


#8

About 6 months ago, while doing some troubleshooting with IPsec VPNs to a Cisco ASA, I discovered that Cisco has a 4GB limit at which time the tunnel is reset. The tunnel will appear to be up, but there will be no traffic. DPD does not solve this, as the tunnel is actually up. Restarting the tunnel did fix the issue.

By setting the lifetimes very low the tunnels are reestablished before that magical 4GB of transfer is encountered.

Cisco has since corrected this behavior in their newer versions of software for the ASA.


#9

That’s true. The VyOS VM I have running is on the edge site (my house) that connects back to an ASA at the office, so it only has the single tunnel to deal with.