Teleworker Setup with 871 router

Using the documentation from Cisco to set up a teleworker using the 871 and UC500, you have to initiate the VPN tunnel from the 871 side with a workstation. If you unplug the workstation from the network, the VPN tunnel terminates after a certain time.

Is there any way to add some kind of keepalive command on the 871 so once the tunnel is up, it stays up?


IP SLA

1) Turn off xauth
2) enable an sla ping between the routers to keep the connection alive

EEM could be used too

Sample config below:

! CLI session the applet runs its commands under
event manager session cli username "cisco"
! Every 120 s, send one ping toward the far end to keep the tunnel busy
event manager applet vpn-pinger
 event timer watchdog time 120
 action 1.0 cli command "enable"
 action 2.0 cli command "ping ip x.x.x.x source BVI1 repeat 1"

But really “crypto isakmp keepalive periodic” should serve the same purpose. Note that “periodic” keyword is not the default value and has to be configured and it means that it will keep sending the keepalives irrespective of any actual data being passed or not.

Marcos

I tried the event manager

I tried the event manager commands yesterday but that did not work.

I am trying the crypto command today.

Thanks for the help.

Strange

The only issue I am aware of is when there are no devices connected to the LAN switch on the UC500, the tunnel may not be able to start and presumably would be more apt to drop. Maybe that is what you saw?

The tunnel does not seem to

The tunnel does not seem to start without initiating it with a workstation. The problem I am trying to solve is keeping the tunnel up after you remove the workstation.

A cisco rep gave me this to try:

crypto isakmp keepalive 60 10 periodic
! this is the CLI from the BU
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group EZVPN_GROUP_1 key cisco123
 mode client
 peer 64.102.88.173
 idletime 300
 ! I set this to 300 seconds and disconnected my PC so I don't have to wait overnight (default is 86400 seconds)
 xauth userid mode http-intercept

It did not seem to work but I still need to look at the 871 to make sure it is correct.

vpn

I just use normal site-to-site VPNs. I don't like EZVPN for reasons just like this. In fact, I am probably missing something, but EZVPN seems just about useless to me. DMVPN is sooo much better (if you have advipsvcs) and normal site-to-site VPN works just fine for small deployments.

I would ditch EZVPN and create a standard site-to-site VPN between your UC520 and the 871.

Thanks for the idea. Do you

Thanks for the idea. Do you have any kind of instructions to set it up?

docs

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_e...

and if you have a site with a dynamic IP,
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_e...

One easy way to get the config is to load and use SDM on your 871, then use the wizard to create the site-to-site VPN. Then you can just mirror all the settings it uses on the UC520.
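Pulling the two suggestions in this thread together (periodic ISAKMP keepalives from the IP SLA reply, and a plain site-to-site tunnel in place of EZVPN from the last reply), here is an added 871-side config as an example; it is not from this thread or from Cisco's documentation, and every address, subnet, name and the pre-shared key are placeholder assumptions (12.4-style `ip sla` syntax is assumed, and `ip nat inside`/`ip nat outside` are assumed to already be set on Vlan1 and FastEthernet4).

```ios
! Added example (not from this thread or from Cisco's docs): the 871 side of
! a plain site-to-site IPsec tunnel, with DPD keepalives set to "periodic"
! so the peer is probed whether or not data is flowing. All addresses,
! names and the key are placeholders; the UC520 side mirrors this config
! with the peer address and ACL directions swapped.
!
! Phase 1 (ISAKMP) policy and pre-shared key for the UC520 peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.10
!
! Dead Peer Detection: probe every 10 s, retry every 3 s when unanswered,
! and keep probing on an idle tunnel ("periodic" is not the default)
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set TS_AES_SHA esp-aes 256 esp-sha-hmac
!
! Interesting traffic: teleworker LAN (192.168.10.0/24) <-> HQ LAN (192.168.1.0/24)
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS_AES_SHA
 match address VPN_TRAFFIC
!
! 871 WAN interface carries the crypto map
interface FastEthernet4
 ip address 203.0.113.20 255.255.255.0
 crypto map VPN_MAP
!
! Keep VPN traffic out of NAT so it still matches the crypto ACL
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT_TRAFFIC interface FastEthernet4 overload
!
! A crypto map only builds the SA when interesting traffic appears, so an
! IP SLA probe sourced from the LAN side brings the tunnel up with no PC
! attached; DPD then keeps it up afterwards
ip sla 1
 icmp-echo 192.168.1.1 source-interface Vlan1
 frequency 60
ip sla schedule 1 life forever start-time now
```

Check the result with `show crypto isakmp sa` and `show crypto ipsec sa`: with the PC unplugged, the ISAKMP SA should stay in QM_IDLE and the IPsec SA counters should keep incrementing from the SLA probes.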
