 maxusa Premium join:2004-05-05 USA
reply to adiinfo, Re: VPN reconnect
In the newer Z5/35/70 series, there are several timers for IPsec: input and output. Also, look into nailed-up for auto renegotiation. A combination of these on both ends shall provide the answer.
>ipsec timer chk_conn
>ipsec timer chk_input
Your units might not have these in the GUI, so test-run them from the CLI and then add the necessary lines into autoexec.net to persist.
EDIT: ZyXEL engineers are on record to be screwing around with these timers. They have changed timer ranges, ability to turn off, relationship to nailed-up, etc. It has been a moving target (royal pain). Currently, the way things settled in V4.0 seems to be:
• chk_conn, a.k.a. output idle timer. Checks for replies after sending something to the remote routers. If no reply is received after the specified time, the router will verify the suspected tunnel and, if found dead, will drop it. Number of seconds between 120 and 3600. Cannot disable. Default is 3600.
• chk_input, a.k.a. input idle timer. If no inbound traffic is received for the specified time, the tunnel is deemed suspected. The router will verify the vitals and, if found truly dead, drop the tunnel. Number of seconds between 30 and 3600. Enter 0 to disable.
• nailed-up will renegotiate the tunnel when the SA has expired and/or when the above timers knock the tunnel down.
You may want to consult the user guide or firmware release notes for details. Beware of inconsistencies. For example, the chk_conn timer is always on, but some docs claim 0 will disable it. You need to experiment, as different firmware releases and different products behave differently. Also, your solution now may not be forward-compatible with the next firmware release.
To add insult to injury, most firmware circa late 2004 through early 2005 had bugs in these timers knocking tunnels down regardless of the traffic. See your IKE logs for constant tunnel reset/renegotiation. Timers work better now (Z5/35/70). Sounds like fun? Good luck.
Hope this helps.
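As an added illustration (not from the thread and not ZyXEL code), here is a small Python model of the two idle timers exactly as the post above describes them, so you can sanity-check values against the stated ranges and see how a given traffic pattern would be judged. The event timeline, the `peer_alive` flag and the one-second tick are simplifications of my own; real firmware behaviour varies by release.

```python
# Constructed model of the ZyNOS IPsec idle timers as described in the post.
# chk_conn: output idle timer, 120..3600 s, always on.
# chk_input: input idle timer, 30..3600 s, 0 disables.
CHK_CONN_RANGE = (120, 3600)
CHK_INPUT_RANGE = (30, 3600)


def validate_timers(chk_conn, chk_input):
    """Return the pair unchanged if both values are in the documented ranges."""
    lo, hi = CHK_CONN_RANGE
    if not lo <= chk_conn <= hi:
        raise ValueError(f"chk_conn must be {lo}..{hi} seconds (cannot be disabled)")
    lo, hi = CHK_INPUT_RANGE
    if chk_input != 0 and not lo <= chk_input <= hi:
        raise ValueError(f"chk_input must be 0 (disabled) or {lo}..{hi} seconds")
    return chk_conn, chk_input


def simulate(events, chk_conn, chk_input, nailed_up, peer_alive, horizon):
    """Walk a timeline one second at a time and return the router's actions.

    events: list of (t_seconds, 'send' | 'recv') for traffic through the tunnel.
    A 'send' left unanswered for chk_conn seconds, or no inbound traffic for
    chk_input seconds, marks the tunnel suspected; the router then verifies it
    (modelled by peer_alive) and drops it if dead. nailed-up then renegotiates,
    which only succeeds if the peer is actually reachable.
    """
    validate_timers(chk_conn, chk_input)
    ev = dict(events)
    up, last_in, unanswered, actions = True, 0, None, []
    for t in range(1, horizon + 1):
        kind = ev.get(t)
        if up and kind == "recv":
            last_in, unanswered = t, None        # any inbound packet answers a send
        elif up and kind == "send" and unanswered is None:
            unanswered = t                       # start the output idle clock
        suspected = up and (
            (unanswered is not None and t - unanswered >= chk_conn)
            or (chk_input and t - last_in >= chk_input)
        )
        if suspected:
            actions.append((t, "verify"))
            if peer_alive:
                last_in, unanswered = t, None    # verification reply counts as inbound
            else:
                up = False
                actions.append((t, "drop"))
                if nailed_up:
                    actions.append((t, "renegotiate"))
                    up = peer_alive              # renegotiation fails against a dead peer
    return actions
```

With `chk_input` set low and a peer that never answers, the model shows the verify/drop/renegotiate sequence the post says to look for in the IKE logs.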
 maxusa Premium join:2004-05-05 USA
To continue on the subject, you may want to see other IPsec-related commands: "ipsec timer chk_my_ip", "ipsec timer update_peer", and "ipsec config keepAlive". They may improve the dis/reconnect rate in some cases (like DDNS).
 ttgpm join:2005-05-30 UK
No such commands as "ipsec timer chk_my_ip" or "ipsec config keepAlive" on the Z5...?!
 maxusa Premium join:2004-05-05 USA
Sorry, I did not mention... some commands are for the Prestige line. Since IPsec is a collaborative effort, one needs to configure both end points for best results. Please see the corresponding product guide for the supported CLI commands.