Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[tylan]

I have 2 DFL-210 Routers connected with a L2L tunnel.  I followed the documents on the Dlink FAQs.  The networks are 192.168.0.x and 192.168.100.x.  The users on the 192.168.100.x network connected via remote desktop to a server on the 192.168.0.x network.  They claim that the get kicked off daily.  Then they are able to get back on almost immediately.  I checked and the router has not been rebooted / shutdown recently.  I think that they are getting kicked off when the tunnels re-negotiate.  I sent the configs to dlink a few months back when they initially complained.  Dlink found nothing wrong.  Can I up the time the tunnels go w/o re-negotiating?  Is there anything else I can check?

Any ideas?

Tylan

[tylan]

I may have phrased my post in a complicated paragraph...

Here's what I'm really looking for:
1) When a L2L tunnel renegotiates daily, would the connections through the tunnel be interrupted?

2) Can I up the time a tunnel stays alive so that this issue could be avoided?

Thanks in advance!
Tylan

[Fatman]

Sessions ideally should not be dropped when renigotiations happens, assuming it goes through without a hitch.

What are your timeouts?
Do you have a data based timeout?
Do you use a keep alive?
Do you use DPD?

[tylan]

--IKE Lifetime 28800
--IPSEC Lifetime 3600
--Keep-alive set to auto

I'm not sure what you mean by DPD or data based timeout...  Sorry.

Here is the doc I used to configure the tunnels:
http://www.dlink.com/support/faqDetail/?prod_id=2783&print=1

Thanks for your reply,
Tylan

[Fatman]

DPD Is a setting on the IKE tab.

Data based timeout referred to an IPsec lifetime based on a number of kilobytes.

I believe this document will be revised in the near future, if followed perfectly it could cause some problems.  Specifically you are going to have 2 routing entries for the same tunnel which could be causing your problem.

Uncheck the box that says Dynamically add route to the remote network when a tunnel is established.

[tylan]

--DPD is checked.
--The IPSEC lifetime is set to 0 kilobytes.

I don't see any duplicate routes in the routing table.  Are you referring to a duplicate route that doesn't actually show in the tables.  I'd post a screenshot, but I'm not sure how to do it.

[Fatman]

Eureka!

DPD (Dead Peer Detection) is the mortal enemy of Keep Alive, using both at once is a problem of sizeable scale.  Since you don't want your tunnel going down ever remove DPD.

You would see it in Status->Routes, but only while the tunnel is up.  A better place to check would be if you have both that check box, and the automatically add route box on the advanced tab checked.

As this is a L2L installation you should have the one on the advanced tab only and not the one on the routing tab.

[tylan]

I see what you are talking about now.  There are two settings about adding the route.  I cleared the dynamic add route box on the routing tab, and left the one on the advanced tab checked.  I also cleared the dead peer detection box.

Anything else I should check, or just sit back and wait for the customer to NOT complain about the tunnel dropping!

Thanks

[Fatman]

Well lets hope it is sitting back and waiting for the customer to not complain.

[tylan]

Then I'll inform them that I've adjusted some settings on the L2L Tunnel and we'll see what happens.

Thanks,
Tylan