I have one of the most perplexing problems I have run across in a long time. I am trying to roll out some Wyse thin clients to some home users, using an 831 router connected to a cable internet service with an IPSEC VPN connection back to a 3030 concentrator.
Every 60 minutes the ipsec tunnel goes down between the 831 and the 3030. First I thought it was a keepalive issue since it was so consistent in happening every 60 mins. I adjusted just about any values I could find on the 3030 that mentioned 3600 seconds to something greater to see if that changed anything in order to narrow down the problem.
Nothing I did on the concentrator seemed to affect the outcome of the tunnel and this problem.
I then looked at the router and found nothing that stood out that would affect the tunnel going down every 60 mins.
I finally opened a TAC issue this past Friday and was told to try these commands on the 831:
crypto isakmp keepalives 10
crypto isakmp invalid-spi-recovery
Did that and still no change. Tunnel goes down every 60 mins.
Late Friday I had to move stuff around in my test environment and took the WYSE thin client off the 831. So I was left with the 831 router with an ipsec vpn tunnel back to my 3030 via a cable internet service. I also had a 7940 ip phone connected and working on the 831 but no WYSE thin client.
This morning I noticed the vpn tunnel had not gone down since removing the thin client from the router. I wondered if this was a fluke and immediately went into the office today and plugged the thin client back in to the 831. Sure enough, 60 mins later the vpn tunnel went down. I then waited a few more hours and watched, and sure enough, just about every 60 mins on the dot the tunnel just goes down; eventually it comes back up in about 5 mins. I can make it come back up sooner if I log out the session on the 3030 concentrator.
So, the problem seems to be directly related to having the thin client connected. If I don't plug the thin client into the 831, the tunnel stays up and I have no problems. I have even tested with the 7940 phone and all works fine as long as the thin client is not connected.
And that is why I am here; I just don't get what could be going on. I mean, it's one thing if the thin client's session with the terminal server would time out every 60 mins (which it does not), but I don't see how the thin client can in any way affect the vpn tunnel resetting every 60 mins.
So then I say it's got to be a router or concentrator issue. But I don't see how that can be, given that the tunnel works and stays up as long as the thin client is not connected.
By the way the thin client is using RDP and not ICA. I am going to test later if the same issue happens by using ICA on the thin client as opposed to RDP.
I have had the same results on three different 831 routers, connected to three different cable and dsl providers.
I am dying to resolve this issue or at least understand why it's happening, as I am supposed to be rolling out quite a few of these things to users that will soon start working from home.