Major problems in Geneva due to crashes of the Cisco IPSec tunnel gateway

 

Switzernet

2007-07-09

 

Site: Uunet-(gva2)/mci, CH-1228 Geneva

 

Today, on 2007-07-09, we lost the SIP connection of our Geneva servers due to problems with the IPSec tunnel. The first loss of connectivity occurred within the time window between 11:30 and 13:00. The problem was solved by a hard reboot of the IPSec tunnel gateway. The second crash occurred at about 16:00. The hard reboot did not help. The network interface (NM-4E) was replaced. The connection was re-established at about 19:30. The crash times can be identified in the histogram displaying the load of calls passing through the Geneva servers.

 

[Histogram: Inbound+Outbound call load per 15-minute interval on 07-07-09, from 10:45 to 20:00. Columns: Date, Time, Inbound+Outbound.]

A light load of calls is still visible during the crash times because the RTP streams were not affected by the crash (the crash only affected the SIP signalling between the two Geneva servers and the servers in Brussels and London, the SIP being further converted into SS7).

 

The crash affected the SIP signalling of both redundant servers in Geneva. Both incoming and outgoing calls were blocked (outgoing calls were re-routed during the crash, but CLI was not guaranteed).

 

Important note: the IPSec tunnel gateway in Geneva is a vulnerable point, and the redundancy at the level of the SIP servers is useless in case of problems with the tunnel end point.

 

Conclusion: a redundant IPSec connection is required in Geneva.

 

*   *   *