Cisco 1720 stops forwarding VPN packets to 2k3 VPN server

We have a Cisco 1720 for an edge router.  Our config looks like this.

                             1720
                               |
                       Intel 12 port Hub
          ---------------------------------------
          |                    |                |
   2k3 VPN server        Sonic Firewall       Other
                               |
                          Lan switch


At first the 2k3 VPN server works fine and VPN users can connect and access the network.  After an hour or 2 VPN users can no longer connect and get an error 800.  Connected users are still OK.  If I plug a laptop into the Intel hub after people start getting the error 800, the laptop is able to connect to the VPN server fine.  Rebooting the VPN server lets users connect again for a while.  Can anyone tell me what might be wrong with the 1720 and why it might stop forwarding traffic to the 2k3 server?  I can post the config if you need it.

Thanks for any help.
delori Asked:
 
lrmoore Commented:
Disable proxy arp on the Sonicwall
0
 
-Leo- Commented:
1. See router CPU and memory usage
2. Update router IOS to the latest one
0
 
minmei Commented:
Post config please.
0
 
delori (Author) Commented:
OK, here's the config.

Building configuration...

Current configuration : 1142 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname internet-t1
!
enable password *********
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
!
!
!
interface Serial0
 description To UUNET
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0
 frame-relay interface-dlci 500 IETF
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet0
 description To Office FastEthernet
 ip address xxx.xxx.xxx.33 255.255.255.224
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
snmp-server community 44b926570d RO
snmp-server enable traps snmp
!
line con 0
 password *********
 login
 transport preferred none
 transport input none
line aux 0
 password *******
 login
 modem InOut
 transport preferred none
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password ******
 login
 transport preferred none
!
end

After further testing this morning, here's what is going on.

I monitor this problem by pinging the external IP address of the VPN server from my home PC and emailing me when it fails.  When the ping times out, we get an error 800 trying to connect to the VPN server from the outside world.  I can ping the address and connect from our LAN ports on our network.  Also, if I connect a laptop to the switch in between the Cisco and the VPN server, I can ping and connect to the VPN just fine with the IP address.  (The laptop is configured with another of our external IPs.)

When pings fail and outside users cannot connect, stopping and starting RRAS on the VPN server fixes the problem and outside users can connect again.

This has really got me pulling my hair out.  What would resetting RRAS on a server do to a router to make it work again?

Any help would be great!  Could it be possible that the Sonic is somehow taking over and pulling the traffic for our VPN server?


Thanks again,
0
 
minmei Commented:
What lrmoore is getting at still may be the trick.

Proxy ARP is used so that when the router has to get a message to an IP address the SonicWall may be running NAT for, the ARP broadcast the router will send to deliver traffic will be answered by the SonicWall (if it has Proxy ARP configured and is NATting for the range of addresses outside it behind the router.) When this happens, the router thinks traffic going to the VPN server should go to the firewall, instead.

0
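One way to check the proxy ARP explanation in minmei's comment above, as an added example that is not part of the original thread: compare the router's `show ip arp` output captured while the VPN works and while it fails, and flag any address whose MAC changed to one that already belonged to another host. The addresses, MACs and function names here are constructed for illustration.

```python
import re

# Constructed `show ip arp` snapshots from the edge router (made-up addresses and MACs).
ARP_WORKING = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.33              -   0004.c1aa.0033  ARPA   FastEthernet0
Internet  192.0.2.34              3   000d.56aa.0034  ARPA   FastEthernet0
Internet  192.0.2.35              7   0006.b111.0035  ARPA   FastEthernet0
"""
ARP_FAILING = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.33              -   0004.c1aa.0033  ARPA   FastEthernet0
Internet  192.0.2.34              0   0006.b111.0035  ARPA   FastEthernet0
Internet  192.0.2.35              9   0006.b111.0035  ARPA   FastEthernet0
"""

# One resolved ARP row: protocol, IP, age (minutes or "-"), dotted MAC.
# Rows whose hardware address is "Incomplete" do not match and are skipped.
ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(?:\d+|-)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s",
    re.I | re.M,
)

def parse_arp(text):
    """Return {ip: mac} from Cisco IOS `show ip arp` output."""
    return {ip: mac.lower() for ip, mac in ROW.findall(text)}

def find_takeovers(before, after):
    """List (ip, old_mac, new_mac, owners) for IPs whose MAC changed.

    owners holds the other IPs that already used new_mac in the earlier
    snapshot; a non-empty list means one device now answers ARP for
    several addresses, which is what proxy ARP looks like from the router.
    """
    old, new = parse_arp(before), parse_arp(after)
    findings = []
    for ip, mac in sorted(new.items()):
        if ip in old and old[ip] != mac:
            owners = sorted(o for o, m in old.items() if m == mac and o != ip)
            findings.append((ip, old[ip], mac, owners))
    return findings

if __name__ == "__main__":
    for ip, was, now, owners in find_takeovers(ARP_WORKING, ARP_FAILING):
        hint = f"also owns {', '.join(owners)}: likely proxy ARP" if owners else "new device?"
        print(f"{ip}: {was} -> {now} ({hint})")
```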
 
delori (Author) Commented:
OK, so we moved the Intel hub to the DMZ port on the Sonic and configured the DMZ ports.  So far it's been up 16 hours with no drops...


Thanks for your help.
0