Question from prodriveit
Cisco 1721 VPN Over DSL - IOS 12.3

Hi,

Could somebody look over the config below? This is one end of a point-to-point VPN connection with failover to a leased line as and when the remote gateway of the VPN cannot be reached. We will eventually change the leased line to bonded ISDN as and when the VPN is reliable enough.

All of the VPN / failover etc. works fine; the problem I have (I believe) is related to MTU.

Basically, it presents itself as Active Directory replication failing at various intervals and becoming increasingly unreliable over time. The second symptom is that SMTP communication is very unreliable (Exchange servers have difficulty transferring mail across the sites etc.). RDC, Citrix and other communications are fine.

This only occurs when the line IP POLICY ROUTE-MAP 102 is in the config under interface FAST0. This is the failover part and basically defaults the routing to go via the VPN unless it can't reach the remote gateway, in which case it goes over the leased line. When I remove this line and force the traffic over the leased line, everything is OK.

I think I'm on the right track with the MTU, but I don't have the experience to know how to put the right config in. I've read a fair few of the articles on EE but none of them seem to have helped.

I have enabled the command CRYPTO IPSEC FRAG BEFORE as both a generic command and specifically under interface ETH0 on both routers.

Thanks in advance for any help.
DS

CONFIG
--------

Using 3164 out of 29688 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname **
!
boot-start-marker
boot-end-marker
!
enable secret 5 **
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
track 102 rtr 102 reachability
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key TESTPSK address w.w.w.w
crypto isakmp key TESTPSK address x.x.x.x
!
!
crypto ipsec transform-set TESTPSK-Tunnel esp-3des esp-md5-hmac
!
crypto map LOCAL_LANS local-address Ethernet0
crypto map LOCAL_LANS 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TESTPSK-Tunnel
 match address 103
crypto map LOCAL_LANS 30 ipsec-isakmp
 set peer w.w.w.w
 set transform-set TESTPSK-Tunnel
 match address 101
!
!
!
interface Ethernet0
 ip address v.v.v.v 255.255.255.240
 ip mtu 1403
 ip tcp adjust-mss 1403
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map LOCAL_LANS
 crypto ipsec fragmentation before-encryption
!
interface FastEthernet0
 description *** Ethernet LAN at London ***
 ip address 192.168.1.2 255.255.255.0
 ip policy route-map 102
 speed auto
 half-duplex
!
interface Serial0
 description *** Backup 256K Leased Line to Hampshire ***
 bandwidth 256
 ip address 192.168.254.2 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.23.11.0 255.255.255.0 192.168.1.1
ip route w.w.w.w 255.255.255.255 z.z.z.z
ip route 192.168.2.0 255.255.255.0 192.168.254.1
ip route 192.168.4.0 255.255.255.0 192.168.1.4
ip route 192.168.6.0 255.255.255.0 w.w.w.w
ip route x.x.x.x 255.255.255.255 z.z.z.z
ip route 194.129.160.0 255.255.255.0 x.x.x.x
ip route 194.129.163.72 255.255.255.252 x.x.x.x
ip route y.y.y.y 255.255.255.255 z.z.z.z
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 194.129.160.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 194.129.163.0 0.0.0.252
access-list 103 permit ip 10.23.11.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map 102 permit 10
 match ip address 103
 set ip next-hop verify-availability z.z.z.z 1 track 102
!
!
control-plane
!
rtr responder
rtr 102
 type echo protocol ipIcmpEcho x.x.x.x
rtr schedule 102 life forever start-time now
!
line con 0
line aux 0
line vty 0 4
 password oilandgas
 login
!
!
end
ASKER CERTIFIED SOLUTION
grblades
prodriveit (ASKER)
Thanks for the tip - it didn't quite work, but I got to the solution thanks to your help.

I am working on a similar problem with a PIX VPN link. After discussing the MTU issue with the customer, he decided to reduce the TCP MSS to 1300 as well as the MTU of his external interface to 1400. This actually made things worse, because the internal MTU of the gateway was still at 1500.

When we changed the MTU of the external interface back to 1500 everything worked ok.

Therefore, I set my IP MTU to 1500 and the TCP MSS to 1300, and all looks good so far.

Thanks for your help.

DS
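
Worked example (added here; it is not part of prodriveit's post or of grblades's answer): a small Python calculator for the ESP tunnel-mode overhead of the transform set in the config above, `esp-3des esp-md5-hmac`. It shows the arithmetic behind both the original question and the final reply: a 1500-byte cleartext packet grows to 1552 bytes of ESP, so the MSS has to be clamped, and lowering `ip mtu` on the crypto-map interface only forces the router to fragment every full-size segment (before or after encryption, depending on the `crypto ipsec fragmentation` setting), which is consistent with the asker finding that things worked once the outside IP MTU went back to 1500. Header sizes are the standard IPv4/TCP/ESP values; the 1492-byte PPPoE MTU used in the demo is an assumption, since the page does not say how the DSL line is terminated.

```python
"""
ESP tunnel-mode size calculator for the transform set used on this page
(esp-3des esp-md5-hmac). Added example, not part of the original post.
Constants come from RFC 4303 (ESP), RFC 2451 (CBC ciphers) and RFC 2403/2404
(HMAC-MD5-96 / HMAC-SHA1-96). IPv4 headers are assumed option-free.
"""

IPV4_HEADER = 20
TCP_HEADER = 20          # MSS excludes TCP options; senders subtract options themselves
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2          # pad length (1) + next header (1)

# CBC block size; the IV is one block long for these ciphers.
CIPHER_BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}
# Truncated ICV length of the ESP authentication transform.
AUTH_ICV = {"none": 0, "esp-md5-hmac": 12, "esp-sha-hmac": 12}


def esp_packet_size(cleartext_ip_len: int, cipher: str, auth: str) -> int:
    """Bytes on the wire for one ESP tunnel-mode packet carrying a cleartext IP packet."""
    block = CIPHER_BLOCK[cipher]
    # Inner packet + trailer is padded up to a multiple of the cipher block size.
    padded = -(-(cleartext_ip_len + ESP_TRAILER) // block) * block
    return IPV4_HEADER + ESP_HEADER + block + padded + AUTH_ICV[auth]


def max_cleartext_len(path_mtu: int, cipher: str, auth: str) -> int:
    """Largest cleartext IP packet whose ESP encapsulation still fits in path_mtu."""
    block = CIPHER_BLOCK[cipher]
    fixed = IPV4_HEADER + ESP_HEADER + block + AUTH_ICV[auth]
    # Room left for the padded payload, rounded down to a whole number of blocks.
    padded_budget = (path_mtu - fixed) // block * block
    return padded_budget - ESP_TRAILER


def max_tcp_mss(path_mtu: int, cipher: str, auth: str) -> int:
    """Largest MSS to clamp with 'ip tcp adjust-mss' so full segments never fragment."""
    return max_cleartext_len(path_mtu, cipher, auth) - IPV4_HEADER - TCP_HEADER


def would_fragment(mss: int, outside_ip_mtu: int, cipher: str, auth: str) -> bool:
    """True if a full-size segment of this MSS yields an ESP packet larger than the
    IP MTU of the crypto-map interface, i.e. the router has to fragment it."""
    return esp_packet_size(mss + IPV4_HEADER + TCP_HEADER, cipher, auth) > outside_ip_mtu


if __name__ == "__main__":
    cipher, auth = "esp-3des", "esp-md5-hmac"   # the page's TESTPSK-Tunnel transform set
    print("1500-byte cleartext becomes", esp_packet_size(1500, cipher, auth), "bytes of ESP")
    for mtu in (1500, 1492):                    # 1492 = typical PPPoE DSL MTU (assumption)
        print(f"path MTU {mtu}: clamp MSS to {max_tcp_mss(mtu, cipher, auth)}")
    # The page's first attempt: MSS 1403 together with 'ip mtu 1403' on Ethernet0.
    print("MSS 1403 with ip mtu 1403 fragments:", would_fragment(1403, 1403, cipher, auth))
    # What the asker settled on: 'ip mtu 1500' and MSS 1300.
    print("MSS 1300 with ip mtu 1500 fragments:", would_fragment(1300, 1500, cipher, auth))
```

The calculation only covers TCP: `ip tcp adjust-mss` rewrites the MSS option in SYN segments crossing the interface, so it shapes every TCP flow but does nothing for UDP or for a path that blocks the ICMP messages path MTU discovery relies on. The `ip mtu` of the crypto-map interface should stay at the physical value unless the upstream path really is smaller.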