Cisco 1721 VPN Over DSL - IOS 12.3

prodriveit asked on
VPN
Hi,

Could somebody look over the config below - this is one end of a point-to-point VPN connection with failover to a leased line as and when the remote gateway of the VPN cannot be reached. We will eventually change the leased line to a bonded ISDN as and when the VPN is reliable enough.

All of the VPN / failover etc. works fine; the problem I have (I believe) is related to MTU.

Basically, it presents itself as Active Directory replication failing at various intervals and becoming increasingly unreliable over time. The second symptom is that SMTP communication is very unreliable (Exchange servers have difficulty transferring mail across the sites etc.). RDC, Citrix and other communications are fine.

This only occurs when the line IP POLICY ROUTE-MAP 102 is in the config under interface FAST0 - this is the failover part and basically defaults the routing to go via the VPN unless it can't reach the remote gateway in which case it goes over the leased line. When I remove this line and force the traffic over the leased line, everything is ok.

I think I'm on the right track with the MTU but I don't have the experience to know how to put the right config in - I've read a fair few of the articles on EE but none of them seem to have helped.

I have enabled the command CRYPTO IPSEC FRAG BEFORE as both a generic command and specifically under interface ETH0 on both routers.

Thanks in advance for any help.
DS

CONFIG
--------

Using 3164 out of 29688 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname **
!
boot-start-marker
boot-end-marker
!
enable secret 5 **
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
track 102 rtr 102 reachability
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key TESTPSK address w.w.w.w
crypto isakmp key TESTPSK address x.x.x.x
!
!
crypto ipsec transform-set TESTPSK-Tunnel esp-3des esp-md5-hmac
!
crypto map LOCAL_LANS local-address Ethernet0
crypto map LOCAL_LANS 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TESTPSK-Tunnel
 match address 103
crypto map LOCAL_LANS 30 ipsec-isakmp
 set peer w.w.w.w
 set transform-set TESTPSK-Tunnel
 match address 101
!
!
!
interface Ethernet0
 ip address v.v.v.v 255.255.255.240
 ip mtu 1403
 ip tcp adjust-mss 1403
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map LOCAL_LANS
 crypto ipsec fragmentation before-encryption
!
interface FastEthernet0
 description *** Ethernet LAN at London ***
 ip address 192.168.1.2 255.255.255.0
 ip policy route-map 102
 speed auto
 half-duplex
!
interface Serial0
 description *** Backup 256K Leased Line to Hampshire ***
 bandwidth 256
 ip address 192.168.254.2 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.23.11.0 255.255.255.0 192.168.1.1
ip route w.w.w.w 255.255.255.255 z.z.z.z
ip route 192.168.2.0 255.255.255.0 192.168.254.1
ip route 192.168.4.0 255.255.255.0 192.168.1.4
ip route 192.168.6.0 255.255.255.0 w.w.w.w
ip route x.x.x.x 255.255.255.255 z.z.z.z
ip route 194.129.160.0 255.255.255.0 x.x.x.x
ip route 194.129.163.72 255.255.255.252 x.x.x.x
ip route y.y.y.y 255.255.255.255 z.z.z.z
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 194.129.160.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 194.129.163.0 0.0.0.252
access-list 103 permit ip 10.23.11.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map 102 permit 10
 match ip address 103
 set ip next-hop verify-availability z.z.z.z 1 track 102
!
!
control-plane
!
rtr responder
rtr 102
 type echo protocol ipIcmpEcho x.x.x.x
rtr schedule 102 life forever start-time now
!
line con 0
line aux 0
line vty 0 4
 password oilandgas
 login
!
!
end
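Added example (editor's code, not part of the original post or the poster's config): the ESP tunnel-mode overhead for the posted transform-set (esp-3des esp-md5-hmac), the `ip mtu` / `ip tcp adjust-mss` pair that follows from it, and a check of the posted values. The check rests on one arithmetic fact: a full TCP segment is MSS + 20 (TCP) + 20 (IP) bytes, so the MSS clamp must sit at least 40 below the interface IP MTU, which `ip mtu 1403` with `ip tcp adjust-mss 1403` does not satisfy. The link MTU behind Ethernet0 is assumed to be 1500 bytes (pass 1492 if the DSL hop is PPPoE); the constructed sample config reuses only the values visible in the posted stanza.

```python
"""Added example, not part of the original post: ESP tunnel-mode overhead for
the posted transform-set (esp-3des esp-md5-hmac), the 'ip mtu' and
'ip tcp adjust-mss' values that follow from it, and a check that flags an
interface whose MSS clamp is not at least 40 bytes below its IP MTU.
Assumption: the link behind Ethernet0 carries 1500-byte IP packets (use 1492
if the DSL hop is PPPoE)."""

import re

IP_HDR = 20          # outer IPv4 header added by tunnel mode (no options)
TCP_HDR = 20         # TCP header without options; MSS = MTU - IP_HDR - TCP_HDR
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header

# CBC ciphers offered by IOS 12.3: the IV length equals the block size
CIPHER_BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}
# HMAC-MD5-96 and HMAC-SHA1-96 both truncate the ICV to 12 bytes
AUTH_ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}


def esp_tunnel_overhead(cipher, auth, inner_len):
    """Bytes ESP tunnel mode adds to an inner IP packet of inner_len bytes."""
    block = CIPHER_BLOCK[cipher]
    pad = (-(inner_len + ESP_TRAILER)) % block   # pad plaintext+trailer to a whole block
    return IP_HDR + ESP_HDR + block + pad + ESP_TRAILER + AUTH_ICV[auth]


def worst_case_overhead(cipher, auth):
    """Overhead with maximum padding, i.e. independent of the inner packet length."""
    block = CIPHER_BLOCK[cipher]
    return max(esp_tunnel_overhead(cipher, auth, n) for n in range(block))


def fits(cipher, auth, inner_len, link_mtu=1500):
    """True if the encrypted packet leaves without post-encryption fragmentation."""
    return inner_len + esp_tunnel_overhead(cipher, auth, inner_len) <= link_mtu


def recommend(cipher, auth, link_mtu=1500):
    """(ip mtu, ip tcp adjust-mss): the largest inner MTU that always fits, and the
    TCP MSS that keeps a full segment inside that MTU."""
    mtu = link_mtu - worst_case_overhead(cipher, auth)
    return mtu, mtu - IP_HDR - TCP_HDR


def interface_settings(config):
    """Map interface name -> {'ip mtu': n, 'ip tcp adjust-mss': n} from show-run text."""
    settings, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            settings[current] = {}
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s+(ip mtu|ip tcp adjust-mss) (\d+)\s*$", line)
            if m:
                settings[current][m.group(1)] = int(m.group(2))
        else:
            current = None          # '!' or a global command ends the stanza
    return settings


def mss_mtu_mismatches(config):
    """Interfaces where a clamped TCP segment plus its headers exceeds the IP MTU."""
    bad = []
    for name, s in interface_settings(config).items():
        mtu, mss = s.get("ip mtu"), s.get("ip tcp adjust-mss")
        if mtu is not None and mss is not None and mss > mtu - IP_HDR - TCP_HDR:
            bad.append((name, mtu, mss))
    return bad


# Constructed sample: the posted Ethernet0 values, plus a consistent pair for comparison.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address v.v.v.v 255.255.255.240
 ip mtu 1403
 ip tcp adjust-mss 1403
 crypto map LOCAL_LANS
!
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1443
 ip tcp adjust-mss 1403
!
"""

if __name__ == "__main__":
    mtu, mss = recommend("esp-3des", "esp-md5-hmac")
    print(f"worst-case ESP overhead: {worst_case_overhead('esp-3des', 'esp-md5-hmac')} bytes")
    print(f"suggested: ip mtu {mtu} / ip tcp adjust-mss {mss}")
    for name, m, s in mss_mtu_mismatches(SAMPLE_CONFIG):
        print(f"{name}: adjust-mss {s} needs ip mtu >= {s + IP_HDR + TCP_HDR}, configured {m}")
```

For esp-3des with esp-md5-hmac the worst-case overhead is 57 bytes (20 outer IP + 8 ESP header + 8 IV + up to 7 pad + 2 trailer + 12 ICV), so on a 1500-byte link the pair that never forces post-encryption fragmentation is `ip mtu 1443` / `ip tcp adjust-mss 1403`; on a 1492-byte PPPoE link it is 1435 / 1395. The check reports the posted Ethernet0 stanza because 1403 + 40 = 1443 bytes is larger than the 1403-byte IP MTU set on the same interface. To confirm the path MTU by hand rather than by arithmetic, an extended ping with the DF bit set from the router (`ping <remote LAN host> size 1443 df-bit`, then larger sizes) shows where packets start to be dropped; the MSS clamp only helps TCP, so UDP-based traffic still depends on that path MTU being honoured end to end.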