Cisco Router VPN dropping intermittently

Have a VPN set up between ISA2004 (head office) and a Cisco 877 (remote site). For some reason, when the VPN is down, trying to send traffic from the remote site to the Head Office will not bring the VPN up, although sending traffic from the Head Office to the remote site will bring the VPN up.

Head office private IP range : 192.168.130.x
Remote office private IP Range: 192.168.134.x

This is the Cisco config (edited; 123.123.123.123 is a bogus external IP for the ISA server):

Building configuration...

Current configuration : 8032 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AK4M001
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console emergencies
enable secret 5 XXXXXXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 12
clock summer-time PCTime date Mar 16 2003 3:00 Oct 5 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.134.1 192.168.134.99
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.134.0 255.255.255.0
   default-router 192.168.134.1
!
!
ip tcp synwait-time 10
ip tcp path-mtu-discovery
no ip bootp server
ip domain name dsl.blue.bizoservices.com
ip name-server 210.48.65.2
ip name-server 210.48.66.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips notify SDEE
!
!
crypto pki trustpoint TP-self-signed-3082901174
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3082901174
 revocation-check none
 rsakeypair TP-self-signed-3082901174
!
!
crypto pki certificate chain TP-self-signed-3082901174
 certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address 123.123.123.123
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to123.123.123.123
 set peer 123.123.123.123
 set security-association lifetime kilobytes 1000000
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.134.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX861
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.134.102 3389 interface Dialer0 3389
!
logging trap emergencies
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.134.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.130.0 0.0.0.255 192.168.134.0 0.0.0.255
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any
access-list 101 permit tcp any any
access-list 101 permit udp host 123.123.123.123 any eq non500-isakmp
access-list 101 permit udp host 123.123.123.123 any eq isakmp
access-list 101 permit esp host 123.123.123.123 any
access-list 101 permit ahp host 123.123.123.123 any
access-list 101 permit udp host 234.234.234.234 eq domain any
access-list 101 remark BIZAK Management
access-list 101 permit tcp host XXX.XXX.XXX.XXX any eq www
access-list 101 remark BIZAK Management
access-list 101 permit tcp host XXX.XXX.XXX.XXX any eq telnet
access-list 101 permit udp host XXX.XXX.XXX.XXX eq domain any
access-list 101 deny   ip 192.168.134.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 101 permit gre any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.134.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.134.0 0.0.0.255 192.168.130.0 0.0.0.255
access-list 103 permit ip 192.168.134.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Can any Cisco gurus see anything wrong with this config?
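Since the question is whether anything in the config is wrong, one check a reviewer would run on access-list 101 is for shadowed entries: a later line that an earlier line already matches in full can never be hit (for instance, the `permit gre any any` that follows `deny ip any any`). This is an added Python example, not part of the thread; the entries in it are copied from the posted config, with the remark lines dropped.

```python
"""Shadow analysis for a Cisco IOS numbered ACL (added example); ACL_101 is copied from the post."""
import ipaddress
from collections import namedtuple

ACL_101 = """\
access-list 101 permit ip 192.168.130.0 0.0.0.255 192.168.134.0 0.0.0.255
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any
access-list 101 permit tcp any any
access-list 101 permit udp host 123.123.123.123 any eq isakmp
access-list 101 deny   ip 192.168.134.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny   ip any any
access-list 101 permit gre any any
"""
Ace = namedtuple("Ace", "action proto src src_port dst dst_port")

def _addr(t, i):
    """Consume one address spec (any | host A | A wildcard) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # "A W" with W an inverse mask; ipaddress reads a mask whose first octet is 0 as a hostmask
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse one permit/deny entry; a port or an ICMP type is kept as a string."""
    t = line.split()
    src, i = _addr(t, 4)
    src_port = t[i + 1] if t[i:i + 1] == ["eq"] else None
    dst, i = _addr(t, i + 2 if src_port else i)
    rest = t[i:]  # trailing "eq <port>" or an ICMP type such as echo-reply
    dst_port = rest[1] if rest[:1] == ["eq"] else (rest[0] if rest else None)
    return Ace(t[2], t[3], src, src_port, dst, dst_port)

def covers(a, b):
    """True if every packet matching b also matches a, so b is unreachable when placed after a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and a.src_port in (None, b.src_port) and a.dst_port in (None, b.dst_port)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))

def find_shadowed(acl_text):
    """Return [(shadowed entry no., first earlier entry that shadows it)], 1-based."""
    aces = [parse_ace(l) for l in acl_text.splitlines()
            if l.strip() and l.split()[2] in ("permit", "deny")]
    hits = []
    for j, later in enumerate(aces):
        first = next((i for i, e in enumerate(aces[:j]) if covers(e, later)), None)
        if first is not None:
            hits.append((j + 1, first + 1))
    return hits
```

On the entries above it reports the isakmp permit as dead behind the blanket `permit udp any any`, and the GRE permit as dead behind the final `deny ip any any`.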
1 Solution
 
mikebernhardtCommented:
Based on what you're describing, I suspect the problem may be related to your dialing or ppp config. The question is, is the dialer interface bringing up the circuit when it should? Try this:
debug dialer

and watch what the router does when you try to send traffic that should initiate the VPN. If that looks OK, try
debug ppp authentication

and see if that is working. Be sure to turn off all debugging when you're finished, as it's CPU-intensive. "u all" will do it.
 
ASILVA0421Commented:
Where is your:

isakmp enable outside

just a thought!

AS
 
precisenzAuthor Commented:
Thanks for the suggestions. Will try debugging the router. Does the

isakmp enable outside

need to be set on the dialer0 interface? What does this command tell the dsl router to do?

- I'm very new to Cisco, so I don't know what this will do to resolve the issue. Can you explain it before I try to apply it?
 
ASILVA0421Commented:
No...you don't set it on the interface.....dialer0.

It's a root command.

en
Config t
isakmp enable outside


...it tells the router that isakmp is enabled on the outside interface.
 
precisenzAuthor Commented:
isakmp enable outside

might not be a command supported by the router. It comes back with

--------------------------------------------
ROUTER(config)#isakmp enable outside
                         ^
% Invalid input detected at '^' marker.
--------------------------------------------

the only commands starting with "i" that I can use are :

identity  interface  ip  ipv6
 
mikebernhardtCommented:
I still think you should check out your dialer before you spend effort modifying your VPN policy. But anything to do with isakmp will start with "crypto."
 
precisenzAuthor Commented:
Issue seems to have been at the ISA end. Replaced the ISA with a Cisco VPN concentrator on the other end and we don't have any issues with the VPNs dropping out anymore. Strange thing is, setting for setting was compared with the ISA, such as key lifetimes, encryption settings etc., and all matched.
 
Computer101Commented:
PAQed with points refunded (500)

Computer101
EE Admin