Solved

Site-To-Site VPN using ADSL and Cisco router drops quite frequently

Posted on 2006-04-27
Last Modified: 2008-01-09
Hello Experts:

I am really puzzled on this one. I have a customer who has a site-to-site VPN and we are using SBC (ATT) ADSL to run our internet. We have two VPN tunnels: the first one goes to the main office and the second goes to another facility. The problem we are having is that the VPN tunnel to the main facility keeps dropping but we maintain Internet and connectivity on the second VPN tunnel. We have created a trouble ticket with SBC and they claim the line is perfect. We have had this configuration for the past 18 months and no changes have been made; it recently started happening. I have tried all steps to correct it but to no avail.

Thanks in advance. Here is the config on the DSL router; there is no modem, the router is doing modem functions with a WIC1 ADSL card.


Current configuration : 2766 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname caldwellep
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$cTnD$P7HuEncgSTxNIZhTnfMZt/
enable password calep15
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 200.1.6.1 200.1.6.100
ip dhcp excluded-address 200.1.6.200 200.1.6.254
!
ip dhcp pool local
   network 200.1.6.0 255.255.255.0
   default-router 200.1.6.200
   dns-server 151.164.73.201 151.164.1.8
!
ip audit po max-events 100
vpdn enable

!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key elpaso address xx.xx.xx.xx
crypto isakmp key juarez address xx.xx.xx.xx
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Dialer1
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set cm-transformset-1
 match address 101
crypto map cm-cryptomap 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set cm-transformset-2
 match address 102
!
!
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/0
 ip address 200.1.6.200 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 full-duplex
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname XXXXXXX@sbcglobal.net
 ppp chap password XXXXXX
 ppp pap sent-username XXXXXXXX@sbcglobal.net password 0 XXXXXXX
 crypto map cm-cryptomap
!
ip nat inside source route-map nonat interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 200.1.6.0 0.0.0.255
access-list 101 permit ip 200.1.6.0 0.0.0.255 200.1.1.0 0.0.0.255
access-list 101 permit ip 200.1.6.0 0.0.0.255 200.1.2.0 0.0.0.255
access-list 101 permit ip 200.1.6.0 0.0.0.255 200.1.4.0 0.0.0.255
access-list 102 permit ip 200.1.6.0 0.0.0.255 200.1.5.0 0.0.0.255
access-list 110 deny   ip 200.1.6.0 0.0.0.255 200.1.1.0 0.0.0.255
access-list 110 deny   ip 200.1.6.0 0.0.0.255 200.1.2.0 0.0.0.255
access-list 110 deny   ip 200.1.6.0 0.0.0.255 200.1.4.0 0.0.0.255
access-list 110 deny   ip 200.1.6.0 0.0.0.255 200.1.5.0 0.0.0.255
access-list 110 permit ip 200.1.6.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password XXXX
 login
!
!
end
Question by:amanytx
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16561985
You might want to try to isolate the problem with a little utility called IPMonitor. IPMonitor is basically a ping tool that can be set up to ping multiple sites and monitor connectivity. Any break in the connection is logged and you can have it notify you visually, audibly or by e-mail if you wish. I have used this as ammunition with service providers from time to time. The odd part is your connection seems to be maintained but not the VPN. Perhaps the Cisco "experts" here can help you with that. Is there perhaps an auto re-connect "switch" that is not enabled?
I too am currently having problems with SBC at one site in New York. IPMonitor indicates the connection is broken for only a minute up to 3 times a day. The users don't notice as it usually just appears as a slow link, but when the VPN connection breaks the VoIP phones instantly reboot and hang each time it happens. The VPN reconnects but the phones themselves have some re-connection "issues".
http://ipmonitor.tsarfin.com/
0
 
LVL 1

Author Comment

by:amanytx
ID: 16607139
Thanks, we have tried a bunch of things. Even reloaded the router with a new image and config from scratch (no backup config!). Rewrote the whole config and the problem keeps happening.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16607230
Personally I would suspect a brief disconnect by the ISP at the main office since the second VPN at the remote site stays up. Do they have any other services at the main office, such as a second tunnel running, that they lose? If just Internet usage they might not notice as it would only appear as a slow link, if they are brief disconnects. This is where IPMonitor comes in handy. You may discover more frequent breaks at a particular site than you realize.
0
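The break-logging approach discussed in the comments above, as an added example that is not part of the original thread or any poster's tooling: it merges per-minute probe results into outage windows, labels each main-office tunnel outage as tunnel-only or link-wide, and reports the spacing between outage starts so it can be compared with the 3600 s ISAKMP lifetime in the posted config. The target labels, timestamps and probe results are constructed sample data.

```python
from datetime import datetime, timedelta

def outages(samples, target):
    """Merge consecutive failed probes for one target into (start, end) windows."""
    windows, start, last = [], None, None
    for ts, tgt, ok in sorted(samples):
        if tgt != target:
            continue
        if not ok:
            start = start or ts
            last = ts
        elif start:
            windows.append((start, last))
            start = None
    if start:  # outage still open at the end of the log
        windows.append((start, last))
    return windows

def classify(samples, tunnel, internet):
    """Label each tunnel outage by whether the Internet probe failed in the same window."""
    inet_down = {ts for ts, tgt, ok in samples if tgt == internet and not ok}
    return [(s, e, "link-wide" if any(s <= t <= e for t in inet_down) else "tunnel-only")
            for s, e in outages(samples, tunnel)]

def start_gaps(windows):
    """Seconds between consecutive outage starts (compare with the SA lifetime)."""
    starts = [w[0] for w in windows]
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]

# Constructed sample: one probe per minute for 151 minutes against three
# hypothetical targets (a public host and one host behind each tunnel).
# DOWN maps each target to the minute offsets at which its probe failed.
T0 = datetime(2006, 5, 1, 8, 0)
DOWN = {"main-office": {58, 59, 118, 119, 140},
        "second-site": {140},
        "internet": {140}}
SAMPLES = [(T0 + timedelta(minutes=m), tgt, m not in bad)
           for m in range(151) for tgt, bad in DOWN.items()]

if __name__ == "__main__":
    report = classify(SAMPLES, "main-office", "internet")
    for s, e, kind in report:
        print(s.strftime("%H:%M"), "-", e.strftime("%H:%M"), kind)
    print("gaps between outage starts (s):", start_gaps(report))
```

Tunnel-only outages point at the IPsec session or the path to that one peer rather than the ADSL line; regular spacing that matches the configured lifetime is a lead to check against the router's crypto debug output, not a diagnosis.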
 
LVL 1

Author Comment

by:amanytx
ID: 16607786
The main office has a Sprint T1 connection. They have about 7 other tunnels and it only happens to this tunnel also. I have been running IP monitor and it does report every break; I set it to 1 min intervals. I AM EXTREMELY PUZZLED!

THANKS
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1500 total points
ID: 16607858
>>"They have about 7 other tunnels"
Then I agree it is not them. I'm stumped, if your other VPN stays up at the remote location. Perhaps post a 20 point "pointer question" in the routers topic area. There are a lot more Cisco guys there. I have no Cisco training. Perhaps they will have a suggestion.
0
 
LVL 1

Author Comment

by:amanytx
ID: 16684232
Thanks, but I have had no luck with help.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16686115
Thanks amanytx, sorry we were not of some help.
--Rob
0
