Solved

Cisco VPN Tunnel drops when no traffic pass

Posted on 2006-05-19
Last Modified: 2012-08-13
Cisco VPN tunnel drops when no traffic passes on my Cisco 2801. What can my problem be?
Question by:AchillesP
9 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 16716995
IPsec tunnels are dynamic and are only established if and when traffic is passing, until the set lifetime expires.
This is working as designed.
0
 

Author Comment

by:AchillesP
ID: 16717031
This is my running config. Do you see any error?


!This is the running config of the router: 192.168.2.11
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco2801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$B4SQ$Bc3dc8NV5nyqatpsHmJ1E0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name Philippopoulos
ip name-server 194.219.227.2
ip name-server 193.92.150.3
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-4001756307
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4001756307
 revocation-check none
 rsakeypair TP-self-signed-4001756307
!
!
crypto pki certificate chain TP-self-signed-4001756307
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303031 37353633 3037301E 170D3036 30353034 31353537
  34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303137
  35363330 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B86D 601AF86A 0BA1546B ECD7A7E6 E93E85A9 389F8336 509DCC54 C04668F0
  A5525FBE 76546EF6 2589A782 D83958FD 19A8FBF7 098F2194 7431BD60 869C0540
  F6BBFD58 4E36E83A 90AF1BB7 047365DD 0E823842 0AC29479 A3DEBBDD B6C5E9DD
  9BA66001 32C07A5B 43E2D2DA E4F2500D 79E07DBF 75EE6BCB 8A769156 9ACEA4E4
  EBC10203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 149521C0 55DB421A CBCDB520 580E7548 53745F21
  1E301D06 03551D0E 04160414 9521C055 DB421ACB CDB52058 0E754853 745F211E
  300D0609 2A864886 F70D0101 04050003 81810065 996A7569 F38EF13E C92BD8B2
  904D7DA9 1103EF0C 44474E5A 0CC49D63 238F3060 6CA15CE2 B159DF1F 00A12125
  D80D6F68 CC3E6051 AE49C78E C02E7CA3 59B22802 E3BBBB4B 1B826855 94B6275A
  8D4B0594 DAE8E408 A5538E0F 9C19A44E 3F3755B1 A0092867 65EA385F 02BFA424
  B94BB10E 44036932 B2FC3CD8 12B38A6A 999A62
  quit
username xxxxxxx privilege 15 secret 5 $1$03SC$hz4cXHG4h8Lw0nODiodC2.
!
!
class-map match-any SDMVoice-Dialer1
 match protocol rtp audio
class-map match-any SDMTrans-Dialer1
 match protocol citrix
 match protocol finger
 match protocol notes
 match protocol novadigm
 match protocol pcanywhere
 match protocol secure-telnet
 match protocol sqlnet
 match protocol sqlserver
 match protocol ssh
 match protocol telnet
 match protocol xwindows
class-map match-any SDMScave-Dialer1
 match protocol napster
 match protocol fasttrack
 match protocol gnutella
class-map match-any SDMBulk-Dialer1
 match protocol exchange
 match protocol ftp
 match protocol irc
 match protocol nntp
 match protocol pop3
 match protocol printer
 match protocol secure-ftp
 match protocol secure-irc
 match protocol secure-nntp
 match protocol secure-pop3
 match protocol smtp
 match protocol tftp
class-map match-any SDMRout-Dialer1
 match protocol bgp
 match protocol egp
 match protocol eigrp
 match protocol ospf
 match protocol rip
 match protocol rsvp
class-map match-any SDMSignal-Dialer1
 match protocol h323
 match protocol rtcp
class-map match-any SDMManage-Dialer1
 match protocol dhcp
 match protocol dns
 match protocol imap
 match protocol kerberos
 match protocol ldap
 match protocol secure-imap
 match protocol secure-ldap
 match protocol snmp
 match protocol socks
 match protocol syslog
class-map match-any SDMIVideo-Dialer1
 match protocol rtp video
class-map match-any SDMSVideo-Dialer1
 match protocol cuseeme
 match protocol netshow
 match protocol rtsp
 match protocol streamwork
 match protocol vdolive
!
!
policy-map SDM-Pol-Dialer1
  class SDMSignal-Dialer1
  bandwidth remaining percent 40
  set dscp cs3
   compress header ip tcp
  class SDMRout-Dialer1
  bandwidth remaining percent 3
  set dscp cs6
  class SDMTrans-Dialer1
  bandwidth remaining percent 33
  set dscp af21
  class SDMVoice-Dialer1
  priority percent 70
  set dscp ef
   compress header ip
  class SDMManage-Dialer1
  bandwidth remaining percent 3
  set dscp cs2
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 193.92.x.x 255.255.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Thessaloniki
 set peer 193.92.x.x
 set transform-set ESP-3DES-SHA
 match address 100
 qos pre-classify
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Athens LAN$ES_LAN$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
 ip address 192.168.2.11 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/1/0
 description Forthnet 1024 VPN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/2/0
 description Forthnet 1024 VPN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/3/0
 description Forthnet 1024 Internet
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface Dialer1
 description Forthnet VPN$FW_INSIDE$
 ip address 193.92.x.x 255.255.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp reliable-link
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map SDM_CMAP_1
 service-policy output SDM-Pol-Dialer1
 hold-queue 224 in
!
interface Dialer3
 description Forthnet Internet$FW_OUTSIDE$
 ip address 193.92.x.x 255.255.x.x
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 3
 dialer-group 3
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer3 permanent
ip route 192.168.0.0 255.255.255.0 Dialer1 permanent
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer3 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 193.92.150.3 eq domain any
access-list 102 permit udp host 194.219.227.2 eq domain any
access-list 102 deny   ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
!
control-plane
!
banner login ^CCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16717106
Looks like you also need a separate route statement for your VPN peer if you want all traffic to go out the second DSL line:

>set peer 193.92.x.x
Add:
  ip route 193.92.x.x 255.255.255.255 Dialer1

You don't really need this one:
 >ip route 192.168.0.0 255.255.255.0 Dialer1 permanent

0
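As an added illustration of the routing point above (example code, not from the thread): a longest-prefix-match lookup against the two static routes in the posted config, run with and without the suggested host route to the peer, and with and without the 192.168.0.0/24 route. The peer address is masked in the thread, so 203.0.113.9 (an RFC 5737 documentation address) is assumed in its place. Because the crypto map is applied only to Dialer1, any destination that resolves to Dialer3 leaves the NATed Internet line without ever touching the crypto map.

```python
import ipaddress

# Static routes as posted in the running config (Dialer1 = VPN DSL line,
# Dialer3 = Internet DSL line with NAT). Constructed from the thread.
ORIGINAL_ROUTES = [
    ("0.0.0.0/0", "Dialer3"),
    ("192.168.0.0/24", "Dialer1"),
]

# Stand-in for the masked peer 193.92.x.x: 203.0.113.9 is an RFC 5737
# documentation address, assumed here, not the poster's real peer.
PEER = "203.0.113.9"


def lookup(routes, dst):
    """Return (prefix, interface) of the longest-prefix match for dst, or None.

    This is the rule IOS applies when choosing an egress interface: the most
    specific matching prefix wins; the default route only when nothing else
    matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


def egress(routes, dst):
    """Interface a packet to dst leaves on, or None if it is unroutable."""
    hit = lookup(routes, dst)
    return None if hit is None else hit[1]


def with_host_route(routes, peer):
    """Table after adding 'ip route <peer> 255.255.255.255 Dialer1'."""
    return routes + [(f"{peer}/32", "Dialer1")]


def without_lan_route(routes):
    """Table after removing 'ip route 192.168.0.0 255.255.255.0 Dialer1'."""
    return [r for r in routes if r[0] != "192.168.0.0/24"]


if __name__ == "__main__":
    tables = [
        ("as posted", ORIGINAL_ROUTES),
        ("with /32 to peer", with_host_route(ORIGINAL_ROUTES, PEER)),
        ("without 192.168.0.0/24", without_lan_route(ORIGINAL_ROUTES)),
    ]
    for label, table in tables:
        print(f"{label}:")
        print(f"  IKE/ESP to peer {PEER:<15} -> {egress(table, PEER)}")
        print(f"  LAN traffic to 192.168.0.1   -> {egress(table, '192.168.0.1')}")
```

With the table as posted, packets to the peer follow the default route out Dialer3; the /32 moves them to Dialer1. Removing the 192.168.0.0/24 route sends the remote LAN out Dialer3 as well, which is why the ping stops working without it.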

Author Comment

by:AchillesP
ID: 16717259
>set peer 193.92.x.x (I HAVE IT ALREADY)
Add:
  ip route 193.92.x.x 255.255.255.255 Dialer1 (I ADDED IT)

You don't really need this one:
 >ip route 192.168.0.0 255.255.255.0 Dialer1 permanent (IF I DELETE THIS ROUTE I CANNOT PING THE OTHER SIDE)

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16717788
OK, so if you keep the route to 192.168.0.0, does the tunnel come up and work correctly?
What is the status of "show cry is sa"?
0
 

Author Comment

by:AchillesP
ID: 16717819
Yes, if I keep the route to 192.168.0.0 the tunnel works.

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
193.92.43.9     193.92.43.10    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
0
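An added check, not code from the thread: a small parser for the `show crypto isakmp sa` table pasted above, for a monitoring job that collects that command's output (how the output is collected, for example over SSH, is outside this snippet). Caveat: QM_IDLE with status ACTIVE only says the IKE phase 1 SA is up; the IPsec SAs that actually carry traffic are listed by `show crypto ipsec sa`. The second sample, with MM_NO_STATE, is constructed to show what a failed negotiation looks like.

```python
import re
from dataclasses import dataclass

# Output pasted earlier in the thread, used here as sample input.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
193.92.43.9     193.92.43.10    QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed sample: a phase 1 negotiation that never completed
# (typical of a wrong pre-shared key or an unreachable peer).
FAILED_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
193.92.43.9     193.92.43.10    MM_NO_STATE       1002    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# One data row; the slot column is optional because not every IOS release prints it.
ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?:(?P<slot>\d+)\s+)?(?P<status>.+?)\s*$"
)


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    slot: int
    status: str


def parse_isakmp_sa(text):
    """Parse the IPv4 table of 'show crypto isakmp sa' into IsakmpSa rows."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sas.append(IsakmpSa(
                m["dst"], m["src"], m["state"], int(m["conn_id"]),
                int(m["slot"]) if m["slot"] else 0, m["status"],
            ))
    return sas


def phase1_up(text, peer):
    """True if an ACTIVE QM_IDLE SA exists with `peer` as dst or src.

    QM_IDLE means IKE phase 1 completed and the SA is idle, ready for
    Quick Mode; it says nothing about whether IPsec (phase 2) SAs exist.
    """
    return any(
        sa.state == "QM_IDLE" and sa.status == "ACTIVE" and peer in (sa.dst, sa.src)
        for sa in parse_isakmp_sa(text)
    )


def stuck_negotiations(text):
    """Rows that are not in QM_IDLE, i.e. phase 1 attempts that did not finish."""
    return [sa for sa in parse_isakmp_sa(text) if sa.state != "QM_IDLE"]


if __name__ == "__main__":
    print("peer 193.92.43.9 phase 1 up:", phase1_up(SAMPLE, "193.92.43.9"))
    for sa in stuck_negotiations(FAILED_SAMPLE):
        print("stuck:", sa)
```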
 
LVL 11

Accepted Solution

by:
prueconsulting earned 2000 total points
ID: 16720838
If the tunnel is dropping, as lrmoore said, it's by design when no traffic is being passed.

However, if you want to keep it alive for whatever reason, set up a job of some type on a PC on the LAN side of the VPN to periodically send a ping to a host on the other side. This will prevent the tunnel from tearing down.
0
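An added example of the keepalive job described in the accepted answer, not code from the thread: a Python script for a PC on the Athens LAN that pings a host on the Thessaloniki side at a fixed interval and exits non-zero after several consecutive misses, so the scheduler running it can alert instead of looping silently. 192.168.0.1 is an assumed host in the remote 192.168.0.0/24 network, and the interval and failure threshold are assumptions too. The pings have to travel from 192.168.2.0/24 to 192.168.0.0/24 to match access-list 100 and trigger the crypto map; a ping from the router itself only counts if it is sourced from the FastEthernet0/0 address.

```python
import platform
import subprocess
import sys
import time

# Host on the far side of the tunnel. 192.168.0.1 is assumed to exist in the
# remote LAN 192.168.0.0/24 from the thread; change it to a real host there.
REMOTE_HOST = "192.168.0.1"
INTERVAL_S = 60                 # assumed; short enough that the SA never idles out
TIMEOUT_S = 2                   # per-echo reply timeout
MAX_CONSECUTIVE_FAILURES = 5    # assumed alert threshold


def ping_args(host, timeout_s, system=None):
    """Build a single-echo ping command line for the local OS.

    Windows ping: -n <count> -w <ms>; Linux ping: -c <count> -W <s>;
    macOS/BSD ping: -c <count> -W <ms>.
    """
    system = system or platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    if system == "Darwin":
        return ["ping", "-c", "1", "-W", str(timeout_s * 1000), host]
    return ["ping", "-c", "1", "-W", str(timeout_s), host]


def ping_once(host, timeout_s=TIMEOUT_S):
    """Send one echo request; True only if a reply came back."""
    try:
        result = subprocess.run(
            ping_args(host, timeout_s),
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s + 3,
        )
        return result.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


class FailureCounter:
    """Counts consecutive misses; record() returns True once the limit is hit."""

    def __init__(self, limit):
        self.limit = limit
        self.failures = 0

    def record(self, ok):
        self.failures = 0 if ok else self.failures + 1
        return self.failures >= self.limit


def keepalive_loop(host=REMOTE_HOST, interval_s=INTERVAL_S, limit=MAX_CONSECUTIVE_FAILURES):
    """Ping forever; return 1 after `limit` consecutive misses so a scheduler can alert."""
    counter = FailureCounter(limit)
    while True:
        ok = ping_once(host)
        print(time.strftime("%Y-%m-%d %H:%M:%S"), host, "reply" if ok else "no reply", flush=True)
        if counter.record(ok):
            print(f"{limit} consecutive failures to {host}; tunnel likely down", file=sys.stderr)
            return 1
        time.sleep(interval_s)


if __name__ == "__main__":
    sys.exit(keepalive_loop(sys.argv[1] if len(sys.argv) > 1 else REMOTE_HOST))
```

Run it as a service, a Windows scheduled task set to start at boot, or from cron with `@reboot`, and have the scheduler notify on a non-zero exit. Keep the interval well below the IPsec SA idle and lifetime values configured on both routers.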
 
LVL 79

Expert Comment

by:lrmoore
ID: 16720865
So, if the tunnel is working and automatically comes back up whenever there is traffic to pass, then what is the issue? As I said, it is working as designed.
0
 

Author Comment

by:AchillesP
ID: 16733152
It was a problem with the Cisco 2801 ROMMON. I did the update and now the tunnel never drops. Thanks.
0
