Avatar of SpyderG
SpyderG
 asked on

Cisco VPN drops

I am experiencing a problem with a newly installed Cisco 1811 router which stops passing traffic over one VPN tunnel every day at the same time.  Here is the topology:
Site A: Cisco 1811 K9 with VPN tunnels to Site B and Site C
Site B: SonicWall Pro 4060 With VPN tunnels to Site A and Site C
Site C: SonicWall TZ 170 with VPN tunnels to Site A and Site B

The A-B and B-C tunnels are fine and when traffic stops over the A-C tunnel, both ends still show the tunnel as up.  So far our "fix" has been to restart the new Cisco.  

I'm not even sure how to start troubleshooting this.  So far we have tried restarting the Cisco at night to see if it effects the timing, but it doesn't.  Every day at the same time the tunnel stops.
VPNRouters

Avatar of undefined
Last Comment
SpyderG

8/22/2022 - Mon
MikeKane

I would 1st check that the rekey lifetimes on both endpoints match exactly along with the rekey for KB count.    Its very easy for 1 device to be set to infinite rekey and the 2nd to request a rekey every 24 hours....  

CAn you verify those settings?
SpyderG

ASKER
The Cisco config does not have a lifetime defined and I believe the default is 24 hours.  The SonicWall lifetime is 86400 seconds.  I am not familiar with the rekey for KB count and don't see a setting on either end.  Can you tell me where to look?

Thanks!
ASKER CERTIFIED SOLUTION
MikeKane

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
router_doctor

can you please include your config for us to look at.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
geergon

You said  "router which stops passing traffic" it means that you still see the tunnel UP, right?

Do you see it up on the SonicWall Status?
What do you see on the router at the moment of the issue?

clear crypto ipsec sa counters
Show crypto isakmp sa
Show crypto ipsec sa peer b.b.b.b
Show crypto ipsec sa peer c.c.c.c


Send the output.

If you still see the tunnel up, the problem is with the NAT bypass, make sure that you have something like this:

access-list 110 deny   ip local_net 0.0.0.255 remote_net 0.0.0.255
access-list 110 permit ip local_net 0.0.0.255 any

route-map nonat permit 10
  match ip address 110

ip nat inside source route-map nonat interface FastEthernet0/1 overload
SpyderG

ASKER
I'm having difficulty catching this in the act, but seem to now have some control over it.  I restarted the SonicWall and that changed the timing of when the connection goes down.  I will see if I can get the timing so that it happens after hours, then I can do some proper testing while it's not working.  In response to the above:
MikeKane: I did set the lifetimes and it didn't make a difference.
Router Doctor: Sorry, I can't post the entire config.  Is there a specific part you're interested in?
Geergon: I will run those commands when I'm able.  I don't understand how nat bypass would only affect us once a day at a certain time.  I do have the proper ACLs in as well.

Note that a clear crypto sa peer c.c.c.c brings the connection back immediately.

Thanks all.
SpyderG

ASKER
Although this was not the solution, I appreciate your help and it lead me to the cause.  The SonicWall had to be restarted to clear an SA that would not renew automatically for some reason.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.