Avatar of SpyderG

Cisco VPN drops

I am experiencing a problem with a newly installed Cisco 1811 router which stops passing traffic over one VPN tunnel every day at the same time.  Here is the topology:
Site A: Cisco 1811 K9 with VPN tunnels to Site B and Site C
Site B: SonicWall Pro 4060 With VPN tunnels to Site A and Site C
Site C: SonicWall TZ 170 with VPN tunnels to Site A and Site B

The A-B and B-C tunnels are fine and when traffic stops over the A-C tunnel, both ends still show the tunnel as up.  So far our "fix" has been to restart the new Cisco.  

I'm not even sure how to start troubleshooting this.  So far we have tried restarting the Cisco at night to see if it affects the timing, but it doesn't.  Every day at the same time the tunnel stops.
Avatar of MikeKane

I would first check that the rekey lifetimes on both endpoints match exactly, along with the rekey KB count.  It's very easy for one device to be set to infinite rekey and the second to request a rekey every 24 hours.

Can you verify those settings?
Avatar of SpyderG


The Cisco config does not have a lifetime defined and I believe the default is 24 hours.  The SonicWall lifetime is 86400 seconds.  I am not familiar with the rekey for KB count and don't see a setting on either end.  Can you tell me where to look?

Avatar of MikeKane
Can you please include your config for us to look at.
You said "router which stops passing traffic"; that means you still see the tunnel UP, right?

Do you see it up on the SonicWall Status?
What do you see on the router at the moment of the issue?

clear crypto ipsec sa counters
show crypto isakmp sa
show crypto ipsec sa peer b.b.b.b
show crypto ipsec sa peer c.c.c.c

Send the output.

If you still see the tunnel up, the problem is with the NAT bypass, make sure that you have something like this:

access-list 110 deny   ip local_net remote_net
access-list 110 permit ip local_net any

route-map nonat permit 10
  match ip address 110

ip nat inside source route-map nonat interface FastEthernet0/1 overload
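An added example, not code from any poster in this thread: a small Python helper that compares two snapshots of `show crypto ipsec sa peer c.c.c.c` output (constructed here in the shape IOS prints, not captured from this router) and reports whether the SA is passing traffic one way only, which is the "tunnel up but nothing flows" symptom described above. It also pulls out the remaining kilobyte and second lifetimes, which is where the per-KB rekey value asked about earlier shows up on an IOS router.

```python
import re

# Constructed sample output in the shape of IOS "show crypto ipsec sa peer c.c.c.c",
# two snapshots a few minutes apart. Not captured from the router in this thread.
SAMPLE_T0 = """\
   current_peer c.c.c.c port 500
    #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
    #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
     inbound esp sas:
      spi: 0xABCD1234(2882343476)
        sa timing: remaining key lifetime (k/sec): (4477834/2687)
"""
SAMPLE_T1 = """\
   current_peer c.c.c.c port 500
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
     inbound esp sas:
      spi: 0xABCD1234(2882343476)
        sa timing: remaining key lifetime (k/sec): (4477834/2387)
"""

def parse_sa(text):
    """Extract encaps/decaps counters and remaining kB/sec lifetime for one peer."""
    sa = {"peer": re.search(r"current_peer (\S+)", text).group(1)}
    sa["encaps"] = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    sa["decaps"] = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    kb, sec = re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", text).groups()
    sa["remaining_kb"], sa["remaining_sec"] = int(kb), int(sec)
    return sa

def diagnose(before, after):
    """Compare two snapshots of the same peer and return a list of findings."""
    findings = []
    sent = after["encaps"] - before["encaps"]   # packets we encrypted toward the peer
    recv = after["decaps"] - before["decaps"]   # packets we decrypted from the peer
    if sent > 0 and recv == 0:
        findings.append("one-way: encrypting toward peer but nothing decrypted back")
    if sent == 0 and recv == 0:
        findings.append("idle: no traffic in either direction")
    if after["remaining_sec"] < 300:
        findings.append("SA rekeys within 5 minutes (time lifetime)")
    if after["remaining_kb"] < 10240:
        findings.append("SA rekeys soon (kilobyte lifetime)")
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_sa(SAMPLE_T0), parse_sa(SAMPLE_T1)):
        print(f)
```

Take the two snapshots while the tunnel is "down" to see whether the Cisco is still sending but receiving nothing, which points at the far end (or the return path) rather than this router's NAT exemption.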
Avatar of SpyderG


I'm having difficulty catching this in the act, but seem to now have some control over it.  I restarted the SonicWall and that changed the timing of when the connection goes down.  I will see if I can get the timing so that it happens after hours, then I can do some proper testing while it's not working.  In response to the above:
MikeKane: I did set the lifetimes and it didn't make a difference.
Router Doctor: Sorry, I can't post the entire config.  Is there a specific part you're interested in?
Geergon: I will run those commands when I'm able.  I don't understand how NAT bypass would only affect us once a day at a certain time.  I do have the proper ACLs in as well.

Note that a clear crypto sa peer c.c.c.c brings the connection back immediately.

Thanks all.
Avatar of SpyderG


Although this was not the solution, I appreciate your help and it led me to the cause.  The SonicWall had to be restarted to clear an SA that would not renew automatically for some reason.