cdesk458
asked on
Cisco IPSEC vpn timeout??
We have overseas developers connecting to our network via an IPSEC VPN. For the most part everything works, but periodically they say they can't connect... This usually happens in their morning, or at 6am EST our time.
They're using this VPN client:
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
These lines are repeated over and over in their VPN client log file:
61 16:41:51.068 04/04/11 Sev=Warning/2	IKE/0xE3000023
No private IP address was assigned by the peer
62 16:41:51.068 04/04/11 Sev=Warning/2	IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
Our router is a Cisco 1841 - IOS 12.4(24)T2
Now, CPU usage is 6%, memory usage is 15%.
These are the lines in the running-config that appear to relate to the VPN:
crypto ipsec transform-set common-set esp-aes esp-sha-hmac
crypto ipsec transform-set CDNET esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 10800
 set transform-set common-set
 set isakmp-profile sdm-ike-profile-2
!
crypto ipsec profile SDM_Profile2
 set security-association idle-time 10800
 set transform-set CDNET
 set isakmp-profile sdm-ike-profile-3
!
crypto ipsec profile SDM_Profile6
 set security-association idle-time 14400
 set transform-set ESP-3DES-SHA3
 set isakmp-profile sdm-ike-profile-7
!
!
crypto ctcp port 10000
I see this message appearing in the syslog file:
decaps:rec'd IPSEC packet has invalid spi for dest address-x.x.x.x, prot=50, spi=0x0FFAAAAAA(xxxxxxxxx) srcaddr=y.y.y.y.y
I've asked them to do a tracert at the same time. Today, I see that one hop away from us there was a router reporting 1850ms delay. We had a consultant set up the router for us. We're not network guys but do know enough to telnet into the router and make some changes.
Question: I'm wondering if there are any settings I can change on the VPN that would make it more tolerant to timeouts?
Agree with Qlemo . . . check to make sure you have a sufficient range of IP addresses in the pool.
Good luck,
SteveJ
ASKER
Few issues:
1) There are two VPN groups xxxx-External and dmz-080110 that share the same pool SDM_POOL_2. Is that a problem? There are 20 addresses in that pool..
2) No one is using SDM_POOL_1 which overlaps with SDM_POOL_2
ip local pool SDM_POOL_3 10.1.4.10 10.1.4.219
ip local pool SDM_POOL_4 10.1.4.220 10.1.4.254
ip local pool SDM_POOL_1 10.1.20.230 10.1.20.250
ip local pool SDM_POOL_2 10.2.20.230 10.2.20.250
crypto isakmp client configuration group xxxx-External
 dns 10.2.20.3
 domain dev.xxxx.net
 pool SDM_POOL_2
 acl 104
 include-local-lan
 banner ^CYou are now Connected to xxxx network with limited Access
crypto isakmp client configuration group dmz-080110
 key 6 xxxxx
 dns 10.2.20.3
 domain dev.xxxxx.net
 pool SDM_POOL_2
 acl 104
 banner ^CConnected to xxxx DMZ - Temporary Certificate ^C
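The pool check SteveJ and Qlemo point to (a client that gets "No private IP address was assigned by the peer" during ModeCfg has usually hit an exhausted or misconfigured address pool) can be done mechanically against the running-config. The script below is an added example, not code from this thread: it parses the `ip local pool` lines and the `pool` sub-command of each `crypto isakmp client configuration group`, reports each pool's size and the groups that draw from it, and flags pools that are shared between groups or that overlap with another pool. The embedded config is a constructed sample modelled on the asker's posted lines; group names and placeholders are as posted.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the asker's config (placeholders kept as posted).
RUNNING_CONFIG = """\
ip local pool SDM_POOL_1 10.1.20.230 10.1.20.250
ip local pool SDM_POOL_2 10.2.20.230 10.2.20.250
crypto isakmp client configuration group xxxx-External
 pool SDM_POOL_2
 acl 104
crypto isakmp client configuration group dmz-080110
 key 6 xxxxx
 pool SDM_POOL_2
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)")
GROUP_POOL_RE = re.compile(r"^\s*pool (\S+)")   # sub-command, indented or flattened

def parse_pools(config):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            name, lo, hi = m.groups()
            pools[name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return pools

def parse_group_pools(config):
    """Map pool name -> list of client groups that hand out addresses from it."""
    usage, current = defaultdict(list), None
    for line in config.splitlines():
        if g := GROUP_RE.match(line):
            current = g.group(1)          # entering a new group stanza
        elif (p := GROUP_POOL_RE.match(line)) and current:
            usage[p.group(1)].append(current)
    return dict(usage)

def audit(config):
    """Per pool: usable size, owning groups, shared flag; plus overlapping pool pairs."""
    pools, usage = parse_pools(config), parse_group_pools(config)
    report = {n: {"size": int(r[1]) - int(r[0]) + 1, "groups": usage.get(n, []),
                  "shared": len(usage.get(n, [])) > 1} for n, r in pools.items()}
    names = sorted(pools)
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if pools[a][0] <= pools[b][1] and pools[b][0] <= pools[a][1]]
    return report, overlaps
```

A pool whose size is close to the number of concurrent clients across all groups sharing it, combined with the 10800-second idle-time on the IPsec profiles above, is the condition to look for: an address stays reserved until the idle SA is torn down.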