Cisco PIX to Cisco 1841 IPSEC VPN issues

ogexperts
Dear Experts

My setup is as follows:

HQ:
Cisco PIX 515
Subnet: 172.20.0.0/16

Branch office:
Cisco 1841 router with Advanced Security feature set
Subnet: 172.22.0.0/16


My HQ also has other branch offices connected via MPLS.
Subnets:
172.17.0.0/16
172.18.0.0/16
172.19.0.0/16
172.21.0.0/16
172.23.0.0/16

I have configured IPSEC VPN connectivity between the PIX and the 1841 router.

Initially, I configured the PIX and 1841 to only route the connected subnets (172.20.0.0/16 & 172.22.0.0/16) across the tunnel and everything was working fine.

Second step, I added 172.19.0.0/16 to also be available across the VPN from my branch office. Everything was still working fine.

Next step, I also added 172.21.0.0/16 to be available from the branch office. That's when my problems started.
Immediately, the VPN tunnel became very unstable. Frequently, the tunnel would go down and no traffic would be routed across.
As soon as I removed 172.21.0.0/16 from the tunnel, it stabilized again.


Are there any limitations in how much traffic the 1841 router can handle, or am I missing something on the configuration?

Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
With regards to the subnets, they look fine.

Could you please check the LAN subnet, LAN IP and ip route configuration at the remote site (172.21.0.0/16)?

I would like to know whether you are using one leased line or multiple, and are you using a serial interface or Ethernet on the WAN?

Author

Commented:
Thanks for your reply.

I have an MPLS network with a single link in to my HQ which connects to my other remote sites. I have a fibre link in to my HQ from my local Telco. My other locations have a mix of serial and Ethernet ports to the MPLS network.

My PIX is sitting on a dedicated internet link (not internet through my MPLS network).

As for routing, I am able to route to all branch offices from my HQ.
My Branch Office (with the 1841 router) is able to trace to my HQ as well as the 172.19.0.0/24 network via the MPLS network.

Routing should be correct on the 172.21.0.0/16. I have verified that there is a local route to 172.22.0.0/16 over the MPLS network.
Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
I assumed that you are sitting at HQ.

I faced a similar type of issue in my network, but that was due to a wrong LAN subnet at the remote site, and a dozen times the remote IT confirmed to me that the LAN subnet was fine.

Is your remote connected to any other site? If yes, have you checked for an STP blocked port at the core switch?

Author

Commented:
Yes, I am sitting at HQ, but I also manage the branch office in question.

The only connection from this branch office back to HQ is via this VPN link. There are no other connections to this branch office.
Everything is working fine at the branch office.

As mentioned initially, routing over the VPN via HQ to 172.19.0.0/16 works fine. It is just when I add any other of the remaining subnets I need to make available over the VPN that the problems start.

This makes me believe that there are some limitations in the 1841 router.
Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
No, I doubt it; since HQ is managing all VPNs, the 1841 will handle only one. Could you please give me the 1841 part # you are using? I will also try to see if there are any limitations.

Just for your info, I set up an 1841 back in 2008, and set up VPN as well, but I don't know what the model & part # was.

Author

Commented:
I am using a Cisco 1841 (revision 7.0) C1841-ADVSECURITYK9-M.
IOS version is: 12.4(25e)

And just to clarify: I am only running one single VPN tunnel back to HQ.
Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
Dear, please visit the link below:

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80516d81_ps5855_Products_Q_and_A_Item.html

What encryption are you using? I found some compatibility issues over encryption. Meantime, if you can give me the ASA model & part #, I will try to look at compatibility.
Ernie BeekSenior infrastructure engineer
Top Expert 2012

Commented:
Could you also post the sanitized configurations over here so we can have a look at that?
Author

Commented:
All

Sorry for the delay. I was doing some troubleshooting and found out I was using the wrong cryptomap at my HQ. So when I updated the access list at my branch office and wanted to route traffic across the tunnel, it was not configured correctly at my HQ and therefore brought down the tunnel.
Once I updated the correct cryptomap, traffic was flowing as it should.

Anyway, thanks a lot for your taking time to assist with this.
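The root cause reported above is the classic IPsec site-to-site failure mode: the crypto-map ACL on one peer was extended, but the peer's ACL was not updated to the mirror image, so the proxy identities no longer matched and the SA negotiation failed for that traffic. The script below is an added example, not the poster's configuration or any Cisco tool: it parses the `permit ip` lines of two crypto ACLs (IOS wildcard-mask style for the 1841, PIX subnet-mask style for the HQ) and reports which entries each side is missing. The ACL names, the sample lines and the inclusion of 172.21.0.0/16 on only one side are constructed from the subnets mentioned in the thread.

```python
import ipaddress
from typing import List, Set, Tuple

Network = ipaddress.IPv4Network
Entry = Tuple[Network, Network]  # (source, destination) of one crypto-map ACL entry

# Constructed sample ACLs using the subnets from the thread; these are NOT the poster's configs.
# The 1841 (IOS) writes wildcard masks, the PIX writes subnet masks, so each is parsed with
# its own mask convention. The branch ACL already carries 172.21.0.0/16; the HQ ACL does not.
BRANCH_1841_ACL = """
access-list 110 permit ip 172.22.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 110 permit ip 172.22.0.0 0.0.255.255 172.19.0.0 0.0.255.255
access-list 110 permit ip 172.22.0.0 0.0.255.255 172.21.0.0 0.0.255.255
"""

HQ_PIX_ACL = """
access-list vpn permit ip 172.20.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list vpn permit ip 172.19.0.0 255.255.0.0 172.22.0.0 255.255.0.0
"""


def _network(addr: str, mask: str, wildcard: bool) -> Network:
    """Build a network from an address and either a wildcard (IOS) or a subnet mask (PIX)."""
    if wildcard:
        # Invert the wildcard bits to obtain the equivalent subnet mask.
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return Network(f"{addr}/{mask}", strict=False)


def _take_endpoint(tokens: List[str], wildcard: bool) -> Tuple[Network, List[str]]:
    """Consume one ACL endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Network(tokens[1] + "/32"), tokens[2:]
    return _network(tokens[0], tokens[1], wildcard), tokens[2:]


def parse_crypto_acl(text: str, wildcard: bool) -> Set[Entry]:
    """Return the (src, dst) pairs of every 'permit ip' line of a crypto-map ACL.
    Deny lines and non-IP protocols are skipped; the 'extended' keyword of PIX 7+/ASA
    syntax is tolerated so both generations of PIX config parse the same way."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "extended"]
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue
        src, rest = _take_endpoint(tokens[4:], wildcard)
        dst, _ = _take_endpoint(rest, wildcard)
        entries.add((src, dst))
    return entries


def mirror_mismatches(local: Set[Entry], remote: Set[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Every local (src, dst) must exist on the remote peer as (dst, src), and vice versa.
    Returns (entries the remote side lacks, entries the local side lacks), each written
    from the perspective of the side that needs to add them."""
    missing_on_remote = sorted((dst, src) for src, dst in local if (dst, src) not in remote)
    missing_on_local = sorted((dst, src) for src, dst in remote if (dst, src) not in local)
    return missing_on_remote, missing_on_local


def check_thread_example() -> Tuple[List[str], List[str]]:
    """Compare the constructed branch and HQ ACLs and return readable mismatch lists."""
    branch = parse_crypto_acl(BRANCH_1841_ACL, wildcard=True)
    hq = parse_crypto_acl(HQ_PIX_ACL, wildcard=False)
    hq_needs, branch_needs = mirror_mismatches(branch, hq)

    def fmt(entry: Entry) -> str:
        return f"{entry[0]} -> {entry[1]}"

    return [fmt(e) for e in hq_needs], [fmt(e) for e in branch_needs]


if __name__ == "__main__":
    hq_needs, branch_needs = check_thread_example()
    print("HQ PIX crypto ACL is missing:", hq_needs or "nothing")
    print("Branch 1841 crypto ACL is missing:", branch_needs or "nothing")
```

Run against the constructed ACLs, the check reports that the HQ PIX lacks `172.21.0.0/16 -> 172.22.0.0/16`, which is exactly the entry whose absence produced the symptom in the thread. Feeding it `show run | include access-list` output from both peers before applying a change catches the mismatch at review time instead of after the tunnel starts flapping.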
Syed_M_UsmanSystem Administrator
Top Expert 2011

Commented:
I have told you to check your encryption settings, good luck.

Author

Commented:
Misconfiguration on my HQ PIX
