ogexperts asked:

Cisco PIX to Cisco 1841 IPSEC VPN issues

Dear Experts

My setup is as follows:

HQ:
Cisco PIX 515
Subnet: 172.20.0.0/16

Branch office:
Cisco 1841 router with Advanced Security feature set
Subnet: 172.22.0.0/16


My HQ also has other branch offices connected via MPLS.
Subnets:
172.17.0.0/16
172.18.0.0/16
172.19.0.0/16
172.21.0.0/16
172.23.0.0/16

I have configured IPsec VPN connectivity between the PIX and the 1841 router.

Initially, I configured the PIX and 1841 to only route the connected subnets (172.20.0.0/16 & 172.22.0.0/16) across the tunnel and everything was working fine.

Second step, I added 172.19.0.0/16 to also be available across the VPN from my branch office. Everything was still working fine.

Next step, I also added 172.21.0.0/16 to be available from the branch office. That's when my problems started.
Immediately, the VPN tunnel became very unstable. Frequently, the tunnel would go down and no traffic would be routed across.
As soon as I removed 172.21.0.0/16 from the tunnel, it stabilized again.


Are there any limitations in how much traffic the 1841 router can handle, or am I missing something on the configuration?
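As an added example (not part of the original post, and not the configuration from this thread), the following Python checker compares the crypto ACL on the branch 1841 with the crypto ACL on the HQ PIX and reports every entry that has no exact mirror image on the other side. Whenever a subnet is added to the interesting-traffic ACL on one peer, the other peer's ACL must carry the same pair with source and destination swapped and the same prefix lengths; otherwise IPsec phase 2 proxy-identity negotiation fails for that flow. The checker also handles the two platforms' different mask conventions: IOS access lists use wildcard (inverse) masks, PIX access lists use subnet masks. The ACL names (101, vpn) and both ACL texts are constructed for the example, and the PIX entry for 172.21.0.0 is deliberately written with a /24 mask so that the output shows what a mismatch looks like. The thread's accepted resolution was a misconfiguration on the HQ PIX without saying which one; this is one of the checks a practitioner would run first.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread): the branch 1841 crypto ACL
# after 172.21.0.0/16 was added, and an HQ PIX crypto ACL where the matching
# entry was mistyped with a /24 subnet mask.
ROUTER_ACL = """
access-list 101 permit ip 172.22.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 172.22.0.0 0.0.255.255 172.19.0.0 0.0.255.255
access-list 101 permit ip 172.22.0.0 0.0.255.255 172.21.0.0 0.0.255.255
"""

PIX_ACL = """
access-list vpn permit ip 172.20.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list vpn permit ip 172.19.0.0 255.255.0.0 172.22.0.0 255.255.0.0
access-list vpn permit ip 172.21.0.0 255.255.255.0 172.22.0.0 255.255.0.0
"""

# Only the plain "permit ip <src> <mask> <dst> <mask>" form is handled; anything
# else (host keyword, port-based entries, deny) is reported as unsupported.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def _network(addr, mask, wildcard):
    """Build an IPv4Network from an address and either a wildcard or a subnet mask."""
    if wildcard:
        # IOS ACLs use wildcard masks: 0.0.255.255 is the inverse of 255.255.0.0
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the set of (src, dst) network pairs permitted by a crypto ACL."""
    pairs = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        src = _network(m.group(1), m.group(2), wildcard)
        dst = _network(m.group(3), m.group(4), wildcard)
        pairs.add((src, dst))
    return pairs


def check(router_text, pix_text):
    """Return (router_only, pix_only): pairs with no exact mirror on the other peer."""
    router_pairs = parse_acl(router_text, wildcard=True)   # IOS: wildcard masks
    pix_pairs = parse_acl(pix_text, wildcard=False)        # PIX: subnet masks
    mirrored_pix = {(d, s) for (s, d) in pix_pairs}
    router_only = router_pairs - mirrored_pix
    pix_only = {(s, d) for (s, d) in pix_pairs if (d, s) not in router_pairs}
    return router_only, pix_only


def report(router_text, pix_text):
    """Human-readable list of unmirrored proxy identities, router side first."""
    router_only, pix_only = check(router_text, pix_text)
    lines = [f"1841-only: {s} -> {d}" for s, d in sorted(router_only, key=str)]
    lines += [f"PIX-only: {s} -> {d}" for s, d in sorted(pix_only, key=str)]
    return lines


if __name__ == "__main__":
    for line in report(ROUTER_ACL, PIX_ACL) or ["crypto ACLs are mirror images"]:
        print(line)
```

Run against the sample above it flags the 172.22.0.0/16 to 172.21.0.0/16 entry as present only on the 1841 and the 172.21.0.0/24 to 172.22.0.0/16 entry as present only on the PIX; correcting the PIX mask to 255.255.0.0 makes the report empty. The same comparison applies to any pair of IPsec peers, not just PIX and 1841, as long as the ACL lines use the simple "permit ip" form.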

Syed Muhammad Usman

With regard to the subnets, they look fine.

Could you please check the LAN subnet, LAN IP and ip route configuration at the remote site (172.21.0.0/16)?

I would like to know whether you are using one leased line or multiple, and whether you are using a serial interface or Ethernet on the WAN.
ogexperts (asker)

Thanks for your reply.

I have an MPLS network with a single link into my HQ which connects to my other remote sites. I have a fibre link into my HQ from my local Telco. My other locations have a mix of serial and Ethernet ports to the MPLS network.

My PIX is sitting on a dedicated internet link (not internet through my MPLS network).

As for routing, I am able to route to all branch offices from my HQ.
My Branch Office (with the 1841 router) is able to trace to my HQ as well as the 172.19.0.0/24 network via the MPLS network.

Routing should be correct on the 172.21.0.0/16. I have verified that there is a local route to 172.22.0.0/16 over the MPLS network.

I assumed that you are sitting at HQ.

I faced a similar type of issue in my network, but that was due to a wrong LAN subnet at the remote site, and a dozen times the remote IT confirmed to me that the LAN subnet was fine.

Is your remote site connected to any other site? If yes, have you checked for STP blocked ports at the core switch?

Yes, I am sitting at HQ, but I also manage the branch office in question.

The only connection from this branch office back to HQ is via this VPN link. There are no other connections to this branch office.
Everything is working fine at the branch office.

As mentioned initially, routing over the VPN via HQ to 172.19.0.0/16 works fine. It is just when I add any other of the remaining subnets I need to make available over the VPN that the problems start.

This makes me believe that there are some limitations in the 1841 router.

No, I doubt it, since HQ is managing all the VPNs; the 1841 will handle only one. Could you please give me the 1841 part # you are using? I will also try to see if there are any limitations.

Just for your info, I set up an 1841 back in 2008, and set up a VPN as well, but I don't know what the model & part # was.

I am using a Cisco 1841 (revision 7.0) C1841-ADVSECURITYK9-M.
IOS version is: 12.4(25e)

And just to clarify: I am only running one single VPN tunnel back to HQ.

Dear, please visit the link below,

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80516d81_ps5855_Products_Q_and_A_Item.html

What encryption are you using? I found some compatibility issues over encryption. Meanwhile, if you can give me the ASA model & part #, I will try to look at compatibility.

Could you also post the sanitized configurations over here so we can have a look at that?

ASKER CERTIFIED SOLUTION
ogexperts

I have told you to check your encryption settings. Good luck.

Misconfiguration on my HQ PIX