Solved

Cisco VPN Client disconnects irregularly

Posted on 2011-09-14
810 Views
Last Modified: 2012-05-12
Hello everyone

I have a client with four sites, of which two recently had Cisco 877 routers installed in order to provide site-to-site VPN connections.

All four sites have PCs which use the Cisco VPN Client software to dial in to an overseas headquarters network. The client advises me that since the 877s were installed, only the VPN Clients at those two sites experience irregular error 412 (remote peer no longer responding) errors, while the two sites with consumer-grade routers have stable VPN connections. After adding the ForceKeepAlive parameter to the VPN profile, dropouts now occur 2-3 times per working day (roughly 10 hours).

What can we do to stop the timeouts and ensure stable VPN connections?

Thanks!
David

Here is the 877 router config:

Current configuration : 12326 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 [snip]
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1475976959
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1475976959
 revocation-check none
 rsakeypair TP-self-signed-1475976959
!
!
crypto pki certificate chain TP-self-signed-1475976959
 certificate self-signed 01 [snip]
        quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.30.1 192.168.30.99
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.30.0 255.255.255.0
   dns-server 192.168.30.3 139.130.4.4
   default-router 192.168.30.1
!
!
ip port-map user-ctcp-ezvpnsvr port tcp 10000
ip cef
no ip bootp server
ip domain name companyname.local
ip name-server 192.168.30.3
ip name-server 139.130.4.4
!
!
!
!
username [snip]
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnusers
 key [snip]
 dns 192.168.30.3
 domain companyname.local
 pool SDM_POOL_1
 acl 103
 save-password
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpnusers
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match protocol user-ctcp-ezvpnsvr
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface Loopback0
 ip address 10.0.0.138 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [snip]
 ppp chap password 7 [snip]
 ppp pap sent-username [snip] password 7 [snip]
!
ip local pool SDM_POOL_1 192.168.31.100 192.168.31.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.30.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp 192.168.30.0 0.0.0.255 host 192.168.30.1 eq 22
access-list 101 permit tcp 192.168.30.0 0.0.0.255 host 192.168.30.1 eq 443
access-list 101 permit tcp 192.168.30.0 0.0.0.255 host 192.168.30.1 eq cmd
access-list 101 permit tcp 192.168.31.0 0.0.0.255 host 192.168.30.1 eq 22
access-list 101 permit tcp 192.168.31.0 0.0.0.255 host 192.168.30.1 eq 443
access-list 101 permit tcp 192.168.31.0 0.0.0.255 host 192.168.30.1 eq cmd
access-list 101 deny   tcp any host 192.168.30.1 eq telnet
access-list 101 deny   tcp any host 192.168.30.1 eq 22
access-list 101 deny   tcp any host 192.168.30.1 eq www
access-list 101 deny   tcp any host 192.168.30.1 eq 443
access-list 101 deny   tcp any host 192.168.30.1 eq cmd
access-list 101 deny   udp any host 192.168.30.1 eq snmp
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.30.0 0.0.0.255 any
access-list 102 permit ip 192.168.31.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 192.168.30.0 0.0.0.255 any
access-list 103 permit ip 192.168.31.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
control-plane
!
banner exec ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 102 in
 authorization exec local_author
 login authentication local_authen
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

And here is the affected VPN profile:

[main]
Description=HQ VPN Access
Host=[snip]
AuthType=1
GroupName=[snip]
GroupPwd=
enc_GroupPwd=[snip]
EnableISPConnect=0
ISPConnectType=0
ISPConnect=HQC
ISPPhonebook=C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=[snip]
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=1
BackupServer=[snip],[snip]
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=[snip]
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=1
ForceKeepAlives=1


Question by:davidiwharper
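The profile posted above decides how the client's traffic looks to the 877 sitting between the PC and headquarters: TunnelingMode selects IPsec over UDP or over TCP, EnableNat selects transparent tunnelling, and ForceKeepAlives/PeerTimeout control keepalives and dead-peer detection. The script below is an added example, not code from the original post: it parses a constructed .pcf (same keys as the posted one, secrets replaced by placeholders) and reports which transport paths an intermediate stateful firewall has to pass and which keepalive settings are in force. The field meanings are taken from Cisco's VPN Client profile documentation as I recall it and are assumptions to verify against the guide for your client version; Cisco's older proprietary UDP encapsulation (a separately negotiated UDP port) is not modelled.

```python
"""Summarise transport and keepalive settings of a Cisco VPN Client .pcf profile.

Added example, not from the original post. The sample profile is constructed
to mirror the posted one; every secret is a placeholder.
"""
import configparser

# Constructed sample that mirrors the posted profile (placeholders, not real values).
SAMPLE_PCF = """\
[main]
Description=HQ VPN Access
Host=vpn.example.invalid
AuthType=1
GroupName=example-group
GroupPwd=
enc_GroupPwd=PLACEHOLDER
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
PeerTimeout=90
EnableLocalLAN=1
ForceKeepAlives=1
"""

# Assumed meanings (per the Cisco VPN Client profile keywords as I recall them):
#   TunnelingMode 0 = IPsec over UDP, 1 = IPsec over TCP (port TcpTunnelingPort)
#   EnableNat 1     = transparent tunnelling (NAT-T, ESP inside UDP/4500)
#   ForceKeepAlives = send IKE/ESP keepalives at a fixed short interval
#   PeerTimeout     = dead-peer-detection timeout in seconds
TUNNELING_MODES = {"0": "IPsec over UDP", "1": "IPsec over TCP"}


def parse_pcf(text):
    """Parse the INI-style .pcf text into a dict, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep 'ForceKeepAlives', do not lower-case keys
    parser.read_string(text)
    if "main" not in parser:
        raise ValueError("profile has no [main] section")
    return dict(parser["main"])


def profile_summary(fields):
    """Return the transport the client will use, the protocol/port paths a
    firewall between client and server must allow, and the keepalive settings."""
    mode = fields.get("TunnelingMode", "0")
    if mode == "1":
        required = [("tcp", int(fields.get("TcpTunnelingPort", "10000")))]
    else:
        required = [("udp", 500)]  # IKE
        if fields.get("EnableNat", "0") == "1":
            required.append(("udp", 4500))  # NAT-T encapsulated ESP
        else:
            required.append(("esp", None))  # raw ESP, IP protocol 50
    return {
        "transport": TUNNELING_MODES.get(mode, "unknown"),
        "required_paths": required,
        "force_keepalives": fields.get("ForceKeepAlives", "0") == "1",
        "peer_timeout_s": int(fields.get("PeerTimeout", "90")),
        "local_lan": fields.get("EnableLocalLAN", "0") == "1",
    }


if __name__ == "__main__":
    summary = profile_summary(parse_pcf(SAMPLE_PCF))
    print(f"transport: {summary['transport']}")
    for proto, port in summary["required_paths"]:
        print(f"  firewall must pass {proto}" + (f"/{port}" if port else ""))
    print(f"keepalives forced: {summary['force_keepalives']}, "
          f"DPD timeout: {summary['peer_timeout_s']} s")
```

Read against the posted 877 config, the result is informative: the in-zone to out-zone policy ccp-inspect inspects generic tcp and udp and drops everything else in class-default, so the UDP/500 and UDP/4500 paths listed for this profile are inspected and pass, whereas raw ESP from a client with transparent tunnelling disabled would be dropped. Inspected UDP sessions also age out quickly when idle (30 seconds by default unless a parameter-map says otherwise), which is exactly the situation the ForceKeepAlives setting exists for.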
12 Comments
 
LVL 7

Expert Comment

by:CSorg
ID: 36534606
Feels like a problem with your DSL connection. Have you monitored the line from inside and/or outside?
0
 

Author Comment

by:davidiwharper
ID: 36534785
I can get the client to check the DSL side of things, but the service is the same as what it was before the 877 was installed, which is why I have discounted that thus far.
0
 
LVL 9

Expert Comment

by:parparov
ID: 36540223
It might be useful to toggle VPN's used protocol from TCP to UDP or vice versa.
0
 

Author Comment

by:davidiwharper
ID: 36540580
Okay, will try.
0
 

Author Comment

by:davidiwharper
ID: 36714662
Sorry for the delay folks. Switching from UDP to TCP does not help.
0
 
LVL 7

Expert Comment

by:CSorg
ID: 36715581
What IOS version are you running?
0
 

Author Comment

by:davidiwharper
ID: 36715608

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Fri 03-Sep-10 17:16 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

router1 uptime is 4 weeks, 2 hours, 50 minutes
System returned to ROM by power-on
System image file is "flash:c870-advsecurityk9-mz.124-24.T4.bin"

Here it is. I have also asked the customer to implement auto reconnection as a possible workaround in the meantime.
0
 
LVL 7

Expert Comment

by:CSorg
ID: 36715688
Have you set up monitoring for inside and outside, to see whether perhaps the line itself is not stable?
0
 
LVL 7

Expert Comment

by:CSorg
ID: 36717723
I just had an issue with an 877 where the ATM refused to work properly (it could not PPP-authenticate correctly); the IOS was c870-advsecurityk9-mz.124-24.T5.

Recently I have had issues with newer versions as well, so I went back to c870-advsecurityk9-mz.124-15.XY3, which in my case worked like a charm; in this setup, the 877 sets up a site-to-site VPN to an 1841.

So I would suggest bringing back an older IOS (my suggestion would be c870-advsecurityk9-mz.124-15.XY3 as well).
0
 

Author Comment

by:davidiwharper
ID: 36908966
Okay, I have arranged to go onsite, but based on some new information provided by the customer it looks like an internal cabling issue, which should have been made clearer at the beginning, but that is how it goes sometimes :(

Will post more information as soon as it comes to hand.
0
 

Accepted Solution

by:
davidiwharper earned 0 total points
ID: 36914916
Hi all

This appears to have been a problem with the specific machine going to sleep at regular intervals. When that happens all Cisco VPN connections are terminated.

The customer, of course, reported that the whole network was going down when this wasn't the case at all - they even had other machines on site which still worked flawlessly.

Anyway, I guess we can chalk this one up to poor interpretation on my part.
0
 

Author Closing Comment

by:davidiwharper
ID: 36938233
The solution is to ensure that the affected machine does not go to sleep. The "High Performance" power mode in Windows has this setting by default.
0
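The resolution above came from noticing that the drops on the one machine lined up with it going to sleep, while other PCs on the same link stayed connected. Checking that correlation from logs instead of by guesswork is straightforward; the script below is an added example, not something from the thread. It parses a constructed Windows System log export (only the event sources and IDs are real: Kernel-Power 42 is "entering sleep", Power-Troubleshooter 1 is "resumed") and a constructed, simplified VPN client log, then flags each error-412 disconnect that follows a power event within a window. The window (180 s) and both line formats are assumptions for the example.

```python
"""Correlate VPN Client disconnects with Windows sleep/resume events.

Added example, not part of the original thread. Both log formats and all
timestamps below are constructed; only the Windows event sources and IDs are
real (Kernel-Power 42 = entering sleep, Power-Troubleshooter 1 = resumed).
"""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed System log export: "<date> <time> <source> <event id> <message>".
SYSTEM_LOG = """\
2011-09-20 09:02:11 Microsoft-Windows-Kernel-Power 42 The system is entering sleep
2011-09-20 09:20:40 Microsoft-Windows-Power-Troubleshooter 1 The system has resumed from sleep
2011-09-20 13:05:03 Microsoft-Windows-Kernel-Power 42 The system is entering sleep
2011-09-20 13:31:17 Microsoft-Windows-Power-Troubleshooter 1 The system has resumed from sleep
"""

# Constructed, simplified client log: "<date> <time> <state> <detail>".
VPN_LOG = """\
2011-09-20 08:15:02 connected HQ VPN Access
2011-09-20 09:20:55 disconnected error 412 remote peer no longer responding
2011-09-20 09:22:10 connected HQ VPN Access
2011-09-20 11:47:30 disconnected error 412 remote peer no longer responding
2011-09-20 11:48:02 connected HQ VPN Access
2011-09-20 13:31:31 disconnected error 412 remote peer no longer responding
"""

POWER_EVENTS = {
    ("Microsoft-Windows-Kernel-Power", "42"): "sleep",
    ("Microsoft-Windows-Power-Troubleshooter", "1"): "resume",
}


def parse_power_events(text):
    """Return [(timestamp, 'sleep' | 'resume')] for power events in a System log export."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # blank or malformed line
        date, time, source, event_id, _message = parts
        kind = POWER_EVENTS.get((source, event_id))
        if kind:
            events.append((datetime.strptime(f"{date} {time}", TS_FORMAT), kind))
    return events


def parse_disconnects(text):
    """Return the timestamps of 'disconnected' lines in the client log."""
    stamps = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2] == "disconnected":
            stamps.append(datetime.strptime(f"{parts[0]} {parts[1]}", TS_FORMAT))
    return stamps


def correlate(disconnects, power_events, window_s=180):
    """Split disconnects into those preceded by a power event within window_s seconds
    (explained by power management) and the rest (unexplained, investigate the link).

    The client only notices the dead tunnel after the machine wakes and dead-peer
    detection times out (PeerTimeout, 90 s in the posted profile), so in practice the
    match lands on the resume event rather than on the sleep that killed the tunnel."""
    window = timedelta(seconds=window_s)
    explained, unexplained = [], []
    for t in disconnects:
        recent = [kind for ts, kind in power_events if t - window <= ts <= t]
        (explained if recent else unexplained).append(t)
    return explained, unexplained


if __name__ == "__main__":
    ok, bad = correlate(parse_disconnects(VPN_LOG), parse_power_events(SYSTEM_LOG))
    for t in ok:
        print(f"{t}: disconnect follows sleep/resume (power management)")
    for t in bad:
        print(f"{t}: disconnect NOT explained by power events")
```

On the constructed data two of the three drops follow a resume and one does not; that remaining one is the kind of event worth chasing on the DSL side, which is the split the thread never had until the customer's report was corrected.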
