1710 to Concentrator: 1710 hangs, req. reboot

drumrb0y
Level 1

I have multiple remote sites that VPN into a 3000 Concentrator; each site has a 1710 router that uses PPPoE (save for one or two exceptions).

My issue is that on occasion (between several days to several weeks), the 1710 will either drop the tunnel and not re-negotiate until it is rebooted, or traffic will simply stop and not start up again until the tunnel is logged off manually and rebuilt.

The following is a sample config that uses PPPoE on the 1710s:

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXX
!
logging queue-limit 100
logging buffered 4096 debugging
enable secret # ####################
!
username admin password # ######################
memory-size iomem 15
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
ip subnet-zero
!
ip domain name #####.###
ip name-server ###.###.###.###
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address ###.###.###.###
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer ###.###.###.###
 set transform-set to_vpn
 match address 101
!
interface Ethernet0
 description OUTSIDE INTERFACE (Untrusted)
 no ip address
 no ip route-cache
 no ip mroute-cache
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no keepalive
 no shut
!
interface FastEthernet0
 description INSIDE INTERFACE (Trusted)
 ip address ###.###.###.### 255.255.###.###
 ip nat inside
 speed 100
 full-duplex
 no keepalive
 no shut
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no keepalive
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxx
 ppp chap password # XXXXXXXX
 ppp pap sent-username xxxxxxxxxxxxxxx password 0 xxxxxxxxxxxx
 crypto map to_vpn
 no shut
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip tacacs source-interface FastEthernet0
no ip http server
no ip http secure-server
!
logging trap debugging
logging ###.###.###.###
access-list 1 permit ###.###.###.###
access-list 101 permit ip xx.xx.xx.0 0.0.0.255 any
access-list 110 deny ip xx.xx.xx.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 110
!
tacacs-server host ###.###.###.###
no tacacs-server directed-request
tacacs-server key ########
snmp-server community ########
snmp-server community SNMPv2c view ###########
snmp-server trap-source FastEthernet0
snmp-server location xxxxxxxxxxx
snmp-server contact ############
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps entity
snmp-server host ###.###.###.### SNMPv2c
snmp-server host ###.###.###.### #######
radius-server authorization permit missing Service-Type
banner motd ^
Access to this device is limited to authorized persons only.
^
!
line con 0
 session-timeout 7
line aux 0
 exec-timeout 1 0
 login authentication local
 no exec
line vty 0 4
 session-timeout 21
 transport preferred telnet
 transport input telnet ssh
!
no scheduler allocate
ntp clock-period 17169001
ntp source FastEthernet0
end

If I've missed something or misconfigured anything here, some insight would be appreciated.

Marc

3 Replies

spremkumar
Level 9

Hi

Is there any security-association lifetime value configured which may be the reason for the dropping? Or is it similar in all your (1710) locations?

What's the current IOS code you are running?

Regards

prem

Almost all of the 1710s are running 12.3(6b) code; I'm in the process of upgrading to 12.3(9). I'm hoping that alone does the trick. We're researching configuring keepalives and lifetime values, but this setup is a first and we're still absorbing the technology.

Marc

UPDATE:

I've set up a test router with identical VPN settings on the concentrator; after upgrading the IOS code to 12.3 (9), I'm still getting the problem - more frequently on the test account! The tunnel seems to drop if there is a significant period of inactivity in the tunnel.

Logging is not enabled on these routers at this time, but I've copied some error messages in the log that appear when the tunnel closes and the connection fails to rebuild automatically; analysis via the Cisco Output Interpreter only says "contact the peer administrator" - since this is ME, there is no useful analysis from this source.

Any takers on what these error messages mean?

00:58:16: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xxx.xxx has no SA and is not an initialization offer
00:58:28: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from xx.xx.xxx.xxx failed its sanity check or is malformed
00:58:28: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xx.xx.xxx.xxx
00:59:20: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xxx.xxx has no SA and is not an initialization offer

The first/last error message will repeat indefinitely until the router is rebooted; the tunnel fails to renegotiate on its own from either end.

Should I configure IKE keepalives to alleviate this, and if so, how?

Thanks for your input,

Marc
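The pattern Marc describes (IKMP_NO_SA from the same peer repeating with no renegotiation in between) is something a log collector can flag before someone notices a dead site. Below is an added example, not code from the thread: a small Python detector over constructed uptime-stamped IOS syslog lines of the same message types quoted above, with RFC 5737 documentation addresses standing in for the redacted peers; the threshold of three IKMP_NO_SA messages is an assumed alerting value.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post): uptime-stamped IOS syslog lines of the same
# message types Marc quoted, using RFC 5737 documentation addresses as peers.
SAMPLE_LOG = """\
00:30:00: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.7 has no SA and is not an initialization offer
00:58:16: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.10 has no SA and is not an initialization offer
00:58:28: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 203.0.113.10 failed its sanity check or is malformed
00:58:28: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 203.0.113.10
00:59:20: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.10 has no SA and is not an initialization offer
01:00:25: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.10 has no SA and is not an initialization offer
"""

# "HH:MM:SS:" uptime stamp (what "service timestamps log uptime" emits before the
# first day rolls over), the CRYPTO mnemonic, then the first IPv4 address in the text.
LINE_RE = re.compile(r"^(\d+):(\d{2}):(\d{2}): %CRYPTO-\d-(\w+): .*?(\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return (uptime_seconds, mnemonic, peer_ip), or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, mnemonic, peer = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), mnemonic, peer


def find_stuck_peers(log_text, min_no_sa=3):
    """Flag peers with >= min_no_sa IKMP_NO_SA messages whose latest message is also
    IKMP_NO_SA, i.e. nothing after the errors suggests the SA was renegotiated."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            t, mnemonic, peer = parsed
            events[peer].append((t, mnemonic))
    stuck = {}
    for peer, evs in events.items():
        no_sa = [t for t, m in evs if m == "IKMP_NO_SA"]
        if len(no_sa) >= min_no_sa and evs[-1][1] == "IKMP_NO_SA":
            stuck[peer] = {  # what an alert should carry: count and the uptime span covered
                "no_sa_count": len(no_sa),
                "first_uptime": no_sa[0],
                "last_uptime": no_sa[-1],
                "span_seconds": no_sa[-1] - no_sa[0],
            }
    return stuck
```

The single IKMP_NO_SA from 198.51.100.7 stays below the threshold, while 203.0.113.10 is reported with three errors spanning 129 seconds of uptime and no later IKE activity.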
