08-04-2004 05:40 AM - edited 02-20-2020 11:32 PM
I have multiple remote sites that VPN into a 3000 Concentrator; each site has a 1710 router that uses PPPoE (save for one or two exceptions).
My issue is that on occasion (between several days to several weeks), the 1710 will either drop the tunnel and not re-negotiate until it is rebooted, or traffic will simply stop and not start up again until the tunnel is logged off manually and rebuilt.
The following is a sample config that uses PPPoE on the 1710s:
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXX
!
logging queue-limit 100
logging buffered 4096 debugging
enable secret # ####################
!
username admin password # ######################
memory-size iomem 15
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
ip subnet-zero
!
ip domain name #####.###
ip name-server ###.###.###.###
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address ###.###.###.###
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
set peer ###.###.###.###
set transform-set to_vpn
match address 101
!
interface Ethernet0
description OUTSIDE INTERFACE (Untrusted)
no ip address
no ip route-cache
no ip mroute-cache
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
no keepalive
no shut
!
interface FastEthernet0
description INSIDE INTERFACE (Trusted)
ip address ###.###.###.### 255.255.###.###
ip nat inside
speed 100
full-duplex
no keepalive
no shut
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no keepalive
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxx
ppp chap password # XXXXXXXX
ppp pap sent-username xxxxxxxxxxxxxxx password 0 xxxxxxxxxxxx
crypto map to_vpn
no shut
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip tacacs source-interface FastEthernet0
no ip http server
no ip http secure-server
!
logging trap debugging
logging ###.###.###.###
access-list 1 permit ###.###.###.###
access-list 101 permit ip xx.xx.xx.0 0.0.0.255 any
access-list 110 deny ip xx.xx.xx.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 110
!
tacacs-server host ###.###.###.###
no tacacs-server directed-request
tacacs-server key ########
snmp-server community ########
snmp-server community SNMPv2c view ###########
snmp-server trap-source FastEthernet0
snmp-server location xxxxxxxxxxx
snmp-server contact ############
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps entity
snmp-server host ###.###.###.### SNMPv2c
snmp-server host ###.###.###.### #######
radius-server authorization permit missing Service-Type
banner motd ^
Access to this device is limited to authorized persons only.
^
!
line con 0
session-timeout 7
line aux 0
exec-timeout 1 0
login authentication local
no exec
line vty 0 4
session-timeout 21
transport preferred telnet
transport input telnet ssh
!
no scheduler allocate
ntp clock-period 17169001
ntp source FastEthernet0
end
If I've missed something or misconfigured anything here, some insight would be appreciated.
Marc
08-05-2004 10:31 PM
Hi
Are there any security-association lifetime values configured which may be the reason for dropping? Or is it similar in all your (1710) locations?
What's the current IOS code you are running?
regds
prem
08-06-2004 04:57 AM
Almost all of the 1710s are running 12.3(6b) code; I'm in the process of upgrading to 12.3(9). I'm hoping that alone does the trick. We're researching configuring keepalives and lifetime values, but this setup is a first and we're absorbing the technology still.
Marc
08-09-2004 01:08 PM
UPDATE:
I've set up a test router with identical VPN settings on the concentrator; after upgrading the IOS code to 12.3 (9), I'm still getting the problem - more frequently on the test account! The tunnel seems to drop if there is a significant period of inactivity in the tunnel.
Logging is not enabled on these routers at this time, but I've copied some error messages in the log that appear when the tunnel closes and the connection fails to rebuild automatically; analysis via the Cisco Output Interpreter only says "contact the peer administrator" - since this is ME, there is no useful analysis from this source.
Any takers on what these error messages mean?
00:58:16: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xxx.xxx has no SA and is not an initialization offer
00:58:28: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from xx.xx.xxx.xxx failed its sanity check or is malformed
00:58:28: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xx.xx.xxx.xxx
00:59:20: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xxx.xxx has no SA and is not an initialization offer
The first/last error message will repeat indefinitely, until the router is rebooted; the tunnel fails to renegotiate on its own, from either end.
Should I configure IKE keepalives to alleviate this - and if so, how..?
Thanks for your input,
Marc
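The log excerpt above has a recognisable signature: the IKMP_NO_SA line repeating from the same peer, which is the concentrator still sending on an SA the router no longer holds while the router never re-initiates. The following is an added example, not code from the thread or from Cisco, showing how a syslog collector could pick that pattern out and alert before someone has to notice a site is dark. The sample lines are constructed to match the format Marc posted (the `service timestamps log uptime` form, h:mm:ss), and the peer address 203.0.113.5 is a documentation-range placeholder standing in for the masked concentrator address.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines posted in the thread.
# 203.0.113.5 is a placeholder for the (masked) VPN concentrator address.
SAMPLE_LOG = """\
00:58:16: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.5 has no SA and is not an initialization offer
00:58:28: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 203.0.113.5 failed its sanity check or is malformed
00:58:28: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 203.0.113.5
00:59:20: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.5 has no SA and is not an initialization offer
01:00:24: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.5 has no SA and is not an initialization offer
"""

# IOS message header: "<uptime>: %FACILITY-SEVERITY-MNEMONIC: text"
# This handles the h:mm:ss uptime form shown in the post only.
LINE_RE = re.compile(
    r"^(?P<uptime>\d+:\d{2}:\d{2}): %(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$"
)
# The peer appears as "from A.B.C.D" or "peer at A.B.C.D" in the CRYPTO messages above.
PEER_RE = re.compile(r"(?:from|peer at) (?P<peer>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Split one IOS syslog line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec.pop("sev"))
    h, mi, s = (int(x) for x in rec["uptime"].split(":"))
    rec["uptime_s"] = h * 3600 + mi * 60 + s
    p = PEER_RE.search(rec["text"])
    rec["peer"] = p.group("peer") if p else None
    return rec


def detect_stuck_ike(log_text, min_repeats=3, window_s=600):
    """Flag peers whose IKMP_NO_SA message repeats min_repeats or more times
    inside any window_s-second window, i.e. the far end keeps sending on an SA
    this router does not have and nothing is rebuilding it.
    Returns {peer: longest_run_in_window}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "IKMP_NO_SA" and rec["peer"]:
            events[rec["peer"]].append(rec["uptime_s"])

    flagged = {}
    for peer, times in events.items():
        times.sort()
        for i in range(len(times)):
            # Extend the run from times[i] as far as the window allows.
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window_s:
                j += 1
            run = j - i + 1
            if run >= min_repeats:
                flagged[peer] = max(flagged.get(peer, 0), run)
    return flagged


if __name__ == "__main__":
    for peer, run in detect_stuck_ike(SAMPLE_LOG).items():
        print(f"peer {peer}: {run} IKMP_NO_SA messages without a rebuilt SA; tunnel likely stuck")
```

Thresholds are a site-specific choice; three repeats in ten minutes matches the roughly one-per-minute cadence in the excerpt. Because the router-side messages say nothing about whether the concentrator still considers the SA up, the useful alert is the repeat itself, not any single line. Note that uptime-based timestamps switch to a day/week form once the router has been up more than a day, which this parser does not handle; `service timestamps log datetime` gives wall-clock stamps that are simpler to parse and to correlate with the concentrator's own log.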