AS5300 VPN Remote Access Call Charges

kevin.ward
Level 1

We currently have a remote access environment that is incurring very high call costs. Users dial in to a freephone number via Async or BRI to the AS5300. They then establish an IPSEC connection to the VPN3030.

Our supplier have configured dialer idle timeout but it doesn't appear to be disconnecting calls. Think there may be a problem in the way that access-lists are configured but not 100%.

Any suggestions greatly appreciated.

The following is the dialer config currently running on AS5300:

interface Group-Async1
 ip unnumbered Loopback0
 ip access-group 101 in
 no ip proxy-arp
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 900
 dialer-group 1
 async mode interactive
 peer default ip address pool 34 35 36
 no fair-queue
 no cdp enable
 ppp authentication chap
 ppp ipcp ignore-map
 group-range 1 120
!
interface Dialer1
 ip unnumbered Loopback0
 ip access-group 102 in
 no ip proxy-arp
 encapsulation ppp
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 900
 dialer mult-map-same-name
 dialer-group 1
 peer default ip address pool 37 38 39
 no fair-queue
 no cdp enable
 ppp ipcp ignore-map
!
access-list 100 deny udp any any range netbios-ns netbios-dgm
access-list 100 deny icmp any any administratively-prohibited
access-list 100 permit ip 10.248.32.0 0.0.15.255 host 192.168.60.2
access-list 100 permit ip host 192.168.60.2 10.248.32.0 0.0.15.255
access-list 101 permit ahp 10.248.32.0 0.0.15.255 host 192.168.60.2
access-list 101 permit esp 10.248.32.0 0.0.15.255 host 192.168.60.2
access-list 101 permit udp 10.248.32.0 0.0.15.255 host 192.168.60.2 eq isakmp
access-list 101 deny udp 10.248.32.0 0.0.15.255 any range netbios-ns netbios-dgm
access-list 101 deny icmp 10.248.32.0 0.0.15.255 any administratively-prohibited
access-list 102 permit ahp 10.248.32.0 0.0.15.255 host 192.168.60.2
access-list 102 permit esp 10.248.32.0 0.0.15.255 host 192.168.60.2
access-list 102 permit udp 10.248.32.0 0.0.15.255 host 192.168.60.2 eq isakmp
access-list 102 deny udp 10.248.32.0 0.0.15.255 any range netbios-ns netbios-dgm
access-list 102 deny icmp 10.248.32.0 0.0.15.255 any administratively-prohibited
dialer-list 1 protocol netbios deny
dialer-list 1 protocol ip list 100

3 Replies

jsedlacek
Level 1

I think that the problem could be in isakmp keepalives between the client and the VPN concentrator. You can try to disable the keepalives (in the VPN 3000 configuration) or you can try to insert this line at the beginning of access-list 100:

access-list 100 deny udp any any eq isakmp

You can try to debug it using the following command:

debug dialer packets

To know what kind of packets are resetting the idle-timeout back to max. for a connection.

I think I've made a lot of progress here - thanks. I've tightened down the dialer access list whereby the only traffic that resets idle timeout is inbound encrypted traffic to VPN.

However I am still seeing intermittent traffic (encrypted) that is managing to keep the remote access session up. I have now noticed that VPN concentrator is configured to send IKE keepalives which seems to be the culprit for prolonging calls. All users of this environment are either BRI or PSTN so not sure how relevant IKE Keepalives are to this type of usage.
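An added example, not part of any post in this thread: a small Python model of how dialer-list 1 classifies packets through access-list 100, showing that ISAKMP (UDP 500) keepalives are permitted, and so count as interesting traffic, until the suggested deny line is placed first. The client address 10.248.40.5 is constructed, and the model assumes keepalives travel as plain UDP 500 and covers only the ACL syntax used in the posted list.

```python
import ipaddress
PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "isakmp": 500}

# ACL 100 as posted in the thread; dialer-list 1 uses it to define interesting traffic.
ACL_100 = """\
access-list 100 deny udp any any range netbios-ns netbios-dgm
access-list 100 deny icmp any any administratively-prohibited
access-list 100 permit ip 10.248.32.0 0.0.15.255 host 192.168.60.2
access-list 100 permit ip host 192.168.60.2 10.248.32.0 0.0.15.255
""".splitlines()
SUGGESTED = "access-list 100 deny udp any any eq isakmp"  # line the reply proposes inserting first
# Constructed sample: a dial-in client inside 10.248.32.0/20 and the VPN host named in the ACL.
CLIENT, VPN = "10.248.40.5", "192.168.60.2"

def take_addr(tok):
    """Consume one address spec; return (base, wildcard) as integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.ip_address(tok.pop(0))), 0
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(tok.pop(0)))

def parse(line):
    tok = line.split()[2:]          # drop "access-list <number>"
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = take_addr(tok), take_addr(tok)
    ports = icmp = None
    if tok and tok[0] in ("eq", "range"):
        ports = (PORTS[tok[1]], PORTS[tok[-1]])
    elif tok:
        icmp = tok[0]               # ICMP message-type keyword
    return action, proto, src, dst, ports, icmp

def addr_match(ip, spec):
    # Wildcard bits are "don't care": force them to 1 on both sides, then compare.
    return (int(ipaddress.ip_address(ip)) | spec[1]) == (spec[0] | spec[1])

def interesting(acl, proto, src, dst, dport=None, icmp=None):
    """True if the first matching line permits the packet (interesting to the dialer)."""
    for action, p, s, d, ports, icmp_kw in map(parse, acl):
        if p not in ("ip", proto) or not addr_match(src, s) or not addr_match(dst, d):
            continue
        if ports and not (dport is not None and ports[0] <= dport <= ports[1]):
            continue
        if icmp_kw and icmp_kw != icmp:
            continue
        return action == "permit"
    return False                    # implicit deny at the end of every ACL
if __name__ == "__main__":
    print(interesting(ACL_100, "udp", CLIENT, VPN, 500), interesting([SUGGESTED] + ACL_100, "udp", CLIENT, VPN, 500))
```

With the deny line first, ESP from the client is still classified as interesting, so tunnelled user data keeps the call up while bare ISAKMP traffic no longer does.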