Solved: Re: HWIC-3G-HSPA-G and Crypto Issue?

nunnsby_2 · ‎03-15-2011

Hi There

Having problems with the HWIC-3G-HSPA-G cards and crypto tunnels. We have recently ordered the new HWIC-3G-HSPA-G cards and are suddenly seeing some very weird things across these cards, specifically wrt crypto and the card resetting constantly. We are based in South Africa, using Vodacom as a Service Provider. The cards are running on both 2801's and new 1921's. The IOS version has been changed to the latest version, 15.1(3)T on all devices. The HWIC-3G-HSPA-G card has been upgraded to Firmware: K2_0_7_19AP. We are using ip nhrp with a Tunnel config for the Crypto config.

We have a number of existing devices all 2801's with the older HWIC-3G-GSM cards, and they are working fine. Once the Tunnel is up on the GSM card, the link will stay up indefinitely. A simple 5000 repeat ping to the head end tunnel is 100% successful. No problems at all.

However, running the HWIC-3G-HSPA-G card, the tunnel comes up, but will periodically reset. I am seeing the following errors in the logs:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

*Mar 15 19:39:02.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down

*Mar 15 19:39:02.591: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF.

*Mar 15 19:39:04.591: %LINK-5-CHANGED: Interface Cellular0/3/0, changed state to reset...

*Mar 15 19:39:09.591: %LINK-3-UPDOWN: Interface Cellular0/3/0, changed state to down......

*Mar 15 19:39:22.603: %LINK-3-UPDOWN: Interface Cellular0/3/0, changed state to up..

*Mar 15 19:39:25.315: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON...

*Mar 15 19:39:32.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up.!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

This happens sporadically, for no reason. There is no issue on the head-end or anything else.

I can however ping an Internet Address just fine 100%. so it is purely a Crypto Problem with respect to the operation on the Card, and this same thing happens across multiple platforms running that card.

It appears the Tunnel breaks, then the Crypto gets torn down, not specifically the other way around.

Any ideas? Any debugs I can do to troubleshoot the cause of the issue.

Regards

mavespig · ‎03-15-2011

Hi Richard,

I'm not a VPN expert, so I can comment only on the 3G part here.

It seems from the logs that the card went down, causing the tunnel to go down as well.

One thing that would help is to test the cellular link without any additional vpn/tunnel over it. For example, if you have a router were you can do some tests, let it run with just the 3G configuration, and check if the interface remains always up.

I'd also suggest to capture a "show cellular x/x/x all" while the link is up and right after a reset.

You can also enable the following debugs, to see why the card got disconnected:

- deb ppp nego

- deb dialer

- deb chat

Hope this helps

Marco

View solution in original post

mavespig · ‎03-15-2011

Hi Richard,

I'm not a VPN expert, so I can comment only on the 3G part here.

It seems from the logs that the card went down, causing the tunnel to go down as well.

One thing that would help is to test the cellular link without any additional vpn/tunnel over it. For example, if you have a router were you can do some tests, let it run with just the 3G configuration, and check if the interface remains always up.

I'd also suggest to capture a "show cellular x/x/x all" while the link is up and right after a reset.

You can also enable the following debugs, to see why the card got disconnected:

- deb ppp nego

- deb dialer

- deb chat

Hope this helps

Marco

nunnsby_2 · ‎03-17-2011

Thanks Marco,

Right Answer! I had missed an idle-timeout 0 setting, and the ICMP was not seen as interesting traffic, so was tearing down the link.

Many thanks for your help.

Regards

ted reese · ‎11-13-2012

Hi Richard,

By setting the idle-timeout 0 the dialer won't dial out if the provider has maintenace. Just FYI.

Thank you.