L2TP VPN To Private Internet Access flapping (up and down every 30 mins)

aprathore
Level 1

Hi All,

I have a very simple configuration of an L2TP tunnel to a VPN provider.

The source is an internal IP (192.168.0.X) and the destination is the VPN provider's server.

I have done policy-based routing where only one VLAN's traffic goes via the VPN Virtual-PPP1 interface.

All other traffic goes straight to my internet provider.

I have the tunnel and routing working, but my interface Virtual-PPP1 is flapping (UP/DOWN) every 30 mins for 5-10 seconds. It does this precisely every 30 mins.

 

 

Some logs:

*Nov 8 22:09:22.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down
*Nov 8 22:09:26.507: Vp1 PPP: Using default call direction
*Nov 8 22:09:26.507: Vp1 PPP: Treating connection as a dedicated line
*Nov 8 22:09:26.507: Vp1 PPP: Session handle[BC000005] Session id[1]
*Nov 8 22:09:28.579: Vp1 MS-CHAP-V2: I CHALLENGE id 45 len 26 from "l2tpd"
*Nov 8 22:09:28.579: Vp1 PPP: Sent MSCHAP_V2 SENDAUTH Request
*Nov 8 22:09:28.579: Vp1 PPP: Received SENDAUTH Response FAIL
*Nov 8 22:09:28.579: Vp1 MS CHAP V2: Using hostname from interface CHAP
*Nov 8 22:09:28.579: Vp1 MS CHAP V2: Using password from interface CHAP
*Nov 8 22:09:28.579: Vp1 MS-CHAP-V2: O RESPONSE id 45 len 62 from "x6531XXX"
*Nov 8 22:09:28.691: Vp1 MS-CHAP-V2: I SUCCESS id 45 len 46 msg is "S=AAFD623651341545757AE9CACB249F853B58ACA0"
*Nov 8 22:09:28.691: Vp1 MS CHAP V2 No Password found for : l2tpd
*Nov 8 22:09:28.691: Vp1 MS CHAP V2 Check AuthenticatorResponse Success for : x653XXX
*Nov 8 22:09:28.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up

 

*Nov 8 22:05:43.815: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 179 seconds
*Nov 8 22:05:43.815: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.0.100:4500, remote= 46.166.188.203:4500,
local_proxy= 192.168.0.100/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x3B09B975(990493045), conn_id= 0, keysize= 256, flags= 0x0
*Nov 8 22:05:43.815: ISAKMP: set new node 0 to QM_IDLE
*Nov 8 22:05:43.815: SA has outstanding requests (local 3.150.7.176 port 4500, remote 3.150.7.148 port 4500)
*Nov 8 22:05:43.815: ISAKMP:(2001): sitting IDLE. Starting QM immediately (QM_IDLE )
*Nov 8 22:05:43.815: ISAKMP:(2001):beginning Quick Mode exchange, M-ID of 1107052943
*Nov 8 22:05:43.815: ISAKMP:(2001):QM Initiator gets spi
*Nov 8 22:05:43.815: ISAKMP:(2001): sending packet to 46.166.188.203 my_port 4500 peer_port 4500 (I) QM_IDLE
*Nov 8 22:05:43.815: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Nov 8 22:05:43.815: ISAKMP:(2001):Node 1107052943, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Nov 8 22:05:43.815: ISAKMP:(2001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Nov 8 22:05:43.839: ISAKMP (2001): received packet from 46.166.188.203 dport 4500 sport 4500 Global (I) QM_IDLE
*Nov 8 22:05:43.839: ISAKMP:(2001): processing HASH payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001): processing SA payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001):Checking IPSec proposal 1
*Nov 8 22:05:43.839: ISAKMP: transform 1, ESP_AES
*Nov 8 22:05:43.839: ISAKMP: attributes in transform:
*Nov 8 22:05:43.839: ISAKMP: key length is 256
*Nov 8 22:05:43.839: ISAKMP: authenticator is HMAC-SHA
*Nov 8 22:05:43.839: ISAKMP: encaps is 4 (Transport-UDP)
*Nov 8 22:05:43.839: ISAKMP: SA life type in seconds
*Nov 8 22:05:43.839: ISAKMP: SA life duration (basic) of 3600
*Nov 8 22:05:43.839: ISAKMP: SA life type in kilobytes
*Nov 8 22:05:43.839: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Nov 8 22:05:43.839: ISAKMP:(2001):atts are acceptable.
*Nov 8 22:05:43.839: IPSEC(validate_proposal_request): proposal part #1
*Nov 8 22:05:43.839: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.0.100:0, remote= 46.166.188.203:0,
local_proxy= 94.4.186.72/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701,
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Nov 8 22:05:43.839: Crypto mapdb : proxy_match
src addr : 192.168.0.100
dst addr : 46.166.188.203
protocol : 17
src port : 0
dst port : 1701
*Nov 8 22:05:43.839: ISAKMP:(2001): processing NONCE payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001): processing ID payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:(2001): processing ID payload. message ID = 1107052943
*Nov 8 22:05:43.839: ISAKMP:received payload type 21
*Nov 8 22:05:43.839: ISAKMP:received payload type 21
*Nov 8 22:05:43.839: ISAKMP:(2001):Node 1107052943, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Nov 8 22:05:43.839: ISAKMP:(2001):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Nov 8 22:05:43.843: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Nov 8 22:05:43.843: Crypto mapdb : proxy_match
src addr : 192.168.0.100
dst addr : 46.166.188.203
protocol : 17
src port : 0
dst port : 1701
*Nov 8 22:05:43.843: IPSEC(crypto_ipsec_create_ipsec_sas): Map found PIA_VPN
*Nov 8 22:05:43.843: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.0.100, sa_proto= 50,
sa_spi= 0xC7ACCBD2(3349990354),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 7
sa_lifetime(k/sec)= (4608000/3600)
*Nov 8 22:05:43.843: IPSEC(create_sa): sa created,
(sa) sa_dest= 46.166.188.203, sa_proto= 50,
sa_spi= 0xC8686DCD(3362287053),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 8
sa_lifetime(k/sec)= (4608000/3600)
*Nov 8 22:05:43.843: IPSEC(update_current_outbound_sa): updated peer 46.166.188.203 current outbound sa to SPI C8686DCD
*Nov 8 22:05:43.843: IPSEC: Expand action denied, notify RP
*Nov 8 22:05:43.843: ISAKMP: Failed to find peer index node to update peer_info_list
*Nov 8 22:05:43.843: ISAKMP:(2001):Received IPSec Install callback... proceeding with the negotiation
*Nov 8 22:05:43.843: ISAKMP:(2001): sending packet to 46.166.188.203 my_port 4500 peer_port 4500 (I) QM_IDLE
*Nov 8 22:05:43.843: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Nov 8 22:05:43.843: ISAKMP:(2001):deleting node 1107052943 error FALSE reason "No Error"
*Nov 8 22:05:43.843: ISAKMP:(2001):Node 1107052943, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Nov 8 22:05:43.843: ISAKMP:(2001):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
*Nov 8 22:05:45.863: IPSEC(update_current_outbound_sa): updated peer 46.166.188.203 current outbound sa to SPI C8686DCD
*Nov 8 22:05:45.863: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 192.168.0.100, sa_proto= 50,
sa_spi= 0x3B09B975(990493045),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 5
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 192.168.0.100:0, remote= 46.166.188.203:0,
local_proxy= 192.168.0.100/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701
*Nov 8 22:05:45.863: IPSEC(update_current_outbound_sa): updated peer 46.166.188.203 current outbound sa to SPI C8686DCD
*Nov 8 22:05:45.863: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 46.166.188.203, sa_proto= 50,
sa_spi= 0xCFEF1AFA(3488553722),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 6
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 192.168.0.100:0, remote= 46.166.188.203:0,
local_proxy= 192.168.0.100/255.255.255.255/17/0,
remote_proxy= 46.166.188.203/255.255.255.255/17/1701
*Nov 8 22:05:45.863: ISAKMP: set new node -1268993664 to QM_IDLE
*Nov 8 22:05:45.863: ISAKMP:(2001): sending packet to 46.166.188.203 my_port 4500 peer_port 4500 (I) QM_IDLE
*Nov 8 22:05:45.863: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Nov 8 22:05:45.863: ISAKMP:(2001):purging node -1268993664
*Nov 8 22:05:45.863: ISAKMP:(2001):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Nov 8 22:05:45.863: ISAKMP:(2001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
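The two log excerpts above invite one check that a practitioner would want before touching the config: measure the flap period exactly, and see what happens in the minutes before each drop. The script below is an added example, not something from the original post or from Cisco. It pairs each LINEPROTO "down" with the following "up" on the same interface, reports outage lengths and the gap between drops, tests that gap against an expected period (1800 s, the 30 minutes observed here and the value in the "dialer idle-timeout 1800" question further down), lists the IPSEC(lifetime_expiry) events in the window before each drop, and decodes the byte-wise "SA life duration (VPI)" value from the ISAKMP debug. SAMPLE_LOG is constructed: the first down/up pair, the lifetime line and the VPI line are the poster's; the later events are invented at 30-minute spacing to exercise the periodicity check. The year passed to parse_ts is an assumption, since IOS timestamps carry none.

```python
"""Correlate Cisco IOS log lines to characterise a tunnel that flaps on a schedule.

Added example (not part of the original post). SAMPLE_LOG is constructed: the
first three event lines come from the post, the rest are invented at 30-minute
spacing so the periodicity check has something to measure.
"""
import re
from datetime import datetime

TS = r"\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+):"
LINEPROTO_RE = re.compile(
    TS + r" %LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<intf>\S+), "
         r"changed state to (?P<state>up|down)"
)
LIFETIME_RE = re.compile(TS + r" IPSEC\(lifetime_expiry\)")
VPI_RE = re.compile(r"SA life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+ ?)+)")

SAMPLE_LOG = """\
*Nov 8 22:05:43.815: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 179 seconds
*Nov 8 22:05:43.839: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Nov 8 22:09:22.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down
*Nov 8 22:09:28.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up
*Nov 8 22:35:44.102: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 179 seconds
*Nov 8 22:39:22.300: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down
*Nov 8 22:39:29.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up
*Nov 8 23:05:43.977: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 179 seconds
*Nov 8 23:09:22.150: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to down
*Nov 8 23:09:30.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-PPP1, changed state to up
"""


def parse_ts(ts, year=2000):
    # IOS timestamps carry no year; the year is an assumption so arithmetic works.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")


def flap_events(lines):
    """Return (interface, down_time, up_time) for every down followed by an up."""
    pending, events = {}, []
    for line in lines:
        m = LINEPROTO_RE.search(line)
        if not m:
            continue
        ts, intf = parse_ts(m["ts"]), m["intf"]
        if m["state"] == "down":
            pending[intf] = ts
        elif intf in pending:
            events.append((intf, pending.pop(intf), ts))
    return events


def flap_summary(lines):
    """Per interface: outage lengths and gaps between successive downs, in seconds."""
    summary, last_down = {}, {}
    for intf, down, up in flap_events(lines):
        s = summary.setdefault(intf, {"outages_s": [], "intervals_s": []})
        s["outages_s"].append(round((up - down).total_seconds(), 3))
        if intf in last_down:
            s["intervals_s"].append(round((down - last_down[intf]).total_seconds(), 3))
        last_down[intf] = down
    return summary


def is_periodic(intervals_s, period_s=1800, tolerance_s=30):
    """True when every gap between drops sits within tolerance of the period."""
    return bool(intervals_s) and all(abs(i - period_s) <= tolerance_s for i in intervals_s)


def rekeys_before(lines, down_time, window_s=600):
    """IPSEC(lifetime_expiry) timestamps in the window leading up to a drop."""
    hits = []
    for line in lines:
        m = LIFETIME_RE.search(line)
        if m:
            ts = parse_ts(m["ts"])
            if 0 <= (down_time - ts).total_seconds() <= window_s:
                hits.append(ts)
    return hits


def decode_vpi_lifetime(line):
    """Decode 'SA life duration (VPI) of 0x0 0x46 0x50 0x0' (one byte per token,
    big-endian) into the integer IOS later prints as the kilobyte lifetime."""
    m = VPI_RE.search(line)
    if not m:
        return None
    return int.from_bytes(bytes(int(t, 16) for t in m[1].split()), "big")


def report(log=SAMPLE_LOG):
    """Human-readable lines: one per interface, one per drop, one per VPI value."""
    lines, out = log.splitlines(), []
    for intf, s in flap_summary(lines).items():
        out.append(f"{intf}: outages {s['outages_s']} s, gaps {s['intervals_s']} s, "
                   f"30-min periodic: {is_periodic(s['intervals_s'])}")
    for intf, down, _ in flap_events(lines):
        out.append(f"  {intf} down at {down.time()}; rekeys in prior 10 min: "
                   f"{[t.time().isoformat() for t in rekeys_before(lines, down)]}")
    for line in lines:
        v = decode_vpi_lifetime(line)
        if v is not None:
            out.append(f"  VPI lifetime attribute decodes to {v} kB")
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it against a `debug crypto ipsec` / `debug ppp negotiation` capture saved to a file instead of SAMPLE_LOG; a gap that stays within a few seconds of 1800 across many cycles points at a timer rather than at a routing or load problem, and the rekey list tells you whether an IPsec SA expiry sits inside every pre-drop window or only in some.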

10 Replies

Hi @aprathore

Can you share your config or verify whether the command "dialer idle-timeout 1800" is in place?

-If I helped you somehow, please, rate it as useful.-

Hi,

My config below:

pseudowire-class PIA_L2TP
encapsulation l2tpv2
ip local interface Vlan100
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key mysafety address 46.166.188.203 !PIVPN IP
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
mode transport
!
!
!
crypto map PIA_VPN 10 ipsec-isakmp
set peer 46.166.188.203
set transform-set ESP-AES256-SHA1
match address PIA_EAST_US
!
!
!
!
!
interface Loopback0
no ip address
!
interface Cellular0
no ip address
encapsulation slip
!
interface FastEthernet0
description ***Internet CONNECTION****
switchport access vlan 100
no ip address
duplex full
speed 100
crypto map PIA_VPN
!
interface FastEthernet1
switchport access vlan 205
switchport trunk native vlan 205
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport access vlan 205
no ip address
no cdp enable
!
interface FastEthernet3
switchport access vlan 305
switchport mode trunk
no ip address
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.205
encapsulation dot1Q 999 native
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Virtual-PPP1
description Tunnel to PIA EAST US
ip address negotiated
ip nat outside
ip virtual-reassembly in
keepalive 30
ppp eap refuse
ppp chap hostname XXXXXXX
ppp chap password 0 XXXXXX
ppp ipcp address accept
no cdp enable
pseudowire 46.166.188.203 1 pw-class PIA_L2TP
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.0.100 255.255.255.0
ip nat outside
ip virtual-reassembly in
crypto map PIA_VPN
!
interface Vlan205
description home_lan
ip address 20.20.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
!
interface Vlan305
ip address 30.30.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
!
interface Vlan999
description managment vlan
ip address 90.90.90.1 255.255.255.0
ip policy route-map PBR
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source route-map PIA interface Virtual-PPP1 overload
ip nat inside source route-map SKY interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 46.166.188.203 255.255.255.255 192.168.0.1
ip route 192.168.0.0 255.255.255.0 192.168.0.1
!
ip access-list extended PIA_EAST_US
permit udp host 192.168.0.100 host 46.166.188.203
permit tcp host 192.168.0.100 host 46.166.188.203
!
access-list 10 permit 20.20.20.0 0.0.0.255
access-list 20 permit 30.30.30.0 0.0.0.255
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
!
route-map PBR permit 10
match ip address 10
set ip next-hop 10.10.1.1
!
route-map PBR permit 30
match ip address 20 101
set ip next-hop 192.168.0.1
!
route-map SKY permit 10
match ip address 20 101
match interface Vlan100
!
route-map PIA permit 10
match ip address 10
match interface Virtual-PPP1

Hi @aprathore

One thing that doesn't look good is this:

ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1

When you have two default routes, the router will load balance between them and this can cause problems.


Understood, but if you look at my route-maps I am doing policy-based routing where I set the next-hop address.

I want to route VLAN 305 via the VPN tunnel (10.10.1.1) and all others via the ISP (192xxxx).

What do you think the solution might be then?

Thanks


You could add a static route instead of the default route:

ip route 30.30.30.0 255.255.255.0 10.10.1.1

and keep the default route for 192xxxx



30.30.30.1 is the source network, not the destination network.

ip route destination_network_# [subnet_mask] IP_address_of_next_hop_neighbor [administrative_distance] [permanent]

destination_network_# [subnet_mask]

This is the first parameter. It specifies the destination network address. We need to provide the subnet mask if we are using a sub-network. Sub-networks are the smaller networks created from one large network in subnetting. If we are not using a sub-network then we can omit the subnet mask value. It will be parsed automatically.

You're right. I made a mistake in considering 30.30.30.0 as the destination.

In this case you are probably going to need source routing so that you can tell the router: when the source is this, send to that.

Let me see how I can help with that.


Yes, and I already have that in the route-map where I add the next hop per VLAN.

So that is in place; not sure if there is something else which is dropping the connection.

So when you say you have the route-map in place... are you using PBR? You would use an ACL to match the traffic that you want and set the next-hop value in the route-map. You need to make sure you have that applied to the ingress interface... so if you have SVIs for your VLANs, then you'd do something like

int vlan 333
  ip policy route-map blahblah

Note that I'm doing this from memory and this would be the config for a router. If you're using an ASA I know there's something in the GUI to set up PBR.

On another note... I wouldn't think routing would make your tunnel drop every 30 minutes. If there was a routing issue, it wouldn't be noticed in such a steady pattern.

After I posted that, I realized your config was up there. Your config looks fine.

Hopefully you never need to access a public website on the 20.20.20.0/24, 30.30.30.0/24, or 90.90.90.0/24 subnets.

Setting a lifetime on your isakmp policy might do something. Might not.
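The two config-review points raised in this thread (LAN subnets carved out of public address space, and two static default routes of equal cost) are the kind of thing a short static check catches before anyone starts chasing timers. The script below is an added example, not code from the thread or from Cisco. It splits an IOS config into interface stanzas and global lines and reports, from what is visible in the posted config: public (non-RFC 1918) address space on the LAN SVIs, more than one static default route, and two further findings the thread does not raise but the config shows, a type-0 (cleartext) password on `ppp chap password 0` and `ip http server` left on while `ip http secure-server` is off. CONFIG is an excerpt of the poster's config, reduced to the lines the checks look at and indented the way IOS prints it.

```python
"""Static checks over a Cisco IOS running-config.

Added example (not from the thread). CONFIG is an excerpt of the posted config,
reduced to the lines these checks read and indented as IOS prints it.
"""
import ipaddress
import re

CONFIG = """\
interface Virtual-PPP1
 description Tunnel to PIA EAST US
 ip address negotiated
 ip nat outside
 ppp chap hostname XXXXXXX
 ppp chap password 0 XXXXXX
!
interface Vlan100
 ip address 192.168.0.100 255.255.255.0
 ip nat outside
!
interface Vlan205
 description home_lan
 ip address 20.20.20.1 255.255.255.0
 ip nat inside
!
interface Vlan305
 ip address 30.30.30.1 255.255.255.0
 ip nat inside
!
interface Vlan999
 description managment vlan
 ip address 90.90.90.1 255.255.255.0
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 46.166.188.203 255.255.255.255 192.168.0.1
"""


def parse_interfaces(config):
    """Map each 'interface NAME' stanza to its stripped sub-lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the stanza
    return stanzas


def public_lan_subnets(stanzas):
    """(interface, network) for every static address outside RFC 1918 space."""
    found = []
    for name, lines in stanzas.items():
        for l in lines:
            m = re.fullmatch(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", l)
            if m:
                net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                if not net.is_private:
                    found.append((name, str(net)))
    return found


def default_route_next_hops(config):
    """Next hops of every static default route, in config order."""
    return [l.split()[4] for l in config.splitlines()
            if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]


def type0_passwords(stanzas):
    """Interface lines that store a secret as type 0, i.e. cleartext."""
    return [(name, l) for name, lines in stanzas.items()
            for l in lines if re.search(r"\bpassword 0 \S", l)]


def http_management(config):
    """True when the plain HTTP server is on and the HTTPS server is not."""
    lines = {l.strip() for l in config.splitlines()}
    return "ip http server" in lines and "ip http secure-server" not in lines


def audit(config=CONFIG):
    """Return one finding string per condition detected."""
    stanzas = parse_interfaces(config)
    findings = [f"{name}: {net} is public address space; hosts on it can never reach the real {net}"
                for name, net in public_lan_subnets(stanzas)]
    hops = default_route_next_hops(config)
    if len(hops) > 1:
        findings.append(f"{len(hops)} static default routes ({', '.join(hops)}): "
                        "equal cost, traffic is shared between them")
    findings += [f"{name}: '{l}' stores the secret as type 0 (cleartext)"
                 for name, l in type0_passwords(stanzas)]
    if http_management(config):
        findings.append("ip http server on, ip http secure-server off: management over plain HTTP")
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f)
```

Feed it the output of `show running-config` saved to a file in place of CONFIG; the subnet check uses `ipaddress.ip_network(...).is_private`, so any LAN whose prefix collides with routable space shows up whether or not it is the one being policy-routed.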
