10-31-2013 01:31 PM - edited 03-07-2019 04:21 PM
I've got a few remote sites running the below config; they stay connected over PPPoE, but the VPN tunnel keeps dropping, or flaps up and down and ultimately stabilises or drops.
Where have I gone wrong?
Show version:
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
Config:
Current configuration : 3666 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ITTest
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret PASSWORD
enable password PASSWORD
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
ip source-route
!
!
ip cef
ip domain name gratte.com
ip name-server 172.20.0.221
ip name-server 172.20.0.222
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key PRESHAREDKEY address XXX.XXX.XXX.XXX no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
set transform-set 3DESSHA
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel0
description --- IPSec Tunnel to KX ---
ip address 172.29.0.1 255.255.255.252
ip ospf mtu-ignore
load-interval 30
tunnel source Dialer0
tunnel destination XXX.XXX.XXX.XXX
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 172.29.0.10 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname USERNAME
ppp chap password PASSWORD
ppp pap sent-username USERNAME password PASSWORD
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.29.0.0 255.255.0.0 Vlan1
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 deny ip 172.29.0.0 0.0.255.255 172.16.0.0 0.0.240.255
access-list 100 permit ip 172.29.0.0 0.0.255.255 any
!
!
!
snmp-server community public RO
!
control-plane
!
!
line con 0
password PASSWORD
login
no modem enable
line aux 0
line vty 0 4
password PASSWORD
login
!
scheduler max-task-time 5000
ntp server 172.20.0.221
ntp server 172.20.0.222
end
When I originally made this config, I was familiar with Cisco switches and had to learn all the router stuff.
Now that I have more knowledge, I've tried to make a new config; the problem with that is I can't even get the VPN tunnel up to start with. That config is below (same h/w and f/w):
ITTest#show run
Building configuration...
Current configuration : 6053 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname ITTest
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 10240
logging console critical
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 172.30.58.1 172.30.58.99
!
ip dhcp pool dhcppool
import all
network 172.30.58.0 255.255.255.0
default-router 172.30.58.1
dns-server 172.30.58.1 172.20.0.221 172.20.0.222
domain-name gratte.com
lease 7
update arp
!
!
ip cef
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
no ip bootp server
no ip domain lookup
ip domain name gratte.com
ip name-server 172.20.0.121
ip name-server 172.20.0.120
!
!
!
!
file verify auto
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key PRESHAREDKEY address XXX.XXX.XXX.XXX no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto map cm-cryptomap 110 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set 3DESSHA
match address 110
!
archive
log config
hidekeys
path flash:config
write-memory
!
!
ip tcp selective-ack
ip tcp timestamp
!
!
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 172.30.58.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip mtu 1492
ip inspect firewall out
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname USERNAME
ppp chap password PASSWORD
ppp ipcp dns request
ppp ipcp route default
crypto map cm-cryptomap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat pool pool1 172.30.58.0 172.30.59.0 netmask 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 105 interface Dialer0 overload
!
access-list 1 permit 172.30.58.0 0.0.0.255
access-list 1 remark The local LAN.
access-list 2 remark Where management can be done from.
access-list 2 permit 172.30.58.0 0.0.0.255
access-list 2 permit 172.20.0.0 0.0.255.255
access-list 3 remark Traffic not to check for intrustion detection.
access-list 3 deny 172.20.0.0 0.0.0.255
access-list 3 permit any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 172.20.0.0 0.0.0.255 172.30.58.0 0.0.0.255
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 172.30.58.1
access-list 102 deny ip any host 172.30.58.255
access-list 102 deny udp any any eq tftp log
access-list 102 permit ip 172.30.58.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 172.30.58.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 105 remark Traffic to NAT
access-list 105 deny ip 172.30.58.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 105 permit ip 172.30.58.0 0.0.0.255 any
access-list 110 remark Site to Site VPN
access-list 110 permit ip 172.30.58.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 110 deny ip 172.30.58.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
snmp-server community blooby RW
snmp-server community public RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end
Any suggestions on either the above configs would be greatly appreciated!
Thanks!
-Damo.
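As an added example (not part of the original post or either config above): a small Python script that splits an IOS running-config into top-level blocks and sub-mode lines and flags the points a reviewer would raise on these two configs, namely NAT overload bound to an interface that is not marked `ip nat outside`, a reversible `enable password` kept alongside `enable secret`, `ip source-route` left enabled, default or read-write SNMP community names, vty lines protected only by a shared line password, and an IKEv1 policy built on 3DES and DH group 2. The sample config is constructed from the first (VTI) config's lines with the one-space indentation that `show run` normally emits restored; the peer address stays elided exactly as in the thread. The check names and messages are this example's own.

```python
import re

# Constructed sample: the security-relevant lines of the first (VTI) config
# posted in this thread, with the one-space indentation "show run" emits for
# sub-mode commands restored; the peer address stays elided as in the thread.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname ITTest
enable secret PASSWORD
enable password PASSWORD
ip source-route
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHAREDKEY address XXX.XXX.XXX.XXX no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
interface Tunnel0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN
interface FastEthernet0
interface Vlan1
 ip address 172.29.0.10 255.255.255.252
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
ip nat inside source list 100 interface FastEthernet0 overload
snmp-server community public RO
line vty 0 4
 password PASSWORD
 login
"""

WEAK_ENCR = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
DEFAULT_COMMUNITIES = {"public", "private"}
NAT_OVERLOAD_RE = re.compile(r"^ip nat inside source list \S+ interface (\S+) overload$")


def parse_blocks(config):
    """Split an IOS config into (top-level line, [sub-mode lines]) pairs.
    'show run' indents sub-mode commands by one space; '!' separators and
    blank lines are dropped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _sub(subs, keyword, default):
    """Argument of the first sub-mode line starting with keyword, else the IOS default."""
    for s in subs:
        if s.startswith(keyword + " "):
            return s.split()[1]
    return default


def audit(config):
    """Return a list of findings (strings); an empty list means no check fired."""
    blocks = parse_blocks(config)
    top = [h for h, _ in blocks]
    interfaces = {h.split()[1]: subs for h, subs in blocks if h.startswith("interface ")}
    findings = []

    if any(h.startswith("enable password ") for h in top):
        findings.append("enable password: reversible type-7 password configured; keep only 'enable secret'")
    if "ip source-route" in top:
        findings.append("ip source-route: source-routed packets are honoured; set 'no ip source-route'")

    for h, subs in blocks:
        if h.startswith("crypto isakmp policy"):
            # IOS defaults for an ISAKMP policy are DES, SHA-1 and DH group 1.
            encr, group, hsh = _sub(subs, "encr", "des"), _sub(subs, "group", "1"), _sub(subs, "hash", "sha")
            if encr in WEAK_ENCR or group in WEAK_DH_GROUPS or hsh == "md5":
                findings.append(f"{h}: weak IKEv1 proposal (encr {encr}, hash {hsh}, group {group})")
        elif h.startswith("snmp-server community"):
            parts = h.split()
            name = parts[2]
            mode = "RW" if any(p.upper() == "RW" for p in parts[3:]) else "RO"
            if mode == "RW" or name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp-server community '{name}' {mode}: default name or write access reachable from the WAN")
        elif h.startswith("line vty"):
            if "login" in subs and "login local" not in subs:
                findings.append(f"{h}: shared line password with 'login'; use 'login local' or AAA and 'transport input ssh'")

    for h in top:
        m = NAT_OVERLOAD_RE.match(h)
        if m and "ip nat outside" not in interfaces.get(m.group(1), []):
            findings.append(f"NAT overload uses {m.group(1)}, which is not marked 'ip nat outside'; the overload address must come from the outside interface")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
```

Run against the sample it prints six findings; the NAT one is the item most likely to matter for traffic not destined for the tunnel, since FastEthernet0 here is a switchport with no IP address and the WAN address lives on Dialer0. The script only looks at a config file, so it says nothing about whether the line or the peer is the reason the tunnel flaps.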
10-31-2013 02:28 PM
All this time and your DSL link stays up?
Can you post the output to the command "sh dsl atm"?
10-31-2013 03:36 PM
Yes, I had to reload the router earlier to bring the VPN back up, but both DSL and VPN are up currently in the example below:
ITTest#show dsl int atm0
ATM0
Alcatel 20190 chipset information
ATU-R (DS) ATU-C (US)
Modem Status: Showtime (DMTDSL_SHOWTIME)
DSL Mode: ITU G.992.3 (ADSL2) Annex A
ITU STD NUM: 0x03 0x2
Chip Vendor ID: 'STMI' 'IFTN'
Chip Vendor Specific: 0x0000 0x71C8
Chip Vendor Country: 0x0F 0xB5
Modem Vendor ID: 'CSCO' ' '
Modem Vendor Specific: 0x0000 0x0000
Modem Vendor Country: 0xB5 0x00
Serial Number Near: FCZ1519C4H 877-K9 12.4
Serial Number Far: Chip ID: C196P (1)
DFE BOM: DFE3.0 Annex A (1)
Capacity Used: 99% 100%
Noise Margin: 3.0 dB 6.0 dB
Output Power: 18.0 dBm 12.5 dBm
Attenuation: 49.0 dB 27.0 dB
FEC ES Errors: 0 0
ES Errors: 757 0
SES Errors: 9 0
LOSES Errors: 1 0
UES Errors: 0 0
Defect Status: None None
Last Fail Code: None
Watchdog Counter: 0x48
Watchdog Resets: 0
Selftest Result: 0x00
Subfunction: 0x00
Interrupts: 23931 (0 spurious)
PHY Access Err: 0
Activations: 1
LED Status: ON
LED On Time: 100
LED Off Time: 100
Init FW: init_3.0.33_nobist.bin
Operation FW: AMR-3.0.033.bin
FW Source: external
FW Version: 3.0.33
DS Channel1 DS Channel0 US Channel1 US Channel0
Speed (kbps): 0 2255 0 996
Cells: 0 6223653 0 119336458
Reed-Solomon EC: 0 0 0 0
CRC Errors: 0 1086 0 0
Header Errors: 0 588 0 0
Total BER: 0E-0 8389E-10
Leakage Average BER: 0E-0 3688E-10
Interleave Delay: 0 13 0 63
ATU-R (DS) ATU-C (US)
Bitswap: enabled enabled
Bitswap success: 0 0
Bitswap failure: 0 0
LOM Monitoring : Disabled
DMT Bits Per Bin
000: 0 0 0 0 0 0 6 8 9 A B C C C C C
010: C C C B B B B B A A A A A 9 8 7
020: 0 6 7 7 7 7 7 7 7 7 7 7 6 7 6 6
030: 6 5 5 5 5 5 6 6 6 5 5 6 5 5 5 6
040: 5 6 5 5 6 5 5 6 5 6 6 6 6 6 6 6
050: 7 7 7 7 7 8 8 8 8 8 2 8 8 7 7 7
060: 7 6 6 6 6 5 5 5 4 4 4 4 4 2 2 2
070: 2 2 2 2 2 2 2 2 2 2 1 1 1 0 0 0
080: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
090: 0 0 0 0 1 1 1 1 0 2 2 2 2 2 2 2
0A0: 2 2 2 2 2 2 3 4 4 4 4 4 5 5 5 5
0B0: 5 5 5 5 5 5 5 5 4 4 4 4 4 4 4 2
0C0: 2 2 2 2 1 0 0 0 0 0 0 0 0 0 0 0
0D0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0E0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0F0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
DSL: Training log buffer capability is not enabled
10-31-2013 03:52 PM
Attenuation: 49.0 dB 27.0 dB
Noise Margin: 3.0 dB 6.0 dB
Your issue, I believe, has got nothing to do with your router. Your Attenuation is too high (20.0 dB and lower). Noise Margin is no better.
10-31-2013 04:04 PM
This is another router on an entirely different site, show dsl int atm0 output is:
StGeorgesDATA#show dsl int atm0
ATM0
Alcatel 20190 chipset information
ATU-R (DS) ATU-C (US)
Modem Status: Showtime (DMTDSL_SHOWTIME)
DSL Mode: ITU G.992.5 (ADSL2+) Annex A
ITU STD NUM: 0x03 0x2
Chip Vendor ID: 'STMI' 'IFTN'
Chip Vendor Specific: 0x0000 0x71C8
Chip Vendor Country: 0x0F 0xB5
Modem Vendor ID: 'CSCO' ' '
Modem Vendor Specific: 0x0000 0x0000
Modem Vendor Country: 0xB5 0x00
Serial Number Near: FCZ160290S 877-M-K9 12.4
Serial Number Far: Chip ID: C196P (1) capability-enabled
DFE BOM: DFE3.0 Annex M (3)
Capacity Used: 97% 99%
Noise Margin: 3.0 dB 7.0 dB
Output Power: 20.0 dBm 11.0 dBm
Attenuation: 20.0 dB 5.0 dB
FEC ES Errors: 0 28474
ES Errors: 0 7
SES Errors: 0 1
LOSES Errors: 0 1
UES Errors: 0 0
Defect Status: None None
Last Fail Code: None
Watchdog Counter: 0x4E
Watchdog Resets: 0
Selftest Result: 0x00
Subfunction: 0x00
Interrupts: 24585 (0 spurious)
PHY Access Err: 0
Activations: 1
LED Status: ON
LED On Time: 100
LED Off Time: 100
Init FW: init_3.0.33_nobist.bin
Operation FW: AMR-3.0.033.bin
FW Source: external
FW Version: 3.0.33
DS Channel1 DS Channel0 US Channel1 US Channel0
Speed (kbps): 0 18825 0 1242
Cells: 0 96888503 0 150258020
Reed-Solomon EC: 0 42660 0 77263
CRC Errors: 0 7 0 7
Header Errors: 0 4 0 84
Total BER: 0E-0 5591E-12
Leakage Average BER: 0E-0 1762E-13
ATU-R (DS) ATU-C (US)
Bitswap: enabled enabled
LOM Monitoring : Disabled
DMT Bits Per Bin
Not able to get complete DMT bin information. Please retry "show dsl" after few seconds.
DSL: Training log buffer capability is not enabled
Attenuation is much lower; what would you say in response to the above? Or do they both point to bad lines/too far from the exchange?
10-31-2013 08:47 PM
Attenuation: 20.0 dB 5.0 dB
Looks good. 20.0 dB, and the lower the value the better.
Noise Margin: 3.0 dB 7.0 dB
Oops. That's not nice. Should be higher than 20 dB (the higher the value the better).
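As an added example, not part of this thread: a small Python checker that parses the counter rows of the two `show dsl int atm0` dumps posted above and turns them into findings, so the same test can be run across a fleet of remote sites instead of eyeballing each dump. The two samples are constructed from the numbers in the thread (site A is the 49 dB line, site B the 20 dB line), trimmed to the rows the checker reads. The thresholds are this example's own assumptions, not figures from the thread: ADSL modems train to a 6 dB target margin, so a steady reading below that means the line has degraded since sync, and attenuation above roughly 45 dB points at a long or faulty loop; adjust both to the ISP's line profile.

```python
import re
from dataclasses import dataclass

# Constructed samples: the counter rows of the two "show dsl int atm0" dumps
# posted in this thread, trimmed to what the checker reads.
SITE_A = """\
Modem Status: Showtime (DMTDSL_SHOWTIME)
DSL Mode: ITU G.992.3 (ADSL2) Annex A
Capacity Used: 99% 100%
Noise Margin: 3.0 dB 6.0 dB
Output Power: 18.0 dBm 12.5 dBm
Attenuation: 49.0 dB 27.0 dB
FEC ES Errors: 0 0
ES Errors: 757 0
SES Errors: 9 0
LOSES Errors: 1 0
Speed (kbps): 0 2255 0 996
CRC Errors: 0 1086 0 0
"""

SITE_B = """\
Modem Status: Showtime (DMTDSL_SHOWTIME)
DSL Mode: ITU G.992.5 (ADSL2+) Annex A
Capacity Used: 97% 99%
Noise Margin: 3.0 dB 7.0 dB
Output Power: 20.0 dBm 11.0 dBm
Attenuation: 20.0 dB 5.0 dB
FEC ES Errors: 0 28474
ES Errors: 0 7
SES Errors: 0 1
LOSES Errors: 0 1
Speed (kbps): 0 18825 0 1242
CRC Errors: 0 7 0 7
"""

# Rows whose columns are numeric; everything else (mode, status, firmware) is ignored.
COUNTER_ROWS = {"Capacity Used", "Noise Margin", "Output Power", "Attenuation", "FEC ES Errors",
                "ES Errors", "SES Errors", "LOSES Errors", "Speed (kbps)", "CRC Errors"}
ROW_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z() /-]*?):\s*(?P<vals>.*)$")
NUM_RE = re.compile(r"-?\d+(?:\.\d+)?")


def parse_dsl_status(text):
    """Map each counter row to its numeric columns. Two-column rows are
    [ATU-R/downstream, ATU-C/upstream]; channel rows are [DS ch1, DS ch0, US ch1, US ch0]."""
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("key").strip() in COUNTER_ROWS:
            stats[m.group("key").strip()] = [float(n) for n in NUM_RE.findall(m.group("vals"))]
    return stats


@dataclass(frozen=True)
class Thresholds:
    # Assumed rules of thumb (not from the thread); see the lead-in.
    min_margin_db: float = 6.0
    max_attenuation_db: float = 45.0
    max_errored_seconds: int = 100  # only meaningful for a recently reset counter


def assess_line(stats, t=Thresholds()):
    """Return a list of findings; an empty list means the physical line looks
    healthy enough that a flapping IPsec tunnel should be blamed on something else."""
    findings = []
    ds_margin, us_margin = stats["Noise Margin"][:2]
    ds_atten = stats["Attenuation"][0]
    ds_es = stats["ES Errors"][0]
    if ds_margin < t.min_margin_db:
        findings.append(f"downstream noise margin {ds_margin:.1f} dB below {t.min_margin_db:.1f} dB")
    if us_margin < t.min_margin_db:
        findings.append(f"upstream noise margin {us_margin:.1f} dB below {t.min_margin_db:.1f} dB")
    if ds_atten > t.max_attenuation_db:
        findings.append(f"downstream attenuation {ds_atten:.1f} dB above {t.max_attenuation_db:.1f} dB (long or faulty loop)")
    if ds_es > t.max_errored_seconds:
        findings.append(f"{int(ds_es)} downstream errored seconds since counters reset")
    if stats.get("LOSES Errors", [0])[0] > 0:
        findings.append("downstream loss-of-signal seconds recorded: the line has dropped sync at least once")
    return findings


if __name__ == "__main__":
    for name, dump in (("site A", SITE_A), ("site B", SITE_B)):
        print(name, assess_line(parse_dsl_status(dump)) or ["ok"])
```

The error counters are cumulative since the modem last retrained, so take two readings some minutes apart and compare the deltas rather than trusting one ES figure; a low margin with a clean error count usually means the modem is barely holding the rate it trained to, while a climbing ES count with the same margin means the line is already losing sync intermittently.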
11-01-2013 12:27 AM
So potentially I'm looking at two different issues.
I am aware that the first example above is quite a distance from where the ADSL line is presented; the second example isn't, though. What could be the cause of the bad noise margin? Bad cabling? I'd expect not, as we have two 877 routers on two separate lines at that site, and both have the same symptoms.
Thanks.
11-01-2013 08:29 PM
xDSL has a major flaw. If you have faulty xDSL copper towards your premises, you get very bad line speed and sync.
Look at here in Australia. Our copper cabling to the premises (business or residences) is so bad that every time it rains, water goes into the cracks of the cable and causes issues. Unfortunately, our telcos don't want to repair these cables because they just want to take our money.
Same goes for you. Take the results that you've posted, show them to your telco and demand to get the lines fixed.
11-07-2013 03:14 AM
I've got BT on to the case of the poor attenuation site, we are trying to move it to a closer cabinet to the premises.
I still have an issue with noise margin. BT (the telecoms company) can't see any faults with the line; I've replaced microfilters and cabling, and I've still got a poor noise margin.
Is there anything I can adjust on the routers to compensate this?
Example:
Noise Margin: 6.0 dB 6.5 dB
Output Power: 21.0 dBm 12.0 dBm
Attenuation: 24.0 dB 11.0 dB
Thanks,
11-07-2013 03:18 PM
Is there anything I can adjust on the routers to compensate this?
No there is none.
11-11-2013 08:23 AM
With the majority of our sites it now seems to be an inconsistency between the 877 hardware and the cabinets that BT are connecting them to in the exchange; we've fixed this by using the ISP-provided router/modem and just using the 877 to create the tunnel from behind it.
With one of the sites, it is in fact terrible wiring from the ISP.
Thanks for your help Leo.
11-11-2013 02:12 PM
Glad to be of some assistance, Damien.