We have two Cisco 1811 routers running a L2L VPN over CenturyLink DSL broadband connections. Original DSL configuration was with Westell 6100 units operating in Bridge mode. Never had any issues with our Windows domain or LAN traffic using this configuration. Primary site DSL speed was upgraded, requiring a bonded DSL connection and implementation of a Cisco DDR2200 Residential Gateway in place of the original Westell 6100. CenturyLink claims the DDR2200 is configured to operate in Bridge mode.

Problem is our LAN to LAN communication intermittently ceases to function. Internet connectivity at both sites never hangs or drops. CenturyLink has replaced the DDR2200 with no effect. I have tried various debug settings and still can't figure this out. Below is the session status of both routers during the communication failure:

ACI1811#show crypto sess det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 188.8.131.52 port 1070 fvrf: (none) ivrf: (none)
      Phase1_id: 184.108.40.206
      Desc: (none)
  IKE SA: local 220.127.116.11/4500 remote 18.104.22.168/1070 Active
          Capabilities:N connid:2111 lifetime:05:21:42
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 10.1.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 14147319 drop 1 life (KB/Sec) 4484024/2036
        Outbound: #pkts enc'ed 13695568 drop 2340 life (KB/Sec) 4484640/2036

APE1811#show crypto sess det
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 22.214.171.124 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 126.96.36.199
      Desc: (none)
  IKE SA: local 188.8.131.52/4500 remote 184.108.40.206/4500 Active
          Capabilities:N connid:2090 lifetime:05:22:49
  IPSEC FLOW: permit ip 10.1.100.0/255.255.255.0 192.168.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 501433 drop 0 life (KB/Sec) 4378840/2101
        Outbound: #pkts enc'ed 516696 drop 3 life (KB/Sec) 4377974/2101

The ACI1811 IKE SA remote port always changes from 4500 to another undocumented port like 1070 (per this example). I have also noticed on occasion both routers communicating IKE SA over port 500 with no NAT Traversal and good LAN 2 LAN communication.

The LAN 2 LAN communication problem sometimes does not occur for 3 days and other times occurs multiple times in one day. A "CLEAR CRYPTO SESSION" command issued on APE1811 usually restarts communication. Occasionally multiple "CLEAR CRYPTO SESSION" commands need to be issued on APE1811 or a "CLEAR CRYPTO SA". On very rare occasions, I have to reload both 1811 routers.

Below are the current hardware and software versions of the equipment:

Both 1811 devices: Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T11, RELEASE SOFTWARE (fc2)
DDR2200 Hardware Version V06
Software Version DDR2200B-NA-AnnexA-FCC-V00.00.03.40.5EP

Any assistance with how to obtain relevant debug data or configuration modification suggestions will be greatly appreciated.
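The port mismatch described in the post (one router sees its peer on UDP/1070 while that peer reports sending from UDP/4500) can be checked mechanically by comparing the `show crypto session detail` output from both ends. This is an added example, not part of the original post: the function names are hypothetical, and the sample input is the IKE SA and counter lines quoted above.

```python
import re

# Sample input: lines taken from the two outputs quoted in the post.
ACI = """\
  IKE SA: local 220.127.116.11/4500 remote 18.104.22.168/1070 Active
          Capabilities:N connid:2111 lifetime:05:21:42
        Inbound: #pkts dec'ed 14147319 drop 1 life (KB/Sec) 4484024/2036
        Outbound: #pkts enc'ed 13695568 drop 2340 life (KB/Sec) 4484640/2036
"""
APE = """\
  IKE SA: local 188.8.131.52/4500 remote 184.108.40.206/4500 Active
          Capabilities:N connid:2090 lifetime:05:22:49
        Inbound: #pkts dec'ed 501433 drop 0 life (KB/Sec) 4378840/2101
        Outbound: #pkts enc'ed 516696 drop 3 life (KB/Sec) 4377974/2101
"""

IKE_RE = re.compile(r"IKE SA: local (\S+)/(\d+) remote (\S+)/(\d+)")
CAP_RE = re.compile(r"Capabilities:(\S+)")
DROP_RE = re.compile(r"(Inbound|Outbound):\s+#pkts \S+ \d+ drop (\d+)")

def parse_session(text):
    """Extract IKE SA ports, the NAT-T flag and drop counters for one session."""
    ike = IKE_RE.search(text)
    if ike is None:
        raise ValueError("no IKE SA line found")
    caps = CAP_RE.search(text)
    return {
        "local_port": int(ike.group(2)),
        "remote_port": int(ike.group(4)),
        # "N" is the NAT-traversal code; "(none)" has only a lowercase n.
        "nat_t": bool(caps) and "N" in caps.group(1),
        "drops": {d.lower(): int(n) for d, n in DROP_RE.findall(text)},
    }

def port_findings(name_a, a, name_b, b):
    """Report each direction where the seen port differs from the sent port."""
    findings = []
    for seer, s, sender, t in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if s["remote_port"] != t["local_port"]:
            findings.append(
                f"{seer} sees {sender} on UDP/{s['remote_port']} but {sender} "
                f"sends from UDP/{t['local_port']}: source port rewritten in transit")
    return findings

if __name__ == "__main__":
    for line in port_findings("ACI1811", parse_session(ACI),
                              "APE1811", parse_session(APE)):
        print(line)
```

The comparison uses ports only, because the addresses in the quoted output do not line up between the two routers.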