UC560 Site-to-Site VPN traffic stops after 45 minutes

Following the directions in the following post, I was able to get remote phones working with a UC560 and SA520W over a VPN connection.

https://supportforums.cisco.com/message/3734746#3734746

The issue I am coming across is that after about 45 minutes, even though the tunnels are still up, the phones lose connection to the UC560. When this happens I am still able to connect across the VPN to the SA520W's management page to reboot the device. After rebooting it, the phones are able to register again for another 45 minutes or so.

Testing has revealed that from the UC560 side of the tunnel I can ping the SA520W. From the SA520W side I cannot ping the UC560's LAN address, nor the voice IP (10.1.1.1), but I can ping the 10.1.10.1 IP.

Does anyone have any ideas what could be causing the traffic to stop across the VPN?

4 Replies

Hello Gregory,

Could you please share the configurations on both sides after removing/changing the private information?

Best regards,

Alex

SA520W:

UC560:


!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
no ipv6 cef
!
!

!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 1800
crypto isakmp key ############# address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map multisite 1 ipsec-isakmp
description Remote-Site
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
match address 105
qos pre-classify
!
!
!
!
!
interface GigabitEthernet0/0
description $FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip access-group 104 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map multisite
!
!
interface Integrated-Service-Engine0/0
description Interface used to manage integrated application modulecue is initialized with default IMAP group
ip unnumbered Vlan90
ip nat inside
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
!
interface GigabitEthernet0/1/0
switchport mode trunk
macro description cisco-switch
!
!
interface GigabitEthernet0/1/1
switchport mode trunk
macro description cisco-switch
!
!
interface GigabitEthernet0/1/2
macro description cisco-desktop
spanning-tree portfast
!
!
interface GigabitEthernet0/1/3
description Interface used to communicate with integrated service module
switchport access vlan 90
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
!

!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.102.30 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
!
interface Vlan90
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
!
interface Vlan100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route 10.1.10.1 255.255.255.255 Vlan90
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_6##
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip xxx.xxx.xxx.xxx 0.0.0.31 any
access-list 101 deny   ip 10.1.10.0 0.0.0.3 any
access-list 101 deny   ip 10.1.1.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_8##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 deny   ip xxx.xxx.xxx.xxx 0.0.0.31 any
access-list 102 deny   ip 192.168.102.0 0.0.0.255 any
access-list 102 deny   ip 10.1.10.0 0.0.0.3 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_8##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 103 deny   ip xxx.xxx.xxx.xxx 0.0.0.31 any
access-list 103 deny   ip 192.168.102.0 0.0.0.255 any
access-list 103 deny   ip 10.1.1.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_22##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.103.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 104 permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq non500-isakmp
access-list 104 permit udp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx eq isakmp
access-list 104 permit esp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 104 permit ahp host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 104 deny   ip 192.168.102.0 0.0.0.255 any
access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp host 8.8.8.8 eq domain any
access-list 104 permit udp host 8.8.4.4 eq domain any
access-list 104 permit icmp any host xxx.xxx.xxx.xxx echo-reply
access-list 104 permit icmp any host xxx.xxx.xxx.xxx time-exceeded
access-list 104 permit icmp any host xxx.xxx.xxx.xxx unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 remark CryptoACL for DFAIT
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 105 permit ip 10.1.10.0 0.0.0.3 192.168.103.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip 10.1.10.0 0.0.0.3 192.168.103.0 0.0.0.255
access-list 106 deny   ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.102.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 106
!
!
ntp master
event manager session cli username "pingerID"
event manager applet vpn-pinger
event timer watchdog time 120 maxrun 100
action 1.0     cli command "enable"
action 2_Remote-Site cli command "ping ip  192.168.103.1  source Vlan1 repeat 2 timeout 5"
!
end

Can you try this:

- Save the configuration on both sides.

- Create the VPN with one consolidated SA like "192.168.103.0 any", which means just one VPN session is established.

- Also update the UC500 side accordingly.
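The posted UC560 config negotiates one IPsec SA pair per permit line in crypto ACL 105 (three pairs here), and the reply above proposes collapsing them into a single selector. The following script is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the posted config (ACL 105, the NAT route-map ACL 106 and the ISAKMP policy), counts the Phase 2 selectors, derives the smallest single selector that covers all of them (for these non-adjacent subnets that is "any" on the UC560 side, which is what the reply suggests), checks that ACL 106 exempts every tunnel selector from overload NAT before a permit line would translate it, and reads back the ISAKMP lifetime. The function names and the check logic are my own; the wildcard-mask handling assumes contiguous masks, which is all SDM generates.

```python
"""Static review of an IOS IPsec config: enumerate the Phase 2 selectors a crypto
ACL produces and confirm the NAT-exemption ACL shadows each one.  Added example."""
import ipaddress
import re

# Constructed excerpt of the UC560 config posted in the thread, trimmed to the
# lines this check needs (ISAKMP policy, crypto ACL 105, NAT route-map ACL 106).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 1800
access-list 105 remark CryptoACL for DFAIT
access-list 105 permit ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 105 permit ip 10.1.10.0 0.0.0.3 192.168.103.0 0.0.0.255
access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip 10.1.10.0 0.0.0.3 192.168.103.0 0.0.0.255
access-list 106 deny   ip 10.1.1.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 deny   ip 192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.102.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+(?P<rest>.+)$"
)
ALL_ONES = int(ipaddress.ip_address("255.255.255.255"))


def _parse_address(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0 (/24).
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(ALL_ONES - wildcard)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)


def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for extended IP ACL `number`, in config order."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or int(m.group("num")) != number:
            continue
        tokens = m.group("rest").split()
        src = _parse_address(tokens)
        dst = _parse_address(tokens)
        entries.append((m.group("action"), src, dst))
    return entries


def crypto_selectors(config, crypto_acl):
    """Each permit ACE in a crypto ACL becomes its own IPsec SA pair (proxy IDs)."""
    return [(s, d) for a, s, d in parse_acl(config, crypto_acl) if a == "permit"]


def nat_exemption_gaps(config, crypto_acl, nat_acl):
    """Tunnel selectors that the NAT ACL would *permit* (translate) before a deny shadows
    them.  Traffic translated by overload NAT no longer matches the crypto ACL and
    leaves in the clear instead of through the tunnel.  First matching ACE decides."""
    gaps = []
    nat_entries = parse_acl(config, nat_acl)
    for src, dst in crypto_selectors(config, crypto_acl):
        for action, nsrc, ndst in nat_entries:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    gaps.append((src, dst))
                break
        # No matching ACE means the implicit deny: not translated, which is fine here.
    return gaps


def common_supernet(nets):
    """Smallest single prefix that contains every network in `nets`."""
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def consolidated_selector(config, crypto_acl):
    """One (src, dst) selector covering all ACEs, i.e. one SA pair instead of several.
    Widening a selector also widens what the peer accepts into the tunnel, so the NAT
    exemption ACL must be widened to match."""
    sel = crypto_selectors(config, crypto_acl)
    return common_supernet([s for s, _ in sel]), common_supernet([d for _, d in sel])


def isakmp_lifetime(config):
    """Configured Phase 1 lifetime in seconds (IOS default is 86400 when absent)."""
    in_policy = False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and line.strip().startswith("lifetime"):
            return int(line.split()[1])
        elif not line.startswith(" "):
            in_policy = False
    return 86400


if __name__ == "__main__":
    print("SA pairs:", len(crypto_selectors(SAMPLE_CONFIG, 105)))
    print("consolidated:", consolidated_selector(SAMPLE_CONFIG, 105))
    print("NAT exemption gaps:", nat_exemption_gaps(SAMPLE_CONFIG, 105, 106))
    print("ISAKMP lifetime (s):", isakmp_lifetime(SAMPLE_CONFIG))
```

On the posted excerpt the script reports three SA pairs, a consolidated selector of 0.0.0.0/0 to 192.168.103.0/24, no NAT-exemption gaps, and an ISAKMP lifetime of 1800 seconds. Removing one of the deny lines from ACL 106 makes the corresponding selector show up as a gap, which is the misconfiguration the check is meant to catch when the two ACLs are edited by hand.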

I have resolved the issue. Strange as it may seem, as soon as I installed the Cisco switch we will be using at the main site, the remote site phones all registered and have been solid ever since.