Cisco 2901 VPN tunnels struggling to start on reload

Laz Peterson
Level 1

Hello there,

So, I've got my Cisco 2901 with Security license set up and running (seemingly) great ... However, with one issue that's scaring me a little bit.

After a reload or power-on, the router starts up and begins trying to negotiate the three VPN connections. All three connections are to SonicWALL routers (1 NSA-2400 and 2 TZ-100), and those are configured with "Keep Alive" enabled.

The problem that I'm having is that the VPN connections do not come up. When I do a 'show crypt session', it shows all IKEv1 SAs as DOWN-NEGOTIATING. It will stay this way indefinitely. Even a 'clear crypt sa' will not help. The only thing I can do that works is to log into each respective SonicWALL, disable the particular VPN policy, then re-enable it -- and then it works no problem.

What am I doing wrong? It is very confusing to me right now, since there truly seems to be nothing out of the ordinary. The only thing I can think of that might be affecting the success would be the "Keep Alive" enabled on the SonicWALLs ... But at this point, I'd rather not disable that until I know more about what may be the cause. (Definitely can't take down a tunnel or play around during production hours for testing.)

Also, for those who read this, please advise if there is anything else I may have done incorrectly.  There is some random stuff in there too, as I was attempting to provide access for myself when remote through VPN (which is another task I need help with, for another post at another time).  Here is my current running configuration:

(Note, I have changed the IP addresses and other random information.)

!
! No configuration change since last restart
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 ##############################
enable password ##############
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login user-auth local
aaa authorization exec default local
aaa authorization network group-auth local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name mydomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint tp-ss-cert
 enrollment selfsigned
 subject-name cn=Router-SSCert
 revocation-check none
 rsakeypair tp-ss-cert
!
!
crypto pki certificate chain tp-ss-cert
 certificate self-signed 01
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ######## ######## ######## ######## ########
  ######## ######## ######## ##
            quit
license udi pid CISCO2901/K9 sn FTX#######S
!
!
username adminuser privilege 15 password 0 ##############
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ########## address 1.1.1.1
crypto isakmp key ########## address 2.2.2.2
crypto isakmp key ########## address 3.3.3.3
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map vpn-tunnels 101
 set transform-set strong
!
!
crypto map vpn-tunnels 1 ipsec-isakmp
 description Tunnel to Site 1
 set peer 1.1.1.1
 set transform-set strong
 match address 100
crypto map vpn-tunnels 2 ipsec-isakmp
 description Tunnel to Site 2
 set peer 2.2.2.2
 set transform-set strong
 match address 104
crypto map vpn-tunnels 3 ipsec-isakmp
 description Tunnel to Site 3
 set peer 3.3.3.3
 set transform-set strong
 match address 105
!
!
!
!
!
interface Embedded-Service-Engine0/0
 ip address 10.0.1.1 255.255.255.0
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 179.9.9.106 255.255.255.0 secondary
 ip address 179.9.9.107 255.255.255.0 secondary
 ip address 179.9.9.108 255.255.255.0 secondary
 ip address 179.9.9.109 255.255.255.0 secondary
 ip address 179.9.9.110 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
 crypto map vpn-tunnels
!
ip forward-protocol nd
!
no ip http server
ip http access-class 2
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool general-use 179.9.9.110 179.9.9.110 prefix-length 24
ip nat inside source route-map in-to-out-rmap pool general-use overload
ip nat inside source static tcp 10.0.1.13 25 179.9.9.107 25 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 587 179.9.9.107 587 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 993 179.9.9.107 993 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 21 179.9.9.108 21 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 80 179.9.9.108 80 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 443 179.9.9.108 443 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.32 443 179.9.9.109 443 route-map no-internal-nat extendable
ip route 0.0.0.0 0.0.0.0 179.9.9.1
!
ip sla auto discovery
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 10 permit 10.0.1.1
access-list 20 deny   10.0.0.0 0.255.255.255
access-list 20 permit any
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq www
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq cmd
access-list 101 permit udp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq snmp
access-list 101 deny   tcp any host 10.0.1.1 eq telnet
access-list 101 deny   tcp any host 10.0.1.1 eq 22
access-list 101 deny   tcp any host 10.0.1.1 eq www
access-list 101 deny   tcp any host 10.0.1.1 eq 443
access-list 101 deny   tcp any host 10.0.1.1 eq cmd
access-list 101 deny   udp any host 10.0.1.1 eq snmp
access-list 101 permit ip any any
access-list 102 permit ip 10.0.1.0 0.0.0.255 any
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
access-list 104 permit ip 10.0.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 106 permit ip host 10.0.1.1 any
access-list 106 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 106 permit ip 10.0.0.0 0.255.255.255 any
!
route-map in-to-out-rmap permit 1
 match ip address 103
!
route-map no-internal-nat permit 10
 match ip address 106
!
!
snmp-server community public RO
snmp-server location Datacenter
snmp-server contact Router Admin
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 access-class 10 in
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 password ##############
 transport preferred ssh
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.0.1.11 source GigabitEthernet0/0
!
end

1 Reply
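Before suspecting the SonicWALL keepalives, three static things are worth verifying in a config like the one posted above: every crypto map entry's peer has a pre-shared key, every `match address` ACL exists and permits something, and the NAT route-map ACL (103 here) denies exactly the flows the crypto ACLs (100, 104, 105) permit, so interesting traffic is not translated before it reaches the crypto map. The script below is an added example of automating those three checks; it is not from the original post or from Cisco. It runs over a constructed excerpt of the posted config using the poster's placeholder addresses, and it only understands the small subset of IOS syntax the checks need.

```python
"""Consistency checks for the crypto map / ACL / NAT pieces of an IOS config."""
import re
from collections import defaultdict

# Constructed excerpt of the running config in the post (placeholder addresses
# as the poster wrote them); added example input, not router output.
CONFIG = """\
crypto isakmp key ########## address 1.1.1.1
crypto isakmp key ########## address 2.2.2.2
crypto isakmp key ########## address 3.3.3.3
crypto map vpn-tunnels 1 ipsec-isakmp
 set peer 1.1.1.1
 match address 100
crypto map vpn-tunnels 2 ipsec-isakmp
 set peer 2.2.2.2
 match address 104
crypto map vpn-tunnels 3 ipsec-isakmp
 set peer 3.3.3.3
 match address 105
ip nat inside source route-map in-to-out-rmap pool general-use overload
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
access-list 104 permit ip 10.0.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 10.5.5.0 0.0.0.255
route-map in-to-out-rmap permit 1
 match ip address 103
"""


def _addr(tokens):
    """Consume one extended-ACL address spec; return (normalized text, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_config(text):
    """Collect pre-shared-key peers, crypto map entries, extended 'ip' ACL rules,
    route-map -> ACL bindings and the route-maps used by 'ip nat inside source'."""
    cfg = {"keys": set(), "maps": [], "acls": defaultdict(list),
           "route_maps": {}, "nat_rmaps": set()}
    cur_map = cur_rmap = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur_map = {"name": m.group(1), "seq": int(m.group(2)), "peer": None, "acl": None}
            cfg["maps"].append(cur_map)
            cur_rmap = None
        elif m := re.match(r"route-map (\S+) permit \d+", line):
            cur_rmap, cur_map = m.group(1), None
        elif line.startswith("set peer ") and cur_map:
            cur_map["peer"] = line.split()[2]
        elif line.startswith("match address ") and cur_map:
            cur_map["acl"] = line.split()[2]
        elif line.startswith("match ip address ") and cur_rmap:
            cfg["route_maps"][cur_rmap] = line.split()[3]
        elif m := re.match(r"ip nat inside source route-map (\S+)", line):
            cfg["nat_rmaps"].add(m.group(1))
        elif m := re.match(r"access-list (\d+)\s+(permit|deny)\s+ip\s+(.+)", line):
            src, rest = _addr(m.group(3).split())
            dst, _ = _addr(rest)
            cfg["acls"][m.group(1)].append((m.group(2), src, dst))
    return cfg


def check_crypto_config(text):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    # Flows denied by the NAT route-map's ACL are exempt from overload NAT.
    nat_exempt = set()
    for rmap in cfg["nat_rmaps"]:
        for action, src, dst in cfg["acls"].get(cfg["route_maps"].get(rmap), []):
            if action == "deny":
                nat_exempt.add((src, dst))
    findings = []
    for entry in cfg["maps"]:
        tag = f"crypto map {entry['name']} {entry['seq']}"
        if entry["peer"] is None:
            findings.append(f"{tag}: no 'set peer'")
        elif entry["peer"] not in cfg["keys"]:
            findings.append(f"{tag}: no 'crypto isakmp key' for peer {entry['peer']}")
        permits = [r for r in cfg["acls"].get(entry["acl"], []) if r[0] == "permit"]
        if not permits:
            findings.append(f"{tag}: crypto ACL {entry['acl']} is missing or has no permit entries")
        for _, src, dst in permits:
            # Exact-match comparison: a broader deny in the NAT ACL would also exempt
            # the flow, so a hit here means "verify by hand", not a certain fault.
            if (src, dst) not in nat_exempt:
                findings.append(f"{tag}: {src} -> {dst} is in crypto ACL {entry['acl']} "
                                "but not exempted from NAT")
    return findings


if __name__ == "__main__":
    for line in check_crypto_config(CONFIG) or ["no findings"]:
        print(line)
```

Against the posted config the script reports nothing, which is consistent with the tunnels working once the SonicWALL side re-initiates; if a NAT exemption or a peer key were missing, the tunnels would fail regardless of which side starts negotiation. Paste the relevant lines of a real `show running-config` into `CONFIG` to run it on another box.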

Laz Peterson
Level 1

So much for trying to fix it. Seems there was no issue. After the first handful of tests had trouble, all subsequent production 'reloads' worked great. No idea what the issue was.