
LAN to LAN 1811 VPN with DDR2200 Gateway

We have two Cisco 1811 routers running a L2L VPN over Centurylink DSL broadband connections. Original DSL configuration was with Westell 6100 units operating in Bridge mode. Never had any issues with our Windows domain or LAN traffic using this configuration. Primary site DSL speed was upgraded requiring a bonded DSL connection and implementation of a Cisco DDR2200 Residential Gateway in place of the original Westell 6100. Centurylink claims the DDR2200 is configured to operate in Bridge mode. Problem is our LAN to LAN communication intermittently ceases to function. Internet connectivity at both sites never hangs or drops. CenturyLink has replaced the DDR2200 with no effect. I have tried various debug settings and still can't figure this out.

Below is the session status of both routers during the communication failure:

ACI1811#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 207.118.195.164 port 1070 fvrf: (none) ivrf: (none)
      Phase1_id: 207.118.195.164
      Desc: (none)
  IKE SA: local 207.118.197.211/4500 remote 207.118.195.164/1070 Active
          Capabilities:N connid:2111 lifetime:05:21:42
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 10.1.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 14147319 drop 1 life (KB/Sec) 4484024/2036
        Outbound: #pkts enc'ed 13695568 drop 2340 life (KB/Sec) 4484640/2036

APE1811#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 207.118.197.211 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 207.118.197.211
      Desc: (none)
  IKE SA: local 207.118.195.164/4500 remote 207.118.197.211/4500 Active
          Capabilities:N connid:2090 lifetime:05:22:49
  IPSEC FLOW: permit ip 10.1.100.0/255.255.255.0 192.168.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 501433 drop 0 life (KB/Sec) 4378840/2101
        Outbound: #pkts enc'ed 516696 drop 3 life (KB/Sec) 4377974/2101

The ACI1811 IKE SA remote port always changes from 4500 to another undocumented port like 1070 (per this example)

I have also noticed on occasion both routers communicating IKE SA over port 500 with no NAT Traversal and good LAN 2 LAN communication.

The LAN 2 LAN communication problem sometimes does not occur for 3 days and other times occurs multiple times in one day.

A "CLEAR CRYPTO SESSION" command issued on APE1811 usually restarts communication. Occasionally multiple "CLEAR CRYPTO SESSION" commands need to be issued on APE1811 or a "CLEAR CRYPTO SA". On very rare occasions, I have to reload both 1811 routers.

Below are the current hardware and software versions of the equipment:

Both 1811 devices:

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T11, RELEASE SOFTWARE (fc2)

DDR2200

Hardware Version          V06

Software Version           DDR2200B-NA-AnnexA-FCC-V00.00.03.40.5EP

Any assistance with how to obtain relevant debug data or configuration modification suggestions will be greatly appreciated.
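The two anomalies visible in the posted output, a NAT-T session whose peer is seen on a UDP port other than 4500 and a large outbound drop count on one side only, can be picked out of `show crypto session detail` mechanically. The following is an added example for readers of this thread, not code from the original poster or from Cisco: a small Python parser for that output format plus a checker that flags those two conditions. The sample inputs are constructed from the two outputs above (addresses and counters copied, header lines trimmed), and the drop thresholds are illustrative assumptions, not IOS defaults.

```python
"""Parse Cisco IOS 'show crypto session detail' and flag NAT-T port and drop anomalies."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample inputs, modelled on the two router outputs in the post
# (values copied from there; these are not live captures).
SAMPLE_ACI = """\
Crypto session current status
Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 207.118.195.164 port 1070 fvrf: (none) ivrf: (none)
  IKE SA: local 207.118.197.211/4500 remote 207.118.195.164/1070 Active
          Capabilities:N connid:2111 lifetime:05:21:42
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 10.1.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 14147319 drop 1 life (KB/Sec) 4484024/2036
        Outbound: #pkts enc'ed 13695568 drop 2340 life (KB/Sec) 4484640/2036
"""

SAMPLE_APE = """\
Crypto session current status
Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 207.118.197.211 port 4500 fvrf: (none) ivrf: (none)
  IKE SA: local 207.118.195.164/4500 remote 207.118.197.211/4500 Active
          Capabilities:N connid:2090 lifetime:05:22:49
  IPSEC FLOW: permit ip 10.1.100.0/255.255.255.0 192.168.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 501433 drop 0 life (KB/Sec) 4378840/2101
        Outbound: #pkts enc'ed 516696 drop 3 life (KB/Sec) 4377974/2101
"""

NAT_T_PORT = 4500               # UDP port IKE/ESP move to once NAT-T is negotiated
DROP_MIN, DROP_RATIO = 100, 10  # illustrative thresholds (assumption, not an IOS value)

RE_STATUS = re.compile(r"Session status: (\S+)")
RE_PEER = re.compile(r"Peer: (\S+) port (\d+)")
RE_IKE = re.compile(r"IKE SA: local (\S+)/(\d+) remote (\S+)/(\d+) (\w+)")
RE_CAPS = re.compile(r"Capabilities:(\S+)")
RE_IN = re.compile(r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+)")
RE_OUT = re.compile(r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+)")


@dataclass
class CryptoSession:
    peer: str
    status: str
    local_port: int
    remote_port: int
    capabilities: str   # legend letters, e.g. "N" for NAT-traversal
    pkts_dec: int
    drop_in: int
    pkts_enc: int
    drop_out: int


def parse_sessions(text: str) -> List[CryptoSession]:
    """Each session block begins at an 'Interface:' line; parse the first SA of each."""
    sessions = []
    for block in re.split(r"(?m)^Interface: ", text):
        ike = RE_IKE.search(block)
        if not ike:
            continue  # header text before the first session
        caps = RE_CAPS.search(block)
        inb, outb = RE_IN.search(block), RE_OUT.search(block)
        sessions.append(CryptoSession(
            peer=RE_PEER.search(block).group(1),
            status=RE_STATUS.search(block).group(1),
            local_port=int(ike.group(2)),
            remote_port=int(ike.group(4)),
            capabilities="" if not caps or caps.group(1) == "(none)" else caps.group(1),
            pkts_dec=int(inb.group(1)) if inb else 0,
            drop_in=int(inb.group(2)) if inb else 0,
            pkts_enc=int(outb.group(1)) if outb else 0,
            drop_out=int(outb.group(2)) if outb else 0,
        ))
    return sessions


def assess(s: CryptoSession) -> List[str]:
    """Return human-readable findings for one session; empty list means nothing notable."""
    findings = []
    if s.status != "UP-ACTIVE":
        findings.append(f"{s.peer}: session status is {s.status}")
    # NAT-T negotiated but the peer is not arriving on UDP/4500: something in the
    # path is rewriting the source port, and traffic sent to a stale mapping is lost
    # until the session is rebuilt.
    if "N" in s.capabilities and s.remote_port != NAT_T_PORT:
        findings.append(f"{s.peer}: NAT-T negotiated but peer seen on UDP/{s.remote_port}, "
                        f"not UDP/{NAT_T_PORT}; a device in the path is rewriting the port")
    # Encrypt-side drops on this router far exceeding decrypt-side drops.
    if s.drop_out >= DROP_MIN and s.drop_out > DROP_RATIO * max(s.drop_in, 1):
        findings.append(f"{s.peer}: outbound drops {s.drop_out} vs inbound {s.drop_in}; "
                        "compare with the peer's inbound counter for the same flow")
    return findings


def assess_output(text: str) -> List[str]:
    return [f for s in parse_sessions(text) for f in assess(s)]


if __name__ == "__main__":
    for name, text in (("ACI1811", SAMPLE_ACI), ("APE1811", SAMPLE_APE)):
        print(name, assess_output(text) or ["no findings"])
```

Run against the ACI1811 output it reports the peer on UDP/1070 and the 2340 outbound drops; the APE1811 output produces no findings, which matches the asymmetry the post describes. Paste a fresh `show crypto session detail` from each router during a failure to see whether the port shift and the drop spike line up with the outage.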
