15 minute continuous clock on cisco with vpn?

xblade258
Level 1

Hi,

We have something really strange going on. We have a Cisco 3845 router that is hooked up for a VPN connection back to our office. Right now, it is configured for static IP from the cable modem. The VPN will stay up for exactly 15 minutes, and then it gets disconnected. It will only re-connect if the physical cable is un-plugged then plugged back in. If the cable is disconnected for 10 minutes, after the original disconnect, it will only last 5 more minutes. There seems to be an unlimited 15 minute clock that keeps rolling over and disconnecting us. We ruled out the cable modem after hours of troubleshooting. Any help or further troubleshooting ideas would be appreciated!!

16 Replies

Hi Amy,

You have a Site-to-Site tunnel from the 3845 to other site?

Can you check if after 15 minutes you lose connectivity to the other side IP (where the VPN establishes)?

For example:

LAN -- 3845 --- Internet --- XXX --- LAN

If the tunnel is between the 3845 and XXX, check if after 15 minutes you cannot PING XXX from 3845.

If this happens then we know that's why the VPN is going down.

If you don't lose IP connectivity between both sides, then the problem could be the ISAKMP SA lifetime set to 15 minutes or something else in the configuration.

Federico.

Hi,

Thanks for replying, we actually did test that out. When we lost connectivity, we were able to ping the gateway, but not out to the internet. We don't lose IP connectivity on both sides, only on the outside VPN that is coming into the office.

Amy,

You're saying that when this happens you can still PING the gateway (cable modem) but not the Internet?
If the PINGs die on the gateway why did you rule the cable modem out of the problem?

Federico.

When we put a switch in between the router and the cable modem, the PCs on the switch stayed connected while the router lost connection every 15 minutes. We also hard IP'ed a laptop and did a continuous ping out to the internet off the modem which stayed up while the router went down.

If I understand then, when this happens (after 15 minutes) everything continues to work except the 3845, which can only PING the gateway but nothing else (this causes VPN problems as well).

I don't see why the router will continue to work (PING the gateway) but nothing else every 15 minutes.... unless there's something else interfering in the network...

Have you tested if the problem is with the 3845's IP?

I mean assigning this IP to a laptop does not cause the laptop problems after 15 minutes?

Federico.

Correct, we IPed the laptop with this IP and it does not lose or drop connectivity at all. We tested this well over 15 minutes. Also, we tried using different IPs (scope of 5), and they all failed after 15 minutes.

So, it doesn't matter which IP is assigned to the 3845 it fails after 15 minutes... and nothing else fails on the LAN...

You mentioned the 3845 is not rebooting or crashing (it actually continues to PING the gateway and this never fails).

I still don't think it is a problem with the router if it continues to PING the gateway...

After 15 minutes, is the 3845 still able to work internally (PING everything in the local LAN)? The problem is just getting past the gateway?

Federico.

As far as we know, the router IS working fine, but there seems to be some command or something that is triggering a disconnect after 15 minutes. It is seriously 15 minutes to the second every time. And all it takes to come back up on the VPN tunnel is to disconnect and reconnect the cable. The cable modem is stripped and it is a straight bridge to a static IP which has had 100% uptime for the past 48 hours. NAT is off, no ports are being blocked. We haven't seen any errors on it either. We do not have to reset the modem when we go down.

Amy,

Let me get something straight.
After 15 minutes the VPN goes down and also Internet?

What kind of VPN configuration do you have?
- Site-to-Site VPN?
- EzVPN?

Can you confirm this test?
- PING the peer VPN address from the 3845.
- After 15 minutes, check if only the VPN traffic is down or you cannot PING that peer IP anymore either.

Federico.

After 15 minutes, only the VPN goes down.  Internet stays up and has been up for 48 hours.

Site to Site is correct.  L2LTP

After 15 minutes, we can still ping the peer. 

In your configuration for ISAKMP do you have the lifetime set to 900 seconds?

crypto isakmp policy 10    ! policy number could be something else
 lifetime 900

Or for the crypto map

set security-association lifetime seconds 900

Federico.

This is what I have:

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Ok, that's the default value for phase 1, but what about phase 2?

Check the lifetime for the IPsec SA applied to the crypto map.


Federico.

Crypto Map "xxxxL2L" 140 ipsec-isakmp
        Description: VPNTruck
        Peer = 192.x.x.x        Extended IP access list 100
            access-list 100 permit gre host x.xx.x.x host x.x.x.x.x

        Current peer: x.x.x.x

        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                xxx_L2L:  { esp-3des esp-md5-hmac  } ,
        }
        Interfaces using crypto map xxxL2L:
                GigabitEthernet2/0.5

                GigabitEthernet0/1

How do I show phase 2?
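
Added example, not part of the thread: a Python check that reads the configured phase 1 and phase 2 SA lifetimes out of the two outputs posted above and compares them with the observed 900-second drop interval. The `Security association lifetime` line of the crypto map output is the IPsec (phase 2) lifetime; the function names are hypothetical and the regexes assume the line layout shown in the thread.

```python
import re

# Constructed input: the relevant lines of the two outputs posted in the thread.
IKE_POLICY = """Global IKE policy
Protection suite of priority 1
        authentication method:  Pre-Shared Key
        lifetime:               86400 seconds, no volume limit
"""
CRYPTO_MAP = """Crypto Map "xxxxL2L" 140 ipsec-isakmp
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
"""

def phase1_lifetimes(text):
    """Map each IKE policy priority to its SA lifetime in seconds."""
    out, prio = {}, None
    for line in text.splitlines():
        if m := re.search(r"Protection suite of priority (\d+)", line):
            prio = int(m.group(1))
        elif (m := re.match(r"\s*lifetime:\s+(\d+) seconds", line)) and prio is not None:
            out[prio] = int(m.group(1))
    return out

def phase2_lifetimes(text):
    """Map each (crypto map name, sequence) to its IPsec SA lifetime in seconds."""
    out, entry = {}, None
    for line in text.splitlines():
        if m := re.match(r'\s*Crypto Map "([^"]+)" (\d+) ', line):
            entry = (m.group(1), int(m.group(2)))
        elif (m := re.search(r"lifetime: \d+ kilobytes/(\d+) seconds", line)) and entry:
            out[entry] = int(m.group(1))
    return out

def timers_matching(observed, ike_text, map_text):
    """List the configured SA lifetimes equal to the observed drop interval."""
    hits = [f"phase 1 policy {p}"
            for p, s in phase1_lifetimes(ike_text).items() if s == observed]
    hits += [f"phase 2 crypto map {n} {q}"
             for (n, q), s in phase2_lifetimes(map_text).items() if s == observed]
    return hits

if __name__ == "__main__":
    print(phase1_lifetimes(IKE_POLICY))
    print(phase2_lifetimes(CRYPTO_MAP))
    print(timers_matching(900, IKE_POLICY, CRYPTO_MAP) or "no SA lifetime equals 900 s")
```

With the values posted in the thread, neither configured lifetime equals the 900-second interval.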