11-20-2012 08:18 AM
Hi,
I'm new on this forum and to the VPN topic.
I can create a VPN connection between two Cisco 861 routers. But after a random time (30 mins - 24 hours) the VPN is disconnected (when I try to ping from one location to the other internal network, it does not work, and vice versa). After rebooting Cisco1, the VPN connection works properly. Cisco1 has an external IP address. Cisco2 is on a DMZ (connected to a Comcast modem).
I have not found any solution to this problem (maybe because I do not know where to look).
Here are my configurations:
Cisco1 Config
Current configuration : 3975 bytes
!
! No configuration change since last restart
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Harlem
!
boot-start-marker
boot system flash flash:c860-universalk9-mz.150-1.M4.bin
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
memory-size iomem 10
clock timezone CST -6
!
crypto pki trustpoint TP-self-signed-2129202485
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2129202485
revocation-check none
rsakeypair TP-self-signed-2129202485
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.2.100
ip dhcp excluded-address 192.168.2.250
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.50
!
ip dhcp pool 192.168.2.0/24
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 75.75.75.75 76.76.76.76
option 66 ascii "tftp://192.168.1.11"
!
!
ip cef
ip domain name yourdomain.com
ip name-server 75.75.75.75
!
!
license udi pid []
!
!
archive
log config
hidekeys
username XXXX privilege 15 secret 5 XXXX.
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key XXXX address 74.94.123.xxx
crypto isakmp keepalive 60 3 periodic
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map dynmap 10 ipsec-isakmp
set peer 74.94.123.xxx
set transform-set myset
match address 101
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 75.145.179.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool PORTFWD 192.168.2.11 192.168.2.11 netmask 255.255.255.0 type rotary
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.2.200 21 75.145.179.xxx 21 extendable
ip nat inside source static tcp 192.168.2.11 22 75.145.179.xxx 2022 route-map nonat extendable
ip nat inside source static tcp 192.168.2.11 5060 75.145.179.xxx 5060 route-map nonat extendable
ip nat inside source static udp 192.168.2.11 5060 75.145.179.xxx 5060 route-map nonat extendable
ip nat inside source static tcp 192.168.2.11 80 75.145.179.xxx 8080 route-map nonat extendable
ip nat inside destination list 190 pool PORTFWD
ip route 0.0.0.0 0.0.0.0 75.145.179.xxx
!
ip access-list extended nonat
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
!
logging trap debugging
logging 66.103.31.xxx
access-list 10 permit 64.103.25.xxx
access-list 23 permit 66.103.31.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 74.94.123.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit udp host 74.94.123.xxx host 75.145.179.xxx eq isakmp
access-list 123 permit udp host 74.94.123.xxx host 75.145.179.xxx eq non500-isakmp
access-list 123 permit esp host 74.94.123.xxx host 75.145.179.xxx
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
access-list 190 permit udp any any range 10000 20000
no cdp run
route-map nonat permit 10
match ip address 175
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 216.234.161.xxx
ntp server 208.38.65.xxx
sntp server 216.234.161.xxx
sntp server 208.38.65.xxx
end
Cisco2 Config
Current configuration : 3676 bytes
!
! Last configuration change at 12:57:17 CST Wed Nov 14 2012 by xxx
! NVRAM config last updated at 12:57:18 CST Wed Nov 14 2012 by xxx
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MainOffice
!
boot-start-marker
boot-end-marker
!
logging buffered 512000
!
no aaa new-model
memory-size iomem 10
clock timezone CST -6
!
crypto pki trustpoint TP-self-signed-2129202485
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2129202485
revocation-check none
rsakeypair TP-self-signed-2129202485
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.250
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.50
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.1 192.168.1.60
!
ip dhcp pool 192.168.1.0/24
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 75.75.75.75 76.76.76.76
option 66 ascii "tftp://192.168.2.11"
!
!
no ip cef
ip domain name yourdomain.com
ip name-server 75.75.75.75
!
!
license udi pid []
!
!
archive
log config
hidekeys
username xxx privilege 15 secret 5 xxx.
!
!
ip ftp username xxx
ip ftp password xxx
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key xxx address 75.145.179.xxx
crypto isakmp keepalive 60 3 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map dynmap 10 ipsec-isakmp
set peer 75.145.179.xxx
set transform-set myset
match address 101
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 10.10.10.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map dynmap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.11 22 74.94.123.xxx 2022 route-map nonat extendable
ip nat inside source static udp 192.168.1.11 5060 74.94.123.xxx 5060 route-map nonat extendable
ip nat inside source static tcp 192.168.1.11 80 74.94.123.xxx 8080 route-map nonat extendable
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
ip access-list extended nonat
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
!
logging trap debugging
logging 66.103.31.20
access-list 10 permit 64.103.25.xxx
access-list 23 permit 66.103.31.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map TEST permit 10
match ip address 102
!
route-map nonat permit 10
match ip address 175
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 216.234.161.xxx
ntp server 208.38.65.xxx
sntp server 216.234.161.xxx
sntp server 208.38.65.xxx
end
Harlem#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
74.94.123.xxx 75.145.179.xx QM_IDLE 2001 ACTIVE
IPv6 Crypto ISAKMP SA
A little help will be welcome. Thank you very much in advance.
11-20-2012 10:17 AM
Take the debugs (debug cry isakmp & debug cry ipsec) and check which side is initiating the tear down of the tunnel. You can configure syslog to capture the debugs.
Once we have the debugs from the time of the issue, it will be easier to proceed further.
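One way to triage the debugs once syslog has captured them, as an added example that is not from the thread: a Python script that reads one router's "debug crypto isakmp" / "debug crypto ipsec" capture in order and reports whether an ISAKMP DELETE payload arrived from the peer before the local SA was torn down (peer initiated) or this router deleted first (local initiated, with the reason string). The sample log lines and the regex wording are constructed after IOS 15 debug output and are assumptions; the IPs are placeholders.

```python
import re
from typing import Dict

# Constructed sample lines, modelled on the "debug crypto isakmp" and
# "debug crypto ipsec" output that "logging trap debugging" ships to syslog.
# They are not captured from the poster's routers; IPs are placeholders.
SAMPLE_LOG = """\
Nov 20 10:14:58.101: ISAKMP:(2001):DPD/R_U_THERE received from peer 74.94.123.1, sequence 0x3A1
Nov 20 10:15:07.410: ISAKMP (2001): received packet from 74.94.123.1 dport 500 sport 500 Global (R) QM_IDLE
Nov 20 10:15:07.411: ISAKMP:(2001): processing HASH payload. message ID = 1442355702
Nov 20 10:15:07.411: ISAKMP:(2001): processing DELETE payload. message ID = 1442355702
Nov 20 10:15:07.412: ISAKMP:(2001):deleting SA reason "No reason" state (R) QM_IDLE (peer 74.94.123.1)
Nov 20 10:15:07.413: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 75.145.179.1, sa_proto= 50, sa_spi= 0x2B3C4D5E, sa_conn_id= 2001
"""

# The patterns are assumptions about the IOS 15.0 debug wording; adjust them
# to what your own syslog capture shows.
RX_TS = re.compile(r'^\*?(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$')
RX_PEER_DELETE = re.compile(r'processing DELETE payload')
RX_LOCAL_DELETE = re.compile(r'deleting SA reason "([^"]*)"')
RX_DPD_RECV = re.compile(r'DPD/R_U_THERE received from peer (\S+),')
RX_IPSEC_DEL = re.compile(r'IPSEC\(delete_sa\)')


def classify_teardown(log: str) -> Dict[str, object]:
    """Decide who tore the tunnel down: 'peer' if a DELETE payload was
    processed before this router deleted its SA, 'local' if this router
    deleted first (the reason string says why), 'none' if no teardown."""
    result = {"initiator": "none", "reason": "", "last_dpd_from_peer": "",
              "ipsec_sa_deleted": False, "teardown_at": ""}
    saw_peer_delete = False
    for raw in log.splitlines():
        m = RX_TS.match(raw)
        if not m:
            continue  # not a debug line (command echo, banner, blank)
        ts, msg = m.groups()
        if RX_DPD_RECV.search(msg):
            result["last_dpd_from_peer"] = ts  # peer was still alive here
        if RX_PEER_DELETE.search(msg):
            saw_peer_delete = True  # peer sent an informational DELETE
        local = RX_LOCAL_DELETE.search(msg)
        if local and result["initiator"] == "none":
            result["initiator"] = "peer" if saw_peer_delete else "local"
            result["reason"] = local.group(1)
            result["teardown_at"] = ts
        if RX_IPSEC_DEL.search(msg):
            result["ipsec_sa_deleted"] = True  # phase 2 SA went with it
    return result
```

A "local" verdict with a retransmission or DPD reason means this router stopped hearing the peer, which points at the path (NAT mapping timeouts on the DMZ side, for example) rather than at the crypto configuration; a "peer" verdict means the same capture is needed from the other router.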