CISCO disconnecting VPN site to site

maciejewski.m
Level 1

Hi,

I'm new to this forum and to the VPN topic.

I can create a VPN connection between two Cisco 861 routers, but after a random time (30 mins - 24 hours) the VPN is disconnected (when I try to ping from one location to the other internal network it does not work, and vice versa). After rebooting Cisco1, the VPN connection works properly again. Cisco1 has an external IP address. Cisco2 is on a DMZ (connected to a Comcast modem).

I have not found any solution to this problem (maybe because I do not know where to look).

Here are my configurations:

Cisco1 Config

Current configuration : 3975 bytes
!
! No configuration change since last restart
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Harlem
!
boot-start-marker
boot system flash flash:c860-universalk9-mz.150-1.M4.bin
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
memory-size iomem 10
clock timezone CST -6
!
crypto pki trustpoint TP-self-signed-2129202485
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2129202485
 revocation-check none
 rsakeypair TP-self-signed-2129202485
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.2.100
ip dhcp excluded-address 192.168.2.250
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.50
!
ip dhcp pool 192.168.2.0/24
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 75.75.75.75 76.76.76.76
   option 66 ascii "tftp://192.168.1.11"
!
!
ip cef
ip domain name yourdomain.com
ip name-server 75.75.75.75
!
!
license udi pid []
!
!
archive
 log config
  hidekeys
username XXXX privilege 15 secret 5 XXXX.
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXXX address 74.94.123.xxx
crypto isakmp keepalive 60 3 periodic
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map dynmap 10 ipsec-isakmp
 set peer 74.94.123.xxx
 set transform-set myset
 match address 101
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 75.145.179.xxx 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map dynmap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool PORTFWD 192.168.2.11 192.168.2.11 netmask 255.255.255.0 type rotary
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.2.200 21 75.145.179.xxx 21 extendable
ip nat inside source static tcp 192.168.2.11 22 75.145.179.xxx 2022 route-map nonat extendable
ip nat inside source static tcp 192.168.2.11 5060 75.145.179.xxx 5060 route-map nonat extendable
ip nat inside source static udp 192.168.2.11 5060 75.145.179.xxx 5060 route-map nonat extendable
ip nat inside source static tcp 192.168.2.11 80 75.145.179.xxx 8080 route-map nonat extendable
ip nat inside destination list 190 pool PORTFWD
ip route 0.0.0.0 0.0.0.0 75.145.179.xxx
!
ip access-list extended nonat
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
logging trap debugging
logging 66.103.31.xxx
access-list 10 permit 64.103.25.xxx
access-list 23 permit 66.103.31.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 74.94.123.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 123 permit udp host 74.94.123.xxx host 75.145.179.xxx eq isakmp
access-list 123 permit udp host 74.94.123.xxx host 75.145.179.xxx eq non500-isakmp
access-list 123 permit esp host 74.94.123.xxx host 75.145.179.xxx
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
access-list 190 permit udp any any range 10000 20000
no cdp run
route-map nonat permit 10
 match ip address 175
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 216.234.161.xxx
ntp server 208.38.65.xxx
sntp server 216.234.161.xxx
sntp server 208.38.65.xxx
end


Cisco2 Config

Current configuration : 3676 bytes
!
! Last configuration change at 12:57:17 CST Wed Nov 14 2012 by xxx
! NVRAM config last updated at 12:57:18 CST Wed Nov 14 2012 by xxx
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MainOffice
!
boot-start-marker
boot-end-marker
!
logging buffered 512000
!
no aaa new-model
memory-size iomem 10
clock timezone CST -6
!
crypto pki trustpoint TP-self-signed-2129202485
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2129202485
 revocation-check none
 rsakeypair TP-self-signed-2129202485
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.250
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.50
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.1 192.168.1.60
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 75.75.75.75 76.76.76.76
   option 66 ascii "tftp://192.168.2.11"
!
!
no ip cef
ip domain name yourdomain.com
ip name-server 75.75.75.75
!
!
license udi pid []
!
!
archive
 log config
  hidekeys
username xxx privilege 15 secret 5 xxx.
!
!
ip ftp username xxx
ip ftp password xxx
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxx address 75.145.179.xxx
crypto isakmp keepalive 60 3 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map dynmap 10 ipsec-isakmp
 set peer 75.145.179.xxx
 set transform-set myset
 match address 101
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 10.10.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map dynmap
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.11 22 74.94.123.xxx 2022 route-map nonat extendable
ip nat inside source static udp 192.168.1.11 5060 74.94.123.xxx 5060 route-map nonat extendable
ip nat inside source static tcp 192.168.1.11 80 74.94.123.xxx 8080 route-map nonat extendable
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
ip access-list extended nonat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any
!
logging trap debugging
logging 66.103.31.20
access-list 10 permit 64.103.25.xxx
access-list 23 permit 66.103.31.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map TEST permit 10
 match ip address 102
!
route-map nonat permit 10
 match ip address 175
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 216.234.161.xxx
ntp server 208.38.65.xxx
sntp server 216.234.161.xxx
sntp server 208.38.65.xxx
end

Harlem#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
74.94.123.xxx   75.145.179.xx   QM_IDLE           2001 ACTIVE
IPv6 Crypto ISAKMP SA


A little help will be welcome. Thank you very much in advance.
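The two configs above are a standard crypto-map pair, and the things that have to agree between the two ends (the peer address, the address the pre-shared key is bound to, DPD keepalive, the crypto ACL and its mirror, and the NAT-exemption deny in the route-map ACL) are easy to get subtly wrong. The script below is an added example, not part of the post and not Cisco tooling: it parses just those lines from abbreviated, constructed excerpts of both configs and reports anything that is not mirrored. The masked public addresses are replaced by RFC 5737 stand-ins (198.51.100.20 for Harlem's WAN, 203.0.113.10 for the Comcast modem in front of MainOffice); the LAN addressing, ACL numbers and names are as posted. Run as-is it reports one thing, which the post itself states: MainOffice's crypto-map interface is 10.10.10.2, so Cisco1 is peering with the modem's address and the modem has to keep forwarding UDP/500, UDP/4500 and ESP to 10.10.10.2 for the tunnel to stay up.

```python
import ipaddress
import re
# Constructed, abbreviated excerpts of the two configs in the post. The masked public
# addresses are RFC 5737 stand-ins (198.51.100.20 = Harlem's WAN, 203.0.113.10 = the
# Comcast modem in front of MainOffice); LAN addressing, ACL numbers and names are as posted.
HARLEM = """\
hostname Harlem
crypto isakmp key SECRET address 203.0.113.10
crypto isakmp keepalive 60 3 periodic
crypto map dynmap 10 ipsec-isakmp
 set peer 203.0.113.10
 match address 101
interface FastEthernet4
 ip address 198.51.100.20 255.255.255.0
 crypto map dynmap
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 175
"""
MAINOFFICE = """\
hostname MainOffice
crypto isakmp key SECRET address 198.51.100.20
crypto isakmp keepalive 60 3 periodic
crypto map dynmap 10 ipsec-isakmp
 set peer 198.51.100.20
 match address 101
interface FastEthernet4
 ip address 10.10.10.2 255.255.255.0
 crypto map dynmap
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map nonat permit 10
 match ip address 175
"""

def _pop_addr(toks):
    """Consume one ACL address term ('any' or 'A wildcard'); return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(toks[1])))
    return ipaddress.IPv4Network(f"{toks[0]}/{mask}", strict=False), toks[2:]

def parse(cfg):
    """Pull the tunnel-relevant pieces out of one running-config."""
    c = dict(hostname=None, key_addr=None, keepalive=False, peer=None,
             crypto_acl=None, nat_rm=None, outside_ip=None, acl={}, rm_acl={})
    iface_ip = rm = None
    for s in (ln.strip() for ln in cfg.splitlines()):
        if m := re.match(r"hostname (\S+)", s):
            c["hostname"] = m[1]
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", s):
            c["key_addr"] = m[1]  # the PSK is bound to this peer address
        elif s.startswith("crypto isakmp keepalive "):
            c["keepalive"] = True  # DPD on
        elif m := re.match(r"set peer (\S+)", s):
            c["peer"] = m[1]
        elif m := re.match(r"match address (\S+)", s):
            c["crypto_acl"] = m[1]
        elif m := re.match(r"ip address (\S+) ", s):
            iface_ip = m[1]
        elif s.startswith("crypto map ") and iface_ip:  # map applied under an interface
            c["outside_ip"] = iface_ip
        elif m := re.match(r"ip nat inside source route-map (\S+) ", s):
            c["nat_rm"] = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.+)", s):
            src, rest = _pop_addr(m[3].split())
            dst, _ = _pop_addr(rest)
            c["acl"].setdefault(m[1], []).append((m[2], src, dst))
        elif m := re.match(r"route-map (\S+) permit", s):
            rm = m[1]
        elif m := re.match(r"match ip address (\S+)", s):
            c["rm_acl"][rm] = m[1]
    return c

def check_pair(a, b):
    """Findings for the two ends; an empty list means they mirror each other."""
    out = []
    for x, y in ((a, b), (b, a)):
        me, other = x["hostname"], y["hostname"]
        if x["key_addr"] != x["peer"]:
            out.append(f"{me}: PSK bound to {x['key_addr']} but crypto map peers with {x['peer']}")
        if not x["keepalive"]:
            out.append(f"{me}: no 'crypto isakmp keepalive' (DPD), a dead peer is never noticed")
        flows = [(s, d) for act, s, d in x["acl"].get(x["crypto_acl"], []) if act == "permit"]
        mirror = [(s, d) for act, s, d in y["acl"].get(y["crypto_acl"], []) if act == "permit"]
        exempt = [(s, d) for act, s, d in x["acl"].get(x["rm_acl"].get(x["nat_rm"]), []) if act == "deny"]
        for src, dst in flows:
            if (dst, src) not in mirror:
                out.append(f"{me}: crypto ACL entry {src} -> {dst} has no mirror on {other}")
            if (src, dst) not in exempt:
                out.append(f"{me}: {src} -> {dst} is PATed to the WAN address before the crypto map sees it")
        if x["peer"] != y["outside_ip"]:
            out.append(f"{me} peers with {x['peer']} but {other}'s crypto-map interface is {y['outside_ip']}: "
                       f"{other} sits behind NAT, so UDP/500, UDP/4500 (NAT-T) and ESP must be forwarded to it")
    return out
```

`check_pair(parse(HARLEM), parse(MAINOFFICE))` returns the findings as plain strings. To run it against a real `show running-config`, redact the value on the `crypto isakmp key` line first; the parser only needs the address on that line, never the key itself.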

1 Reply

rohaverm
Level 1

Take the debugs (debug cry isakmp & debug cry ipsec) and check which side is initiating the teardown of the tunnel. You can configure syslog to capture the debugs.

Once we have the debugs from the time of the issue, it will be easier to proceed further.
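Both posted configs already ship debug-level logging to the same syslog host (`logging trap debugging` plus a `logging 66.103.31.x` line) and take time from the same NTP servers, so once `debug crypto isakmp` is enabled on both routers a single syslog capture holds both sides of the teardown with comparable timestamps. The script below is an added example, not from the thread and not from Cisco: it reads such a capture and names the side whose ISAKMP decided to delete the SA. The sample lines are constructed; the `<timestamp> <hostname>: <message>` layout is an assumed collector format and the ISAKMP messages are modelled on IOS `debug crypto isakmp` output, so adjust `LINE_RE` and the reason strings to what the real capture contains (198.51.100.20 stands in for the masked Harlem WAN address). The rule it applies is the one the reply is asking you to work out by eye: a `deleting SA` whose reason is a delete notify received from the peer marks the follower, so the earliest delete with a local reason (retransmission timeout, DPD) marks the initiator.

```python
import re
from datetime import datetime

# Constructed sample capture. '<timestamp> <hostname>: <message>' is an assumed
# collector layout and the messages are modelled on IOS 'debug crypto isakmp'
# output; adjust LINE_RE and the reason strings to what your own syslog shows.
# 198.51.100.20 stands in for the masked Harlem WAN address.
SAMPLE = """\
Nov 14 13:02:10.113 MainOffice: ISAKMP:(2001):sending DPD/R_U_THERE to peer 198.51.100.20
Nov 14 13:02:20.118 MainOffice: ISAKMP:(2001):incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Nov 14 13:02:30.121 MainOffice: ISAKMP:(2001):incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Nov 14 13:02:40.125 MainOffice: ISAKMP:(2001):incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
Nov 14 13:02:45.502 MainOffice: ISAKMP:(2001):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE
Nov 14 13:02:45.510 MainOffice: ISAKMP:(2001):sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 14 13:02:45.531 Harlem: ISAKMP:(2001):Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
Nov 14 13:02:45.533 Harlem: ISAKMP:(2001):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) (\S+): (.*)$")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
LIVENESS_RE = re.compile(r"attempt \d+ of \d+: retransmit|DPD/R_U_THERE")


def parse_syslog(text):
    """(timestamp, host, message) tuples, oldest first; year-less stamps are fine for deltas."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            events.append((datetime.strptime(m[1], "%b %d %H:%M:%S.%f"), m[2], m[3]))
    return sorted(events)


def teardown_initiator(text):
    """Name the side whose ISAKMP decided to delete the SA, and what drove it."""
    events = parse_syslog(text)
    hosts = sorted({h for _, h, _ in events})
    deletes = [(ts, h, DELETE_RE.search(msg)[1]) for ts, h, msg in events if DELETE_RE.search(msg)]
    if not deletes:
        return {"initiator": None, "reason": "no 'deleting SA' lines in capture"}
    # A reason marked '(in)' is a delete notify received from the peer: that side
    # only followed. The earliest delete that is not inbound is the decision.
    local = [d for d in deletes if "(in)" not in d[2]]
    first = local[0] if local else deletes[0]
    if local:
        initiator = first[1]
    else:  # only the receiving side was captured; the initiator is the other peer
        initiator = next((h for h in hosts if h != first[1]), "peer not in capture")
    liveness = {h: sum(1 for _, hh, msg in events if hh == h and LIVENESS_RE.search(msg)) for h in hosts}
    delay = next((round((ts - first[0]).total_seconds() * 1000) for ts, h, _ in deletes if h != first[1]), None)
    return {"initiator": initiator, "reason": first[2], "at": first[0].strftime("%H:%M:%S.%f")[:-3],
            "liveness_lines": liveness, "peer_delete_after_ms": delay}


if __name__ == "__main__":
    print(teardown_initiator(SAMPLE))
```

In the constructed sample the side behind the modem, MainOffice, gives up after its retransmissions and Harlem only learns of it from the delete notify 31 ms later; whether that is what happens here is exactly what the real capture has to show. Collect from the syslog host rather than from `show logging`: Harlem's `logging buffered 4096` holds only a few seconds of ISAKMP debug output.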