DPD problem with 837 router.

ilyaskhan
Level 1

Hi, I implemented a project about a week back, the scenario for which went something like this: a head office site where a PIX515E is installed having a static public IP on its outside interface, and three remote sites, each having a connection to the internet through 837 ADSL routers with a dynamic public IP. I configured the firewall and the routers for EzVPN (the router is configured in client mode) and the VPN tunnel comes up and works fine. Of course, when there is no interesting traffic going through the tunnel and the idle timer on the PIX expires, the tunnel goes down. That's also fine. The problem is that once the tunnel goes down, it doesn't come up again automatically when interesting traffic goes through the router (which it is supposed to). I used the console and ran debug on one of the routers and noticed that once the tunnel goes down and the router tries to bring it up again, it gives the message:

"Key pair for this "XXX.XX.XX.XX/XX" mask already exists". Then when I give the command "clear crypto isakmp sa", the tunnel comes up immediately. One of my friends said it has something to do with the Dead Peer Detection system on the PIX and the router. Can someone please help with this?

Also, if you can answer two additional questions:

1) In the current scenario, PCs at the remote site can access PCs at the head office by private IP. Is there a way that the PCs at the head office can access the devices at the remote office by private IP? Please note that I can only run EzVPN in client mode and not network extension mode, because PAT cannot be disabled due to the dynamic ADSL public IP.

2) Is it possible, and if yes, what would I need to do to let PCs at one remote office connect to PCs at another remote office by private IP? Can I put a router at the head office and route the traffic between remote offices through the head office via the VPN tunnels?

d-garnett
Level 3

I have run into your same issues and I am in the same boat.....

You need at least 12.3(7)T for Dead Peer Detection to work and send keepalives at the interval that you desire.

crypto isakmp keepalive [interval][secs til counted dead] periodic

i.e.,

crypto isakmp keepalive 15 5 periodic

Per Your Questions.........

"1) In the current scenario, PCs at the remote site can access PCs at the head office by private IP. Is there a way that the PCs at the head office can access the devices at the remote office by private IP? Please note that I can only run EzVPN in client mode and not network extension mode, because PAT cannot be disabled due to the dynamic ADSL public IP."

Yes, you need at least 12.3(11)T for NAT/PAT to be able to be configured in conjunction with EzVPN. But I cannot get this stuff to work correctly. I asked this question a few days ago and got no solution yet (here's my post, which includes the entire config: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd6d3ad ).

"2) Is it possible, and if yes, what would I need to do to let PCs at one remote office connect to PCs at another remote office by private IP? Can I put a router at the head office and route the traffic between remote offices through the head office via the VPN tunnels?"

What I do is (or at least tried to do)............

1) Allow (in an ACL) our headend site to hit the remote router's outside interface on certain ports

2) Redirect these ports to internal computers

In other words, I do nothing to the remote PCs. I just hit the remote router's public IP (DHCP) on whatever port I have redirected to an internal (remote) PC. If 12.3.4.5 is acquired through DHCP, then I try to hit 12.3.4.5 on port 33102.

This traffic does not go through the VPN Tunnel this is out of band (but the traffic we would send is AES encrypted anyway).

I need to do this in order for our Tech support staff to use PC Remote Control Software to log into remote PC's for troubleshooting purposes.

I cannot get this to work unless I constantly cut and paste the same NAT commands in over and over. Once the router reboots, it does not work right (although I save the config, "write memory", and the commands ARE present after the reboot). I am not sure if this is a bug or something that I am just not doing right, but it works until the router is rebooted.

also.......

if you are looking to send through IPSec to your remotes, check this out: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml
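To show where the keepalive command from the reply above sits in an 837 EzVPN client configuration, here is an added example (not from either poster's config). The EzVPN profile name HQ, group name REMOTE_GROUP, the pre-shared key placeholder and the peer address 203.0.113.1 are assumptions; the PIX-side `isakmp keepalive` line is assumed PIX 6.x syntax and is only shown because DPD must be enabled on both ends to be useful.

```cisco
! --- 837 router (EzVPN client) ---
! Send a DPD R-U-THERE every 15 s regardless of traffic ("periodic");
! if the PIX stops answering, retry every 5 s until the peer is counted dead.
! Without "periodic" the probes are only sent on demand, i.e. when the
! router has traffic to send and has not heard from the peer recently.
crypto isakmp keepalive 15 5 periodic
!
crypto ipsec client ezvpn HQ
 ! "connect auto" re-establishes the tunnel without waiting for traffic
 connect auto
 group REMOTE_GROUP key REPLACE_WITH_PRESHARED_KEY
 mode client
 peer 203.0.113.1
!
interface Ethernet0
 ! inside LAN, the side whose traffic is pushed into the tunnel
 crypto ipsec client ezvpn HQ inside
!
interface Dialer1
 ! ADSL side with the dynamic public IP; this is the outside interface
 crypto ipsec client ezvpn HQ
!
! --- PIX 515E (EzVPN server), assumed PIX 6.x syntax ---
! isakmp keepalive 15 5
!
! Verification after a peer is dropped and re-detected:
!   show crypto isakmp sa            (phase 1 SA should be QM_IDLE again)
!   show crypto ipsec client ezvpn   (state should show IPSEC ACTIVE)
```

When a stale phase 1 SA is still present after an idle timeout, the periodic probes let the router detect the dead peer and tear the old SA down itself, which is the condition that previously required a manual "clear crypto isakmp sa".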