10-12-2012 08:23 AM
I have couple of issues with my EasyVPN server and Cisco VPN Client on Win7.
1: VPN Client establishes the connection, traffic flow, destination network can be pinged. After a few minutes traffic stops passing the VPN. No ping to IP or DNS names can be made. In order to resole it. Users have to re-establish the VPN again. Occastioanl it stays and continue to work.
2: VPN Clients don't pick the same IP address from local address pool even though I specified "RECYLE" option in the IP local pool command.
I would apprecaite if someone look at my configuration and advise any mis-config or anything that needs to be corrected.
Thank you so much.
Configuration:
##############################################################################
TQI-WN-RT2911#sh run
Building configuration...
Current configuration : 7420 bytes
!
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TQI-WN-RT2911
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp remember
!
!
ip domain name telquestintl.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2562258950
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2562258950
revocation-check none
rsakeypair TP-self-signed-2562258950
!
!
crypto pki certificate chain TP-self-signed-2562258950
certificate self-signed 01
#########
quit
license udi pid CISCO2911/K9 sn ##############
!
!
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
delay down 10 up 20
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ############## address 173.161.255.###
255.255.255.240
!
crypto isakmp client configuration group EASY_VPN
key ##############
dns 10.10.0.241 10.0.0.241
domain domain.com
pool EZVPN-POOL
acl VPN+ENVYPTED_TRAFFIC
save-password
max-users 50
max-logins 10
netmask 255.255.255.0
crypto isakmp profile EASY_VPN_IKE_PROFILE1
match identity group EASY_VPN
client authentication list default
isakmp authorization list default
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EASY_VPN_IPSec_PROFILE1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile EASY_VPN_IKE_PROFILE1
!
!
crypto map VPN_TUNNEL 10 ipsec-isakmp
description ***TUNNEL-TO-FAIRFIELD***
set peer 173.161.255.241
set transform-set ESP-3DES-SHA
match address 105
!
!
!
!
!
interface Loopback1
ip address 10.10.30.1 255.255.255.0
!
interface Tunnel1
ip address 172.16.0.2 255.255.255.0
ip mtu 1420
tunnel source GigabitEthernet0/0
tunnel destination 173.161.255.241
tunnel path-mtu-discovery
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Optonline WAN secondary
ip address 108.58.179.### 255.255.255.248 secondary
ip address 108.58.179.### 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN_TUNNEL
!
interface GigabitEthernet0/1
description T1 WAN Link
ip address 64.7.17.### 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN
ip address 10.10.0.1 255.255.255.0 secondary
ip address 10.10.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
!
!
router eigrp 1
network 10.10.0.0 0.0.0.255
network 10.10.30.0 0.0.0.255
network 172.16.0.0 0.0.0.255
!
router odr
!
router bgp 100
bgp log-neighbor-changes
!
ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay
65535
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map OPTIMUM-ISP interface
GigabitEthernet0/0 overload
ip nat inside source route-map T1-ISP interface GigabitEthernet0/1
overload
ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25
extendable
ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80
extendable
ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443
extendable
ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389
extendable
ip nat inside source static tcp 10.10.0.17 12000 108.58.179.###
12000 extendable
ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80
extendable
ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443
extendable
ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389
extendable
ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
!
ip access-list extended VPN+ENVYPTED_TRAFFIC
permit ip 10.10.0.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
permit ip 10.10.30.0 0.0.0.255 any
!
ip sla 1
icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
threshold 100
timeout 200
frequency 3
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
access-list 105 permit gre host 108.58.179.### host 173.161.255.###
!
!
!
!
route-map T1-ISP permit 10
match ip address 100
match interface GigabitEthernet0/1
!
route-map OPTIMUM-ISP permit 10
match ip address 100
match interface GigabitEthernet0/0
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
TQI-WN-RT2911#
##############################################################################
10-13-2012 12:33 AM
Hello Shuja,
The configuration looks good to me. The 'recycle delay' feature only keep the ip address unallocated for the specified time period, To my knowledge we can not guarantee the assigment of the same IP with this feature.
Regarding the communicaion timeout issue, you can check the following things
1. While the is client connected to VPN, initiate a communincation to your internal network, and see whether you are getting
'decap' counter getting incremented in show 'crypto ipsec sa ' for that specific client IP
If the decap counter getting incremented, that says, the traffic is reaching your router and doing IP sec decryption but not properly processing after that due to some reason.
If the decap counter not increasing, you can do a reverse ping from the router to the client IP with source address of your LAN interface, then can notice 'encap' counter incresing but no decapsulations..
In that scenario, I would say the issue is local to the client and you may need to change the VPN client version and see
regards
Harish
10-16-2012 07:22 AM
Hi Harish,
Thank you for the respond. I will perform the troublshooting steps you provided next time I hear about the issue from my users and I will post the results.
Thank you for review my config though. It is good hear that I haven't miss configured anything here.
Thanks,
Shuja
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide