shuja.najmee
Beginner

EasyVPN Server (Router 2911) Cisco VPN client on Windows 7 - Traffic flow issue.

I have a couple of issues with my EasyVPN server and Cisco VPN Client on Win7.

1: The VPN Client establishes the connection, traffic flows, and the destination network can be pinged. After a few minutes traffic stops passing through the VPN. No ping to an IP or DNS name can be made. In order to resolve it, users have to re-establish the VPN again. Occasionally it stays up and continues to work.

2: VPN clients don't pick the same IP address from the local address pool even though I specified the "recycle" option in the ip local pool command.

I would appreciate it if someone could look at my configuration and advise on any misconfiguration or anything that needs to be corrected.

Thank you so much.

Configuration:

##############################################################################
TQI-WN-RT2911#sh run
Building configuration...

Current configuration : 7420 bytes
!
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TQI-WN-RT2911
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp remember
!
!
ip domain name telquestintl.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2562258950
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2562258950
 revocation-check none
 rsakeypair TP-self-signed-2562258950
!
!
crypto pki certificate chain TP-self-signed-2562258950
 certificate self-signed 01
  #########
        quit
license udi pid CISCO2911/K9 sn ##############
!
!
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
 delay down 10 up 20
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ############## address 173.161.255.### 255.255.255.240
!
crypto isakmp client configuration group EASY_VPN
 key ##############
 dns 10.10.0.241 10.0.0.241
 domain domain.com
 pool EZVPN-POOL
 acl VPN+ENVYPTED_TRAFFIC
 save-password
 max-users 50
 max-logins 10
 netmask 255.255.255.0
crypto isakmp profile EASY_VPN_IKE_PROFILE1
   match identity group EASY_VPN
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EASY_VPN_IPSec_PROFILE1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile EASY_VPN_IKE_PROFILE1
!
!
crypto map VPN_TUNNEL 10 ipsec-isakmp
 description ***TUNNEL-TO-FAIRFIELD***
 set peer 173.161.255.241
 set transform-set ESP-3DES-SHA
 match address 105
!
!
!
!
!
interface Loopback1
 ip address 10.10.30.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1420
 tunnel source GigabitEthernet0/0
 tunnel destination 173.161.255.241
 tunnel path-mtu-discovery
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Optonline  WAN secondary
 ip address 108.58.179.### 255.255.255.248 secondary
 ip address 108.58.179.### 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN_TUNNEL
!
interface GigabitEthernet0/1
 description T1 WAN Link
 ip address 64.7.17.### 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description LAN
 ip address 10.10.0.1 255.255.255.0 secondary
 ip address 10.10.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
!
!
router eigrp 1
 network 10.10.0.0 0.0.0.255
 network 10.10.30.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
!
router odr
!
router bgp 100
 bgp log-neighbor-changes
!
ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25 extendable
ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389 extendable
ip nat inside source static tcp 10.10.0.17 12000 108.58.179.### 12000 extendable
ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389 extendable
ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
!
ip access-list extended VPN+ENVYPTED_TRAFFIC
 permit ip 10.10.0.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.10.30.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
 threshold 100
 timeout 200
 frequency 3
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
access-list 105 permit gre host 108.58.179.### host 173.161.255.###
!
!
!
!
route-map T1-ISP permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map OPTIMUM-ISP permit 10
 match ip address 100
 match interface GigabitEthernet0/0
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

TQI-WN-RT2911#
##############################################################################

2 Replies
Harish Balakrishnan
Enthusiast

Hello Shuja,

The configuration looks good to me. The 'recycle delay' feature only keeps the IP address unallocated for the specified time period. To my knowledge we cannot guarantee the assignment of the same IP with this feature.

Regarding the communication timeout issue, you can check the following things:

1. While the client is connected to the VPN, initiate a communication to your internal network, and see whether the 'decap' counter is getting incremented in 'show crypto ipsec sa' for that specific client IP.

If the decap counter is getting incremented, that says the traffic is reaching your router and IPsec decryption is happening, but the traffic is not being processed properly after that for some reason.

If the decap counter is not increasing, you can do a reverse ping from the router to the client IP with the source address of your LAN interface; you will then notice the 'encap' counter increasing but no decapsulations.

In that scenario, I would say the issue is local to the client, and you may need to change the VPN client version and see.

regards

Harish
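The counter check Harish describes can be made repeatable by sampling `show crypto ipsec sa` twice and comparing the per-client `#pkts encaps` / `#pkts decaps` values. The script below is an added example, not code from this thread or from Cisco: the two snapshots are constructed sample output in the IOS format (client pool addresses taken from the poster's EZVPN-POOL range, public addresses replaced with documentation placeholders), and the `diagnose()` labels apply the decision rule from the reply above (both counters moving, decap only, encap only, or neither).

```python
import re
from typing import Dict, Tuple

# Constructed sample output (not captured from the poster's router): two
# snapshots of 'show crypto ipsec sa' for two EasyVPN clients, taken a few
# seconds apart while test traffic is generated. 192.0.2.1 and 198.51.100.x
# are documentation placeholders for the public addresses.
SNAPSHOT_BEFORE = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 192.0.2.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.30.51/255.255.255.255/0/0)
   current_peer 198.51.100.23 port 4500
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 950, #pkts decrypt: 950, #pkts verify: 950

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 192.0.2.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.30.52/255.255.255.255/0/0)
   current_peer 198.51.100.77 port 4500
    #pkts encaps: 300, #pkts encrypt: 300, #pkts digest: 300
    #pkts decaps: 280, #pkts decrypt: 280, #pkts verify: 280
"""

SNAPSHOT_AFTER = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 192.0.2.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.30.51/255.255.255.255/0/0)
   current_peer 198.51.100.23 port 4500
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1010, #pkts decrypt: 1010, #pkts verify: 1010

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 192.0.2.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.30.52/255.255.255.255/0/0)
   current_peer 198.51.100.77 port 4500
    #pkts encaps: 340, #pkts encrypt: 340, #pkts digest: 340
    #pkts decaps: 320, #pkts decrypt: 320, #pkts verify: 320
"""

# For an EasyVPN client the remote ident is the /32 pool address it received.
RE_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\d+\.\d+\.\d+\.\d+)/")
RE_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
RE_DECAPS = re.compile(r"#pkts decaps: (\d+)")


def parse_sa_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Return {client_pool_ip: (encaps, decaps)} for every SA in the output."""
    counters: Dict[str, list] = {}
    current = None
    for line in output.splitlines():
        m = RE_REMOTE.search(line)
        if m:                       # a new SA block starts here
            current = m.group(1)
            counters.setdefault(current, [0, 0])
            continue
        if current is None:
            continue                # header text before the first SA
        m = RE_ENCAPS.search(line)
        if m:
            counters[current][0] = int(m.group(1))
        m = RE_DECAPS.search(line)
        if m:
            counters[current][1] = int(m.group(1))
    return {ip: (v[0], v[1]) for ip, v in counters.items()}


EXPLANATION = {
    "bidirectional": "traffic flows both ways over the SA; look beyond IPsec (DNS, host firewall)",
    "decap-only": "client packets arrive and decrypt, but no return traffic is encrypted: "
                  "check routing/NAT/ACL for the pool subnet behind the tunnel",
    "encap-only": "router encrypts toward the client but nothing comes back: "
                  "the problem is on the path to the client or the client itself",
    "idle": "neither counter moved; generate test traffic and sample again",
    "no-sa": "no SA for that client in the second snapshot; the tunnel was torn down",
}


def diagnose(before_output: str, after_output: str, client_ip: str) -> str:
    """Classify one client's SA by which counters advanced between two snapshots."""
    before = parse_sa_counters(before_output)
    after = parse_sa_counters(after_output)
    if client_ip not in after or client_ip not in before:
        return "no-sa"
    e0, d0 = before[client_ip]
    e1, d1 = after[client_ip]
    encaps_up, decaps_up = e1 > e0, d1 > d0
    if encaps_up and decaps_up:
        return "bidirectional"
    if decaps_up:
        return "decap-only"
    if encaps_up:
        return "encap-only"
    return "idle"


if __name__ == "__main__":
    for client in ("10.10.30.51", "10.10.30.52", "10.10.30.99"):
        label = diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, client)
        print(f"{client}: {label} - {EXPLANATION[label]}")
```

In practice the two snapshots come from the router (for example over SSH a few seconds apart while the affected user pings an internal host); the "no-sa" result is worth watching for on this thread's symptom, since a client whose SA disappears between samples has lost the tunnel rather than having a forwarding problem behind it.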

Hi Harish,

Thank you for the response. I will perform the troubleshooting steps you provided the next time I hear about the issue from my users, and I will post the results.

Thank you for reviewing my config, though. It is good to hear that I haven't misconfigured anything here.

Thanks,

Shuja