I currently have many other VPN's actively working, and terminated on the server side router. 

I have many L2L tunnels, and RA connections.  I also have one other ezVPN connection, but it is from an ASA, not IOS.

If the server is handling fine other tunnels I don't think we're having a problem there...

What about the client? You mentioned the debugs won't say much, but can you include the messages when the problem happens?

You mentioned the client won't drop the tunnel (only the server)... this is strange...

Could you collect the errors/messages on both sides for this tunnel even if they don't show much?

Federico.

Thank you for the reply.

I now have the tunnel up, and it is functional.  Oddly enough, when I bring the tunnel up, internet traffic at the remote site ceases to work.  ONLY VPN traffic continues to work.

On the remote end, I do have an ACL for interesting traffic to initiate the SA.  I have an ACL on the server side which mirrors this.  It is only for one subnet.

Not too sure what could be causing the problem.

On the ezVPN client side, local-address refers to the internet facing interface, correct?

Local address on the client side should be the LAN on the client side (not on the server side).

If Internet is lost when VPN is established the problem is split-tunneling.

Check that the client reports under statistics and secured routes that it's encrypting traffic only for the intended subnet (as opposed to 0.0.0.0)

Federico.

Excellent recommendation!

What does the Local-address command do? I had it set to the internet facing interface.  I assumed it was local-address, as in, local peer address as opposed to local LAN address.

I won't be able to test until later - I'm waiting until they are gone for the day.

My ACL statement on the remote end is:

ip access-list extended VPN_OUT

permit ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255

Everything looks right, but I'm still unable to make any connections online.  Tunnel works fine.

interface: FastEthernet0/0

    Crypto map tag: FastEthernet0/0-head-0, local addr X.X.X.X

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

   current_peer X.X.X.X port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 124, #pkts encrypt: 124, #pkts digest: 124

    #pkts decaps: 114, #pkts decrypt: 114, #pkts verify: 114

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

It's like NAT just completely stops working for some reason.  I don't get it.  No NAT translations happen at all after starting the tunnel.

Can you paste the NAT configuration on the client side?

Federico.

ip nat inside source list NAT_TEST interface FastEthernet0/0 overload

!

ip access-list extended NAT_TEST

deny   ip 192.168.16.0 0.0.0.255 10.10.1.0 0.0.0.255

permit ip 192.168.16.0 0.0.0.255 any

Hi,

Could you post the complete output of "show crypto ipsec sa" from the client (without the sensitive information of course)?

Cheers,

Prapanch