Problems on IPSEC VPN after ADSL Modem changed. VPN Down

federicoaguirre
Level 1

Hi there, this is my setup:

 

[attached diagram: cisco.png]

A: Cisco CISCO2911/K9
B: Cisco 851 (MPC8272)

Router (A) => Internet => ADSL Modem => Router (B)

 

This is my configuration on both:

A:
########################## config.txt ##########################

crypto keyring vpn
pre-shared-key address 0.0.0.0 0.0.0.0 key qwerty

crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp nat keepalive 20

crypto isakmp profile l2lvpn
keyring vpn
match identity address 0.0.0.0

crypto ipsec transform-set vpnsts esp-3des esp-md5-hmac

crypto dynamic-map rtpmap 20
set transform-set vpnsts
set isakmp-profile l2lvpn
match address 150

crypto map rtp 5 ipsec-isakmp dynamic rtpmap

interface GigabitEthernet0/1
ip address 190.222.55.28 255.255.255.0
ip access-group WAN_IN in
ip nat outside
ip inspect SALIENTE_G1 out
ip virtual-reassembly in
duplex auto
 speed auto
crypto map rtp

access-list 150 permit ip 10.0.0.0 0.255.255.255 192.168.9.0 0.0.0.255

################################################################

B:
########################## config.txt ##########################

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key qwerty address 190.222.55.28

crypto ipsec transform-set antares esp-3des esp-md5-hmac

crypto map jupiter 10 ipsec-isakmp
set peer 190.222.55.28
set transform-set antares
match address 101

interface FastEthernet4
ip address dhcp (192.168.1.33)
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map jupiter

access-list 101 permit ip 192.168.9.0 0.0.0.255 host 10.0.0.10

################################################################

 

Problems started when my ISP changed my ADSL modem. At that point the VPN worked for 1 h and then went down, and we had to restart the ADSL modem and the Cisco to get it to come back up. We worked this way for a month; then yesterday the VPN went down again and never came back up.

 

Any idea?

Any help?

 

I'm attaching a couple of logs of debug called A.txt and B.txt, each one named as their router.

 

Any help would be appreciated.

 

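Before chasing the modem or the ISP it is worth confirming that the two configs can negotiate at all. The script below is an added example (it is not from this thread and not Cisco code): it parses excerpts of the two configs posted above, which are embedded here as constructed copies, and checks that at least one ISAKMP policy pair matches, that a transform set matches, and that the initiator's crypto ACL (B's 101) fits inside the mirror of the responder's ACL (A's 150). Lines that IOS omits from a policy are filled with the IOS defaults (des, sha, rsa-sig, group 1), which is why a policy with a missing `group` line would correctly fail to match.

```python
"""Added example (not from the thread or from Cisco): check two IOS IKEv1/IPsec
configs against each other for proposal and crypto-ACL compatibility."""
import ipaddress
import re

# Constructed excerpts of the configs posted above (A = the 2911, B = the 851).
CONFIG_A = """
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
crypto ipsec transform-set vpnsts esp-3des esp-md5-hmac
access-list 150 permit ip 10.0.0.0 0.255.255.255 192.168.9.0 0.0.0.255
"""
CONFIG_B = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key qwerty address 190.222.55.28
crypto ipsec transform-set antares esp-3des esp-md5-hmac
access-list 101 permit ip 192.168.9.0 0.0.0.255 host 10.0.0.10
"""

# Values IOS assumes for an isakmp policy when the line is not shown in the config.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def _acl_nets(tokens):
    """Convert 'host X', 'any' or 'addr wildcard' ACL tokens into ip_network objects."""
    nets, i = [], 0
    while i < len(tokens):
        if tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        elif tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:  # IOS wildcard masks are host masks, which ip_network accepts as-is
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"))
            i += 2
    return nets


def parse_ios(text):
    """Pull isakmp policies, transform sets and extended crypto ACLs out of an IOS config."""
    policies, tsets, acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = policies.setdefault(int(m[1]), dict(POLICY_DEFAULTS))
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m[1]] = frozenset(m[2].split())
        elif m := re.match(r"access-list (\d+) permit ip (.+)$", line):
            src, dst = _acl_nets(m[2].split())
            acls.setdefault(int(m[1]), []).append((src, dst))
        elif current is not None and line.split()[0] in POLICY_DEFAULTS:
            key, _, value = line.partition(" ")
            current[key] = value
            continue
        current = None  # any other top-level line ends the policy block
    return {"policies": policies, "transform_sets": tsets, "acls": acls}


def compare(a, b, a_acl, b_acl):
    """Checks the pair must pass: a matching phase-1 policy, a matching transform set,
    and the initiator's (B's) crypto ACL fitting inside the mirror of the responder's (A's)."""
    policy_pairs = [(i, j) for i, pa in a["policies"].items()
                    for j, pb in b["policies"].items() if pa == pb]
    tset_pairs = [(x, y) for x, tx in a["transform_sets"].items()
                  for y, ty in b["transform_sets"].items() if tx == ty]
    mirrored = all(
        any(bs.subnet_of(ad) and bd.subnet_of(as_) for as_, ad in a["acls"].get(a_acl, []))
        for bs, bd in b["acls"].get(b_acl, []))
    return {"isakmp_policy_pairs": policy_pairs, "transform_set_pairs": tset_pairs,
            "crypto_acl_mirrored": mirrored}


def check_pair(config_a, config_b, a_acl=150, b_acl=101):
    """Run all compatibility checks on two raw config texts."""
    return compare(parse_ios(config_a), parse_ios(config_b), a_acl, b_acl)


if __name__ == "__main__":
    print("as posted:", check_pair(CONFIG_A, CONFIG_B))
    # Same configs, but B moved to DH group 5: phase 1 would have nothing to agree on.
    print("B with group 5:", check_pair(CONFIG_A, CONFIG_B.replace("group 2", "group 5")))
```

The configs as posted pass all three checks, so a proposal mismatch can be ruled out and the remaining suspects are on the path between the routers (UDP 500/4500 reachability through the modem, ESP handling, NAT-T keepalives). Note that A's ACL being broader (10.0.0.0/8) than B's single host is fine on the dynamic-map side; the check only requires B's proxy IDs to fit inside A's.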

5 Replies

Deepak Kumar
VIP Alumni

Hi,

I found some log lines which indicate packet drops in between, at the modem or in the ISP network.

Mar 28 17:25:14.751: ISAKMP:(7177): phase 1 packet is a duplicate of a previous packet.
Mar 28 17:25:14.751: ISAKMP:(7177): retransmitting due to retransmit phase 1
Mar 28 17:25:15.251: ISAKMP:(7177): retransmitting phase 1 QM_IDLE      ...
Mar 28 17:25:15.251: ISAKMP (7177): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 28 17:25:15.251: ISAKMP:(7177): retransmitting phase 1 QM_IDLE
Mar 28 17:25:15.251: ISAKMP:(7177): sending packet to 190.48.28.75 my_port 4500 peer_port 4500 (R) QM_IDLE
ssra-ar-buenosaires-01-e-01#
Mar 28 17:25:15.251: ISAKMP:(7177):Sending an IKE IPv4 Packet.
ssra-ar-buenosaires-01-e-01#
Mar 28 17:25:20.703: ISAKMP:(1789):purging node -2023569880

-----------------------------
Mar 27 23:58:36.754: ISAKMP:(2853): retransmitting phase 1 MM_KEY_EXCH...
*Mar 27 23:58:36.754: ISAKMP:(2853):peer does not do paranoid keepalives.
*Mar 27 23:58:36.754: ISAKMP:(2853):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 190.222.55.28)
*Mar 27 23:58:36.758: ISAKMP:(2853):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 190.222.55.28)
*Mar 27 23:58:36.758: ISAKMP: Unlocking peer struct 0x82E6EBF0 for isadb_mark_sa_deleted(), count 0
*Mar 27 23:58:36.758: ISAKMP: Deleting peer node by peer_reap for 190.222.55.28: 82E6EBF0
*Mar 27 23:58:36.758: ISAKMP:(2853):deleting node -606795749 error FALSE reason "IKE deleted"

Please check some settings on the modem as:

1. Port 50,4500 (UDP) port forwarded correctly. 

2. VPN bypass (Protocol 50) option is selected in the Modem Firewall.

3. Check with Disable modem firewall (if enabled).

4. There are no packet drops from the ISP side.

 

Regards,

Deepak Kumar

 

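Reading `debug crypto isakmp` output by eye gets hard once several SAs interleave. The script below is an added example (not from the thread and not Cisco code): it parses debug lines of the form quoted above, groups them by SA id, and reports per SA the retransmit count, the "attempt N of M" error counter, the last phase-1/phase-2 state seen, the peer, the role (I/R) and the teardown reason. The sample lines are constructed from the excerpts in this reply.

```python
"""Added example (not from the thread or from Cisco): summarise IOS
'debug crypto isakmp' output per SA so the stalled state is obvious."""
import re
from collections import defaultdict

# Constructed sample, modelled on the debug excerpts quoted in the thread.
SAMPLE_DEBUG = """\
Mar 28 17:25:14.751: ISAKMP:(7177): phase 1 packet is a duplicate of a previous packet.
Mar 28 17:25:14.751: ISAKMP:(7177): retransmitting due to retransmit phase 1
Mar 28 17:25:15.251: ISAKMP:(7177): retransmitting phase 1 QM_IDLE      ...
Mar 28 17:25:15.251: ISAKMP (7177): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 28 17:25:15.251: ISAKMP:(7177): retransmitting phase 1 QM_IDLE
Mar 28 17:25:15.251: ISAKMP:(7177): sending packet to 190.48.28.75 my_port 4500 peer_port 4500 (R) QM_IDLE
ssra-ar-buenosaires-01-e-01#
Mar 28 17:25:20.703: ISAKMP:(1789):purging node -2023569880
*Mar 27 23:58:36.754: ISAKMP:(2853): retransmitting phase 1 MM_KEY_EXCH...
*Mar 27 23:58:36.754: ISAKMP:(2853):peer does not do paranoid keepalives.
*Mar 27 23:58:36.754: ISAKMP:(2853):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 190.222.55.28)
*Mar 27 23:58:36.758: ISAKMP:(2853):deleting node -606795749 error FALSE reason "IKE deleted"
"""

# Timestamp, optional leading '*', 'ISAKMP:(id):' or 'ISAKMP (id):', then the message.
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ISAKMP:? ?\((?P<sa>\d+)\):? ?(?P<msg>.*)$")
STATE_RE = re.compile(r"\b((?:MM|AG|QM)_[A-Z0-9_]+)\b")      # MM_KEY_EXCH, QM_IDLE, ...
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+)")
PEER_RE = re.compile(r"(?:peer|sending packet to) (\d+\.\d+\.\d+\.\d+)")
ROLE_RE = re.compile(r"\((I|R)\)")                              # initiator / responder
REASON_RE = re.compile(r'deleting SA reason "([^"]+)"')


def _new_record():
    return {"retransmits": 0, "max_attempt": 0, "attempts_allowed": None, "states": [],
            "peer": None, "role": None, "death_reason": None, "first": None, "last": None}


def parse_isakmp_debug(text):
    """Group debug lines by SA id and collect what happened to each SA."""
    sas = defaultdict(_new_record)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts and non-ISAKMP lines
        rec, msg = sas[m["sa"]], m["msg"]
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        if "retransmitting" in msg:
            rec["retransmits"] += 1
        if a := ATTEMPT_RE.search(msg):
            rec["max_attempt"] = max(rec["max_attempt"], int(a[1]))
            rec["attempts_allowed"] = int(a[2])
        for state in STATE_RE.findall(msg):
            if not rec["states"] or rec["states"][-1] != state:
                rec["states"].append(state)
        if p := PEER_RE.search(msg):
            rec["peer"] = p[1]
        if r := ROLE_RE.search(msg):
            rec["role"] = "initiator" if r[1] == "I" else "responder"
        if d := REASON_RE.search(msg):
            rec["death_reason"] = d[1]
    return dict(sas)


def assess(sas):
    """One human-readable finding per SA that retransmitted or was torn down."""
    findings = []
    for sa_id, rec in sorted(sas.items()):
        state = rec["states"][-1] if rec["states"] else "unknown state"
        if rec["death_reason"]:
            phase = "phase 1" if rec["death_reason"].endswith("P1") else "phase 2"
            findings.append(f"SA {sa_id} ({rec['role']}, peer {rec['peer']}): torn down with "
                            f"'{rec['death_reason']}' in {state}; {phase} got no answers "
                            f"after {rec['retransmits']} retransmit(s)")
        elif rec["retransmits"]:
            findings.append(f"SA {sa_id} ({rec['role']}, peer {rec['peer']}): {rec['retransmits']} "
                            f"retransmit(s) in {state}, error counter {rec['max_attempt']} of "
                            f"{rec['attempts_allowed']}")
    return findings


if __name__ == "__main__":
    for line in assess(parse_isakmp_debug(SAMPLE_DEBUG)):
        print(line)
```

On the sample it reports SA 2853 (initiator, peer 190.222.55.28) torn down by "Death by retransmission P1" in MM_KEY_EXCH, i.e. B had completed MM1 to MM4, sent its MM5 and never received MM6, and SA 7177 on the other side retransmitting in QM_IDLE with the error counter at 1 of 5. Because the two excerpts carry different dates, the script deliberately keeps the first and last timestamp per SA, which is the quickest way to notice that two captures do not overlap in time.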

Hi Deepak, thanks a lot for your quick response and help.

Quick question about mentioned steps:
1 - Port 50,4500 (UDP) port forwarded correctly. => Could it be 500 and 4500 instead of 50 / 4500? - Yes, both 500 and 4500 are forwarded to the router.
3 - I can't do it; the modem doesn't allow disabling the FW.
4 - I don't understand what you mean.

Thanks,
FA

Hi, Your debug from B-2 indicates ISAKMP MM1 - MM4 were completed successfully, and the retransmissions occur on MM_KEY_EXCH. This would indicate there was connectivity between the 2 routers during this negotiation.

 

Unfortunately the logs you provided from the other router are not from the same time period; logs from the same period would confirm a) whether there was connectivity and b) provide more information on the potential cause.

 

Please can you provide debugs from both routers at the exact time you try to replicate the issue?

 

Is the VPN currently down?

Can you confirm that nothing changed on either of the routers?

Hi,

Thanks for correcting me. It was a typo and the correct port is UDP 500.

 

Option 4:

I am not sure why your modem is not allowing you to disable the FW. Is this modem provided by the ISP? If yes, then ask the ISP to disable the FW. Maybe you are not a "SUPER ADMIN".

Point 5: 

Maybe your ISP is blocking VPN on your connection. Check with the ISP if required.

 

Is it possible to configure this modem in the Bridge mode? Try with Bridge mode so you will get public IP on the router. 

 

Regards,

Deepak Kumar

 


Hi there, the problem is currently there. I've noted the following:

 

In my Interface FastEthernet 4 I have:

 

ip nat outside => because this is the router that handles Internet requests.

 

With this option, Internet works fine and VPN works for a couple of minutes....

If I remove this option:

 

no ip nat outside

 

The VPN works forever, but users couldn't browse any page!