
Strange VPN Issue.. (urgent help please)

dparussalla
Level 1

Hi All,

I have a site running 1841 as a central site and 2x 877 as remote sites.

My problem is that the VPN runs without an issue for a random time (sometimes 18 hrs). Then suddenly no traffic flows from the remote offices to Melbourne; it goes like that for about 1 hr, then traffic starts going again.

During this time I can see the peers active via "show crypto isakmp sa" and "show crypto ipsec sa", but ping traffic doesn't go through.

I tried debugging the access list associated with the VPN (debug ip packet 136). From the 877 router I can see traffic passed to the dialer interface, but debug ip packet doesn't show anything on the 1841 side.

Here is the config for 1841:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxx address 203.xx.xx.xx
crypto isakmp key xxxxxxxxxxxxxxxx address 203.xx.xx.xx
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set miles esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set miles
 set isakmp-profile VPNclient
 reverse-route
!
crypto map milesvic 2 ipsec-isakmp
 description Link to Sydney
 set peer 203.xx.xx.xx
 set transform-set miles
 match address 136
crypto map milesvic 3 ipsec-isakmp
 description Link to Adelaide
 set peer 203.xx.xx.xx
 set transform-set miles
 match address 137
crypto map milesvic 18 ipsec-isakmp dynamic dynmap
!
interface Dialer1
 crypto map milesvic
!
ip nat source static tcp 192.168.50.2 3389 interface Dialer1 3389
ip nat source static tcp 192.168.50.100 22 interface Dialer1 22
ip nat inside source list 101 interface Dialer1 overload
!
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.48.0 0.0.15.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 108 permit ip 192.168.48.0 0.0.15.255 any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 111 deny tcp any any established
access-list 111 permit tcp any any
access-list 112 deny tcp any any eq telnet
access-list 112 permit tcp any any eq 22
access-list 112 permit tcp any any eq 2022
access-list 120 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 120 permit ip 192.168.52.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 122 permit esp any any
access-list 136 permit ip 192.168.49.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 136 permit ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 137 permit ip 192.168.49.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 137 permit ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.25
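The classic cause of "SAs up, peers active, but no traffic" on a crypto-map router is a NAT ACL that translates the tunnel traffic before the crypto map sees it, since on IOS inside-to-outside NAT runs ahead of the crypto map match. The posted config already carries the `deny` entry in access-list 101 that exempts the 192.168.48.0/20 range, so that check comes back clean here, but it is worth running on every crypto-map box. The following is an added example, not code from the original post or from Cisco: a small Python checker that parses IOS-style `access-list`, `ip nat inside source list` and `match address` lines and reports any crypto-ACL flow that a NAT overload ACL would permit without an earlier deny covering it. The sample configs are constructed (modelled on the posted ACL numbers; `203.0.113.1` is a documentation placeholder, not the poster's peer), and the check deliberately ignores layer-4 ports.

```python
"""Flag crypto-ACL traffic that a NAT overload ACL would translate (missing NAT exemption)."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
PORT_OPS = {"eq", "gt", "lt", "neq"}


class AclEntry(NamedTuple):
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "icmp", ...
    src: Net
    dst: Net


class Config(NamedTuple):
    acls: Dict[str, List[AclEntry]]
    nat_acls: Set[str]     # ACL numbers referenced by "ip nat inside source list"
    crypto_acls: Set[str]  # ACL numbers referenced by "match address"
    warnings: List[str]    # lines the parser could not interpret


def wildcard_network(addr: str, wildcard: str) -> Net:
    """IOS wildcard -> network. A non-contiguous wildcard (e.g. 0.0.0.25) yields an
    invalid netmask and ipaddress raises ValueError, which parse_config reports."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_addr(tok: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address spec (any | host X | X WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    return wildcard_network(tok[i], tok[i + 1]), i + 2


def skip_ports(tok: List[str], i: int) -> int:
    """Step over port operators (eq 22, range 1 1024) between source and destination."""
    while i < len(tok):
        if tok[i] in PORT_OPS:
            i += 2
        elif tok[i] == "range":
            i += 3
        else:
            break
    return i


def parse_config(text: str) -> Config:
    acls: Dict[str, List[AclEntry]] = {}
    nat_acls: Set[str] = set()
    crypto_acls: Set[str] = set()
    warnings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "access-list" and len(tok) >= 5:
            try:
                src, i = parse_addr(tok, 4)
                i = skip_ports(tok, i)
                dst, _ = parse_addr(tok, i)
            except (ValueError, IndexError) as exc:
                warnings.append(f"cannot parse {line!r}: {exc}")
                continue
            acls.setdefault(tok[1], []).append(AclEntry(tok[2], tok[3], src, dst))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"] and len(tok) >= 6:
            nat_acls.add(tok[5])
        elif tok[:2] == ["match", "address"] and len(tok) >= 3:
            crypto_acls.add(tok[2])
    return Config(acls, nat_acls, crypto_acls, warnings)


def intersect(a: Net, b: Net) -> Optional[Net]:
    """Overlap of two CIDR blocks; prefixes either nest or are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def find_nat_leaks(cfg: Config) -> List[str]:
    """Crypto-ACL flows that a NAT ACL permits with no single earlier deny covering
    the overlap. Conservative: may over-report when several denies jointly cover it."""
    findings = []
    for cacl in sorted(cfg.crypto_acls):
        for ce in cfg.acls.get(cacl, []):
            if ce.action != "permit":
                continue
            for nacl in sorted(cfg.nat_acls):
                entries = cfg.acls.get(nacl, [])
                for idx, ne in enumerate(entries):
                    if ne.action != "permit":
                        continue
                    if "ip" not in (ce.proto, ne.proto) and ce.proto != ne.proto:
                        continue
                    s, d = intersect(ce.src, ne.src), intersect(ce.dst, ne.dst)
                    if s is None or d is None:
                        continue
                    exempt = any(e.action == "deny" and s.subnet_of(e.src) and d.subnet_of(e.dst)
                                 for e in entries[:idx])
                    if not exempt:
                        findings.append(f"acl {cacl}: {s} -> {d} is translated by NAT acl {nacl} "
                                        f"(no earlier deny covers it)")
    return findings


# Constructed sample, modelled on the posted 1841 config (peer is a documentation address).
GOOD = """
crypto map milesvic 2 ipsec-isakmp
 set peer 203.0.113.1
 match address 136
ip nat inside source list 101 interface Dialer1 overload
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.48.0 0.0.15.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 136 permit ip 192.168.49.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 136 permit ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
"""
# Same constructed config with the NAT exemption line removed: the tunnel subnet gets NATed.
BAD = GOOD.replace("access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.48.0 0.0.15.255\n", "")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        cfg = parse_config(text)
        print(name, find_nat_leaks(cfg) or "no NAT leaks", cfg.warnings or "")
```

Feed it the running config (`show running-config | include access-list|ip nat|match address`) and treat any finding as a flow that will leave the Dialer with the NAT address instead of entering the tunnel; parser warnings point at ACL lines with odd wildcard masks that also deserve a look.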

1 Reply

bwalchez
Level 4

The issue may be due to the security association policies. To resolve this issue, clear the security association policies.