10-15-2006 05:28 PM - edited 02-21-2020 02:40 PM
Hi All,
I have a site running 1841 as a central site and 2x 877 as remote sites.
My problem is that the VPN runs without an issue for a random time (sometimes 18 hrs). Then suddenly no traffic flows from the remote offices to Melbourne; it goes like that for about 1 hr, then traffic starts going.
During this time I can see the peers active via crypto isa sa and crypto ipsec sa, but ping traffic doesn't go through.
I tried debugging the access list associated with the VPN (debug ip packet 136). From the 877 router I can see traffic passed to the dialer interface, but debug ip packet doesn't show anything on the 1841 side.
Here is the config for 1841:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxx address 203.xx.xx.xx
crypto isakmp key xxxxxxxxxxxxxxxx address 203.xx.xx.xx
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set miles esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set miles
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map milesvic 2 ipsec-isakmp
 description Link to Sydney
 set peer 203.xx.xx.xx
 set transform-set miles
 match address 136
crypto map milesvic 3 ipsec-isakmp
 description Link to Adelaide
 set peer 203.xx.xx.xx
 set transform-set miles
 match address 137
crypto map milesvic 18 ipsec-isakmp dynamic dynmap
interface Dialer1
 crypto map milesvic
ip nat source static tcp 192.168.50.2 3389 interface Dialer1 3389
ip nat source static tcp 192.168.50.100 22 interface Dialer1 22
ip nat inside source list 101 interface Dialer1 overload
access-list 101 deny ip 192.168.50.0 0.0.0.255 192.168.48.0 0.0.15.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 108 permit ip 192.168.48.0 0.0.15.255 any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 111 deny tcp any any established
access-list 111 permit tcp any any
access-list 112 deny tcp any any eq telnet
access-list 112 permit tcp any any eq 22
access-list 112 permit tcp any any eq 2022
access-list 120 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 120 permit ip 192.168.52.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 122 permit esp any any
access-list 136 permit ip 192.168.49.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 136 permit ip 192.168.50.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 137 permit ip 192.168.49.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 137 permit ip 192.168.50.0 0.0.0.255 192.168.52.0 0.0.0.25
10-20-2006 06:04 AM
The issue may be due to the security association policies. To resolve this issue, clear the security association policies.