05-20-2003 12:42 AM - edited 02-21-2020 12:33 PM
***** VPN connection suddenly disconnected *******
and never connected except booting
*********************************************************
After the C3662 booted up and worked for a few hours, IPSec between the C3662 and C1710 was suddenly disconnected.
After disconnecting, IPSec could never be connected again.
I tried the following steps, but the problem still happened.
-disable keepalive
-execute "no ip route-cache" on Center side interface (ATM1/0)
-replace HW
Any ideas?
Please help me!!
----------------------------------- Network Diagram ---------------------------------------
(Center Site) ATM(OC3) ADSL (Remote Site)
PC ----------- C3662 -------------------- Internet -------------------- C1710 ---------- PC
| <-------------------- GRE + IPSec ----------------------------------->
|
DMZ
Debug and Configurations here.
-----Center Router Debug when VPN disconnected(3662-AIM-VPN/HP) -----
<IOS=c3660-ik9o3s-mz.122-8.T8.bin>
Mar 6 19:27:00.491 JST: ISAKMP: received ke message (7/1)
Mar 6 19:27:00.491 JST: ISAKMP: DPD received kei with flags 0x20
Mar 6 19:27:00.491 JST: ISAKMP: Unlocking DPD struct 0x636836FC from crypto_ikmp_handle_kei_mess, count 1
Mar 6 19:27:00.491 JST: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Old State = IKE_DEST_SA New State = IKE_DEST_SA
Mar 6 19:27:00.491 JST: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_DEST_SA New State = IKE_DEST_SA
Mar 6 19:27:06.567 JST: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= ***********, remote= ***********,
local_proxy= ***********/255.255.255.255/47/0 (type=1),
remote_proxy= ***********/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xB17078F5(2976938229), conn_id= 0, keysize= 0, flags= 0x400C
Mar 6 19:27:06.567 JST: ISAKMP: received ke message (1/1)
Mar 6 19:27:06.567 JST: ISAKMP: local port 500, remote port 500
Mar 6 19:27:06.567 JST: ISAKMP (0:4): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Old State = IKE_READY New State = IKE_I_MM1
Mar 6 19:27:06.567 JST: ISAKMP (0:4): beginning Main Mode exchange
Mar 6 19:27:06.571 JST: ISAKMP (0:4): sending packet to *********** (I) MM_NO_STATE
Mar 6 19:27:16.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
Mar 6 19:27:16.571 JST: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
Mar 6 19:27:36.567 JST: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= ***********, remote= ***********,
local_proxy= ***********/255.255.255.255/47/0 (type=1),
remote_proxy= ***********/255.255.255.255/47/0 (type=1)
Mar 6 19:27:36.567 JST: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= ***********, remote= ***********,
local_proxy= ***********/255.255.255.255/47/0 (type=1),
remote_proxy= ***********/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x9FB846F7(2679654135), conn_id= 0, keysize= 0, flags= 0x400C
Mar 6 19:27:36.567 JST: ISAKMP: received ke message (1/1)
Mar 6 19:27:36.567 JST: ISAKMP (0:4): SA is still budding. Attached new ipsec request to it.
Mar 6 19:27:36.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
Mar 6 19:27:36.571 JST: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
Mar 6 19:27:36.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE
Mar 6 19:27:36.571 JST: ISAKMP (0:4): sending packet to *********** (I) MM_NO_STATE
Mar 6 19:27:46.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
Mar 6 19:27:46.571 JST: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
Mar 6 19:27:46.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE
Mar 6 19:27:46.571 JST: ISAKMP (0:4): sending packet to *********** (I) MM_NO_STATE
Mar 6 19:27:50.491 JST: ISAKMP (0:3): purging node 2110852343
Mar 6 19:27:56.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
Mar 6 19:27:56.571 JST: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
Mar 6 19:27:56.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE
Mar 6 19:27:56.571 JST: ISAKMP (0:4): sending packet to *********** (I) MM_NO_STATE
Mar 6 19:28:00.491 JST: ISAKMP (0:3): purging SA., sa=636CE404, delme=636CE404
Mar 6 19:28:00.491 JST: ISAKMP: Unlocking DPD struct 0x636836FC for declare_sa_dead(), count 0
----------- Center Router config highlight(3662-AIM-VPN/HP) ------------
IOS=c3660-ik9o3s-mz.122-8.T8.bin
--------------------------------------------------------------------------------------------
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
ip domain-name *****************
!
no ip bootp server
ip inspect name FW cuseeme
ip inspect name FW fragment maximum 256 timeout 1
ip inspect name FW ftp
ip inspect name FW h323
ip inspect name FW netshow
ip inspect name FW rcmd
ip inspect name FW realaudio
ip inspect name FW rtsp
ip inspect name FW smtp
ip inspect name FW sqlnet
ip inspect name FW streamworks
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW vdolive
ip inspect name FW http timeout 3600
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key *************** address <site B router address>
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set IPSec_set esp-3des esp-sha-hmac
!
crypto map VPN local-address ATM1/0.32
crypto map VPN 10 ipsec-isakmp
description *** VPN ***
set peer <site B router address>
set transform-set IPSec_set
match address 192
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
interface Tunnel0
ip address ***********************
ip mtu 1400
tunnel source ATM1/0.32
tunnel destination <site B router address>
crypto map VPN
!
interface FastEthernet0/0
description *** LAN ***
ip address ***********************
ip access-group 111 in
ip access-group 112 out
ip nat inside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description *** DMZ ***
ip address ***********************
ip access-group 121 in
ip access-group 122 out
duplex auto
speed auto
no cdp enable
!
interface ATM1/0
no ip address
no ip route-cache
no ip mroute-cache
no atm scrambling cell-payload
atm sonet stm-1
no atm ilmi-keepalive
!
interface ATM1/0.32 point-to-point
description *** INTERNET ***
ip address <site A router address>
ip access-group 101 in
ip access-group 102 out
ip nat outside
ip inspect FW out
no ip route-cache
no ip mroute-cache
pvc 0/32
protocol ip *********** broadcast
vbr-nrt 10000 5000
oam-pvc manage
encapsulation aal5snap
!
crypto map VPN
!
ip nat pool PAT_POOL ***************** netmask ***************
ip nat inside source route-map PAT pool PAT_POOL overload
ip nat inside source static **************************
ip classless
ip route ********************************
ip http server
ip pim bidir-enable
!
access-list *****************************
no cdp run
!
route-map PAT permit 10
match ip address 191
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
end
-----------------------------------------------------------------
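One way to read the Center router debug above, as an added example that is not part of the original post: a short Python script tallies, per ISAKMP SA, the packets sent, the replies logged and the phase 1 retransmits, then lists SAs that sent Main Mode packets and never logged a reply. The sample lines are constructed from the format in the post; the `received packet from` wording is an assumption about this debug's output, since no such line occurs in the posted log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the posted debug (peer address masked the same way).
SAMPLE = """\
Mar 6 19:27:06.567 JST: ISAKMP: received ke message (1/1)
Mar 6 19:27:06.567 JST: ISAKMP (0:4): beginning Main Mode exchange
Mar 6 19:27:06.571 JST: ISAKMP (0:4): sending packet to *********** (I) MM_NO_STATE
Mar 6 19:27:16.571 JST: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
Mar 6 19:27:16.571 JST: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
Mar 6 19:27:36.571 JST: ISAKMP (0:4): sending packet to *********** (I) MM_NO_STATE
Mar 6 19:28:00.491 JST: ISAKMP (0:3): purging SA., sa=636CE404, delme=636CE404
"""

# Matches per-SA lines such as "ISAKMP (0:4): ..."; "ISAKMP: received ke message"
# is an internal key-engine message, not a packet from the peer, and is skipped.
LINE = re.compile(r"ISAKMP \((\d+):(\d+)\): (.*)$")

def summarize(debug_text):
    """Per ISAKMP SA id: packets sent, replies logged, retransmits, last state."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0,
                                 "retransmits": 0, "state": None})
    for line in debug_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        sa, msg = int(m.group(2)), m.group(3)
        s = stats[sa]
        if msg.startswith("sending packet to"):
            s["sent"] += 1
            s["state"] = msg.split()[-1]
        elif msg.startswith("received packet from"):  # assumed wording, see lead-in
            s["received"] += 1
            s["state"] = msg.split()[-1]
        elif msg.startswith("incrementing error counter") and "retransmit" in msg:
            s["retransmits"] += 1
    return dict(stats)

def unanswered_initiators(stats):
    """SA ids that sent packets, retransmitted, and stayed in MM_NO_STATE with no reply."""
    return sorted(sa for sa, s in stats.items()
                  if s["sent"] and s["retransmits"] and not s["received"]
                  and s["state"] == "MM_NO_STATE")

if __name__ == "__main__":
    print(unanswered_initiators(summarize(SAMPLE)))
```

An SA listed by `unanswered_initiators` sent its first Main Mode message and logged nothing coming back, so the next things to compare are the remote router's own debug for the same time window and the path between the two peers.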
06-02-2003 06:45 AM
The error you get is a very generic one. Do re-check your configuration; it might be a case of mistakenly changing some parameters in the SA or a routing error.