05-07-2018 03:28 AM - edited 03-12-2019 05:15 AM
Hello
I have a problem with a VPN that works fine for 4 hours or more, and then suddenly the applications that use the VPN stop working properly; the VPN is up and ping is OK, but the applications stop working?
(I use NAT traversal; I have a fiber-optic ISP router + Cisco 867 router for the VPN at both sites.)
When I type "show crypto isakmp sa" I see a problem:
I see the router is putting a wrong destination and a wrong source?? It is making itself the destination of the VPN...
The tunnel is up and I can reach the router and telnet to the router without any problem...
When I reload either of the two routers, everything starts working fine again, without any problem, for 4 hours or more...
Please see the attachment to get an idea.
I really don't understand; I'm starting to go crazy :D
Please, can anyone give me an explanation??
Thank you.
Best regards.
MaxD
05-07-2018 04:03 AM
Hi, can you upload the config of both VPN routers please and I'll have a look? Can you also include the full output of "show crypto isakmp sa detail" and "show crypto ipsec sa"?
Thanks
05-07-2018 04:34 AM
Hello
Thank you for your quick reply.
Please find both configurations attached. I corrected the presentation of the VPN in the picture; please find it attached as well.
Also, I have forwarded ports 4500, 500 and 50 on each ISP fiber-optic router.
Best regards.
05-07-2018 05:51 AM
Hi,
I've labbed this in GNS3 and I think I understand why it is displaying the "dst" as its own private IP address.
When I tested it, I could also see that on the SITE1 router the "dst" is its own private IP address. I believe this is because the SITE2 router initiated the VPN (by sending interesting traffic). To prove this, I cleared the VPN tunnels and initiated traffic again, but this time sourced from the SITE1 router; once the VPN was established I could see that the output on the SITE2 router showed the "dst" as its own (SITE2's) private IP. My assumption is that this is probably by design.
In regard to your other issue, are you experiencing this issue just in Packet Tracer, or in a real-life scenario that you are attempting to replicate in Packet Tracer?
You may want to increase the Security Association lifetime (e.g. 86400 seconds) and use stronger encryption, hashing and DH group. The SAs won't renew every 1800 seconds as they currently do, but if you use stronger algorithms that should be OK.
! IPsec (phase 2) SA lifetime: 24 hours instead of the current 1800 seconds
crypto map ftthmap 10 ipsec-isakmp
 set security-association lifetime seconds 86400
!
! IKE (phase 1) policy with stronger encryption, hashing and DH group
crypto isakmp policy 5
 encr aes
 hash sha
 group 15
Other than that, there doesn't look to be a major issue with the VPN config.
HTH
05-07-2018 10:11 AM
Thank you RJI for your reply.
Yes, I have this problem in real life; it blocks sometimes after 1 hour, sometimes after 4 hours... not stable.
But what is surprising is that the ping is continuous, it does not cut out (between the 2 hosts at the ends of the tunnel, 8-10 ms).
And I found that sometimes I had 2 active SAs? Not always, but it happens too.
I have just made the modification; I'm waiting to see the result and will reply tomorrow morning :D
Thank you very much
05-08-2018 07:16 AM
Hello RJI
I have the same problem,
but this time I have a screenshot of "crypto isakmp sa".
I have 2 SAs?
I have made the change you told me about yesterday.
Please find attached the results of the commands "crypto isakmp sa" and "ipsec sa" on both routers, and a screenshot.
Thank you
Best regards.
MAX
05-08-2018 12:59 PM
OK, next time the applications stop working, can you please take a packet capture on one of the routers and see if you can see traffic coming over the tunnel? You previously said you could ping across the tunnel, so I'm curious to know whether the packets for the application that stops working are actually sent across the tunnel.
Is it more than one application that stops working?
Did the VPN previously work, or is this new?
05-08-2018 03:23 PM
05-09-2018 01:21 AM
Hello
I have done a "debug crypto isakmp" and a "debug crypto ipsec".
I see these messages, which repeat each time:
*May 9 08:14:38.428: ISAKMP:(2005):deleting node 1071797942 error FALSE reason "Informational (in) state 1"
*May 9 08:14:38.428: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 9 08:14:38.428: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 9 08:14:39.908: ISAKMP:(2005):purging node -1858277763
*May 9 08:14:40.764: ISAKMP (2005): received packet from x.x.249.81 dport 4500 sport 4500 Global (I) QM_IDLE
Please find attached the debug files for site 1 and site 2.
Thank you very much for your assistance and the time you have given to this problem...
05-09-2018 02:23 AM
05-09-2018 04:17 AM
I'm sorry, I don't know how to do that on a Cisco router, but I'm trying to capture
packets from the remote host (SITE2) to my server host (Site 1) with Wireshark; I don't know if that's enough or not.
I'll post the result when the problem occurs again.
Thank you
MaXD
05-09-2018 05:13 AM - edited 05-09-2018 05:30 AM
I've checked the debugs you sent in the last message and I don't think they are anything to worry about.
I believe they are related to the command "crypto isakmp keepalive" that you have configured. This regularly sends a DPD R_U_THERE message to check whether the peer VPN tunnel is up.
I replicated your config in my lab; with that command enabled I received the same messages as you did. After removing that command and resetting the tunnel, I no longer received those messages.
Next time you have an issue, check whether you can access another server over the VPN, not just ping. Also, the packet capture would be really useful.
EDIT: that keepalive command is useful; I don't recommend removing it. I only removed it for testing purposes, to confirm the source of the messages you received.
HTH
06-01-2018 02:49 AM
Dear RJI
Thank you for your help.
The problem was the NAT: I had set a static NAT, and I needed to set a dynamic NAT.
So far, everything seems fine after 6 days.
Thank you for the time you spent helping.
Have a nice day.