
VPN Issue btn Cisco Router and Windows 2003

pavlosd
Level 2

Hi All,

We've set up a VPN tunnel with a partner through the Internet (@Different Country with different Time Zone) using the following guidelines:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml

We are facing the following "strange" problem... The tunnel comes up and works for 8-10 minutes. After that, the Windows server stops "decrypting" the packets that the Cisco sends (ESP packets get transmitted and received by the Windows 2003 server, confirmed with Ethereal). Now, after 50-52 minutes (that is, after the 3600 seconds when the transform-set security association lifetime expires and SPI/SAs are re-negotiated) the tunnel works again, and the story goes on forever (8-10 minutes works, 50-52 minutes does not work).

Any Ideas?

From Cisco Site, the configuration is as Follows.....

!
isakmp enable
!
crypto isakmp policy 1
 encryption 3des
 hash sha
 group 2
 authentication pre-share
 lifetime 86400
!
crypto isakmp key peersharedkey! address <MY_Partner_IP>
!
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set PARTNERset esp-des esp-md5-hmac
!
crypto map PARTNER 1 ipsec-isakmp
 set peer <MY_Partner_IP>
 set transform-set PARTNERset
 match address 115
!
!
interface Ethernet0/1
 ip address <My_Public_IP> 255.255.255.248
 crypto map PARTNER
!--- Source/Destination networks defined
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 <My_ISP_Gateway>

2 Replies

didyap
Level 6

Try this:

Adjust TCP MTU on the router.

We did adjust the MTU on the server and interfaces to make it 1400, but the problem still remains. The packets that the devices transmit are small, ~350 bytes, so I do not think it is an MTU issue.