EzVPN issues with a Comcast cable connection

Unanswered Question
Jul 2nd, 2007

I have a problem with a Comcast cable connection and an EzVPN. Simply put, the connection drops within minutes of no activity. In other words, if I leave an RDP connection open from my datacenter to the remote site, the VPN connection will stay open all the time. A few minutes after I close the connection the VPN drops, and the remote side has to wait until its keys time out to reconnect (obviously without a reset).

I have multiple sites connecting to the EzVPN server without issues from multiple carriers. This one Comcast connection seems to be an issue. I've verified that the configurations for other DHCP-based cable connections and this one are the same (except for local parameters). I've also run PING tests to test reliability and MTU issues. For reliability, I do have 1-2 packets out of 200 consistently dropping with a 2 second timeout value for the PING. (This is pinging the next hop router on the connection.) For MTU, I was able to PING with packet sizes all the way up to 1500 bytes with the DF bit set.

So, I'm looking for any direction on this issue.

Here is the configuration of the router at the remote site (truncated for clarity):

!
crypto ipsec df-bit clear
!
crypto ipsec client ezvpn comcast-remote1
 connect auto
 group comcast-remote1 key testing1234
 mode network-extension
 peer 65.x.x.x
 xauth userid mode interactive
!
bridge irb
!
interface FastEthernet0
 description Trunk to LAN network
 switchport mode trunk
!
interface FastEthernet4
 description WAN connection
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 crypto ipsec client ezvpn comcast-remote1
!
interface Dot11Radio0
 no ip address
 !
 bridge-group 1
!
interface Vlan1
 description primary LAN connection
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description Bridged connection for Dot11Radio0 and Vlan1
 ip address 10.x.x.x 255.255.255.0
 ip helper-address 192.x.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 crypto ipsec client ezvpn comcast-remote1 inside
!
!
bridge 1 protocol ieee
bridge 1 route ip

This remote router is a Cisco 871W running this image: c870-advsecurityk9-mz.124-4.T7.bin. I've checked the other 871W routers that are on a DHCP cable connection, and they are also running this image version.

Here are the relevant sections of the hub (EzVPN server) router:

crypto isakmp policy 20
 encr aes 256
 group 2
!
crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 90
 encr aes 256
 group 2
 lifetime 28800
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 60
!
crypto isakmp client configuration group comcast-remote1
 key testing1234
 acl comcast-remote1_networks
 save-password
!
crypto isakmp profile comcast-remote1_isakmpprof_dyncorp
 match identity group comcast-remote1
 isakmp authorization list comcast-remote1
 client configuration address respond
 accounting svpn_accounting
 keepalive 60 retry 10
!
crypto ipsec transform-set high_security esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map comcast-remote1_dynmap 20
 set transform-set high_security
 set isakmp-profile comcast-remote1_isakmpprof_dyncorp
 reverse-route
!
crypto map svpn-map 109 ipsec-isakmp dynamic comcast-remote1_dynmap
!
interface FastEthernet0/0
 bandwidth 102400
 no ip address
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 65.x.x.x 255.255.255.0
 no cdp enable
 crypto map svpn-map
 crypto ipsec fragmentation before-encryption
!
interface FastEthernet1/0
 switchport access vlan 4
 bandwidth 102400
 duplex full
 speed 100
 no cdp enable
!
interface Vlan4
 ip address 192.x.x.x 255.255.255.0
 ip virtual-reassembly
!

Thanks,

Mike
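Added example (not from the post above, and not Cisco code): a small Python check that parses trimmed copies of the two configurations as posted, using IOS indentation as section structure, and lists the keepalive settings (DPD and NAT keepalive) that appear on the hub but not on the spoke. It only inspects the posted text, so anything cut from the truncated spoke config is reported as absent; the hub's profile keepalive is also collected so the per-profile and global values can be compared.

```python
import re
# Trimmed copies of the spoke and hub configurations from the post (constructed excerpts).
SPOKE_CFG = """\
crypto ipsec client ezvpn comcast-remote1
 connect auto
 peer 65.x.x.x
interface FastEthernet4
 crypto ipsec client ezvpn comcast-remote1
"""
HUB_CFG = """\
crypto isakmp policy 30
 authentication pre-share
 lifetime 28800
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 60
crypto isakmp profile comcast-remote1_isakmpprof_dyncorp
 match identity group comcast-remote1
 keepalive 60 retry 10
"""

def parse_ios(text):
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if line[0] in " \t" and sections:
            sections[-1][1].append(line.strip())  # sub-command of the current section
        else:
            sections.append((line.strip(), []))
    return sections

def keepalives(text):
    """Collect global DPD, NAT keepalive and per-ISAKMP-profile DPD values from one side."""
    out = {"dpd": None, "nat_keepalive": None, "profiles": {}}
    for head, body in parse_ios(text):
        if m := re.match(r"crypto isakmp keepalive (\d+)(?: (\d+))?$", head):
            out["dpd"] = (int(m[1]), int(m[2] or 0))  # (interval, retry)
        elif m := re.match(r"crypto isakmp nat keepalive (\d+)$", head):
            out["nat_keepalive"] = int(m[1])
        elif m := re.match(r"crypto isakmp profile (\S+)$", head):
            for sub in body:
                if k := re.match(r"keepalive (\d+) retry (\d+)$", sub):
                    out["profiles"][m[1]] = (int(k[1]), int(k[2]))
    return out

def one_sided_settings(hub_text, spoke_text):
    """Names of keepalive settings configured on the hub but missing from the spoke."""
    hub, spoke = keepalives(hub_text), keepalives(spoke_text)
    return [k for k in ("dpd", "nat_keepalive") if hub[k] and not spoke[k]]
```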
