VPN Access-List stops working

Unanswered Question

We have a Cisco 827-4V VPN Router with IOS ver. 12.2. We use this router for several hardware-to-hardware VPN connections as well as software-to-hardware VPN connections. We just recently set up another Cisco hardware-to-hardware connection for a remote location and all had been working fine. Then the 827 router got rebooted. After it rebooted, the new location began to have trouble accessing the resources on our LAN. They could ping our servers and devices using the IP address or the host name. We could ping their devices but could not print to any of their printers. They were unable to log into any of the applications, including our Exchange email server. We narrowed the problem down to an access-list entry. We found out that by removing the access-list in question and then re-applying it, things worked like they were supposed to. However, when we reboot this router the problem recurs. The strange thing is that this access-list is still in place in the configuration, but doesn't work unless we remove it and re-apply it. The access-list in question is number 130. This problem only affects the one remote location; our other locations continue to work fine, as do any of our users who are accessing the network via a software VPN. I'm attaching the configuration; any help on solving this issue would be appreciated.




Richard Burts Thu, 02/14/2008 - 11:53
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Ricky


This is a pretty strange symptom. I would like to clarify one thing about what you describe. You remove access list 130 and re-add it. Is the content of access list 130 in the startup config exactly the same as the content of access list 130 in the running config? (Is the access list 130 that you remove only a single line, and does it have exactly the same addresses and masks as the line that you add back in?)


HTH


Rick

Richard Burts Thu, 02/14/2008 - 12:19

Ricky


Well there goes one theory :(


It sounds a bit like a symptom that I have seen in one environment. If you do not remove and add the access list but instead you issue the commands clear crypto isakmp and clear crypto sa will it bring up the connection and begin to communicate?


HTH


Rick

Richard Burts Thu, 02/14/2008 - 12:46

Ricky


I certainly understand that while the connection is working you do not want to do anything to disrupt it. The next time that you need to reboot, give the clear crypto commands a try and post back indicating whether they helped or not.


As for what it would mean if it works I am not clear about that. I have observed the symptom of not negotiating ISAKMP after a reboot and found a workaround that is less intrusive than removing and replacing an access list (and assume that both may have the same result of re-initializing something). We are still looking for the cause of the problem and have not yet found it. I note that we have lots of routers running site to site VPN tunnels and they work fine after a reboot. We have one connection that has this symptom of having a problem after a reboot.


HTH


Rick

husycisco Thu, 02/14/2008 - 15:03
User Badges:
  • Gold, 750 points or more

Hi Ricky

I once encountered an issue similar to yours. It was caused by ASDM (SDM in routers), which was placing a weird character in a crypto statement. Did you use SDM to enter the access-lists? If yes, I would recommend removing the ACEs one by one, then removing the ACL, and typing a new one with a new name via the CLI.


Regards
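Two of the checks suggested in this thread (Rick's question about whether access list 130 in the startup config matches the one in the running config, and husycisco's hint about a stray character inserted by SDM) can be done mechanically on the saved text of `show running-config` and `show startup-config`. The script below is an added example, not code from any poster in this thread or from Cisco; the two config excerpts, the peer address 203.0.113.20, the crypto map name "vpnmap" and the access list contents are constructed for the example, and one startup-config line deliberately carries a non-breaking space where a normal space should be.

```python
import re
import unicodedata

# Constructed sample excerpts (NOT the configuration attached to the thread).
# The two files differ only in the second ACE of access-list 130: the startup
# copy has a NO-BREAK SPACE (U+00A0) before the last wildcard mask, which looks
# identical on a terminal but is not the same line to the parser.
RUNNING_CONFIG = """\
!
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
!
crypto map vpnmap 30 ipsec-isakmp
 set peer 203.0.113.20
 match address 130
!
"""

STARTUP_CONFIG = """\
!
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.60.0\u00a00.0.0.255
!
crypto map vpnmap 30 ipsec-isakmp
 set peer 203.0.113.20
 match address 130
!
"""


def acl_lines(config, acl_number):
    """Return the ACEs of a numbered access list, in the order they appear."""
    pattern = re.compile(r"^access-list\s+%d\s" % acl_number)
    return [line for line in config.splitlines() if pattern.match(line)]


def odd_characters(line):
    """List (offset, code point, Unicode name) for every character in the line
    that is not printable ASCII (0x20..0x7E). A clean IOS config line has none."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(line)
            if not 0x20 <= ord(ch) <= 0x7E]


def compare_acl(running, startup, acl_number):
    """Diff one access list between running and startup config and flag any
    ACE, in either copy, that contains a non-printable or non-ASCII character."""
    run = acl_lines(running, acl_number)
    start = acl_lines(startup, acl_number)
    return {
        "running_only": sorted(set(run) - set(start)),
        "startup_only": sorted(set(start) - set(run)),
        "odd_chars": {line: odd_characters(line)
                      for line in run + start if odd_characters(line)},
    }


def main():
    report = compare_acl(RUNNING_CONFIG, STARTUP_CONFIG, 130)
    for key in ("running_only", "startup_only"):
        for line in report[key]:
            print("%-13s %s" % (key + ":", line))
    for line, odd in report["odd_chars"].items():
        for offset, codepoint, name in odd:
            print("suspect char at column %d (%s, %s) in: %r"
                  % (offset, codepoint, name, line))


if __name__ == "__main__":
    main()
```

Run it against text you have saved from the router yourself (for example, replace the two constants with the contents of the two `show` outputs). If `running_only` and `startup_only` are both empty and `odd_chars` is empty, the two copies of the list are byte-for-byte identical and the reboot symptom is not a configuration-text difference, which points back towards the ISAKMP/SA re-initialisation theory discussed earlier in the thread.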
