Virtual-Access Interface drops after VPN peer change

ryanwalz
Level 1

I have a Cisco 837 ADSL out in the field. I am migrating it to a new VPN concentrator. The VPN comes up fine and the network is reachable, for about 7 minutes, then the line protocol on the Virtual-Access interface changes to down and the dialer loses its public IP address. If I reload to the old configuration with the old peer, the Dialer gets its public IP back and everything works fine. Is there something anyone can think of that would cause the public IP address to be lost after changing VPN peer? It's weird because the new VPN comes up and everything works fine for a few minutes before completely breaking because the dialer loses its public IP:

Oct 31 14:46:01.103: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

Oct 31 14:46:17.071: %SYS-5-CONFIG_I: Configured from console by user on vty0 (192.168.131.101)

Oct 31 14:53:30.089: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down

.Oct 31 15:06:10.243: Di1 DDR: dialer shutdown complete

.Oct 31 15:06:10.247: %LINK-5-CHANGED: Interface Virtual-Access2, changed state to administratively down

.Oct 31 15:06:10.247: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1

.Oct 31 15:06:11.231: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

.Oct 31 15:06:11.235: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

.Oct 31 15:06:12.243: %LINK-5-CHANGED: Interface Dialer1, changed state to administratively down

.Oct 31 15:06:29.848: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up

.Oct 31 15:06:29.852: %DIALER-6-BIND: Interface Vi2 bound to profile Di1

.Oct 31 15:06:31.844: %LINK-3-UPDOWN: Interface Dialer1, changed state to up

ajagadee
Cisco Employee

Ryan,

Can you post the configuration from the router?

Regards,

Arul

When migrating to the new concentrator I add the following:

crypto isakmp key test address 21.118.135.77

ip access-list extended newvpn

permit ip 10.1.10.0 0.0.0.255 any

permit ip 10.1.100.0 0.0.0.255 any

crypto map csk 10 ipsec-isakmp

set peer 21.x.135.77

set transform-set vpn-set

match address newvpn

and change the crypto map on the dialer interface from:

crypto map vpn-site2site

To:

crypto map newvpn

I also remove the ip nat statements from dialer and ethernet interface and it all works fine for a few minutes.

Below is the working config:

Current configuration : 3747 bytes

!

! No configuration change since last restart

! NVRAM config last updated at 10:59:16 CST Mon Nov 3 2008 by user

!

version 12.3

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname router

!

boot-start-marker

boot-end-marker

!

memory-size iomem 5

no logging console

!

clock timezone CST -6

clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

aaa new-model

!

!

aaa authentication login default group radius local

aaa authorization exec default if-authenticated group radius local

aaa accounting exec default start-stop group radius

aaa session-id common

ip subnet-zero

!

!

!

!

ip tcp synwait-time 5

ip cef

no ip domain lookup

ip ftp username anonymous

ip ips po max-events 100

no ftp-server write-enable

!

!

!

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key test address 158.215.77.50

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 60

!

!

crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac

!

crypto map vpn-site2site 10 ipsec-isakmp

set peer 158.215.77.50

set transform-set vpn-set

match address vpn

!

!

!

interface Ethernet0

ip address 10.1.10.3 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1460

hold-queue 100 out

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

!

interface FastEthernet1

no ip address

duplex auto

speed auto

!

interface FastEthernet2

no ip address

duplex auto

speed auto

!

interface FastEthernet3

no ip address

duplex auto

speed auto

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

no ip proxy-arp

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname

ppp chap password

ppp pap sent-username

crypto map vpn-site2site

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 10.1.0.0 255.255.0.0 10.1.10.1

!

ip http server

no ip http secure-server

!

ip nat inside source list nat interface Dialer1 overload

!

ip radius source-interface Ethernet0

!

ip access-list extended nat

ip access-list extended vpn

deny ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255

permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255

!

control-plane

!

!

line con 0

no modem enable

transport preferred all

transport output all

line aux 0

transport preferred all

transport output all

line vty 0 4

transport preferred all

transport input all

transport output all

!

scheduler max-task-time 5000

ntp clock-period 17180101

end
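
An added example, not part of the thread and not Cisco tooling: a small Python check that the crypto map, access-list and transform-set names used in the migration lines above resolve to definitions. The `Dialer1` stanza in `CONFIG` is constructed from the change described in the post, and `lint_crypto_refs` is a hypothetical helper name; it checks name references only.

```python
import re

# Constructed input: the migration lines quoted in the post, the transform-set
# from the working config, and Dialer1 as it would read after the change.
CONFIG = """\
crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac
ip access-list extended newvpn
permit ip 10.1.10.0 0.0.0.255 any
permit ip 10.1.100.0 0.0.0.255 any
crypto map csk 10 ipsec-isakmp
set peer 21.x.135.77
set transform-set vpn-set
match address newvpn
interface Dialer1
crypto map newvpn
"""

def lint_crypto_refs(config):
    """Report crypto map, ACL and transform-set names that do not resolve."""
    maps, acls, tsets = set(), set(), set()   # names the config defines
    uses = []                                 # (kind, name, stanza that uses it)
    ctx = "global"                            # most recent stanza header
    for line in (l.strip() for l in config.splitlines()):
        if re.match(r"interface |ip access-list |crypto (map \S+ \d+|ipsec) ", line):
            ctx = line
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            maps.add(m[1])
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            acls.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            tsets.add(m[1])
        elif m := re.match(r"crypto map (\S+)$", line):
            uses.append(("crypto map", m[1], ctx))
        elif m := re.match(r"match address (\S+)$", line):
            uses.append(("access-list", m[1], ctx))
        elif m := re.match(r"set transform-set (\S+)$", line):
            uses.append(("transform-set", m[1], ctx))
    defined = {"crypto map": maps, "access-list": acls, "transform-set": tsets}
    findings = [f"{where}: {kind} '{name}' is not defined"
                for kind, name, where in uses if name not in defined[kind]]
    applied = {name for kind, name, _ in uses if kind == "crypto map"}
    findings += [f"crypto map '{name}' is defined but not applied to an interface"
                 for name in sorted(maps - applied)]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_crypto_refs(CONFIG)))
```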
