How to keep a VPN tunnel open?

Unanswered Question
Jan 6th, 2009

Hello,

I have 17 Cisco 837 routers

with

Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(2)XE4, RELEASE SOFTWARE (fc1)


My tunnel is up but goes down after 1 day.


Is there a way to automate the recovery of the tunnel without rebooting the router?


Thanks



Building configuration...

Current configuration : 3646 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ******
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 <removed>
!
no aaa new-model
ip subnet-zero
!
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key xxxkey address ***************
crypto isakmp keepalive 10
!
crypto ipsec transform-set xxxtransform esp-null esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map xxxmap 1 ipsec-isakmp
 set peer **********
 set transform-set xxxtransform
 match address 151
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.6.1-255.255.
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname ****************
 ppp chap password xxx
 ppp pap sent-username ************** password xxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map xxxmap
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source list 105 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
!
access-list 23 permit 194.204.200.32 0.0.0.31
access-list 23 permit 192.168.6.0 0.0.0.255
access-list 102 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.6.0 0.0.0.255 ********* 0.0.0.3
access-list 102 deny ip 192.168.6.0 0.0.0.255 ********* 0.0.0.3
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
access-list 151 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.6.0 0.0.0.255 ********** 0.0.0.3
dialer-list 1 protocol ip permit
!
control-plane
!

mulatif Tue, 01/06/2009 - 08:12

Is there any VPN traffic flowing through the tunnel, when it goes down after 1 day ?

You can try to configure periodic ISAKMP keepalive at both ends, which should keep the tunnel UP.

"crypto isakmp keepalive periodic"


Thanks,

Naman

nkila_lna Wed, 01/07/2009 - 02:12

Thank you


But my router does not accept this command:

"crypto isakmp keepalive periodic"

It accepts only "crypto isakmp keepalive".

mulatif Thu, 01/08/2009 - 07:57

Maybe that is not available in the software version you are running. You can check the CLI guide for your software version to verify whether that option is available.


Thanks,

Naman

nkila_lna Tue, 01/13/2009 - 02:28

Router#debug crypto ipsec

*Mar 1 23:56:01.366: SSH0: password authentication failed for root
*Mar 1 23:56:01.366: SSH0: AAA authentication fail reason: Password:
*Mar 1 23:56:04.730: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x1044)
*Mar 1 23:56:04.730: chifn79xx_lopri_error: unknown error 0x1044
*Mar 1 23:56:04.730: IPSECcard: an error coming back 0x1044
*Mar 1 23:56:05.090: IPSEC(key_engine): major = 1
*Mar 1 23:56:05.090: IPSEC(key_engine): expired_timer

Router#debug crypto isakmp

*Mar 1 23:44:07.570: SSH0: password authentication failed for root
*Mar 1 23:44:07.570: SSH0: AAA authentication fail reason: Password:
*Mar 1 23:44:07.722: ISAKMP:(0:13:HW:2): retransmitting phase 1 MM_SA_SETUP...
*Mar 1 23:44:07.722: ISAKMP:(0:13:HW:2):incrementing error counter on sa: retransmit phase 1
*Mar 1 23:44:07.722: ISAKMP:(0:13:HW:2): retransmitting phase 1 MM_SA_SETUP
*Mar 1 23:44:07.722: ISAKMP:(0:13:HW:2): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 1 23:44:08.410: ISAKMP (0:268435469): received packet from xx.xx.xx.xx dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 1 23:44:08.410: ISAKMP:(0:13:HW:2): phase 1 packet is a duplicate of a previous packet.
*Mar 1 23:44:08.410: ISAKMP:(0:13:HW:2): retransmission skipped for phase 1 (time since last transmission 688)
*Mar 1 23:44:12.162: SSH0: password authentication failed for root
*Mar 1 23:44:12.162: SSH0: AAA authentication fail reason: Password:

Ivan Martinon Tue, 01/13/2009 - 08:47

Hey there, let's clean up your config a little bit, shall we?


First you should not have this line in there:


ip nat inside source list 105 interface Dialer1 overload


Because it is using a list number that does not show up in the config and most likely does not exist. This could cause a problem, so let's get rid of that line, unless you are indeed using it somewhere else.


Keepalives will not keep your tunnel up; instead they detect whether the remote peer is active or not, and if the remote peer is not active they will force the tunnel to be renegotiated or torn down.


Traffic flowing through your tunnel at all times should keep your tunnel up, but if no traffic is flowing through the tunnel it is normal behavior for it to be brought down. The question here lies in why the tunnel does not recover.


When the tunnel is not coming up, can you get the output of the following and paste it here?

show crypto isakmp sa

show ip nat trans | inc 500




nkila_lna Wed, 01/14/2009 - 07:05

Router#show crypto isakmp sa
dst src state conn-id slot
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy MM_SA_SETUP 12 0
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy MM_SA_SETUP 11 0
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy MM_SA_SETUP 10 0
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy MM_NO_STATE 9 0 (deleted)

Router#show ip nat trans | inc 500
tcp xxx.xxx.xxx.xxx:1500 zzz.zzz.zzz.zzz:1500 ppp.ppp.ppp.ppp:80 ppp.ppp.ppp.ppp:80
tcp xxx.xxx.xxx.xxx:2500 zzz.zzz.zzz.zzz:2500 jjj.jjj.jjj.jjj:80 jjj.jjj.jjj.jjj:80

falain Sat, 01/17/2009 - 13:48

The best method I have used is to maintain traffic in the tunnel:

I use an ip sla icmp-echo (ping) from the spoke to the datacenter, sourced from loopback 0.

In that way, the source interface is always up even if the Ethernet LAN interface is down.
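An added example (not from this thread or its posters) of the loopback-sourced IP SLA probe applied to the configuration posted above: the probe is added to crypto ACL 151 so it is encrypted, and excluded from NAT ACL 102 so it is not translated. The loopback address 10.255.255.1, the probe target 192.168.1.1 and the 30-second frequency are assumed values; 12.3 mainline images that predate `ip sla` use the older `rtr` syntax shown in the comments.

```ios
! Added example, not from the thread. Assumed values: Loopback0 = 10.255.255.1,
! probe target 192.168.1.1 (a host behind the remote peer), one probe every 30 s.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Exclude the probe from NAT (ACL 102 is the NAT list in the posted config).
! This deny has to sit before the existing "permit ip 192.168.6.0 0.0.0.255 any".
access-list 102 deny ip host 10.255.255.1 192.168.1.0 0.0.0.255
!
! Make the probe "interesting" traffic for crypto map xxxmap (match address 151).
! The remote peer's crypto ACL must mirror this: 192.168.1.0/24 -> host 10.255.255.1.
access-list 151 permit ip host 10.255.255.1 192.168.1.0 0.0.0.255
!
! ICMP echo probe sourced from the loopback, scheduled to run indefinitely.
ip sla 1
 icmp-echo 192.168.1.1 source-interface Loopback0
 frequency 30
ip sla schedule 1 life forever start-time now
!
! Older 12.3 syntax for the same probe (assumed equivalent on images without "ip sla"):
! rtr 1
!  type echo protocol ipIcmpEcho 192.168.1.1 source-ipaddr 10.255.255.1
!  frequency 30
! rtr schedule 1 life forever start-time now
```

Numbered ACL entries are appended in the order they are typed, so the new deny for list 102 must be entered before the existing permit (remove and re-enter the list, or use a named ACL with sequence numbers). Verify with "show ip sla statistics 1" that echoes succeed and with "show crypto ipsec sa" that the encrypt counter for the loopback flow increases.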

nkila_lna Tue, 01/20/2009 - 02:26

Session status: DOWN-NEGOTIATING

--------------------------------



ROUTER#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: xx.xx.xx.xx/500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKE SA: local yy.yy.yy.yy/500 remote xx.xx.xx.xx/500 Inactive
Capabilities:(none) connid:2 lifetime:0
IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 zz.zz.zz.zz/255.255.255.252
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 20 life (KB/Sec) 0/0

falain Tue, 01/20/2009 - 10:52

Have you done a

deb cry isa
deb cry ips

to see what's happening?


nkila_lna Wed, 01/21/2009 - 02:02

ROUTER#debug crypto ipsec

Crypto IPSEC debugging is on
Jan 21 09:25:24.391: IPSEC(key_engine): major = 1
Jan 21 09:25:24.391: IPSEC(key_engine): expired_timer
Jan 21 09:26:11.580: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x1044)
Jan 21 09:26:11.580: chifn79xx_lopri_error: unknown error 0x1044
Jan 21 09:26:11.580: IPSECcard: an error coming back 0x1044
Jan 21 09:26:24.420: IPSEC(key_engine): major = 1
Jan 21 09:26:24.420: IPSEC(key_engine): expired_timer
Jan 21 09:26:44.420: IPSEC(key_engine): major = 1
Jan 21 09:26:44.420: IPSEC(key_engine): expired_timer
Jan 21 09:26:50.080: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= xxx.xxx.xxx.xxx, remote= yyy.yyy.yyy.yyy,
local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-null esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xB4C14AC1(3032566465), conn_id= 0, keysize= 0, flags= 0x400A
Jan 21 09:26:50.640: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x1044)
Jan 21 09:26:50.640: chifn79xx_lopri_error: unknown error 0x1044
Jan 21 09:26:50.640: IPSECcard: an error coming back 0x1044
Jan 21 09:27:04.460: IPSEC(key_engine): major = 1
Jan 21 09:27:04.460: IPSEC(key_engine): expired_timer
Jan 21 09:27:20.088: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= xxx.xxx.xxx.xxx, remote= yyy.yyy.yyy.yyy,
local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Jan 21 09:27:20.088: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= xxx.xxx.xxx.xxx, remote= yyy.yyy.yyy.yyy,
local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-null esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x74AF07E2(1957627874), conn_id= 0, keysize= 0, flags= 0x400A
Jan 21 09:27:50.088: IPSEC(key_engine): major = 1
Jan 21 09:27:50.088: IPSEC(key_engine): expired_timer
Jan 21 09:27:50.088: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= xxx.xxx.xxx.xxx, remote= yyy.yyy.yyy.yyy,
local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4)
Jan 21 09:28:04.491: IPSEC(key_engine): major = 1
Jan 21 09:28:04.491: IPSEC(key_engine): expired_timer

nkila_lna Wed, 01/21/2009 - 02:08

ROUTER#debug crypto isakmp

Jan 21 09:45:46.563: ISAKMP:(0:17:HW:2): constructed NAT-T vendor-03 ID
Jan 21 09:45:46.563: ISAKMP:(0:17:HW:2): sending packet to XXX.XXX.XXX.XXX my_port 500 peer_port 500 (R) MM_SA_SETUP
Jan 21 09:45:46.563: ISAKMP:(0:17:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 21 09:45:46.563: ISAKMP:(0:17:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM2

Jan 21 09:45:46.631: ISAKMP (0:268435473): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_SA_SETUP
Jan 21 09:45:46.635: ISAKMP:(0:17:HW:2):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 21 09:45:46.635: ISAKMP:(0:17:HW:2):Old State = IKE_R_MM2 New State = IKE_R_MM3

Jan 21 09:45:46.635: ISAKMP:(0:17:HW:2): processing KE payload. message ID = 0
Jan 21 09:45:46.839: ISAKMP:(0:17:HW:2): processing NONCE payload. message ID = 0
Jan 21 09:45:46.839: ISAKMP: Looking for a matching key for XXX.XXX.XXX.XXX in default : success
Jan 21 09:45:46.839: ISAKMP:(0:17:HW:2):found peer pre-shared key matching XXX.XXX.XXX.XXX
Jan 21 09:45:46.839: %HIFN79XX-1-ERROR: host_sa_create, pPktEngEntryHMACFreeQ is empty
Jan 21 09:45:46.839: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x1051)
Jan 21 09:45:46.839: IPSECcard: an error coming back 0x1051
Jan 21 09:45:46.839: ISAKMP:(0:17:HW:2):error from epa_ikmp_create_skeyid (MM_SA_SETUP)
Jan 21 09:45:46.843: -Traceback= 80C3E5C4 80C2C590 80C2C77C 80C4A584 80DCBD3C 80C4E05C 80C4DE98 80C22898 80C22DC4 802BDA2C 802C21F8
Jan 21 09:45:46.843: ISAKMP:(0:17:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 21 09:45:46.843: ISAKMP:(0:17:HW:2):Old State = IKE_R_MM3 New State = IKE_R_MM3



falain Wed, 01/21/2009 - 10:33

It seems to be due to the hardware acceleration card.

Try switching off the crypto card, or try a more recent C837 IOS release. It sounds like this bug:

CSCec52778


Symptoms: IKE Phase 1 does not get established on a Cisco 837 router configured for RSA signature authentication when the VPN crypto card is activated. The following syslog messages are observed:


%CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id "id") unable to encrypt packet %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)


Also a traceback might be seen.


Conditions: This has been observed with Cisco IOS Release 12.2(13)ZH2 and 12.3(2)T1


Workaround: Switching off the crypto card will resolve the issue.



connect2world Sun, 07/24/2011 - 01:00

Hi,


I believe your config has left out some important IP access-list rules. Add these statements on top of access-list 102 (substitute destination_peer_ip with your actual peer IP):


access-list 102 deny udp any host destination_peer_ip eq isakmp
access-list 102 deny udp any host destination_peer_ip eq non500-isakmp
access-list 102 deny ahp any host destination_peer_ip
access-list 102 deny esp any host destination_peer_ip
access-list 102 deny pcp any host destination_peer_ip
access-list 102 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.6.0 0.0.0.255 ********* 0.0.0.3
access-list 102 deny ip 192.168.6.0 0.0.0.255 ********* 0.0.0.3
access-list 102 permit ip 192.168.6.0 0.0.0.255 any


The additional 5 statements must come before your 192.168.x.x subnet access-list entries in order to prevent IPsec/ISAKMP peer communication traffic from being NATed. This will ensure the tunnel stays up and avoid random VPN disconnects. The destination peer must also have those statements in reverse order so that both peers can have two-way communication for tunnel establishment.
