EZVPN problem - UC500 & ISR 871

Unanswered Question
Mar 31st, 2009

I currently have EZVPN running on a UC500 and an ISR 871 connected to it - tunnel comes up fine, however the phone will drop after about 1 minute or 2 of talking.  Tunnel looks like it stays up.  Does anyone know what the issue may be?


Here is how the config looks on each end


The UC500 is running -

uc500-advipservicesk9-mz.124-20.T2


aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key mykey
 pool SDM_POOL_1
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!



ISR 871 is running -

c870-advipservicesk9-mz.124-24.T


crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group EZVPN_GROUP_1 key mykey
 mode client
 peer outsideIPofUC500
 username user1 password password1
 xauth userid mode local
!


This has been a big problem for me and I appreciate any help in resolving this issue!  Thanks in advance.

jyoopro4ia Thu, 04/02/2009 - 06:46

I've downgraded the firmware from -


c870-advipservicesk9-mz.124-24.T


to


c870-advipservicesk9-mz.124-4.T8


I've had this issue with two ISRs and one seems to be ok after the downgrade.  I can't be 100% sure yet but I will keep this post updated.  If the issue still occurs I'll be sure to post up the debugs.


Thanks!

Sivaraj Rajendran Thu, 04/02/2009 - 04:13

Ensure the tunnel is up throughout the session (i.e., are you able to ping the remote side after the phone connection goes out?). Use the ping command toward your remote side to verify whether there are any packet drops in the path.


If the tunnel is continuously up, then provide the output of the following debug command.


debug voip ccapi inout


For more information about this command:
http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_v1gt.html#wp1243090


For debugging and troubleshooting, refer to this link:
https://supportforums.cisco.com/docs/DOC-9830
