Cisco 861 to Sonicwall - intermittent tunnel issue

Unanswered Question
Jul 14th, 2009

Hi.  We have a new remote office with a Cisco 861 router tunneling
into a Sonicwall TZ180.  The tunnel comes up and seems to work for a
while, but drops intermittently.  When it drops, we lose VPN but not
Internet browsing.  We attempted to swap the Cisco out with a spare
Sonicwall and the tunnel stays up perfectly, but we want to keep
the Cisco in place.  Here are the corresponding configuration details -
notice anything?  When it goes down, a power cycle on the remote
office end fixes the issue.

Authentication method: IKE using preshared secret
IKE Phase 1 proposal: Main mode, Group 2, 3DES/SHA1, 28800 lifetime
Ipsec Phase 2 proposal: ESP/3DES/SHA1.  No PFS.

Cisco 861 --- this is a summary of the config, leaving out some class-map
and policy-map details.
crypto isakmp key ********** address MAIN-OFFICE-IP
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to MAIN OFFICE
 set transform-set ESP-3DES-SHA1
 match address 103
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address OUTSIDE_IP_HERE
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
interface Vlan1
 description $FW_INSIDE$
 ip address
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
ip forward-protocol nd
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
access-list 1 permit
access-list 2 remark CCP_ACL Category=16
access-list 2 permit
access-list 3 remark CCP_ACL Category=2
access-list 3 permit
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host
access-list 102 permit ip any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip
access-list 105 permit ip any
route-map SDM_RMAP_1 permit 1
 match ip address 102
route-map SDM_RMAP_2 permit 1
 match ip address 105

Marcos Hernandez Thu, 07/16/2009 - 20:48


This forum is not for c800 support. Please use Netpro for these questions. On the question you ask, I would try to enable keepalives on the Cisco side:

UC500(config)#crypto isakmp keepalive ?
  <10-3600>  Number of seconds between keep alives
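
Added example, not part of the original thread and not Cisco tooling: a short Python check that compares a pasted IOS config against the Phase 1/Phase 2 values listed in the question and reports whether a `crypto isakmp keepalive` line is present, as the reply suggests. The names `audit`, `POSTED`, `PHASE1` and `PHASE2` are hypothetical, and the sample repeats only the crypto lines of the posted summary, which by the poster's own account leaves parts of the config out.

```python
# Constructed sample: only the crypto lines from the posted summary.
POSTED = """\
crypto isakmp key ********** address MAIN-OFFICE-IP
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to MAIN OFFICE
 set transform-set ESP-3DES-SHA1
 match address 103
"""
# Peer proposal from the question, written as IOS policy sub-commands.
PHASE1 = {"encr": "3des", "hash": "sha", "authentication": "pre-share",
          "group": "2", "lifetime": "28800"}
PHASE2 = {"esp-3des", "esp-sha-hmac"}

def audit(config):
    """Findings for the IKE/IPsec lines of a pasted IOS config (one policy block assumed)."""
    findings, policy, in_policy, seen_policy = [], {}, False, False
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:
        tok = ln.split() + [""]
        if ln.startswith("crypto isakmp policy "):
            in_policy = seen_policy = True
        elif in_policy and tok[0] in ("encr", "encryption"):
            policy["encr"] = tok[1]
        elif in_policy and tok[0] in PHASE1:
            policy[tok[0]] = tok[1]
        else:
            in_policy = False  # any other line ends the policy block
    if not seen_policy:
        findings.append("no 'crypto isakmp policy' block in the text given")
    for key, want in PHASE1.items() if seen_policy else ():
        got = policy.get(key)
        # show run omits values equal to IOS defaults, so a missing line is flagged for a manual check.
        if got is None:
            findings.append(f"phase 1 {key}: not shown, check default vs {want}")
        elif got != want:
            findings.append(f"phase 1 {key}: {got}, peer proposal uses {want}")
    sets = [set(ln.split()[4:]) for ln in lines
            if ln.startswith("crypto ipsec transform-set ")]
    if PHASE2 not in sets:
        findings.append("no transform-set matching esp-3des esp-sha-hmac")
    for prefix in ("crypto isakmp keepalive ", "set peer "):
        if not any(ln.startswith(prefix) for ln in lines):
            findings.append(f"no '{prefix.strip()}' line")
    if any(ln.startswith("set pfs") for ln in lines):
        findings.append("'set pfs' set, but the peer proposal has no PFS")
    return findings

print("\n".join(audit(POSTED)))
```

A finding on the posted summary may only mean the line was left out of the paste; run the check against the full `show running-config` output before acting on it.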