Cisco 861 to Sonicwall - intermittent tunnel issue

Unanswered Question
Jul 14th, 2009

Hi. We have a new remote office with a Cisco 861 router tunneling
into a Sonicwall TZ180. The tunnel comes up and seems to work for a
while, but drops intermittently. When it drops, we lose VPN but not
Internet browsing. We attempted to swap the Cisco out with a spare
Sonicwall and the tunnel stays up perfectly, but we want to keep
the Cisco in place. Here are the corresponding configuration details;
notice anything? When it goes down, a power cycle on the remote
office end fixes the issue.

--
Sonicwall:
Authentication method: IKE using preshared secret
IKE Phase 1 proposal: Main mode, Group 2, 3DES/SHA1, 28800 lifetime
IPsec Phase 2 proposal: ESP/3DES/SHA1. No PFS.
--


Cisco 861 --- this is a summary of the config, leaving out some class-map and policy-map details.
!
crypto isakmp key ********** address MAIN-OFFICE-IP
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to MAIN OFFICE
set peer MAIN-OFFICE-IP
set transform-set ESP-3DES-SHA1
match address 103
!
interface FastEthernet4
description $ETH-LAN$$FW_OUTSIDE$
ip address OUTSIDE_IP_HERE 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_2
!
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY_HERE
!
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 remark CCP_ACL Category=16
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 66.148.129.218 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 255.255.255.255
access-list 102 permit ip any 127.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 105
!
--
Thanks,
Joe

Marcos Hernandez Thu, 07/16/2009 - 20:48

Hi,

This forum is not for c800 support. Please use Netpro for these questions. On the question you ask, I would try to enable keepalives on the Cisco side:

UC500(config)#crypto isakmp keepalive ?
  <10-3600>  Number of seconds between keep alives

Thanks,

Marcos
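A worked version of the keepalive suggestion above, added here as an example and not part of the original thread or of Joe's posted configuration. The interval values (10 seconds, 3 second retry) are assumed starting points, and because Dead Peer Detection is negotiated during Phase 1, the Sonicwall's VPN policy must also have its keepalive/DPD setting enabled for probes to be answered.

```cisco
! Dead Peer Detection on the 861 (example values, not from the post):
! probe the peer every 10 seconds once it has gone quiet, retry every
! 3 seconds while probes go unanswered, then delete the dead SAs so a
! fresh IKE negotiation can start instead of black-holing traffic.
! "periodic" probes on a timer; "on-demand" probes only when traffic is
! queued for the peer and no reply has been seen.
crypto isakmp keepalive 10 3 periodic
!
! Companion setting for the "power cycle fixes it" symptom: when the
! peer reports an Invalid SPI (it no longer knows our SAs, e.g. after a
! reboot), tear down the stale SAs and renegotiate.
crypto isakmp invalid-spi-recovery
!
! Verification from exec mode after the change:
!   show crypto isakmp sa       (Phase 1 SA should sit in QM_IDLE)
!   show crypto ipsec sa        (#pkts encaps and #pkts decaps should both rise)
!   show crypto session detail  (per-peer session state and SA lifetimes)
```

Comparing the Phase 1 lifetime shown by show crypto isakmp policy against the Sonicwall's 28800 seconds is a cheap extra check, since IKEv1 settles on the shorter value and mismatches show up as rekeys at unexpected times.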
