Help with VPN Disconnects

Apr 15th, 2010

Obviously a noob here...so please be gentle... 


I would like to know if anyone has been able to get a site to site, IPsec based, VPN working without random periodic drops using AT&T/Bellsouth with a single static or dynamic WAN address?  I can get a VPN connection to work, but after a period of time (15-60 minutes) the VPN connection drops and even though the VPN light on the router remains lit, the VPN connection is dead.  Power cycling the Cisco model 851 router will bring the VPN back to life….for another 15-60 minutes.


I run a similar router config file for Charter cable and Windstream DSL dynamic addressing and they work fine.  I have tried this setup in multiple locations to eliminate the possibility of line issues…without success.  I can’t figure out what is different about AT&T and their techs have no clue.  It’s almost as if AT&T is doing something to reset the connection every “x” number of minutes.  VPN connections are perfect on AT&T if I use a “block” of static IPs.  No drops or resets.  Naturally, that requires using their more expensive business DSL service…


Here is the basic config…

Westell or Netopia DSL modem set to bridge mode.  The DSL modem handles the PPPoE connection and authentication.

Cisco 851 router handles everything else…internal 192.168.x.x network, IPsec site to site VPN connection to Cisco ASA 5510.


If anyone has a similar config working on AT&T/Bellsouth, I'd love to hear about it.  Any thoughts or suggestions appreciated…


Thanks in advance.


Brad

Jennifer Halim (Cisco Employee) Thu, 04/15/2010 - 06:27

With a dynamic IP address assigned by the ISP, you might want to double check if:

1) the PPP connection happened to reset every 15-60 minutes (coinciding with the time when the VPN tunnel is down).

2) the ISP is somehow assigning a new IP address every 15-60 minutes (coinciding with the time when the VPN tunnel is down).


If they are, then the VPN tunnel which was built with the old IP address is still in the SA table, and when a new IP address gets assigned to your dynamic site, the head end is not aware, and still sends traffic towards the old address. Once you reload the router, it clears down the tunnel, and a new tunnel gets negotiated with the new IP address.

oldredtop Thu, 04/15/2010 - 06:55

Thanks for the quick response, hallijenn.


Just did a confirmation check for the IP address reset...it was unchanged.  I also experience the same symptoms on a connection assigned a single static WAN IP.


Thanks.

oldredtop Thu, 04/22/2010 - 04:37

This issue was solved by adding the keepalive command to the remote 851.  So keepalive is now running on both ends of the VPN.


Thanks.

Jennifer Halim (Cisco Employee) Thu, 04/22/2010 - 04:40

Great to hear it's all working fine now with keepalives. Thanks.
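
Added example, not posted by anyone in the thread: a sketch of IKE keepalives (dead peer detection) on both ends of the tunnel, assuming the "keepalive command" mentioned above is IOS `crypto isakmp keepalive`. The timer values and the peer address 203.0.113.10 are placeholders chosen for illustration.

```cisco
! Added example; timers and the peer address are assumptions, not values from the thread.
!
! --- Remote Cisco 851 (IOS), global configuration mode ---
! Send a DPD probe every 10 seconds even when the tunnel is idle, and
! retry every 3 seconds if the peer stops answering. When the peer is
! declared dead the router deletes the stale IKE and IPsec SAs, so the
! next interesting packet triggers a fresh negotiation instead of being
! encrypted into a tunnel the other end no longer has.
crypto isakmp keepalive 10 3 periodic
!
! --- Head-end Cisco ASA 5510, global configuration mode ---
! 203.0.113.10 stands in for the 851's static WAN address. A peer with
! a dynamic address is matched by DefaultL2LGroup instead.
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
!
! --- Checks on either device after the change ---
! show crypto isakmp sa     (an IKE SA to the peer is present)
! show crypto ipsec sa      (encaps and decaps counters both increase)
```

If the encaps counter climbs while decaps stays flat, one side is still sending into an SA the other side has dropped, which is the stale-SA condition described earlier in the thread.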
