Help with VPN Disconnects

oldredtop
Level 1

Obviously a noob here...so please be gentle... 

I would like to know if anyone has been able to get a site-to-site, IPsec-based VPN working without random periodic drops using AT&T/Bellsouth with a single static or dynamic WAN address?  I can get a VPN connection to work, but after a period of time (15-60 minutes) the VPN connection drops, and even though the VPN light on the router remains lit, the VPN connection is dead.  Power cycling the Cisco model 851 router will bring the VPN back to life... for another 15-60 minutes.

I run a similar router config file for Charter cable and Windstream DSL dynamic addressing and they work fine.  I have tried this setup in multiple locations to eliminate the possibility of line issues…without success.  I can’t figure out what is different about AT&T and their techs have no clue.  It’s almost as if AT&T is doing something to reset the connection every “x” number of minutes.  VPN connections are perfect on AT&T if I use a “block” of static IP’s.  No drops or resets.  Naturally, that requires using their more expensive business DSL service… 

Here is the basic config…

Westell or Netopia DSL modem set to bridge mode.  The DSL modem handles the PPPoE connection and authentication.

Cisco 851 router handles everything else... internal 192.168.x.x network, IPsec site-to-site VPN connection to Cisco ASA 5510.

If anyone has a similar config working on AT&T/Bellsouth, I'd love to hear about it.  Any thoughts or suggestions appreciated...

Thanks in advance.

Brad

4 Replies

Jennifer Halim
Cisco Employee

With a dynamic IP address assigned by the ISP, you might want to double check if:

1) the PPP connection happens to reset every 15-60 minutes (coinciding with the time when the VPN tunnel is down).

2) the ISP is somehow assigning a new IP address every 15-60 minutes (coinciding with the time when the VPN tunnel is down).

If they are, then the VPN tunnel which was built with the old IP address is still in the SA table, and when a new IP address gets assigned to your dynamic site, the head end is not aware, and still sends traffic towards the old address. Once you reload the router, it clears down the tunnel, and a new tunnel gets negotiated with the new IP address.

Thanks for the quick response, hallijenn.

Just did a confirmation check for the IP address reset... it was unchanged.  I also experience the same symptoms on a connection assigned a single static WAN IP.

Thanks.

This issue was solved by adding the keepalive command to the remote 851.  So keepalive is now running on both ends of the VPN.

Thanks.

Great to hear it's all working fine now with keepalives. Thanks.
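
The fix reported in this thread, as an added configuration sketch that is not part of the original posts or the poster's actual config. It assumes the "keepalive command" is IKE keepalive (dead peer detection); the timer values and the tunnel-group name are illustrative placeholders.

```cisco
! Constructed example: values and names below are illustrative, not from the thread.
! Assumption: the "keepalive command" is IKE keepalive (dead peer detection, DPD).

! --- Remote site: Cisco 851 (IOS) ---
! Before: no "crypto isakmp keepalive" line. If the path is silently reset,
! neither peer notices and stale SAs stay installed until a reload.
!
! After: probe the peer every 10 s; on no reply, retry every 3 s.
! "periodic" sends probes even when the tunnel is idle.
crypto isakmp keepalive 10 3 periodic

! --- Head end: Cisco ASA 5510 ---
! REMOTE-SITE-TG is a placeholder tunnel-group name.
tunnel-group REMOTE-SITE-TG ipsec-attributes
 isakmp keepalive threshold 10 retry 3

! --- Verification on the 851 after the next drop ---
! show crypto isakmp sa    (state of the IKE SA to the head end)
! show crypto ipsec sa     (encaps/decaps counters; one-way counters suggest a stale SA)
! clear crypto sa          (tears down IPsec SAs without a reload, for testing)
```

With keepalives on both ends, a peer that stops answering is declared dead and its SAs are removed, so the next interesting traffic triggers a fresh negotiation instead of being sent into a dead tunnel.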
