Reset the Router Constantly

Unanswered Question
Sep 22nd, 2010

Hi Everyone,

I have got a Site to Site VPN.


I've got a Cisco ASA 5520 device at my workplace and a Cisco 857 ADSL router for a branch office, and have the internet up and running.

But I have a minor issue, and that is I have to reset my branch router constantly to make the VPN run.

I don't know what's going on.

Please advise, experts.

Marcin Latosiewicz Wed, 09/22/2010 - 02:33

Please check if you have

crypto isakmp keepalive
crypto isakmp invalid-spi-recovery

configured.

If you don't, I'd say it would be reasonable to add them (both options on router, option 1 on ASA).

Marcin

Samir Shaikh Wed, 09/22/2010 - 02:46

Thanks for your prompt response.

Please can you emphasize those commands? What do they mean?

Samir Shaikh Fri, 09/24/2010 - 06:56

Hi Marcin,

Still the problem persists.

My VPN was not working; after rebooting the router it works.

Please suggest.

Samir Shaikh Fri, 09/24/2010 - 08:06

Hi Marcin,

Here is the router configuration



Current configuration : 3748 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c850-advsecurityk9-mz.124-15.T14.bin
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 $1$I7fD$hFcavQfsBAttAU3kdsCyo0
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-514007288
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-514007288
revocation-check none
rsakeypair TP-self-signed-514007288
!
!
crypto pki certificate chain TP-self-signed-514007288
certificate self-signed 01
        quit
dot11 syslog
!
!
ip cef
ip name-server 212.93.XX.XX
ip name-server 212.93.XX.XX
!
!
!        
username admin privilege 15 password 7 070C2E414B4D0D041C170218
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 11.22.33.44
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to11.22.33.44
set peer 11.22.33.44
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 44.55.66.77 255.255.255.248
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ppp chap password 7 0355095852
ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXX
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 44.55.66.70 0.0.0.7 10.1.2.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 1306181F0E48102B20212127
login local
!
scheduler max-task-time 5000
end




Marcin Latosiewicz Fri, 09/24/2010 - 08:25

crypto isakmp keepalive 3600

That's a bit too high! One keepalive every hour? Typical value is 30 seconds.

It would be interesting to know what's happening during the issue:

Debugs to collect:

- debug crypto isa

- debug crypto ipsec

Marcin
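
Added example (not part of the original thread, and not Cisco's or either poster's code): a small Python check that reads an IOS running-config and reports the two items discussed above, whether `crypto isakmp keepalive` and `crypto isakmp invalid-spi-recovery` are present and whether the keepalive interval is sane. The 60-second ceiling and the function names are assumptions of this example; the thread only says 3600 is too high and 30 seconds is typical.

```python
import re

# Assumption of this example: flag keepalive intervals above 60 s. The thread
# itself only says that 3600 is too high and that 30 seconds is typical.
MAX_KEEPALIVE_SECONDS = 60

# IOS syntax: crypto isakmp keepalive <seconds> [<retry-seconds>] [periodic | on-demand]
KEEPALIVE_RE = re.compile(
    r"^crypto isakmp keepalive (\d+)(?:\s+(\d+))?(?:\s+(periodic|on-demand))?$")

def parse_isakmp(config_text):
    """Extract the two settings the thread asks about from a running-config."""
    state = {"keepalive": None, "retry": None, "mode": None,
             "invalid_spi_recovery": False}
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        m = KEEPALIVE_RE.match(line)  # a "no crypto isakmp ..." line never matches
        if m:
            state["keepalive"] = int(m.group(1))
            state["retry"] = int(m.group(2)) if m.group(2) else None
            state["mode"] = m.group(3)
        elif line == "crypto isakmp invalid-spi-recovery":
            state["invalid_spi_recovery"] = True
    return state

def audit_isakmp(config_text):
    """Return a list of findings; an empty list means both options look fine."""
    s = parse_isakmp(config_text)
    findings = []
    if s["keepalive"] is None:
        findings.append("keepalive missing: a dead peer is never detected")
    elif s["keepalive"] > MAX_KEEPALIVE_SECONDS:
        findings.append(f"keepalive interval {s['keepalive']}s too high: "
                        "stale SAs can linger until the next probe")
    if not s["invalid_spi_recovery"]:
        findings.append("invalid-spi-recovery missing")
    return findings

# Excerpt of the router configuration posted in the thread.
POSTED = """\
crypto isakmp policy 1
 encr 3des
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 3600
"""
FIXED = POSTED.replace("keepalive 3600", "keepalive 30")  # constructed variant
BARE = "crypto isakmp policy 1\n encr 3des\n"             # constructed variant

if __name__ == "__main__":
    print({n: audit_isakmp(c) for n, c in
           (("posted", POSTED), ("fixed", FIXED), ("bare", BARE))})
```
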

Marcin Latosiewicz Fri, 09/24/2010 - 09:07

Two possible ways,

it's either printed to monitor session:

----------
conf t
logg on
logg mon deb
exit
term mon
----------

Once you finish getting output you can do "term no mon" and "un all".

Or to buffer:

---------
conf t
logg on
logg buffered debug
exit
show logg
-----------

Marcin
