PIX to Router VPN going down

Unanswered Question
Jan 20th, 2006
Hello,


I have recently implemented a site to site dynamic to static VPN between a PIX 500 series 6.3(3), and an 871W router. The PIX is the static side, and the 871W is the dynamic side.


I am having the VPN go down every 24ish hours or so. I believe that I need to do something with DPD, but I haven't been able to find exactly what. Here's part of the config of the 871W:


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxx address xxxx
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map xxxvpn 10 ipsec-isakmp
 set peer xxxx
 set transform-set strong
 match address 100
!
bridge irb
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 ip address xxxxx 255.255.255.240
 ip access-group 125 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map xxxvpn
!
interface Dot11Radio0
 no ip address
 !
 broadcast-key vlan 1 change 45
 !
 !
 encryption vlan 1 key 1 size 128bit 7 xxxx transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid xxxx
    vlan 1
    authentication open
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 channel 2457
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.33.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxx
!
no ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet4 overload
!
access-list 100 remark Tag traffic to be encrypted
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.23.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.22.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.24.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.29.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 remark Performs NAT against everything but VPN traffic
access-list 110 deny ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 110 deny ip 192.168.33.0 0.0.0.255 10.254.0.0 0.0.255.255
access-list 110 permit ip 192.168.33.0 0.0.0.255 any
access-list 125 remark Restrict access on external interface fa4
access-list 125 permit udp host xxxx any eq isakmp
access-list 125 permit udp host xxxx eq isakmp any
access-list 125 permit esp host xxxx any
access-list 125 permit icmp any any
access-list 125 permit ip xxxxx 0.0.0.255 any
access-list 125 permit ip 172.28.0.0 0.0.255.255 any
no cdp run
!
control-plane
!
bridge 1 route ip

vkapoor5 Wed, 01/25/2006 - 09:50

I feel this could be due to the expiration of the "Security Association". If there is no user traffic for a duration longer than the SA lifetime, the SA will expire and a new SA will be formed only when user traffic is initiated. Look at the logs for more information on why the VPN is breaking.


You can try configuring "keepalives" between the VPN peers so that the VPN is always on and does not timeout.


"crypto isakmp keepalive 10"
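The keepalive fix in the reply and the ACLs in the posted 871W config both lend themselves to a quick offline audit. The Python below is an added example, not code from the thread or from Cisco: it parses numbered IOS ACLs with first-match semantics, reports crypto-ACL destinations that the NAT list still translates (on IOS, inside-to-outside NAT happens before the crypto map ACL is evaluated, so translated flows never match it), and checks whether a "crypto isakmp keepalive" line is present. The sample config is a constructed excerpt of the ACL and NAT lines posted above; the list numbers 100 and 110 are taken from that config.

```python
from ipaddress import IPv4Network

# Constructed sample input modelled on the ACL and NAT lines of the config posted above.
SAMPLE_CONFIG = """\
ip nat inside source list 110 interface FastEthernet4 overload
access-list 100 remark Tag traffic to be encrypted
access-list 100 permit ip 192.168.33.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 100 permit ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 110 deny ip 192.168.33.0 0.0.0.255 10.28.0.0 0.0.255.255
access-list 110 permit ip 192.168.33.0 0.0.0.255 any
"""

def parse_endpoint(tokens):
    # Consume one IOS address spec: 'any' or 'address wildcard-mask' ('host' form not handled).
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    mask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return IPv4Network(f"{tok}/{mask}", strict=False)

def parse_acl(config, number):
    # [(action, src_net, dst_net)] for the 'ip' entries of one numbered ACL, in order.
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or tokens[3:4] != ["ip"]:
            continue  # other ACLs, remarks, non-ip entries
        action, rest = tokens[2], tokens[4:]
        src = parse_endpoint(rest)
        entries.append((action, src, parse_endpoint(rest)))
    return entries

def first_match(entries, src, dst):
    # IOS ACLs are evaluated top-down, first match wins, implicit deny at the end.
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def natted_crypto_destinations(config, crypto_acl=100, nat_acl=110):
    # IOS translates inside-to-outside packets before the crypto map ACL is checked, so a
    # crypto-ACL flow that the NAT ACL still permits is translated and never enters the tunnel.
    nat_entries = parse_acl(config, nat_acl)
    return [str(dst) for action, src, dst in parse_acl(config, crypto_acl)
            if action == "permit" and first_match(nat_entries, src, dst) == "permit"]

def has_isakmp_keepalive(config):
    # The reply's suggestion: a 'crypto isakmp keepalive <seconds>' line enables peer keepalives.
    return any(l.strip().startswith("crypto isakmp keepalive") for l in config.splitlines())
```

Run against the full set of ACLs posted above it flags every 172.x destination, because list 110 only exempts the two 10.x networks from NAT; each such destination needs its own deny line in list 110 ahead of the final permit.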

