877 VPN keeps dropping

Damien Silman
Level 1

I've got a few remote sites running the config below; they stay connected over PPPoE, but the VPN tunnel keeps dropping, or flaps up and down and ultimately stabilises or drops.

Where have I gone wrong?

Show version:

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)

Config:

Current configuration : 3666 bytes

!

! No configuration change since last restart

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ITTest

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable secret PASSWORD

enable password PASSWORD

!

no aaa new-model

clock timezone GMT 0

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

!

!

dot11 syslog

ip source-route

!

!

ip cef

ip domain name gratte.com

ip name-server 172.20.0.221

ip name-server 172.20.0.222

!

!

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key PRESHAREDKEY address XXX.XXX.XXX.XXX no-xauth

!

!

crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac

!

crypto ipsec profile IPSEC-VPN

set transform-set 3DESSHA

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface Tunnel0

description --- IPSec Tunnel to KX ---

ip address 172.29.0.1 255.255.255.252

ip ospf mtu-ignore

load-interval 30

tunnel source Dialer0

tunnel destination XXX.XXX.XXX.XXX

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-VPN

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 172.29.0.10 255.255.255.252

ip nat inside

ip virtual-reassembly

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp chap hostname USERNAME

ppp chap password PASSWORD

ppp pap sent-username USERNAME password PASSWORD

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 172.16.0.0 255.240.0.0 Tunnel0

ip route 172.29.0.0 255.255.0.0 Vlan1

no ip http server

no ip http secure-server

!

ip dns server

ip nat inside source list 100 interface FastEthernet0 overload

!

access-list 100 deny   ip 172.29.0.0 0.0.255.255 172.16.0.0 0.0.240.255

access-list 100 permit ip 172.29.0.0 0.0.255.255 any

!

!

!

snmp-server community public RO

!

control-plane

!

!

line con 0

password PASSWORD

login

no modem enable

line aux 0

line vty 0 4

password PASSWORD

login

!

scheduler max-task-time 5000

ntp server 172.20.0.221

ntp server 172.20.0.222

end

When I originally made this config, I was familiar with Cisco switches and had to learn all the router stuff.

Now that I have more knowledge, I've tried to make a new config; the problem with that is I can't even get the VPN tunnel up to start with. That config is below (same hardware and firmware).

ITTest#show run

Building configuration...

Current configuration : 6053 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug uptime

service timestamps log uptime

service password-encryption

service sequence-numbers

!

hostname ITTest

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 10240

logging console critical

!

no aaa new-model

clock timezone GMT 0

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

!

!

dot11 syslog

ip source-route

ip dhcp excluded-address 172.30.58.1 172.30.58.99

!

ip dhcp pool dhcppool

   import all

   network 172.30.58.0 255.255.255.0

   default-router 172.30.58.1

   dns-server 172.30.58.1 172.20.0.221 172.20.0.222

   domain-name gratte.com

   lease 7

   update arp

!

!

ip cef

ip inspect name firewall tcp

ip inspect name firewall udp

ip inspect name firewall cuseeme

ip inspect name firewall h323

ip inspect name firewall rcmd

ip inspect name firewall realaudio

ip inspect name firewall streamworks

ip inspect name firewall vdolive

ip inspect name firewall sqlnet

ip inspect name firewall tftp

ip inspect name firewall ftp

ip inspect name firewall icmp

ip inspect name firewall sip

ip inspect name firewall esmtp max-data 52428800

ip inspect name firewall fragment maximum 256 timeout 1

ip inspect name firewall netshow

ip inspect name firewall rtsp

ip inspect name firewall pptp

ip inspect name firewall skinny

no ip bootp server

no ip domain lookup

ip domain name gratte.com

ip name-server 172.20.0.121

ip name-server 172.20.0.120

!

!

!

!

file verify auto

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key PRESHAREDKEY address XXX.XXX.XXX.XXX no-xauth

!

!

crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac

!

crypto map cm-cryptomap 110 ipsec-isakmp

set peer XXX.XXX.XXX.XXX

set transform-set 3DESSHA

match address 110

!

archive

log config

  hidekeys

path flash:config

write-memory

!

!

ip tcp selective-ack

ip tcp timestamp

!

!

!

interface ATM0

no ip address

ip nat outside

ip virtual-reassembly

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

ip address 172.30.58.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Dialer0

ip address negotiated

ip access-group 101 in

no ip redirects

no ip unreachables

ip mtu 1492

ip inspect firewall out

ip nat outside

ip virtual-reassembly

encapsulation ppp

no ip route-cache cef

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer-group 1

no cdp enable

ppp chap hostname USERNAME

ppp chap password PASSWORD

ppp ipcp dns request

ppp ipcp route default

crypto map cm-cryptomap

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip dns server

ip nat pool pool1 172.30.58.0 172.30.59.0 netmask 0.0.0.255

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source list 105 interface Dialer0 overload

!

access-list 1 permit 172.30.58.0 0.0.0.255

access-list 1 remark The local LAN.

access-list 2 remark Where management can be done from.

access-list 2 permit 172.30.58.0 0.0.0.255

access-list 2 permit 172.20.0.0 0.0.255.255

access-list 3 remark Traffic not to check for intrusion detection.

access-list 3 deny   172.20.0.0 0.0.0.255

access-list 3 permit any

access-list 101 remark Traffic allowed to enter the router from the Internet

access-list 101 permit ip 172.20.0.0 0.0.0.255 172.30.58.0 0.0.0.255

access-list 101 deny   ip 0.0.0.0 0.255.255.255 any

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip 169.254.0.0 0.0.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.0.2.0 0.0.0.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 198.18.0.0 0.1.255.255 any

access-list 101 deny   ip 224.0.0.0 0.15.255.255 any

access-list 101 deny   ip any host 255.255.255.255

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit udp any any eq isakmp

access-list 101 permit esp any any

access-list 101 permit tcp any any eq 1723

access-list 101 permit gre any any

access-list 101 deny   icmp any any echo

access-list 101 deny   ip any any log

access-list 102 remark Traffic allowed to enter the router from the Ethernet

access-list 102 permit ip any host 172.30.58.1

access-list 102 deny   ip any host 172.30.58.255

access-list 102 deny   udp any any eq tftp log

access-list 102 permit ip 172.30.58.0 0.0.0.255 172.20.0.0 0.0.0.255

access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log

access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log

access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log

access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log

access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log

access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log

access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log

access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log

access-list 102 deny   udp any any eq 135 log

access-list 102 deny   tcp any any eq 135 log

access-list 102 deny   udp any any eq netbios-ns log

access-list 102 deny   udp any any eq netbios-dgm log

access-list 102 deny   tcp any any eq 445 log

access-list 102 permit ip 172.30.58.0 0.0.0.255 any

access-list 102 permit ip any host 255.255.255.255

access-list 102 deny   ip any any log

access-list 105 remark Traffic to NAT

access-list 105 deny   ip 172.30.58.0 0.0.0.255 172.20.0.0 0.0.0.255

access-list 105 permit ip 172.30.58.0 0.0.0.255 any

access-list 110 remark Site to Site VPN

access-list 110 permit ip 172.30.58.0 0.0.0.255 172.20.0.0 0.0.0.255

access-list 110 deny   ip 172.30.58.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

!

!

snmp-server community blooby RW

snmp-server community public RO

!

control-plane

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

login

!

scheduler max-task-time 5000

end

Any suggestions on either the above configs would be greatly appreciated!

Thanks!

-Damo.
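Independently of the DSL question, the first config as posted has several points a reviewer would raise: the overload NAT rule is bound to FastEthernet0, which has no address and is not the 'ip nat outside' interface (Dialer0 is), so LAN traffic leaving Dialer0 is not translated; 'enable password' is set alongside 'enable secret'; the SNMP community is the well-known 'public'; the vty lines have no 'transport input ssh', so on 12.4 they accept Telnet by default; and the ISAKMP policy uses 3DES with DH group 2. The Python checker below is an added example, not code from the thread or from Cisco, that runs exactly those checks over an IOS running-config. The embedded sample is the posted config trimmed to the relevant lines and re-indented the way IOS prints blocks; the check list and the wording of the findings are this example's own.

```python
"""Static checks over a Cisco IOS running-config (added example)."""
import re

# Constructed sample: the first config posted in the thread, trimmed to the
# lines the checks below look at and re-indented the way IOS prints blocks.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname ITTest
enable secret PASSWORD
enable password PASSWORD
no aaa new-model
ip source-route
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHAREDKEY address XXX.XXX.XXX.XXX no-xauth
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
interface Tunnel0
 ip address 172.29.0.1 255.255.255.252
 tunnel source Dialer0
 tunnel destination XXX.XXX.XXX.XXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN
interface FastEthernet0
interface Vlan1
 ip address 172.29.0.10 255.255.255.252
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source list 100 interface FastEthernet0 overload
access-list 100 deny   ip 172.29.0.0 0.0.255.255 172.16.0.0 0.0.240.255
access-list 100 permit ip 172.29.0.0 0.0.255.255 any
snmp-server community public RO
line vty 0 4
 password PASSWORD
 login
end
"""


def parse_blocks(text):
    """Split an IOS config into (header, [child lines]) blocks.

    IOS indents block children by one space and uses '!' as a separator.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of human-readable findings for the config text."""
    blocks = parse_blocks(text)
    # Map interface name -> its child lines, so NAT bindings can be checked.
    interfaces = {h.split(None, 1)[1]: kids for h, kids in blocks
                  if h.startswith("interface ")}
    findings = []
    for header, kids in blocks:
        m = re.match(r"ip nat inside source list (\S+) interface (\S+)", header)
        if m:
            acl, ifname = m.groups()
            if "ip nat outside" not in interfaces.get(ifname, []):
                findings.append(f"NAT for access-list {acl} is bound to {ifname}, "
                                f"which is not marked 'ip nat outside'")
        m = re.match(r"snmp-server community (\S+) (RO|RW)", header)
        if m:
            community, mode = m.groups()
            if community.lower() in ("public", "private"):
                findings.append(f"SNMP community '{community}' ({mode}) is a well-known default")
            elif mode == "RW":
                findings.append(f"SNMP community '{community}' grants write access")
        if header.startswith("enable password"):
            findings.append("'enable password' is set; keep only 'enable secret'")
        if header == "ip source-route":
            findings.append("IP source routing is enabled ('no ip source-route' is the usual hardening)")
        if header.startswith("line vty") and "transport input ssh" not in kids:
            findings.append(f"'{header}' has no 'transport input ssh'; IOS 12.4 accepts Telnet by default")
        if header.startswith("crypto isakmp policy"):
            if "encr 3des" in kids:
                findings.append(f"'{header}' uses 3DES, which is deprecated for IKE")
            if "group 2" in kids:
                findings.append(f"'{header}' uses DH group 2 (1024-bit MODP)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports seven findings; the NAT one is the functional bug, the rest are hardening points. Paste in the second config instead and the same checks will also pick up the 'blooby' RW community.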


Leo Laohoo
Hall of Fame

All this time and your DSL link stays up?

Can you post the output to the command "sh dsl atm"?

Yes, I had to reload the router earlier to bring the VPN back up, but both DSL and VPN are currently up in the example below:

ITTest#show dsl int atm0

ATM0

Alcatel 20190 chipset information

                ATU-R (DS)                      ATU-C (US)

Modem Status:    Showtime (DMTDSL_SHOWTIME)

DSL Mode:        ITU G.992.3 (ADSL2) Annex A

ITU STD NUM:     0x03                            0x2

Chip Vendor ID:  'STMI'                          'IFTN'

Chip Vendor Specific:  0x0000                    0x71C8

Chip Vendor Country:   0x0F                      0xB5

Modem Vendor ID: 'CSCO'                          '    '

Modem Vendor Specific: 0x0000                    0x0000

Modem Vendor Country:  0xB5                      0x00

Serial Number Near:    FCZ1519C4H 877-K9   12.4

Serial Number Far:  Chip ID:     C196P (1)

DFE BOM:         DFE3.0 Annex A (1)

Capacity Used:   99%                             100%

Noise Margin:     3.0 dB                          6.0 dB

Output Power:    18.0 dBm                        12.5 dBm

Attenuation:     49.0 dB                         27.0 dB

FEC ES Errors:    0                               0

ES Errors:       757                              0

SES Errors:       9                               0

LOSES Errors:     1                               0

UES Errors:       0                               0

Defect Status:   None                            None

Last Fail Code:  None

Watchdog Counter: 0x48

Watchdog Resets: 0

Selftest Result: 0x00

Subfunction:     0x00

Interrupts:      23931 (0 spurious)

PHY Access Err:  0

Activations:     1

LED Status:      ON

LED On Time:     100

LED Off Time:    100

Init FW:         init_3.0.33_nobist.bin

Operation FW:    AMR-3.0.033.bin

FW Source:       external

FW Version:      3.0.33

                 DS Channel1      DS Channel0   US Channel1       US Channel0

Speed (kbps):             0             2255             0               996

Cells:                    0          6223653             0         119336458

Reed-Solomon EC:          0                0             0                 0

CRC Errors:               0             1086             0                 0

Header Errors:            0              588             0                 0

Total BER:                0E-0           8389E-10

Leakage Average BER:      0E-0           3688E-10

Interleave Delay:         0               13             0                63

                        ATU-R (DS)      ATU-C (US)

Bitswap:               enabled            enabled

Bitswap success:          0                   0

Bitswap failure:          0                   0

LOM Monitoring : Disabled

DMT Bits Per Bin

000: 0 0 0 0 0 0 6 8 9 A B C C C C C

010: C C C B B B B B A A A A A 9 8 7

020: 0 6 7 7 7 7 7 7 7 7 7 7 6 7 6 6

030: 6 5 5 5 5 5 6 6 6 5 5 6 5 5 5 6

040: 5 6 5 5 6 5 5 6 5 6 6 6 6 6 6 6

050: 7 7 7 7 7 8 8 8 8 8 2 8 8 7 7 7

060: 7 6 6 6 6 5 5 5 4 4 4 4 4 2 2 2

070: 2 2 2 2 2 2 2 2 2 2 1 1 1 0 0 0

080: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

090: 0 0 0 0 1 1 1 1 0 2 2 2 2 2 2 2

0A0: 2 2 2 2 2 2 3 4 4 4 4 4 5 5 5 5

0B0: 5 5 5 5 5 5 5 5 4 4 4 4 4 4 4 2

0C0: 2 2 2 2 1 0 0 0 0 0 0 0 0 0 0 0

0D0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0E0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0F0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

DSL: Training log buffer capability is not enabled

Attenuation:     49.0 dB                         27.0 dB

Noise Margin:     3.0 dB                          6.0 dB

Your issue, I believe, has got nothing to do with your router.  Your attenuation is too high (it should be 20.0 dB or lower).  Noise margin is no better.

This is another router on an entirely different site, show dsl int atm0 output is:

StGeorgesDATA#show dsl int atm0

ATM0

Alcatel 20190 chipset information

                ATU-R (DS)                      ATU-C (US)

Modem Status:    Showtime (DMTDSL_SHOWTIME)

DSL Mode:        ITU G.992.5 (ADSL2+) Annex A

ITU STD NUM:     0x03                            0x2

Chip Vendor ID:  'STMI'                          'IFTN'

Chip Vendor Specific:  0x0000                    0x71C8

Chip Vendor Country:   0x0F                      0xB5

Modem Vendor ID: 'CSCO'                          '    '

Modem Vendor Specific: 0x0000                    0x0000

Modem Vendor Country:  0xB5                      0x00

Serial Number Near:    FCZ160290S 877-M-K9 12.4

Serial Number Far:  Chip ID:     C196P (1) capability-enabled

DFE BOM:         DFE3.0 Annex M (3)

Capacity Used:   97%                             99%

Noise Margin:     3.0 dB                          7.0 dB

Output Power:    20.0 dBm                        11.0 dBm

Attenuation:     20.0 dB                          5.0 dB

FEC ES Errors:    0                              28474

ES Errors:        0                               7

SES Errors:       0                               1

LOSES Errors:     0                               1

UES Errors:       0                               0

Defect Status:   None                            None

Last Fail Code:  None

Watchdog Counter: 0x4E

Watchdog Resets: 0

Selftest Result: 0x00

Subfunction:     0x00

Interrupts:      24585 (0 spurious)

PHY Access Err:  0

Activations:     1

LED Status:      ON

LED On Time:     100

LED Off Time:    100

Init FW:         init_3.0.33_nobist.bin

Operation FW:    AMR-3.0.033.bin

FW Source:       external

FW Version:      3.0.33

                 DS Channel1      DS Channel0   US Channel1       US Channel0

Speed (kbps):             0            18825             0              1242

Cells:                    0         96888503             0         150258020

Reed-Solomon EC:          0            42660             0             77263

CRC Errors:               0                7             0                 7

Header Errors:            0                4             0                84

Total BER:                0E-0           5591E-12

Leakage Average BER:      0E-0           1762E-13

                        ATU-R (DS)      ATU-C (US)

Bitswap:               enabled            enabled

LOM Monitoring : Disabled

DMT Bits Per Bin

Not able to get complete DMT bin information. Please retry "show dsl" after few seconds.

DSL: Training log buffer capability is not enabled

Attenuation is much lower; what would you say in response to the above? Or do they both point to bad lines/too far from the exchange?

Attenuation:     20.0 dB                          5.0 dB

Looks good.  20.0 dB, and the lower the value the better.

Noise Margin:     3.0 dB                          7.0 dB

Oops.  That's not nice.  It should be higher than 20 dB (the higher the value the better).
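To put numbers on the comparison being made here, the following Python script is an added example (not from the thread) that parses the fields of the two "show dsl interface atm0" outputs quoted above and flags the downstream side of each line. The embedded text is the two outputs trimmed to the lines used. The 20 dB attenuation guideline follows the reply above; the 6 dB noise-margin floor and the one-CRC-error-per-million-cells rate are thresholds chosen for this example and are passed as parameters so they can be changed.

```python
"""Parse and assess 'show dsl interface atm0' line statistics (added example)."""
import re

# Constructed samples: the DSL status lines quoted from the two routers in the
# thread (ITTest and StGeorgesDATA), trimmed to the fields used below.
SITE_A = """\
Noise Margin:     3.0 dB                          6.0 dB
Output Power:    18.0 dBm                        12.5 dBm
Attenuation:     49.0 dB                         27.0 dB
FEC ES Errors:    0                               0
ES Errors:       757                              0
SES Errors:       9                               0
                 DS Channel1      DS Channel0   US Channel1       US Channel0
Speed (kbps):             0             2255             0               996
Cells:                    0          6223653             0         119336458
CRC Errors:               0             1086             0                 0
"""

SITE_B = """\
Noise Margin:     3.0 dB                          7.0 dB
Output Power:    20.0 dBm                        11.0 dBm
Attenuation:     20.0 dB                          5.0 dB
FEC ES Errors:    0                              28474
ES Errors:        0                               7
SES Errors:       0                               1
                 DS Channel1      DS Channel0   US Channel1       US Channel0
Speed (kbps):             0            18825             0              1242
Cells:                    0         96888503             0         150258020
CRC Errors:               0                7             0                 7
"""

# Two-column lines are ATU-R (downstream) then ATU-C (upstream).
_PAIR = re.compile(r"^(Noise Margin|Attenuation):\s+([\d.]+) dB\s+([\d.]+) dB")
_ERR = re.compile(r"^(ES|SES) Errors:\s+(\d+)\s+(\d+)")
# Four-column lines are DS channel 1, DS channel 0, US channel 1, US channel 0.
_CHAN = re.compile(r"^(Speed \(kbps\)|Cells|CRC Errors):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_dsl(text):
    """Return {field: (downstream, upstream)} from show dsl output.

    Channel 1 and channel 0 are summed; only one of them carries traffic here.
    """
    stats = {}
    for line in text.splitlines():
        m = _PAIR.match(line)
        if m:
            stats[m.group(1)] = (float(m.group(2)), float(m.group(3)))
            continue
        m = _ERR.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = _CHAN.match(line)
        if m:
            ds1, ds0, us1, us0 = (int(x) for x in m.groups()[1:])
            stats[m.group(1)] = (ds1 + ds0, us1 + us0)
    return stats


def assess(stats, max_attenuation_db=20.0, min_margin_db=6.0, max_crc_per_mcells=1.0):
    """Flag downstream line conditions.

    Thresholds are assumptions: 20 dB attenuation follows the advice in the
    thread; the 6 dB margin floor and the CRC rate are chosen for this example.
    """
    findings = []
    attenuation = stats["Attenuation"][0]
    margin = stats["Noise Margin"][0]
    es, ses = stats["ES"][0], stats["SES"][0]
    crc, cells = stats["CRC Errors"][0], stats["Cells"][0]
    crc_rate = crc / cells * 1_000_000 if cells else 0.0
    if attenuation > max_attenuation_db:
        findings.append(f"downstream attenuation {attenuation} dB exceeds {max_attenuation_db} dB")
    if margin < min_margin_db:
        findings.append(f"downstream noise margin {margin} dB is below {min_margin_db} dB")
    if es or ses:
        findings.append(f"{es} errored / {ses} severely errored seconds downstream since sync")
    if crc_rate > max_crc_per_mcells:
        findings.append(f"{crc_rate:.1f} CRC errors per million downstream cells")
    return findings


if __name__ == "__main__":
    for name, text in (("ITTest", SITE_A), ("StGeorgesDATA", SITE_B)):
        stats = parse_dsl(text)
        print(name, f"{stats['Speed (kbps)'][0]} kbps down:", assess(stats) or ["no findings"])
```

The first site trips every check (49 dB attenuation, 3 dB margin, 757 errored seconds and about 174 CRC errors per million cells on a 2.2 Mbps sync); the second only fails the margin check, which matches the two different diagnoses in the thread.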

So potentially I'm looking at two different issues.

I am aware that the first example above is quite a distance from where the ADSL line is presented; the second example isn't, though, so what could be the cause of the bad noise margin? Bad cabling? I'd expect not, as we have two 877 routers on two separate lines at that site, and both have the same symptoms.

Thanks.

xDSL has a major flaw.  If you have a faulty xDSL copper towards your premises you get very bad line speed and synch.

Look here in Australia.  Our copper cabling to the premises (business or residential) is so bad that every time it rains, water gets into the cracks in the cable and causes issues.  Unfortunately, our telcos don't want to repair these cables because they just want to take our money.


Same goes with you.  Take the results that you've posted and show it to your telco and demand to get the lines fixed.

I've got BT on to the case of the poor attenuation site, we are trying to move it to a closer cabinet to the premises.

I still have an issue with noise margin.  BT (the telecoms company) can't see any faults with the line; I've replaced microfilters, replaced cabling, and I've still got a poor noise margin.

Is there anything I can adjust on the routers to compensate this?

Example:

Noise Margin:     6.0 dB                          6.5 dB

Output Power:    21.0 dBm                        12.0 dBm

Attenuation:     24.0 dB                         11.0 dB

Thanks,

Is there anything I can adjust on the routers to compensate this?

No there is none.

With the majority of our sites it now seems to be an inconsistency between the 877 hardware and the cabinets that BT are connecting them to in the exchange; we've fixed this by using the ISP-provided router/modem and just using the 877 to create the tunnel from behind it.

With one of the sites, it is in fact terrible wiring from the ISP.

Thanks for your help Leo.

Glad to be of some assistance, Damien.
