WAN and VPN connection problem

enikk · ‎12-16-2003

One of my branches just moved to a new building and has aquired a new DSL provider. We are

running a router-to-router VPN with 2611's.

They set up their equipment, i dialed in changed the ip address's on their router and ours. This

was the only thing i changed. I pinged their public ip and private ip through the tunnel and both

were working fine.

It worked for about 5 minutes and than no connectivity.

Here are the symptoms:

1. If i run a continious ping to the private and public ip's the private(through the tunnel) will

timeout after 5 minutes and the public will keep getting replies. When it stops getting replies

response time of the pings gets very high and than settles down.

2. There are times when that branch can ping my public ip and access the internet but i can't

ping their public ip at the same time.

3. Eventually all connectivity from their site is lost. Almost like it is slowly dying.

4. Recycling the router seems to temporarily fix the problem for about 5 minutes.

Below are the router configs. The only thing that was changed was the ip address's on both

routers. I am running another router-to-router VPN to another branch with the same configuration

and having no problems.

The branch with problems is on DSL and Interbaun(canada) is their ISP.

Could this be an ISP issue? Any suggestions?

ANy help would be great!!!

Branch

edrtr#sh run

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname edrtr

!

enable secret 5

!

ip subnet-zero

no ip source-route

no ip finger

!

ip inspect max-incomplete high 1100

ip inspect one-minute high 1100

ip inspect name ETHERNET_0 tcp

ip inspect name ETHERNET_0 udp

ip inspect name ETHERNET_0 ftp

ip inspect name ETHERNET_0 smtp

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key xxxxxx address 10.10.10.10

!

crypto ipsec transform-set PH esp-des

mode transport

!

crypto map TUNNELMAP 10 ipsec-isakmp

set peer 10.10.10.10

set transform-set PH

match address 155

!

interface Tunnel0

description EDMONTON-LIVONIA

ip address 192.168.1.2 255.255.255.0

no ip directed-broadcast

no ip route-cache

no ip mroute-cache

tunnel source Ethernet0/1

tunnel destination 10.10.10.10

crypto map TUNNELMAP

!

interface Ethernet0/0

description LAN

ip address 192.168.77.1 255.255.255.0

ip access-group 100 in

no ip directed-broadcast

no ip proxy-arp

ip nat inside

!

interface Serial0/0

no ip address

no ip directed-broadcast

shutdown

!

interface Ethernet0/1

description INTERNET

ip address x.x.x.x 255.255.255.240

ip access-group 101 in

no ip directed-broadcast

no ip proxy-arp

ip nat outside

ip inspect ETHERNET_0 out

crypto map TUNNELMAP

!

ip nat inside source route-map NONAT interface Ethernet0/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.x

ip route 192.168.2.0 255.255.255.0 Tunnel0

no ip http server

!

access-list 1 permit 192.168.0.0 0.0.255.255

access-list 2 permit 192.168.2.0 0.0.0.255

access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input

access-list 100 deny ip host 0.0.0.0 any log-input

access-list 100 permit ip 192.168.0.0 0.0.255.255 any

access-list 100 permit icmp any any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 101 deny ip 224.0.0.0 31.255.255.255 any log-input

access-list 101 deny ip host 0.0.0.0 any log-input

access-list 101 permit udp any host 11.11.11.11 eq isakmp

access-list 101 permit esp any host 11.11.11.11

access-list 101 permit gre any host 11.11.11.11

access-list 101 permit icmp any any

access-list 150 deny ip 192.168.77.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 150 permit ip 192.168.77.0 0.0.0.255 any

access-list 155 permit gre host 11.11.11.11 host 10.10.10.10

route-map NONAT permit 10

match ip address 150

!

snmp-server engineID local xxxxxx

snmp-server community xxxxx RO 2

snmp-server community xxxxx RW 2

banner motd ^C!!! This router is property of . Any unauthorized use

is strictly prohibited.!!!

^C

!

line con 0

exec-timeout 15 0

password 7

logging synchronous

login

transport input none

line aux 0

password 7

login

modem InOut

modem autoconfigure type usr_sportster

transport input all

speed 115200

line vty 0 4

access-class 1 in

exec-timeout 15 0

password 7

login

transport input telnet

!

end

Corporate Office

livrtr#sh run

Building configuration...

Current configuration:

!

version 12.0

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname livrtr

!

enable secret 5

!

memory-size iomem 20

ip subnet-zero

no ip source-route

no ip finger

no ip domain-lookup

!

ip inspect max-incomplete high 1100

ip inspect one-minute high 1100

ip inspect name Ethernet_0 tcp

ip inspect name Ethernet_0 udp

ip inspect name Ethernet_0 ftp

ip inspect name Ethernet_0 rcmd

ip inspect name Ethernet_0 realaudio

ip inspect name Ethernet_0 smtp

ip inspect name Ethernet_0 tftp

!

crypto isakmp policy 1

authentication pre-share

crypto isakmp key xxxx address 12.12.12.12

crypto isakmp key xxxx address 13.13.13.13

crypto isakmp key xxxx address 11.11.11.11

!

crypto ipsec transform-set PH esp-des

mode transport

crypto ipsec transform-set DMZ esp-3des

mode transport

!

crypto map TUNNELMAP 10 ipsec-isakmp

set peer 12.12.12.12

set transform-set PH

match address 155

crypto map TUNNELMAP 20 ipsec-isakmp

set peer 11.11.11.11

set transform-set PH

match address 177

crypto map TUNNELMAP 30 ipsec-isakmp

set peer 13.13.13.13

set transform-set DMZ

match address 199

!

interface Tunnel0

description LIVONIA-LANGLEY

ip address 192.168.0.1 255.255.255.0

no ip directed-broadcast

no ip route-cache

no ip mroute-cache

tunnel source Ethernet0/1

tunnel destination 12.12.12.12

crypto map TUNNELMAP

!

interface Tunnel1

description LIVONIA-EDMONTON

ip address 192.168.1.1 255.255.255.0

no ip directed-broadcast

no ip route-cache

no ip mroute-cache

tunnel source Ethernet0/1

tunnel destination 11.11.11.11

crypto map TUNNELMAP

!

interface Tunnel2

description LIVONIA-DMZ

ip address 192.168.3.1 255.255.255.0

no ip directed-broadcast

no ip route-cache

no ip mroute-cache

tunnel source Ethernet0/1

tunnel destination 13.13.13.13

crypto map TUNNELMAP

!

interface Ethernet0/0

description LAN

ip address 192.168.2.1 255.255.255.0

ip access-group 100 in

no ip directed-broadcast

no ip proxy-arp

ip nat inside

ip inspect Ethernet_0 in

no cdp enable

!

interface Ethernet0/1

description INTERNET

ip address x.x.x.x 255.255.255.0

ip access-group 101 in

no ip directed-broadcast

no ip proxy-arp

ip nat outside

no cdp enable

crypto map TUNNELMAP

!

ip nat inside source route-map NONAT interface Ethernet0/1 overload

ip nat inside source static 192.168.2.12 x.x.x.x

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.x

ip route 192.168.55.0 255.255.255.0 Tunnel0

ip route 192.168.77.0 255.255.255.0 Tunnel1

ip route 192.168.99.0 255.255.255.0 Tunnel2

no ip http server

!

logging 192.168.2.12

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 100 deny ip x.x.x.x 0.0.0.255 any log-input

access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input

access-list 100 deny ip host 0.0.0.0 any log-input

access-list 100 permit ip 192.168.0.0 0.0.255.255 any

access-list 100 permit icmp any any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input

access-list 101 deny ip 224.0.0.0 31.255.255.255 any log-input

access-list 101 deny ip host 0.0.0.0 any log-input

access-list 101 deny udp host 13.13.13.13 host 10.10.10.10 eq isakmp time-ra

nge DMZBAK

access-list 101 deny esp host 13.13.13.13 host 10.10.10.10 time-range DMZBAK

access-list 101 deny gre host 13.13.13.13 host 10.10.10.10 time-range DMZBAK

access-list 101 permit udp any host 10.10.10.10 eq isakmp

access-list 101 permit esp any host 10.10.10.10

access-list 101 permit gre any host 10.10.10.10

access-list 101 permit gre any host 10.10.10.11

access-list 101 permit tcp any host 10.10.10.11 eq 1723

access-list 101 permit icmp any any

access-list 101 permit udp any host 10.10.10.11 eq 5632

access-list 101 permit tcp any host 10.10.10.11 eq 5631

access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.77.0 0.0.0.255

access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 150 permit ip 192.168.2.0 0.0.0.255 any

access-list 155 permit gre host 10.10.10.10 host 12.12.12.12

access-list 177 permit gre host 10.10.10.10 host 11.11.11.11

access-list 199 permit gre host 10.10.10.10 host 13.13.13.13

no cdp run

route-map NONAT permit 10

match ip address 150

!

snmp-server engineID local xxxxxx

snmp-server community xxxx RO 1

snmp-server community xxxx RW 1

banner motd ^C* This router is property of

Any unauthorized use is strictly prohibited. *^C

!

line con 0

session-timeout 15

exec-timeout 15 0

password 7

login

transport input none

line aux 0

transport input all

stopbits 1

speed 57600

line vty 0 4

session-timeout 180

access-class 1 in

exec-timeout 15 0

password 7

login

transport input telnet

!

time-range DMZBAK

periodic daily 3:15 to 1:45

!

no scheduler allocate

end

vmoopeung · ‎12-22-2003

You have some problem with access-list associated with time range value , check out whether you pinged in those time .