12-16-2003 01:17 PM - edited 03-02-2019 12:23 PM
One of my branches just moved to a new building and has acquired a new DSL provider. We are running a router-to-router VPN with 2611's.
They set up their equipment, I dialed in and changed the IP addresses on their router and ours. This was the only thing I changed. I pinged their public IP and private IP through the tunnel and both were working fine.
It worked for about 5 minutes and then no connectivity.
Here are the symptoms:
1. If I run a continuous ping to the private and public IPs, the private (through the tunnel) will time out after 5 minutes and the public will keep getting replies. When it stops getting replies, the response time of the pings gets very high and then settles down.
2. There are times when that branch can ping my public IP and access the internet but I can't ping their public IP at the same time.
3. Eventually all connectivity from their site is lost. Almost like it is slowly dying.
4. Recycling the router seems to temporarily fix the problem for about 5 minutes.
Below are the router configs. The only thing that was changed was the IP addresses on both routers. I am running another router-to-router VPN to another branch with the same configuration and having no problems.
The branch with problems is on DSL and Interbaun (Canada) is their ISP.
Could this be an ISP issue? Any suggestions?
Any help would be great!!!
Branch
edrtr#sh run
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname edrtr
!
enable secret 5
!
ip subnet-zero
no ip source-route
no ip finger
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name ETHERNET_0 tcp
ip inspect name ETHERNET_0 udp
ip inspect name ETHERNET_0 ftp
ip inspect name ETHERNET_0 smtp
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxxxx address 10.10.10.10
!
!
crypto ipsec transform-set PH esp-des
mode transport
!
!
crypto map TUNNELMAP 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set PH
match address 155
!
!
!
!
interface Tunnel0
description EDMONTON-LIVONIA
ip address 192.168.1.2 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
tunnel source Ethernet0/1
tunnel destination 10.10.10.10
crypto map TUNNELMAP
!
interface Ethernet0/0
description LAN
ip address 192.168.77.1 255.255.255.0
ip access-group 100 in
no ip directed-broadcast
no ip proxy-arp
ip nat inside
!
interface Serial0/0
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet0/1
description INTERNET
ip address x.x.x.x 255.255.255.240
ip access-group 101 in
no ip directed-broadcast
no ip proxy-arp
ip nat outside
ip inspect ETHERNET_0 out
crypto map TUNNELMAP
!
ip nat inside source route-map NONAT interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.2.0 255.255.255.0 Tunnel0
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 deny ip host 0.0.0.0 any log-input
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit icmp any any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 permit udp any host 11.11.11.11 eq isakmp
access-list 101 permit esp any host 11.11.11.11
access-list 101 permit gre any host 11.11.11.11
access-list 101 permit icmp any any
access-list 150 deny ip 192.168.77.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.77.0 0.0.0.255 any
access-list 155 permit gre host 11.11.11.11 host 10.10.10.10
route-map NONAT permit 10
match ip address 150
!
snmp-server engineID local xxxxxx
snmp-server community xxxxx RO 2
snmp-server community xxxxx RW 2
banner motd ^C!!! This router is property of . Any unauthorized use
is strictly prohibited.!!!
^C
!
line con 0
exec-timeout 15 0
password 7
logging synchronous
login
transport input none
line aux 0
password 7
login
modem InOut
modem autoconfigure type usr_sportster
transport input all
speed 115200
line vty 0 4
access-class 1 in
exec-timeout 15 0
password 7
login
transport input telnet
!
end
Corporate Office
livrtr#sh run
Building configuration...
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname livrtr
!
enable secret 5
!
memory-size iomem 20
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 ftp
ip inspect name Ethernet_0 rcmd
ip inspect name Ethernet_0 realaudio
ip inspect name Ethernet_0 smtp
ip inspect name Ethernet_0 tftp
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxx address 12.12.12.12
crypto isakmp key xxxx address 13.13.13.13
crypto isakmp key xxxx address 11.11.11.11
!
!
crypto ipsec transform-set PH esp-des
mode transport
crypto ipsec transform-set DMZ esp-3des
mode transport
!
!
crypto map TUNNELMAP 10 ipsec-isakmp
set peer 12.12.12.12
set transform-set PH
match address 155
crypto map TUNNELMAP 20 ipsec-isakmp
set peer 11.11.11.11
set transform-set PH
match address 177
crypto map TUNNELMAP 30 ipsec-isakmp
set peer 13.13.13.13
set transform-set DMZ
match address 199
!
!
!
!
interface Tunnel0
description LIVONIA-LANGLEY
ip address 192.168.0.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
tunnel source Ethernet0/1
tunnel destination 12.12.12.12
crypto map TUNNELMAP
!
interface Tunnel1
description LIVONIA-EDMONTON
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
tunnel source Ethernet0/1
tunnel destination 11.11.11.11
crypto map TUNNELMAP
!
interface Tunnel2
description LIVONIA-DMZ
ip address 192.168.3.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
tunnel source Ethernet0/1
tunnel destination 13.13.13.13
crypto map TUNNELMAP
!
interface Ethernet0/0
description LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
no ip directed-broadcast
no ip proxy-arp
ip nat inside
ip inspect Ethernet_0 in
no cdp enable
!
interface Ethernet0/1
description INTERNET
ip address x.x.x.x 255.255.255.0
ip access-group 101 in
no ip directed-broadcast
no ip proxy-arp
ip nat outside
no cdp enable
crypto map TUNNELMAP
!
ip nat inside source route-map NONAT interface Ethernet0/1 overload
ip nat inside source static 192.168.2.12 x.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.55.0 255.255.255.0 Tunnel0
ip route 192.168.77.0 255.255.255.0 Tunnel1
ip route 192.168.99.0 255.255.255.0 Tunnel2
no ip http server
!
logging 192.168.2.12
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 deny ip x.x.x.x 0.0.0.255 any log-input
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 100 deny ip host 0.0.0.0 any log-input
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit icmp any any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny udp host 13.13.13.13 host 10.10.10.10 eq isakmp time-range DMZBAK
access-list 101 deny esp host 13.13.13.13 host 10.10.10.10 time-range DMZBAK
access-list 101 deny gre host 13.13.13.13 host 10.10.10.10 time-range DMZBAK
access-list 101 permit udp any host 10.10.10.10 eq isakmp
access-list 101 permit esp any host 10.10.10.10
access-list 101 permit gre any host 10.10.10.10
access-list 101 permit gre any host 10.10.10.11
access-list 101 permit tcp any host 10.10.10.11 eq 1723
access-list 101 permit icmp any any
access-list 101 permit udp any host 10.10.10.11 eq 5632
access-list 101 permit tcp any host 10.10.10.11 eq 5631
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.77.0 0.0.0.255
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 155 permit gre host 10.10.10.10 host 12.12.12.12
access-list 177 permit gre host 10.10.10.10 host 11.11.11.11
access-list 199 permit gre host 10.10.10.10 host 13.13.13.13
no cdp run
route-map NONAT permit 10
match ip address 150
!
snmp-server engineID local xxxxxx
snmp-server community xxxx RO 1
snmp-server community xxxx RW 1
banner motd ^C* This router is property of
Any unauthorized use is strictly prohibited. *^C
!
line con 0
session-timeout 15
exec-timeout 15 0
password 7
login
transport input none
line aux 0
transport input all
stopbits 1
speed 57600
line vty 0 4
session-timeout 180
access-class 1 in
exec-timeout 15 0
password 7
login
transport input telnet
!
time-range DMZBAK
periodic daily 3:15 to 1:45
!
no scheduler allocate
end
12-22-2003 01:14 PM
You have some problem with the access-list associated with a time-range value; check whether you pinged during those times.
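An added example (not code from the thread or from either poster) that mechanises the two checks a reader would otherwise do by eye on the configs above: that the crypto map peers, the crypto ACLs (155 on edrtr, 177 on livrtr) and the tunnel destinations mirror each other across the two routers, and, following the reply's hint, which ACL entries carry a time-range that matches traffic between a given pair of peers. The config text is a constructed excerpt of the two posted configs with the sanitised addresses kept as posted; the parser tolerates the indentation lost in the dump and placeholder addresses such as x.x.x.x.

```python
# Added example, not code from the original thread. Cross-checks both ends of a Cisco IOS
# GRE-over-IPsec tunnel (mirrored crypto maps, crypto ACLs and tunnel destinations) and lists
# time-range ACL entries for a peer pair. The configs are constructed excerpts of the thread's.
import ipaddress

BRANCH_CFG = """\
crypto map TUNNELMAP 10 ipsec-isakmp
 set peer 10.10.10.10
 match address 155
interface Tunnel0
 tunnel destination 10.10.10.10
access-list 155 permit gre host 11.11.11.11 host 10.10.10.10
"""
CORP_CFG = """\
crypto map TUNNELMAP 20 ipsec-isakmp
 set peer 11.11.11.11
 match address 177
interface Tunnel1
 tunnel destination 11.11.11.11
access-list 101 deny udp host 13.13.13.13 host 10.10.10.10 eq isakmp time-range DMZBAK
access-list 101 deny gre host 13.13.13.13 host 10.10.10.10 time-range DMZBAK
access-list 101 permit gre any host 10.10.10.10
access-list 177 permit gre host 10.10.10.10 host 11.11.11.11
"""
PROTOS = {"ip", "tcp", "udp", "icmp", "esp", "gre", "ahp"}


def _addr(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A wildcard') -> (address, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tokens.pop(0), "0.0.0.0") if t == "host" else (t, tokens.pop(0))


def covers(spec, ip):
    """True if the address/wildcard spec matches ip (wildcard bits set to 1 are ignored)."""
    try:
        addr, wild, host = (int(ipaddress.IPv4Address(s)) for s in (*spec, ip))
    except ValueError:                  # sanitised placeholders such as x.x.x.x never match
        return False
    return (addr | wild) == (host | wild)


def parse(text):
    """Pull crypto map entries, extended ACL entries and tunnel destinations out of a config dump."""
    cfg, block = {"maps": [], "acls": {}, "tunnel_dests": set()}, {}
    for line in (raw.strip() for raw in text.splitlines()):   # the posted dumps lost indentation
        t = line.split()
        if line.startswith("crypto map ") and t[-1] == "ipsec-isakmp":
            block = {"peer": None, "acl": None}             # new crypto map entry being read
            cfg["maps"].append(block)
        elif line.startswith("set peer ") and "peer" in block:
            block["peer"] = t[2]
        elif line.startswith("match address ") and "acl" in block:
            block["acl"] = t[2]
        elif line.startswith("tunnel destination "):
            cfg["tunnel_dests"].add(t[2])
        elif line.startswith("access-list ") and len(t) > 4 and t[3] in PROTOS:  # extended ACL
            name, action, proto, rest = t[1], t[2], t[3], t[4:]
            src = _addr(rest)
            if rest[0] in ("eq", "gt", "lt", "neq"):        # source port operator
                del rest[:2]
            dst = _addr(rest)
            tr = rest[rest.index("time-range") + 1] if "time-range" in rest else None
            cfg["acls"].setdefault(name, []).append(
                {"action": action, "proto": proto, "src": src, "dst": dst, "time_range": tr})
    return cfg


def audit_tunnel(local, remote, peer):
    """Findings for local's tunnel toward peer, checked against remote's config (empty = consistent)."""
    maps = [m for m in local["maps"] if m["peer"] == peer]
    if not maps:
        return [f"no crypto map entry with peer {peer}"]
    acl = maps[0]["acl"]
    gre = [e for e in local["acls"].get(acl, [])
           if e["action"] == "permit" and e["proto"] == "gre" and e["dst"] == (peer, "0.0.0.0")]
    if not gre:
        return [f"crypto ACL {acl} does not permit GRE to host {peer}"]
    me = gre[0]["src"][0]               # our own public address, as named in the crypto ACL
    rmaps = [m for m in remote["maps"] if m["peer"] == me]
    if not rmaps:
        return [f"remote has no crypto map entry with peer {me}"]
    findings = []
    mirror = {"action": "permit", "proto": "gre", "src": (peer, "0.0.0.0"),
              "dst": (me, "0.0.0.0"), "time_range": None}
    if mirror not in remote["acls"].get(rmaps[0]["acl"], []):
        findings.append(f"remote crypto ACL {rmaps[0]['acl']} is not the mirror of {acl}")
    if me not in remote["tunnel_dests"]:
        findings.append(f"remote has no tunnel interface with destination {me}")
    return findings


def time_range_entries(cfg, a, b):
    """ACL entries carrying a time-range that match traffic between hosts a and b (either way)."""
    return [(name, e["action"], e["proto"], e["time_range"]) for name, es in cfg["acls"].items()
            for e in es if e["time_range"] and (covers(e["src"], a) and covers(e["dst"], b)
                                                 or covers(e["src"], b) and covers(e["dst"], a))]
```

Run against the two excerpts, `audit_tunnel` returns no findings in either direction (branch toward 10.10.10.10, corporate toward 11.11.11.11), and `time_range_entries(corp, "13.13.13.13", "10.10.10.10")` lists the DMZBAK denies in ACL 101 while the same query for 11.11.11.11 returns nothing, so those entries only govern the 13.13.13.13 peer. Swapping the two hosts in ACL 177 makes the audit report the ACL as not mirrored, which is the kind of one-sided edit that lets a tunnel come up and then fail once rekeying or the far side's security association takes over.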