We have a Cisco 827-4V VPN Router with IOS ver. 12.2. We use this router for several hardware-to-hardware VPN connections as well as software-to-hardware VPN connections. We just recently set up another Cisco hardware-to-hardware connection for a remote location, and all had been working fine. Then the 827 router got rebooted. After it rebooted, the new location began to have trouble accessing the resources on our LAN. They could ping our servers and devices using the IP address or the host name. We could ping their devices but could not print to any of their printers. They were unable to log into any of the applications, including our Exchange email server. We narrowed the problem down to an access-list entry. We found out that by removing the access-list in question and then re-applying it, things worked like they were supposed to. However, when we reboot this router the problem recurs. The strange thing is that this access-list is still in place in the configuration, but doesn't work unless we remove it and re-apply it. The access-list in question is number 130. This problem only affects the one remote location; our other locations continue to work fine, as do any of our users who are accessing the network via a software VPN. I'm attaching the configuration; any help on solving this issue would be appreciated.
This is a pretty strange symptom. I would like to clarify one thing about what you describe. You remove access list 130 and re-add it. Is the content of access list 130 in the startup config exactly the same as the content of access list 130 in the running config? (Is the access list 130 that you remove only a single line? And does it have exactly the same addresses and masks as the line that you add back in?)
Yes, the content is exactly the same; we actually copy the access-list line before removing it and then Paste to Host to put it back. And yes, it is a single line with the same addresses and masks.
It sounds a bit like a symptom that I have seen in one environment. If you do not remove and add the access list, but instead issue the commands clear crypto isakmp and clear crypto sa, will it bring up the connection and begin to communicate?
I certainly understand that while the connection is working that you do not want to do anything to disrupt it. The next time that you need to reboot give the clear crypto commands a try and post back indicating whether they helped or not.
As for what it would mean if it works, I am not clear about that. I have observed the symptom of not negotiating ISAKMP after a reboot and found a workaround that is less intrusive than removing and replacing an access list (and I assume that both may have the same result of re-initializing something). We are still looking for the cause of the problem and have not yet found it. I note that we have lots of routers running site-to-site VPN tunnels and they work fine after a reboot. We have one connection that has this symptom of having a problem after a reboot.
I once encountered an issue similar to yours. It was caused by ASDM (SDM in routers), which was placing a weird character in a crypto statement. Did you use SDM to enter access-lists? If yes, I would recommend removing the ACEs one by one, then removing the ACL, and typing a new one with a new name via the CLI.
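The two workarounds above (clearing the ISAKMP and IPsec SAs instead of touching the ACL, and replacing a possibly SDM-damaged ACL from the CLI) are shown together below as an added example. It is not the poster's configuration: the ACL contents, crypto map name, transform set, peer address, interface name and the new ACL name are all assumed for illustration. It also shows how a crypto ACL is bound to the tunnel, which is why removing or editing access-list 130 affects that one peer only.

```cisco
! Added example, not the original poster's configuration.
! Addresses, names and the interface are assumed for illustration.
!
! --- configuration mode ---
! The crypto ACL defines the "interesting" traffic for one peer; the
! crypto map entry for that peer points at it with "match address".
! This is why only the remote site using ACL 130 is affected.
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
crypto map VPNMAP 30 ipsec-isakmp
 set peer 203.0.113.50
 set transform-set ESP-3DES-SHA
 match address 130
!
interface Dialer1
 crypto map VPNMAP
!
! --- exec mode, after a reboot ---
! Check the ACL text as the router actually stored it (a stray character
! inserted by SDM would show up here) and whether the peer has any
! Phase 1 / Phase 2 SAs at all.
show running-config | include access-list 130
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.50
!
! Less intrusive workaround: tear down the SAs so they renegotiate
! instead of removing and re-adding the crypto ACL.
clear crypto isakmp
clear crypto sa peer 203.0.113.50
!
! --- configuration mode, if the ACL text looks suspect ---
! Recreate the ACL from the CLI under a new name and repoint the
! crypto map at it, rather than editing the old ACL through SDM.
no access-list 130
ip access-list extended VPN-TO-REMOTE50
 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
crypto map VPNMAP 30 ipsec-isakmp
 match address VPN-TO-REMOTE50
```

Run the show commands once immediately after the reboot (before any workaround) and again after the clear commands; whether the SAs for 203.0.113.50 appear only after the clear tells you whether the problem is SA negotiation rather than the ACL text itself. Save with write memory after changing the ACL, or the startup config will still carry the old entry on the next reboot.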