
VPN Access-List stops working

ricky
Level 1

We have a Cisco 827-4V VPN Router with IOS ver. 12.2. We use this Router for several hardware-to-hardware VPN connections as well as software-to-hardware VPN connections. We just recently set up another Cisco hardware-to-hardware connection for a remote location and all had been working fine. Then the 827 router got rebooted. After it rebooted, the new location began to have trouble accessing the resources on our LAN. They could ping our servers and devices using the IP address or the host name. We could ping their devices but could not print to any of their printers. They were unable to log into any of the applications, including our Exchange email server. We narrowed the problem down to an Access-List entry. We found out that by removing the Access-List in question and then re-applying it, things worked like they were supposed to. However, when we reboot this router the problem re-occurs. The strange thing is this Access-List is still in place in the configuration, but doesn't work unless we remove it and re-apply it. The Access-List in question is number 130. This problem only affects the one remote location; our other locations continue to work fine, as well as any of our users who are accessing the network via a software VPN. I'm attaching the configuration; any help on solving this issue would be appreciated.

7 Replies

Richard Burts
Hall of Fame

Ricky

This is a pretty strange symptom. I would like to clarify one thing about what you describe. You remove access list 130 and re-add it. Is the content of access list 130 in the startup config exactly the same as the content of access list 130 in the running config? (Is the access list 130 that you remove only a single line, and does it have exactly the same addresses and masks as the line that you add back in?)

HTH

Rick


Yes, the content is exactly the same, we actually will copy the access-list line before removing it and then Paste to Host to put it back. And, yes it is a single line with the same addresses and masks.

Ricky

Well there goes one theory :(

It sounds a bit like a symptom that I have seen in one environment. If you do not remove and add the access list, but instead you issue the commands clear crypto isakmp and clear crypto sa, will it bring up the connection and begin to communicate?

HTH

Rick


Rick,

No, we haven't tried that, and currently we have the connection working, so we will have to test that at a later time. But what would that mean if that did work?

Ricky

I certainly understand that while the connection is working you do not want to do anything to disrupt it. The next time that you need to reboot, give the clear crypto commands a try and post back indicating whether they helped or not.

As for what it would mean if it works I am not clear about that. I have observed the symptom of not negotiating ISAKMP after a reboot and found a workaround that is less intrusive than removing and replacing an access list (and assume that both may have the same result of re-initializing something). We are still looking for the cause of the problem and have not yet found it. I note that we have lots of routers running site to site VPN tunnels and they work fine after a reboot. We have one connection that has this symptom of having a problem after a reboot.

HTH

Rick


Rick,

We will certainly try this next time we have to reboot and I'll post back the results. I do appreciate your input and taking the time to discuss this issue.

Ricky

Hi Ricky

I once encountered an issue similar to yours. It was caused by ASDM (SDM in routers), which was placing a weird char in a crypto statement. Did you use SDM to enter access-lists? If yes, I would recommend removing ACEs one by one, then removing the ACL, and typing a new one with a new name via CLI.

Regards
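
Added example, not code from any poster in this thread or from Cisco: a small Python check that pulls one numbered ACL out of saved copies of the startup and running configs and reports ACEs that differ or carry non-printable or non-ASCII characters, the kind of stray character the last reply attributes to SDM. The two config texts and the addresses in them are constructed for the example; the ACL number 130 is the one from the thread.

```python
import re
import unicodedata

# Constructed sample configs (not the poster's attachment). The startup copy
# of ACL 130 hides a non-breaking space (U+00A0) that looks like a normal
# space on screen but is not what the CLI parser expects.
STARTUP_CONFIG = """\
!
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.20.0\u00a0 0.0.0.255
access-list 131 permit ip any any
!
"""
RUNNING_CONFIG = """\
!
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 131 permit ip any any
!
"""

ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(.*)$")


def extract_acl(config_text, acl_number):
    """Return the ACE lines of one numbered ACL, in configuration order."""
    entries = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line)
        if m and int(m.group(1)) == acl_number:
            entries.append(line.rstrip("\r"))
    return entries


def odd_chars(line):
    """(index, description) for every byte outside printable 7-bit ASCII."""
    return [(i, f"U+{ord(c):04X} {unicodedata.name(c, '?')}")
            for i, c in enumerate(line) if ord(c) < 0x20 or ord(c) > 0x7E]


def normalize(line):
    """Collapse only plain spaces/tabs so odd whitespace still shows up."""
    return re.sub(r"[ \t]+", " ", line.strip())


def compare_acl(startup_text, running_text, acl_number):
    """Diff one ACL between two config copies and flag suspicious characters."""
    s = extract_acl(startup_text, acl_number)
    r = extract_acl(running_text, acl_number)
    report = {
        "startup_count": len(s), "running_count": len(r),
        "mismatched": [(a, b) for a, b in zip(s, r) if normalize(a) != normalize(b)],
        "odd_startup": {l: odd_chars(l) for l in s if odd_chars(l)},
        "odd_running": {l: odd_chars(l) for l in r if odd_chars(l)},
    }
    report["clean"] = not (report["mismatched"] or report["odd_startup"]
                           or report["odd_running"] or len(s) != len(r))
    return report
```

Run it against `show startup-config` and `show running-config` output saved to files; a non-empty `odd_startup` is a reason to retype the ACE from the CLI rather than keep re-applying the pasted line.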
