Cisco 861 to Sonicwall - intermittent tunnel issue
Hi. We have a new remote office with a Cisco 861 router tunneling into a Sonicwall TZ180. The tunnel comes up and seems to work for a while, but drops intermittently. When it drops, we lose VPN but not Internet browsing. We attempted to swap the Cisco out with a spare Sonicwall and the tunnel stays up perfectly - but we want to keep the Cisco in place. Here are the corresponding configuration details - notice anything? When it goes down, a power cycle on the remote office end fixes the issue.
-- Sonicwall:
Authentication method: IKE using preshared secret
IKE Phase 1 proposal: Main mode, Group 2, 3DES/SHA1, 28800 lifetime
Ipsec Phase 2 proposal: ESP/3DES/SHA1. No PFS.

-- Cisco 861 --- this is a summary of the config, leaving out some class-map and policy-map details.
!
crypto isakmp key ********** address MAIN-OFFICE-IP
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to MAIN OFFICE
 set peer MAIN-OFFICE-IP
 set transform-set ESP-3DES-SHA1
 match address 103
!
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address OUTSIDE_IP_HERE 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY_HERE
!
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 remark CCP_ACL Category=16
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 126.96.36.199 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 255.255.255.255
access-list 102 permit ip any 127.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_2 permit 1
 match ip address 105
!
--
Thanks,
Joe
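Added example, not part of the original post: a small Python check that reads the tunnel-relevant lines of the Cisco summary above and compares them with the Phase 2 values listed for the Sonicwall, then confirms that the NAT overload ACL exempts the crypto ACL's traffic. The summary shows no `crypto isakmp policy` or lifetime lines, so Phase 1 is not checked; the function and finding names are hypothetical.

```python
import re

# Tunnel-relevant lines copied from the post's Cisco summary (placeholders kept).
CISCO_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set peer MAIN-OFFICE-IP
 set transform-set ESP-3DES-SHA1
 match address 103
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 deny ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
route-map SDM_RMAP_2 permit 1
 match ip address 105
"""
# Phase 2 values the post lists for the Sonicwall: ESP/3DES/SHA1, no PFS.
PEER_TRANSFORMS = {"esp-3des", "esp-sha-hmac"}
PEER_PFS = False

def acl_entries(cfg, num):
    """Ordered (action, match) pairs of a numbered ACL; remarks are skipped."""
    return re.findall(rf"^access-list {num} (permit|deny) (.+)$", cfg, re.M)

def audit(cfg):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    body = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\n((?: .+\n)+)", cfg, re.M).group(1)
    ts_name = re.search(r"set transform-set (\S+)", body).group(1)
    crypto_acl = re.search(r"match address (\d+)", body).group(1)
    ts = re.search(rf"^crypto ipsec transform-set {re.escape(ts_name)} (.+)$", cfg, re.M)
    if set(ts.group(1).split()) != PEER_TRANSFORMS:
        findings.append("phase2-transform-mismatch")
    if ("set pfs" in body) != PEER_PFS:
        findings.append("pfs-mismatch")
    # The ACL behind the NAT overload route-map must deny the protected
    # traffic before its first permit, or that traffic is translated and
    # no longer matches the crypto ACL.
    rmap = re.search(r"^ip nat inside source route-map (\S+) .*overload", cfg, re.M).group(1)
    nat_acl = re.search(rf"^route-map {re.escape(rmap)} permit \d+\n match ip address (\d+)",
                        cfg, re.M).group(1)
    nat = acl_entries(cfg, nat_acl)
    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
    for action, match in acl_entries(cfg, crypto_acl):
        if action == "permit" and ("deny", match) not in nat[:first_permit]:
            findings.append(f"nat-not-exempt: {match}")
    return findings

if __name__ == "__main__":
    print(audit(CISCO_CONFIG) or "visible Phase 2 and NAT-exemption lines are consistent")
```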