Cisco 861 to Sonicwall - intermittent tunnel issue

Hi.  We have a new remote office with a Cisco 861 router tunneling
into a Sonicwall TZ180.  The tunnel comes up and seems to work for a
while, but drops intermittently.  When it drops, we lose VPN but not
Internet browsing.  We attempted to swap the Cisco out with a spare
Sonicwall and the tunnel stays up perfectly, but we want to keep
the Cisco in place.  Here are the corresponding configuration details -
notice anything?  When it goes down, a power cycle on the remote
office end fixes the issue.

--
Sonicwall:
Authentication method: IKE using preshared secret
IKE Phase 1 proposal: Main mode, Group 2, 3DES/SHA1, 28800 lifetime
Ipsec Phase 2 proposal: ESP/3DES/SHA1.  No PFS.
--


Cisco 861 --- this is a summary of the config, leaving out some class-
map and policy-map details.
!
crypto isakmp key ********** address MAIN-OFFICE-IP
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to MAIN OFFICE
 set peer MAIN-OFFICE-IP
 set transform-set ESP-3DES-SHA1
 match address 103
!
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address OUTSIDE_IP_HERE 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY_HERE
!
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 remark CCP_ACL Category=16
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 66.148.129.218 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 255.255.255.255
access-list 102 permit ip any 127.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_2 permit 1
 match ip address 105
!
--
Thanks,
Joe


Re: Cisco 861 to Sonicwall - intermittent tunnel issue

Hi,

This forum is not for c800 support. Please use Netpro for these questions. On the question you ask, I would try to enable keepalives on the Cisco side:

UC500(config)#crypto isakmp keepalive ?
  <10-3600>  Number of seconds between keep alives

Thanks,

Marcos
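
An added example, not part of either post: a small Python check over the posted config summary that confirms the tunnel flow in the crypto ACL is exempted from NAT overload and reports whether the "crypto isakmp keepalive" line suggested in the reply is present. The sample text is constructed from the lines above; audit() and acl_entries() are hypothetical helper names, and ACLs are compared by exact text rather than subnet containment.

```python
import re

# Constructed sample: the relevant lines of the config summary posted above.
SAMPLE = """\
crypto map SDM_CMAP_2 1 ipsec-isakmp
 match address 103
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 deny   ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
route-map SDM_RMAP_2 permit 1
 match ip address 105
"""

ACE = re.compile(r"access-list (\d+) (permit|deny)\s+ip (.+)$")

def acl_entries(lines, number):
    """Return [(action, 'src dst')] for one numbered ACL, in config order."""
    hits = (ACE.match(l) for l in lines)
    return [(m.group(2), " ".join(m.group(3).split()))
            for m in hits if m and m.group(1) == number]

def audit(config):
    """Return a list of findings (hypothetical helper, exact-text ACL matching)."""
    lines = [l.strip() for l in config.splitlines()]
    m = re.search(r"^\s*match address (\d+)\s*$", config, re.M)
    crypto_acl = m.group(1) if m else None
    m = re.search(r"^\s*ip nat inside source route-map (\S+)", config, re.M)
    rmap = m.group(1) if m else None
    # Find the ACL referenced by the route-map that drives NAT overload.
    nat_acl, current = None, None
    for l in lines:
        if l.startswith("route-map "):
            current = l.split()[1]
        elif rmap and current == rmap and l.startswith("match ip address "):
            nat_acl = l.split()[-1]
    nat = acl_entries(lines, nat_acl)
    # Only denies placed before the first permit exempt traffic from NAT.
    first_permit = next((i for i, (a, _) in enumerate(nat) if a == "permit"), len(nat))
    findings = []
    for action, flow in acl_entries(lines, crypto_acl):
        if action == "permit" and ("deny", flow) not in nat[:first_permit]:
            findings.append(f"tunnel flow '{flow}' is not exempted from NAT (ACL {nat_acl})")
    if not any(l.startswith("crypto isakmp keepalive") for l in lines):
        findings.append("no 'crypto isakmp keepalive' line (suggested in the reply)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the posted summary the NAT exemption checks out, so the only finding is the missing keepalive line.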
