Cisco Support Community

New Member

Cisco 861 to Sonicwall - intermittent tunnel issue

Hi. We have a new remote office with a Cisco 861 router tunneling
into a Sonicwall TZ180. The tunnel comes up and seems to work for a
while, but drops intermittently. When it drops, we lose VPN but not
Internet browsing. We attempted to swap the Cisco out with a spare
Sonicwall and the tunnel stays up perfectly, but we want to keep
the Cisco in place. Here are the corresponding configuration details -
notice anything? When it goes down, a power cycle on the remote
office end fixes the issue.

Authentication method: IKE using preshared secret
IKE Phase 1 proposal: Main mode, Group 2, 3DES/SHA1, 28800 lifetime
IPsec Phase 2 proposal: ESP/3DES/SHA1. No PFS.

Cisco 861 --- this is a summary of the config, leaving out some class-map and policy-map details.

crypto isakmp key ********** address MAIN-OFFICE-IP
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to MAIN OFFICE
 set transform-set ESP-3DES-SHA1
 match address 103
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address OUTSIDE_IP_HERE
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
interface Vlan1
 description $FW_INSIDE$
 ip address
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
ip forward-protocol nd
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
access-list 1 permit
access-list 2 remark CCP_ACL Category=16
access-list 2 permit
access-list 3 remark CCP_ACL Category=2
access-list 3 permit
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host
access-list 102 permit ip any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip
access-list 105 permit ip any
route-map SDM_RMAP_1 permit 1
 match ip address 102
route-map SDM_RMAP_2 permit 1
 match ip address 105

New Member

Re: Cisco 861 to Sonicwall - intermittent tunnel issue


This forum is not for c800 support. Please use Netpro for these questions. On the question you ask, I would try to enable keepalives on the Cisco side:

UC500(config)#crypto isakmp keepalive ?
  <10-3600>  Number of seconds between keep alives
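
The keepalive suggestion above, written out as a complete IOS fragment together with a Phase 1 policy that matches the proposal listed in the original post. This is an added example, not configuration from either poster; the policy number 10 and the 10-second interval with 3-second retries are assumed values, and dead peer detection only takes effect if the SonicWall side also supports it and has it enabled.

```cisco
! Added example. Policy number and timer values are assumptions.
configure terminal
!
! Phase 1 policy pinned to the proposal from the post:
! Group 2, 3DES/SHA1, pre-shared key, 28800 s lifetime.
! Without an explicit lifetime IOS uses its default of 86400 s,
! which differs from the 28800 s stated for the peer.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! Dead peer detection: probe the peer every 10 s, retry every 3 s when
! a probe goes unanswered, and clear the stale SAs if the peer stays
! silent so that a fresh negotiation can start.
crypto isakmp keepalive 10 3 periodic
end
!
! Exec-mode checks after the change:
show crypto isakmp sa
show crypto session detail
```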