We have a UC500 setup that does a site-to-site VPN with a Cisco 800 series router. The problem we seem to experience is calls dropping at the remote site, and also the VPN seems to disconnect from time to time; to get it up and running again we have to restart the router.
Has anyone experienced anything like this before? Maybe there is something I should look out for?
I know it's not ideal to have a UC500 sitting on the edge of the network and we should really have another router do all the VPN and routing stuff, but this was not set up by us and I want to help them out. But before we start purchasing new h/w I want to make sure that getting a new router WILL solve the issue.
I would start by diagnosing whether it isn't an internet connection quality issue causing the drops.
There is a variety of tools you can use for that, the simplest being of the WhatsUp type.
I don't see anything wrong with having the UC500 face the internet, as long as it is correctly configured.
I've been taught not to place the UC on the edge, as it's best to keep voice and routing on separate devices. I have found out that the type of VPN they use is EzVPN. Would you suggest IPsec for site-to-site instead? However, I am not sure if they have a static IP at the remote site, so that may be the reason why they have this type of VPN in the first place.
What I was thinking is sticking a Cisco 857 router in instead of the SRP527 and making that do all the VPN and routing. I will run some diagnostics when I get a chance tomorrow.
In order to see why the tunnel is dropping, you will want to run the following debugs on both routers:
- debug crypto isakmp
- debug crypto ipsec
Since it's an intermittent thing and you don't know when the tunnel will drop, it's best to set up a syslog server and send debugging-level logs to it:
- logging trap debug
If a syslog server isn't available, you can bump up the buffer size and log to the buffer:
- no logging console
- logging buffer 1024000 debug
Please note, it's always best to get debugs from both sides around the time of the drop.
This is what I get quite a bit.
820487: Feb 2 09:37:06.075: %FW-6-DROP_PKT: Dropping tcp session 22.214.171.124:25 192.168.10.2:29443 due to Stray Segment with ip ident 0 tcpflags 0x5010 seq.no 680750143 ack 259908053
820488: Feb 2 09:37:45.715: %VOICE_IEC-3-GW: C SCRIPTS: Internal Error (Interface busy): IEC=126.96.36.199.26.0 on callID -1
820489: Feb 2 09:37:48.843: %ISDN-6-CONNECT: Interface Serial0/3/0:0 is now connected to 7811491251 N/A
820490: Feb 2 09:38:07.255: %VOICE_IEC-3-GW: CCAPI: Internal Error (Software Error): IEC=188.8.131.52.13.114 on callID 13784 GUID=716C1EF54CB811E19852937BC28CB60A
Does that have anything to do with the VPN session?
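The debugging post above suggests shipping debug-level logs to a syslog server, and the excerpt just posted shows what such a log looks like. The script below is an added example, not something from the thread or from Cisco: it parses IOS syslog lines in that format (sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC, message), separates CRYPTO/ISAKMP/IPsec messages from voice and ISDN noise, checks whether firewall drops touch IKE traffic (UDP 500/4500), and lists which messages fell in the minute before each crypto event so they can be read together. The first four sample lines are the ones posted; the fifth is a constructed CRYPTO line added so the crypto branch has input, and is not from the poster's router. The `IKE_PORTS` set and the 60-second window are assumptions.

```python
"""Triage Cisco IOS syslog lines while chasing IPsec/ISAKMP tunnel drops (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample. Lines 1-4 are the ones posted in the thread; line 5 is a
# made-up CRYPTO entry in the same format so the crypto branch below has something
# to match. It is illustrative only.
SAMPLE_LOG = """\
820487: Feb 2 09:37:06.075: %FW-6-DROP_PKT: Dropping tcp session 22.214.171.124:25 192.168.10.2:29443 due to Stray Segment with ip ident 0 tcpflags 0x5010 seq.no 680750143 ack 259908053
820488: Feb 2 09:37:45.715: %VOICE_IEC-3-GW: C SCRIPTS: Internal Error (Interface busy): IEC=126.96.36.199.26.0 on callID -1
820489: Feb 2 09:37:48.843: %ISDN-6-CONNECT: Interface Serial0/3/0:0 is now connected to 7811491251 N/A
820490: Feb 2 09:38:07.255: %VOICE_IEC-3-GW: CCAPI: Internal Error (Software Error): IEC=188.8.131.52.13.114 on callID 13784 GUID=716C1EF54CB811E19852937BC28CB60A
820491: Feb 2 09:38:10.001: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.5 has no SA and is not an initialization offer
"""

# seq: Mon D HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text   (year is not logged by IOS)
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# "tcp session A:p B:q" as printed by %FW-6-DROP_PKT
SESSION_RE = re.compile(r"(\w+) session (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+)")
IKE_PORTS = {500, 4500}  # assumption: IKE and NAT-T; ESP itself has no ports


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["severity"] = int(rec["severity"])
    # collapse the double space IOS uses for single-digit days; year defaults to 1900,
    # which is fine for ordering within one capture
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S.%f")
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def classify(rec):
    """'crypto' for IKE/IPsec messages, 'fw-ike' for firewall drops of IKE/NAT-T
    traffic, 'fw-other' for any other firewall drop, 'other' for everything else."""
    if rec["facility"] == "CRYPTO" or "ISAKMP" in rec["mnemonic"] or "IPSEC" in rec["mnemonic"]:
        return "crypto"
    if rec["facility"] == "FW":
        m = SESSION_RE.search(rec["text"])
        if m and m.group(1).lower() == "udp" and {int(m.group(3)), int(m.group(5))} & IKE_PORTS:
            return "fw-ike"
        return "fw-other"
    return "other"


def triage(text, window=timedelta(seconds=60)):
    """Count buckets and, for each crypto event, list the mnemonics seen in the
    preceding window so the surrounding messages can be read together."""
    recs = parse_log(text)
    buckets = Counter(classify(r) for r in recs)
    context = []
    for c in (r for r in recs if classify(r) == "crypto"):
        near = [r for r in recs if r is not c and c["ts"] - window <= r["ts"] <= c["ts"]]
        context.append((c["seq"], [r["mnemonic"] for r in near]))
    return {"records": len(recs), "buckets": dict(buckets), "crypto_context": context}


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["seq"], classify(rec), rec["facility"], rec["mnemonic"])
    print(triage(SAMPLE_LOG))
```

On the posted lines this puts the %FW-6-DROP_PKT entry in `fw-other` (it is a TCP port 25 session, not IKE traffic) and the VOICE_IEC and ISDN entries in `other`; the script sorts the log, it does not decide why the tunnel dropped, which still needs the `debug crypto isakmp` / `debug crypto ipsec` output from both ends.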
For starters, the SRP527s are somewhat unproven as a VPN router/concentrator when you throw a UC into the mix; at this stage I would question their capabilities with the current firmware as well.
Secondly, it doesn't run IOS, so you would have to use the GUI for debugging, which is not quite as informative as, say, an IOS debug.
Your suggestion to go for an 857 is a pretty good decision, but at this point I would highly recommend an 867, which are the newer ones and are not EOL/EOS like the 857 model is.
Alternatively, you can place the 527 in bridge mode and have the UC control the internet connection, which is absolutely fine so long as the firewall on the UC is correctly configured, and this can be easily achieved if you use CCA to configure the system.
I am sure you will get some resistance to my comment on the 527s, but I am fairly certain I am right, as I ran tests on them for quite some time to find their limitations. They are an awesome DSL router and brilliant at doing that, but start asking too much of them and they get VERY...VERY...VERY hot and start to drop connections and under-perform badly.
Well, that's my 2c on this topic lol
Thanks for that. I am on site now running some tests, and it turns out the SRP has been replaced and they now have a BT Infinity connection (modem with a direct RJ45 connection into the UC560's WAN port). The UC now controls the internet and VPN.
I can also see that the remote site connects to the UC with an SR520 via an EzVPN tunnel. I have also just witnessed a drop in the VPN tunnel.
Here it is attached
Yep, that will happen.
The UC is doing what it is supposed to; ACL 104 is not liking it.
Did you use CCA to build the firewall/ACL rules? Or did you configure it via CLI?
It's getting late where I am now and I am desperate for sleep. If I get a chance to look into the debugs after I finish a major job tomorrow I will report back, but in saying that, someone should get to it before me, or you will work it out by then; either way, I'll check back tomorrow.
This was configured by the major telecoms company here, and I think they have done it via CCA. I prefer to use the CLI to do the configurations. I just need to work out how to stop the VPN connection from dropping out.