Cisco Support Community
New Member

Cisco 871 and 861w always hangs after vpn configuration

We are using Cisco 871 and 861W routers for some home offices and have configured a site-to-site VPN back to HQ. However, all the users complain that after a while they need to reboot the router because it hangs; I can't even ping it when it hangs. After the reboot, everything works OK. What is the problem? Can anybody help? Thanks

3 REPLIES
Cisco Employee

Re: Cisco 871 and 861w always hangs after vpn configuration

Hi,

Can you console into the router at the time when it hangs? There could be multiple reasons for the router not responding. Look at things like CPU usage, memory usage, interface stats, etc. I would suggest getting a "show tech" from the router at the time when it hangs and opening up a TAC case with all available information for looking into this. Working out the reason for such a thing over here will be tough unless we have more specifics.

Let me know if there is some detail that has caught your attention.

Regards,

Prapanch

New Member

Re: Cisco 871 and 861w always hangs after vpn configuration

Thanks for your help. If I remember right, when the system hangs, I have no access to the box any more: no telnet, not tried the console. Here is my configuration, is there any mistake?

Cisco871#sh run
Building configuration...

Current configuration : 5311 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco871
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 **
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2330963373
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2330963373
revocation-check none
rsakeypair TP-self-signed-2330963373
!
!
crypto pki certificate chain TP-self-signed-2330963373
certificate self-signed 01
 
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.19.9.1 172.19.9.99
!
ip dhcp pool INSIDE_POOL
   network 172.19.9.0 255.255.255.0
   default-router 172.19.9.1
 
  
!
!
ip cef
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL telnet
ip inspect name FIREWALL ftp
ip inspect name FIREWALL http
ip inspect name FIREWALL https
ip inspect name FIREWALL router
ip inspect name FIREWALL icmp
ip inspect name FIREWALL imap
ip inspect name FIREWALL imap3
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL ipsec-msft
no ip domain lookup

!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key ****** address 192.3.1.21
!
!
crypto ipsec transform-set VPN-SET esp-aes 256 esp-md5-hmac
!        
crypto map VPN-MAP 100 ipsec-isakmp
set peer 192.3.1.21
set security-association lifetime seconds 28800
set transform-set VPN-SET
set pfs group2
set reverse-route distance 100
match address 101
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
description inside
!
interface FastEthernet1
description inside
!
interface FastEthernet2
description inside
!
interface FastEthernet3
description inside
!
interface FastEthernet4
description Internet
ip address dhcp
ip access-group 199 in
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-MAP
!
interface Vlan1
description inside
ip address 172.19.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!        
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map no-nat interface FastEthernet4 overload
!
access-list 101 remark define networks for VPN encryption
access-list 101 permit ip 172.19.9.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 110 remark define networks for NAT exclusion
access-list 110 deny   ip 172.19.9.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 110 permit ip 172.19.9.0 0.0.0.255 any
access-list 199 remark careful with things from the Internet
access-list 199 permit udp any any eq bootpc
access-list 199 permit udp any any eq isakmp
access-list 199 permit ip host 192.3.1.21 any
access-list 199 deny   ip any any
no cdp run

!
!
!
route-map no-nat permit 10
match ip address 110
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 *****
login
transport input telnet ssh
!        
scheduler max-task-time 5000
end

Thanks

Cisco Employee

Re: Cisco 871 and 861w always hangs after vpn configuration

Hi,

The config looks alright. I would suggest you try the console when you see the same symptom again and then maybe run debugs, etc., to see what exactly is going wrong.

Also, if you do have console access, it will be better to open a TAC case before reloading the router to collect all necessary information.

Thanks and Regards,

Prapanch
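Added example, not part of the original thread: one consistency check worth running on a site-to-site config like the one posted is that every flow permitted by the crypto ACL (101) is exempted from NAT by the ACL behind route-map no-nat (110), evaluated first-match as IOS does. The function names are hypothetical, and the parser assumes `ip` entries with contiguous wildcard masks, as in the posted ACLs.

```python
import ipaddress
# The permit/deny entries of ACLs 101 and 110 as posted in the thread.
CONFIG = """\
access-list 101 permit ip 172.19.9.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 172.19.9.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny   ip 172.19.9.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 110 permit ip 172.19.9.0 0.0.0.255 any
"""

def take(tok):
    """Pop one IOS address spec (any | host A | A WILDCARD) as an IPv4Network."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tok.pop(0)))
    # Assumption: the wildcard mask is contiguous, so its bit length gives the prefix.
    return ipaddress.ip_network((first, 32 - wild.bit_length()), strict=False)

def parse_acl(config, number):
    """Return [(action, src, dst)] for the 'ip' entries of one numbered ACL."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["access-list", str(number)] and tok[3:4] == ["ip"]:
            rest = tok[4:]
            rules.append((tok[2], take(rest), take(rest)))
    return rules

def nat_leaks(config, crypto_acl=101, nat_acl=110):
    """Crypto-ACL permits that the NAT ACL would translate instead of exempting."""
    leaks = []
    for action, src, dst in parse_acl(config, crypto_acl):
        if action != "permit":
            continue
        # First match wins: stop at the first NAT entry that touches this flow.
        for n_action, n_src, n_dst in parse_acl(config, nat_acl):
            if src.overlaps(n_src) and dst.overlaps(n_dst):
                if n_action != "deny" or not (src.subnet_of(n_src) and dst.subnet_of(n_dst)):
                    leaks.append((str(src), str(dst)))
                break
    return leaks
```

An empty result from `nat_leaks(CONFIG)` means the two posted ACLs mirror each other; a flow with no matching NAT entry at all is not reported, because the route-map then does not match and the traffic is not translated.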
