internet connection disconnecting frequently

mdasifsm1
Level 1

Hi,

We have an mGRE setup which we use to connect to home offices from the head office, over DSL lines at the home office side.

Everything is working fine, the tunnel is up and running, but the internet connection is getting dropped frequently; to my surprise, the VPN connection is active and working.

The GRE tunnel is formed over DSL (same as DMVPN) to connect to the head office, and normal internet traffic goes through the NAT device towards the internet.

The LAN IP is provided to the PC through the DHCP server on the 881 router.

My topology is like:

Head Office(cisco 1941)---->Internet--------->nat device---->cisco 881---->PC.

I can ping the head office continuously, but when I do the same to the internet the packets are getting dropped.

Attaching the Cisco 881 config.

Can anyone help?

4 Replies

JohnTylerPearce
Level 7

Asif,

Can you post the results of 'show ip nat translations' when you are initiating traffic from the spoke (home office)? I want to make sure a translation is taking place.

Also, can you post the results from a traceroute to 8.8.8.8 from a PC on that spoke?

Hi John,

Thanks for the reply.

Attaching the output from the router and the PC.

The actual IPs are in the output, as I changed them in the first discussion.

PC IP: 192.168.75.250

Gateway: 192.168.75.249 (cisco 881)

Hello

Looking at the first file you sent (I cannot open the second one you posted):

You have 192.168.50.0/24 being advertised by RIP but your physical interface is a /29,

and your ACL statement for NAT doesn't look correct, denying 192.168.1.0/24 and 192.168.2.0/24 and permitting everything else even though they are not in the same subnetwork as the physical interface - I would specify the actual subnet to be permitted and not leave it as ip any any.

You seem to have only part of the cryptographic VPN configured; are you wanting to use IPsec also?

For your NHRP, specifying a tunnel mode, enabling multicast and, as far as I am aware, NOT specifying a tunnel destination is required.

crypto isakmp key xxxx address 0.0.0.0 0.0.0.0 - ( on HUB and SPOKE - this adds dynamic pre-shared keys for all of the remote VPNs)

crypto ipsec transform-set NHRP esp-3des esp-md5-hmac

crypto ipsec profile TEST

set security-association lifetime seconds xxx

set transform-set NHRP

int tun0

ip nhrp map multicast dynamic

NO  tunnel destination

tunnel mode gre multipoint

tunnel protection ipsec profile TEST

no access-list 2000

access-list 2000 permit ip any

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.



Hi,

Thank you for the reply.

We have home offices in different regions, and some ISPs are blocking port 4500, so I am not using IPsec for them.

As for the NAT, the access list filters the traffic going to the WAN and directs the interesting traffic to the tunnel, and all other traffic goes to the internet, so I specified any any.

As for RIP, there is nothing wrong with the network connection to my head office and there are no packet drops on the tunnel, but when I ping IPs like 8.8.8.8 and 4.2.2.2 the pings start getting dropped after 5 or 10 min.
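
An added example, not part of any post in this thread and not the poster's attached config: a small Python check that flags, in an IOS config, the points that come up in the replies above (the wildcard pre-shared key, the 3DES/MD5 transform set, an mGRE tunnel running without "tunnel protection", and a "permit ip any any" ACL). The sample config is constructed from the commands quoted in the thread with placeholder values, and the finding labels are this example's own names.

```python
import re

# Constructed sample: commands quoted in the thread, with placeholder key and
# a second tunnel added for contrast. Not the poster's attached config.
SAMPLE = """\
crypto isakmp key PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto ipsec transform-set NHRP esp-3des esp-md5-hmac
crypto ipsec profile TEST
 set transform-set NHRP
interface Tunnel0
 ip nhrp map multicast dynamic
 tunnel mode gre multipoint
interface Tunnel1
 tunnel mode gre multipoint
 tunnel protection ipsec profile TEST
access-list 2000 permit ip any any
"""

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # legacy IPsec transforms

def sections(text):
    """Group an IOS config into (top-level line, [indented child lines])."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(text):
    """Return finding labels (names are this example's own) in config order."""
    findings = []
    for head, body in sections(text):
        words = head.split()
        if re.match(r"crypto isakmp key .+ address 0\.0\.0\.0\b", head):
            findings.append("wildcard-psk")            # one key accepted from any peer
        elif head.startswith("crypto ipsec transform-set "):
            legacy = sorted(LEGACY & set(words[4:]))
            if legacy:
                findings.append("legacy-transform:" + ",".join(legacy))
        elif words[0] == "interface" and "tunnel mode gre multipoint" in body:
            if not any(b.startswith("tunnel protection ipsec") for b in body):
                findings.append("unprotected-mgre:" + words[1])  # GRE in cleartext
        elif re.match(r"access-list \d+ permit ip any any$", head):
            findings.append("broad-acl:" + words[1])   # reply suggests the LAN subnet
    return findings
```

Calling audit() on the text of a saved running-config returns the labels in the order the lines appear; an empty list means none of these four patterns matched.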
