
Cisco 831 EzVpn Timeout


ior

Technical User
Mar 11, 2004
Hi, I have a Cisco 831 (12.2(8r)YN) that I'm using to EzVPN into my job's concentrator. The tunnel is only used by my Cisco IP Phone (7960) to reach our CCM.

The problem is that once or twice every day the phone drops its connection to the CCM. Upon further investigation I notice that I can no longer ping IPs on the other side of the VPN, though I can still access the web.

When checking the log of the router it's clear that the router has not noticed that the VPN is down. Rebooting the router / running clear crypto ipsec client solves the problem.

Any ideas / suggestions are appreciated.

Relevant parts of the config:

ip dhcp pool LAN
network xxxx xxxx
next-server xxx
default-router xxx
dns-server xxx
lease 7

!
!
no ip domain lookup
ip domain name xxxx
no ip bootp server
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp keepalive 10 periodic
!
!
!
!
!
crypto ipsec client ezvpn lab-ipphone
connect auto
group yyyy key xxxxxxxxxx
mode network-extension
peer xxxxxxx
username xxxxx password xxxxxxx
!
!
!
!
interface Ethernet0
description *** LAN ***
ip address xxxxx xxxxxx
no ip proxy-arp
ip tcp adjust-mss 1452
no cdp enable
crypto ipsec client ezvpn lab-ipphone inside
hold-queue 100 out
!
interface Ethernet1
description *** Internet Interface ***
bandwidth 256
no ip address
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
description DSL
bandwidth 256
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxx
crypto ipsec client ezvpn lab-ipphone
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route xxx 255.255.0.0 Dialer1
ip route xxx 255.255.255.128 Dialer1
ip route xxx 255.255.255.255 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
!
!
access-list 102 permit ip xxxxxx 0.0.0.15 any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
 
You didn't state what type of access you are using, so I'm assuming that you are a SOHO user with a local ADSL-type service connection. Could it be that your ISP "takes a break"? I know that my DSL service drops once a day on my Dialer1 interface to deliver a new DHCP address from them. This would drop my PC-based VPN client connection to the Concentrator (as it should) but was not long enough to affect web surfing.

Of course I don't think that you would need to reboot the router, but I am not very familiar with the 837's EasyVPN and crypto settings. I would try syslogging your Dialer1 interface and also using the SDM to monitor the connection as well.

Let me know how it goes, I have an 837 and wish to start using the VPN ability to nail into the concentrator directly and not have the need to run a client on my PC's.

SF18C
CCNP, MCSE, A+, N+ & HPCC
Tis better to die on your feet than live on your knees!
 
You are correct, I'm using DSL at home. However, I would think that if my dialer got a new IP it should "know" that it has to re-establish the VPN connection, or at least it should do some basic heartbeating to check if the connection is still alive.

I'll monitor my Dialer interface and get back to you, though.
 
You seem to be correct. I just noticed that after a dropout the router reports:
"A pre-shared key for address mask xxxxxxx already exists!"

This is one of the exact same messages I get when I take the dialer interface down and up again.

However, I'm still not certain how knowing that makes things any easier; the router still doesn't detect that the tunnel is actually down. :(
 
Are you using the Security Device Manager to configure the VPN, or just the CLI?

Maybe an IOS upgrade is in order? The latest is 12.3(8)T3.

Open Caveats - Release 12.3(4)XG
This section documents possible unexpected behavior by Cisco IOS Release 12.3(4)XG and describes only severity 1 and 2 caveats and selected severity 3 caveats.

CSCin69275

The EzVPN tunnel is not brought down when IKE SAs are cleared.

On issuing the clear crypto isa command when the Easy Virtual Private Network (EzVPN) tunnel is up, the Internet Key Exchange (IKE) security associations (SAs) get cleared, but the IP security (IPsec) SAs remain until the lifetime expires, and the tunnel stays in the IPSEC_ACTIVE state.

Workaround

Use the clear crypto sa or clear crypto ipsec client ezvpn commands to clear the tunnel and renegotiate the SAs.

Also look here:

SF18C
 
At this point I would be looking hard at this part of the config:
crypto ipsec client ezvpn lab-ipphone
connect auto
group yyyy key xxxxxxxxxx
mode network-extension
peer xxxxxxx
username xxxxx password xxxxxxx
It appears that the auto part of this is not working as advertised.

Manual Tunnel Control

A new crypto command can be used when manual configuration has been specified in the Easy VPN configuration. This command is useful, for example, when tunnel establishment needs to be manually controlled on ISDN links.


The config commands are as follows:

crypto ipsec client ezvpn <name>
connect {[auto] | manual}

crypto ipsec client connect <name>

Config commands:

connect {[auto] | manual}: The command has two connect settings, auto and manual. Auto is the default and will automatically attempt to establish a tunnel connection when this config is attached to an interface. The manual option requires "crypto ipsec client connect <name>" to initiate connections.

You can hit me directly at sf18c2000@yahoo.com

SF18C
 
Thanks for all your answers.

SF18C, I'm using the CLI. And I'll look into getting a newer IOS ASAP. However, I'm not sure that it applies to me as I'm running 12.2; still, it's worth a try.

Also, the auto part is kind of working, as the tunnel is automatically connected whenever I reboot the router. And manual control isn't really an option, as I need my phone to stay online all the time.

I have also verified that this setup works flawlessly for a colleague of mine, the difference being that he is not on a PPPoE connection, so he doesn't have to use a dialer.

I've turned on some debug commands; I'll post my findings tomorrow.
 
One night has passed, and this is what I've learned from the logs:
nothing.

I kept my IP overnight, and my Cisco phone stayed online (for once). So I'll have to wait until it decides to disconnect.

However, I've run into another problem. My ip nat static commands have for some reason stopped working overnight. Negating them with no and re-adding them solved the problem. But I assume this can be related to my VPN problem.

I'm guessing that the damn Dialer interface is messing with me. Does anyone have any ideas why the following commands have stopped working overnight the last 2 days?

ip nat inside source static udp 10.88.89.67 5005 interface Dialer1 5005
ip nat inside source static udp 10.88.89.67 5061 interface Dialer1 5061
ip nat inside source static udp 10.88.89.67 5060 interface Dialer1 5060
ip nat inside source static udp 10.88.89.67 5004 interface Dialer1 5004
ip nat inside source static udp 10.88.89.67 3478 interface Dialer1 3478
 
Update: Putting the whole router behind another (Netgear) router and disabling the dialer interface didn't help at all. The same issues are there: when my DSL gets a new IP / has to re-login with PPPoE, my VPN connection is dropped without the router noticing it.

I will continue to investigate and report back here. Any and all suggestions are appreciated.
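As an added example, not part of the thread and not the poster's or Cisco's code: a small Python check, run from a management host against captured "show ip interface brief" and "show crypto ipsec sa" output, that flags the condition described above (Dialer1 has renegotiated a new PPPoE address while the IPsec SA is still bound to the old local endpoint, so the router still believes the tunnel is up) and also looks for the "pre-shared key ... already exists" message the poster saw after a dropout. When either signal is present it emits the thread's own workaround command. The command output and log lines are constructed sample text in the usual IOS layout; the addresses, timestamps and the lab-ipphone client name are assumptions, and the script does not talk to a router.

```python
import re

# Constructed sample output (not captured from the poster's router). Dialer1 has
# been renegotiated by PPPoE to 203.0.113.25, but the IPsec SA is still bound to
# the previous local endpoint 203.0.113.10, so the router thinks the tunnel is up.
SHOW_IP_INT_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  10.88.89.65     YES manual up                    up
Ethernet1                  unassigned      YES unset  up                    up
Dialer1                    203.0.113.25    YES IPCP   up                    up
"""

SHOW_CRYPTO_IPSEC_SA = """\
interface: Dialer1
    Crypto map tag: Dialer1-head-0, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (10.88.89.64/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 41213, #pkts encrypt: 41213, #pkts digest: 41213
    #pkts decaps: 39870, #pkts decrypt: 39870, #pkts verify: 39870

     local crypto endpt.: 203.0.113.10, remote crypto endpt.: 198.51.100.1
     path mtu 1492, ip mtu 1492
     current outbound spi: 0x3A1B2C4D(974400589)
"""

# Constructed log excerpt (assumed timestamps and peer address) containing the
# message the thread reports right after a PPPoE re-login.
ROUTER_LOG = """\
Mar 12 03:14:05.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Mar 12 03:14:09.233: A pre-shared key for address mask 198.51.100.1 already exists!
"""


def interface_address(show_ip_int_brief: str, ifname: str):
    """Return the address 'show ip interface brief' lists for ifname, or None."""
    for line in show_ip_int_brief.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ifname:
            return None if fields[1] == "unassigned" else fields[1]
    return None


def sa_local_endpoints(show_crypto_ipsec_sa: str):
    """Collect the local crypto endpoint of every IPsec SA in the output."""
    return set(re.findall(r"local crypto endpt\.:\s*(\d+\.\d+\.\d+\.\d+)",
                          show_crypto_ipsec_sa))


def stale_ezvpn_sas(show_ip_int_brief: str, show_crypto_ipsec_sa: str,
                    ifname: str = "Dialer1"):
    """SA local endpoints that no longer match the interface's current address."""
    current = interface_address(show_ip_int_brief, ifname)
    endpoints = sa_local_endpoints(show_crypto_ipsec_sa)
    if current is None:
        return endpoints          # interface lost its address: every SA is stale
    return {ep for ep in endpoints if ep != current}


def dialer_renegotiated(log: str) -> bool:
    """True if the log carries the 'already exists' message seen after a re-login."""
    return re.search(r"pre-shared key for address mask \S+ already exists",
                     log) is not None


def remediation(show_ip_int_brief: str, show_crypto_ipsec_sa: str,
                client_name: str, log: str = "", ifname: str = "Dialer1"):
    """IOS commands to run when the tunnel is stale, else an empty list.

    Either signal is enough: an SA bound to an address the interface no longer
    holds, or the log message that follows a PPPoE re-login. The command returned
    is the workaround the thread itself uses to force the EzVPN client to
    renegotiate.
    """
    stale = stale_ezvpn_sas(show_ip_int_brief, show_crypto_ipsec_sa, ifname)
    if not stale and not dialer_renegotiated(log):
        return []
    return [f"clear crypto ipsec client ezvpn {client_name}"]


if __name__ == "__main__":
    for cmd in remediation(SHOW_IP_INT_BRIEF, SHOW_CRYPTO_IPSEC_SA,
                           "lab-ipphone", ROUTER_LOG):
        print(cmd)
```

Collecting the three outputs is left to whatever session wrapper you already use (the 831 in the thread has its HTTP server disabled, so a scripted console or telnet session is the realistic path); the point of the check is that the interface address and the SA's local endpoint are compared explicitly, which is exactly what the router itself is not doing here.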
 