Cisco 1712 VPN Router Problems

Hi folks, I was wondering if any of you Cisco gurus out there would be willing to help me out.

I am currently experiencing a problem with my Cisco 1712 VPN router. I have 5 VPN tunnels set up to different sites and they are all working fine, i.e. the tunnel comes up and I can ping the other side. However, recently I have been experiencing packet loss. I set up a continuous ping to the other IP address, and every minute or so the ping stops responding for about 30 seconds and then comes back again.

The same thing happens when transferring any amount of data through the connection - it just dies.

I am seeing roughly 30% packet loss through the connection, and I have been pulling my hair out looking through Cisco.com for a solution, but so far no luck.

Does anyone have any ideas?

Thanks in advance :)

Reply to
lee

Hi,

Might be a long shot (someone correct me if I'm wrong), but try reducing the MTU on the relevant tunnel interfaces if you haven't already, or reduce the TCP maximum segment size on the relevant interfaces and on all endpoints (the latter for TCP-specific connections).

Try sending a ping with a large packet size, i.e. 1476 (allowing for encapsulation overhead), across the tunnel and see what happens (loss?).

Then carry on reducing the packet size in the pings and see if any loss occurs. You can then use the value from the successful pings without loss as the MTU on the interfaces.

To reduce the TCP maximum segment size, under the interface config: ip tcp adjust-mss 1440. Start higher, then reduce until data transfer is successful.

Hope this helps,

Rob

Reply to
RobO
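The MTU/MSS sweep Rob describes, worked through as an added example (my code, not anything posted in this thread). It does the size arithmetic for ESP tunnel mode with the esp-3des esp-md5-hmac transform set in the config posted further down (20-byte outer IP header, 8-byte SPI/sequence, 8-byte IV, pad to an 8-byte block plus a 2-byte trailer, 12-byte ICV), finds the largest cleartext packet that fits a given path MTU, and binary-searches the largest DF-set ping payload using a probe function you pass in. The built-in probe is a constructed simulation of a 1500-byte path so the script runs offline; ping_probe() is the real one and assumes Linux iputils ping flags (-M do -s), the Windows equivalent being ping -f -l. If NAT traversal were in use you would add 8 bytes for the UDP header; it is not in the posted config.

```python
"""Added example: ESP tunnel-mode size arithmetic and a DF-bit ping sweep.
Not from any poster in this thread.  Overhead figures are for the
esp-3des esp-md5-hmac transform set in the posted config."""
import subprocess
from typing import Callable

OUTER_IP = 20        # new IPv4 header added in tunnel mode
ESP_HDR = 8          # SPI (4) + sequence number (4)
IV_3DES = 8          # CBC IV; also the cipher block size used for padding
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_MD5_96 = 12      # truncated HMAC-MD5 (HMAC-SHA1-96 is also 12)
IP_TCP_HDRS = 40     # IPv4 + TCP headers, no options
IP_ICMP_HDRS = 28    # IPv4 + ICMP echo header (ping payload sits on top)


def esp_tunnel_size(inner_len: int, block: int = IV_3DES) -> int:
    """Wire length of an inner IPv4 packet after ESP tunnel encapsulation."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % block          # data + trailer padded to a block multiple
    return OUTER_IP + ESP_HDR + block + body + pad + ICV_MD5_96


def max_inner_len(path_mtu: int) -> int:
    """Largest cleartext IPv4 packet whose encapsulation still fits path_mtu."""
    n = path_mtu
    while esp_tunnel_size(n) > path_mtu:
        n -= 1
    return n


def sweep(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest ICMP payload for which probe() succeeds.
    probe(payload_bytes) -> True if an echo sent with DF set is answered.
    Returns -1 if nothing gets through."""
    best = -1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: the echo survives only if its
    ESP-encapsulated size fits path_mtu (DF set, so no fragmentation)."""
    return lambda payload: esp_tunnel_size(payload + IP_ICMP_HDRS) <= path_mtu


def ping_probe(dest: str) -> Callable[[int], bool]:
    """Real probe; assumes Linux iputils ping (-M do sets DF, -s sets payload)."""
    def run(payload: int) -> bool:
        r = subprocess.run(
            ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), dest],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return r.returncode == 0
    return run


def recommend(payload: int) -> dict:
    """Turn the largest working ping payload into interface settings:
    the cleartext MTU and the TCP MSS (MTU minus IP and TCP headers)."""
    inner = payload + IP_ICMP_HDRS
    return {"cleartext_mtu": inner, "tcp_mss": inner - IP_TCP_HDRS}


if __name__ == "__main__":
    best = sweep(simulated_path(1500))   # swap in ping_probe("10.x.y.z") for a real run
    print("largest DF payload:", best, recommend(best))
    for mss in (1400, 1440):
        print(f"adjust-mss {mss}: {mss + IP_TCP_HDRS}-byte segment ->"
              f" {esp_tunnel_size(mss + IP_TCP_HDRS)} bytes on the wire")
```

On a 1500-byte path this finds a 1418-byte ping payload, i.e. a 1446-byte cleartext packet and an MSS of 1406. For the values in the posted config, ip tcp adjust-mss 1400 gives 1440-byte segments that encapsulate to 1496 bytes and fit, while 1440 gives 1480-byte segments that encapsulate to 1536 and must be fragmented. One caveat: with crypto ipsec df-bit clear configured the router clears DF on the encrypted packet and fragments it after encryption instead of dropping it, so a DF sweep from the LAN will not show the encryption-side limit; that is why removing that command while testing, as suggested later in the thread, matters.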

Thanks for the tip. I tried that and all seemed well for about 30 seconds and then:

Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=79ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125

Ping statistics for 192.168.1.27:
    Packets: Sent = 110, Received = 83, Lost = 27 (24% loss),
Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 79ms, Average = 29ms

The connection just seems to hang for whatever reason. The tunnel doesn't go down though...

Reply to
lee

If you ping the external IP of one of the adjacent routers the same way does it return any packet loss?

Post your config if you can.

Rob

Reply to
RobO

Hi Rob,

The same thing is happening for all of the connections.

Here it is:

Current configuration : 4537 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
ip tcp synwait-time 10
ip domain name xxxxxxxxx.co.uk
ip name-server xxx.xxx.xxx.10
ip name-server xxx.xxx.xxx.11
no ip bootp server
ip cef
ip ids po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set REMOTE-SET esp-3des esp-md5-hmac
crypto ipsec transform-set REMOTE-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map REMOTE-MAP 10 ipsec-isakmp
 description Remote VPN crypto map
 set peer xxx.xxx.xxx.xxx
 set transform-set REMOTE-SET
 match address VPN-PLACE1
crypto map REMOTE-MAP 20 ipsec-isakmp
 description Remote VPN crypto map
 set peer xxx.xxx.xxx.xxx
 set transform-set REMOTE-SET
 match address VPN-PLACE2
crypto map REMOTE-MAP 30 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set REMOTE-SET
 match address VPN-PLACE3
crypto map REMOTE-MAP 40 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set REMOTE-SHA
 match address VPN-PLACE4
!
!
!
interface Vif1
 ip address 10.1.1.1 255.255.0.0
 shutdown
!
interface BRI0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.192
 ip mask-reply
 ip directed-broadcast
 ip route-cache flow
 ip tcp adjust-mss 1440
 duplex auto
 speed auto
 no cdp enable
 crypto map REMOTE-MAP
 crypto ipsec df-bit clear
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Vlan1
 description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.2.2.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1400
 crypto ipsec df-bit clear
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
no ip http server
ip http authentication local
ip http secure-server
ip nat pool PLACE3-NAT-POOL xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.0
!
!
!
ip access-list extended PLACE3-ACL
 remark ACL for PLACE3 for dynamic NAT
 remark SDM_ACL Category=2
 deny   ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
 deny   ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
 deny   ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
 deny   ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
 permit ip host 10.2.2.3 host xxx.xxx.xxx.xx5
ip access-list extended VPN-
ip access-list extended VPN-PLACE1
 remark SDM_ACL Category=4
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE2
 remark SDM_ACL Category=4
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE3
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE4
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
logging trap debugging
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address PLACE3-ACL
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Reply to
lee

As far as I know or understand, the match addresses for the crypto maps should be from source net to destination net, and mirror-imaged on the other routers with their relevant internal networks. That is in the setup you're using, at least. Some versions of IOS can be funny/buggy with different match address ACLs.

Your "permit ip 10.2.2.0 0.0.0.255 ..." lines should look something like this: permit ip 10.2.2.0 0.0.0.255 192.168.0.0 0.0.0.255.

The access-lists are pointing to the IP addresses of the endpoints, and I believe they should be the internal networks.

//>
ip access-list extended VPN-PLACE1
 remark SDM_ACL Category=4
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE2
 remark SDM_ACL Category=4
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE3
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE4
 permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
//>

So, just for testing, change these access-lists to point to the relevant destination networks, not the device itself.

Remove "host xxx.xxx.xxx.xxx" and replace it with "network inverse_mask".

Also remove all references to "crypto ipsec df-bit clear" for testing.

Rob

Reply to
RobO
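The mirror-image rule Rob refers to, turned into a check as an added example (my code, not posted by anyone in the thread): it parses the "ip access-list extended" blocks out of two IOS configs and reports every crypto ACL entry on one router that the peer does not define with source and destination swapped. IKE builds the phase 2 proxy identities from these entries, so an unmirrored entry means the two ends disagree about what the SA protects. All three config snippets are constructed: the 10.2.2.0/24 side copies the shape of the posted ACLs, 192.168.0.0/24 is an assumed remote LAN, and VPN-HQ is an assumed ACL name on that peer.

```python
"""Added example: check that two routers' crypto ACLs mirror each other.
Not code from this thread; all config text below is constructed."""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]   # (source, destination), each "address/wildcard"

ACL_RE = re.compile(r"^ip access-list extended (\S+)")
PERMIT_RE = re.compile(r"^\s+permit ip (.+)$")

# Constructed: the ACL written the way the posted config does it (remote side as a host).
LOCAL_CFG = """\
ip access-list extended VPN-PLACE1
 remark SDM_ACL Category=4
 permit ip 10.2.2.0 0.0.0.255 host 192.168.0.27
"""
# Constructed: the same ACL after the network-to-network change suggested above.
FIXED_CFG = """\
ip access-list extended VPN-PLACE1
 permit ip 10.2.2.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Constructed: what the assumed peer router protects towards the 10.2.2.0/24 site.
REMOTE_CFG = """\
ip access-list extended VPN-HQ
 permit ip 192.168.0.0 0.0.0.255 10.2.2.0 0.0.0.255
"""


def _addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address term: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[0] == "host":
        return f"{tokens[1]}/0.0.0.0", tokens[2:]
    if tokens[0] == "any":
        return "0.0.0.0/255.255.255.255", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Map ACL name -> (src, dst) permit entries.  Remarks and deny lines are
    skipped: in a crypto ACL only permit entries define traffic to protect."""
    acls: Dict[str, List[Entry]] = {}
    current = None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = PERMIT_RE.match(line)
        if m and current is not None:
            src, rest = _addr(m.group(1).split())
            dst, _ = _addr(rest)
            acls[current].append((src, dst))
    return acls


def mirror_report(local: List[Entry], remote: List[Entry]) -> Dict[str, List[Entry]]:
    """Entries each side defines that the other side does not mirror
    (mirror = same pair with source and destination swapped)."""
    remote_mirrored = {(d, s) for s, d in remote}
    local_set = set(local)
    return {
        "local_unmirrored": [e for e in local if e not in remote_mirrored],
        "remote_unmirrored": [e for e in remote if (e[1], e[0]) not in local_set],
    }


if __name__ == "__main__":
    remote = parse_acls(REMOTE_CFG)["VPN-HQ"]
    for label, cfg in (("as posted", LOCAL_CFG), ("mirrored", FIXED_CFG)):
        local = parse_acls(cfg)["VPN-PLACE1"]
        print(label, mirror_report(local, remote))
```

A host-scoped entry is not wrong in itself; the check only flags asymmetry, which is the condition that breaks proxy-identity matching. Run it against the real configs by reading each file into the parse_acls() call instead of the constructed strings.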

I've had bad experiences with CEF on that router and some 12.3 releases. Have you tried switching it off?

Bye, Tosh.

Reply to
Tosh

Take a look at the crypto maps and the lifetimes of the ISAKMP and IPsec parts. "show crypto isakmp policy" and "show crypto map" should give you some answers. Anyway, debug output of ISAKMP and IPsec is welcome. You didn't say anything about the other IPsec endpoints. Cisco's too, or something else?

Once I had nearly the same problem. Regularly issuing "clear crypto isakmp" was the only thing I could do. After updating the IOS everything was clean.

\cd

Reply to
Draschl Clemens

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.