Cisco 861 to Sonicwall - intermittent tunnel issue

Hi. We have a new remote office with a Cisco 861 router tunneling into a Sonicwall TZ180. The tunnel comes up and seems to work for a while, but drops intermittently. When it drops, we lose VPN but not Internet browsing. We attempted to swap the Cisco out with a spare Sonicwall and the tunnel stays up indefinitely - but we want to keep the Cisco in place. Here are the appropriate configuration details - notice anything? When it goes down, a power cycle on the remote office end fixes the issue.

-- Sonicwall:
Authentication method: IKE using preshared secret
IKE Phase 1 proposal: Main mode, Group 2, 3DES/SHA1, 28800 lifetime
IPsec Phase 2 proposal: ESP/3DES/SHA1. No PFS.

-- Cisco 861 --- this is a summary of the config, leaving out some class-map and policy-map details.

!
crypto isakmp key ********** address MAIN-OFFICE-IP
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to MAIN OFFICE
 set peer MAIN-OFFICE-IP
 set transform-set ESP-3DES-SHA1
 match address 103
!
interface FastEthernet4
 description $ETH-LAN$$FW_OUTSIDE$
 ip address OUTSIDE_IP_HERE 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY_HERE
!
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 remark CCP_ACL Category=16
access-list 2 permit 192.168.20.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 66.148.129.218 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 255.255.255.255
access-list 102 permit ip any 127.0.0.0 0.255.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.3.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.20.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_2 permit 1
 match ip address 105
!

-- Thanks, Joe
