Velocity Reviews - Computer Hardware Reviews

Cisco 1712 VPN Router Problems

 
 
lee@leefarrand.com  05-09-2005
Hi folks, I was wondering if any of you Cisco gurus out there would be
willing to help me out.

I am currently experiencing a problem with my Cisco 1712 VPN router. I
have 5 VPN tunnels set up to different sites and they are all working
fine, i.e. the tunnel comes up and I can ping the other side. However,
recently I have been experiencing packet loss. I set up a continuous
ping to the other IP address and every minute or so the ping stops
responding for about 30 seconds and then comes back again.

The same thing happens when transferring any amount of data through the
connection - it just dies.


I am seeing roughly 30% packet loss through the connection and I have
been pulling my hair out looking through Cisco.com for a solution but
so far no luck.


Does anyone have any ideas?


Thanks in advance

 
 
 
 
 
RobO  05-09-2005
Hi,

Might be a long shot (someone correct me if I'm wrong), but try reducing
the MTU on the relevant tunnel interfaces if you haven't already, or
reduce the TCP maximum segment size on the relevant interfaces and on
all endpoints (the latter for TCP-specific connections).

Try sending a ping with a large packet size, i.e. 1476 (allowing for
encapsulation overhead), across the tunnel and see what happens (loss?).

Then carry on reducing the packet size in the pings and see if any loss
occurs.
You can then use the value from the successful pings without loss as
the MTU on the interfaces.

To reduce the TCP maximum segment size, under the interface config:
ip tcp adjust-mss 1440
Start higher, then reduce until data transfer is successful.

Hope this helps,

Rob

 
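Rob's ping sweep and adjust-mss advice above comes down to the ESP encapsulation overhead, which can be worked out rather than found by trial. The following Python is an added example, not code from the thread: it computes the on-the-wire size of an ESP tunnel-mode packet for the transform sets used here (3DES-CBC with HMAC-MD5-96 or HMAC-SHA1-96, both 12-byte ICVs), derives the largest ping payload and TCP MSS that fit a 1500-byte outside MTU, and plans a descending DF-bit ping sweep. The 1500-byte MTU, the absence of NAT-T (which would add 8 bytes of UDP) and the AES-CBC parameters are assumptions that go beyond what the thread states.

```python
"""ESP tunnel-mode overhead and MTU/MSS sizing for an IPsec site-to-site tunnel (added example)."""

IPV4_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICMP_HDR = 8
TCP_HDR = 20

# Cipher block/IV sizes. 3des matches the thread's transform sets; aes is an assumed extension.
CIPHER = {"3des": {"block": 8, "iv": 8}, "aes": {"block": 16, "iv": 16}}
# esp-md5-hmac and esp-sha-hmac both truncate the HMAC to 96 bits (12 bytes).
ICV = {"md5": 12, "sha1": 12, "none": 0}


def esp_tunnel_size(inner_len, cipher="3des", auth="md5"):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel-mode
    encapsulation (outer IP + ESP header + IV + padded body + trailer + ICV). No NAT-T assumed."""
    c = CIPHER[cipher]
    body = inner_len + ESP_TRAILER
    pad = (-body) % c["block"]            # encrypted body is padded to the cipher block size
    return IPV4_HDR + ESP_HDR + c["iv"] + body + pad + ICV[auth]


def max_inner_packet(mtu=1500, cipher="3des", auth="md5"):
    """Largest inner IP packet that still fits in mtu without fragmenting the ESP packet."""
    c = CIPHER[cipher]
    room = mtu - IPV4_HDR - ESP_HDR - c["iv"] - ICV[auth]
    room -= room % c["block"]             # body must be a whole number of cipher blocks
    return room - ESP_TRAILER


def max_ping_payload(mtu=1500, **kw):
    """Largest `ping -l` (Windows) / `ping -s` (Linux) data size that crosses unfragmented."""
    return max_inner_packet(mtu, **kw) - IPV4_HDR - ICMP_HDR


def max_tcp_mss(mtu=1500, **kw):
    """Largest MSS a host may advertise so that full-size segments cross unfragmented."""
    return max_inner_packet(mtu, **kw) - IPV4_HDR - TCP_HDR


def mss_fits(mss, mtu=1500, **kw):
    """Is an `ip tcp adjust-mss <mss>` clamp low enough? adjust-mss only ever lowers an
    advertised MSS, so the lowest clamp a SYN passes through on its way is the one that counts."""
    return esp_tunnel_size(IPV4_HDR + TCP_HDR + mss, **kw) <= mtu


def ping_sweep_plan(start, stop, step=-8, mtu=1500, **kw):
    """[(payload_size, fits)] for a descending DF-bit ping sweep; the first size marked True is
    the one replies are expected from, and the value to size the tunnel from."""
    return [(n, esp_tunnel_size(IPV4_HDR + ICMP_HDR + n, **kw) <= mtu)
            for n in range(start, stop, step)]


if __name__ == "__main__":
    print("max inner packet:", max_inner_packet())
    print("max ping payload:", max_ping_payload())
    print("max TCP MSS:", max_tcp_mss())
    for mss in (1460, 1440, 1400):
        print(f"adjust-mss {mss} fits: {mss_fits(mss)}")
    for size, ok in ping_sweep_plan(1476, 1400):
        print(f"ping -f -l {size} -> {'fits' if ok else 'fragments or is dropped'}")
```

Windows `ping -f -l <size>` and Linux `ping -M do -s <size>` set the DF bit, so a size the plan marks as not fitting times out instead of being silently fragmented; the `crypto ipsec df-bit clear` lines in the posted config let the router clear DF on the outer header and fragment after encryption, which hides the problem from ping but leaves the far side reassembling every large packet.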
 
 
 
 
lee@leefarrand.com  05-09-2005
Thanks for the tip. I tried that and all seemed well for about 30
seconds and then:

Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=79ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125

Ping statistics for 192.168.1.27:
Packets: Sent = 110, Received = 83, Lost = 27 (24% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 79ms, Average = 29ms

The connection just seems to hang for whatever reason. The tunnel
doesn't go down though...

 
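The excerpt above shows one outage inside a longer trace; what matters for diagnosis is how long each outage lasts and whether they recur at a fixed interval. The following Python is an added example, not from the thread: it parses Windows-style ping output into per-probe results, groups consecutive timeouts into outages, and reports the spacing between outage starts, so a timer-driven cause (an SA lifetime, a keepalive) shows up as a near-constant period. The sample trace is constructed from the lines shown above; the 1 s probe interval and 4 s timeout used to estimate durations are assumed Windows `ping -t` defaults.

```python
"""Turn a 'ping -t' transcript into per-probe results, outage windows and their spacing (added example)."""
import re

REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<](\d+)ms TTL=\d+")
TIMEOUT_RE = re.compile(r"^Request timed out\.")


def parse_ping(text):
    """One entry per probe: RTT in ms for a reply, None for a timeout. Header and
    'Ping statistics' lines are ignored."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        m = REPLY_RE.match(line)
        if m:
            probes.append(int(m.group(1)))
        elif TIMEOUT_RE.match(line):
            probes.append(None)
    return probes


def find_outages(probes, min_lost=2):
    """[(first_lost_probe_index, consecutive_lost)] for runs of at least min_lost timeouts;
    single drops are left out so ordinary jitter does not register as an outage."""
    outages, start = [], None
    for i, rtt in enumerate(list(probes) + [0]):      # sentinel reply closes a trailing outage
        if rtt is None:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_lost:
                outages.append((start, i - start))
            start = None
    return outages


def summarize(probes, interval=1.0, timeout=4.0):
    """Loss figures plus a wall-clock estimate per outage. interval/timeout are assumed Windows
    'ping -t' defaults (a probe every 1 s, 4 s wait before 'Request timed out.'), so each lost
    probe costs about `timeout` seconds and each answered probe about `interval`."""
    lost = sum(1 for p in probes if p is None)
    replies = [p for p in probes if p is not None]
    outs = find_outages(probes)
    period_probes = [b[0] - a[0] for a, b in zip(outs, outs[1:])]
    # seconds from one outage start to the next: the answered probes in between plus the lost ones
    period_seconds = [(p - a[1]) * interval + a[1] * timeout for a, p in zip(outs, period_probes)]
    return {
        "sent": len(probes),
        "lost": lost,
        "loss_pct": int(100 * lost / len(probes)) if probes else 0,   # truncated, as Windows ping does
        "avg_rtt_ms": round(sum(replies) / len(replies)) if replies else None,
        "outages": [(start, n, n * timeout) for start, n in outs],
        # a near-constant period points at a timer (SA lifetime, keepalive) rather than random loss
        "period_probes": period_probes,
        "period_seconds": period_seconds,
    }


# Constructed sample: the reply and timeout lines of the excerpt above (8 replies, 27 timeouts, 11 replies).
RTTS_BEFORE = [31, 47, 47, 32, 47, 47, 47, 32]
RTTS_AFTER = [47, 31, 32, 47, 31, 31, 31, 32, 79, 47, 47]


def _reply(ms):
    return f"Reply from 192.168.1.27: bytes=1400 time={ms}ms TTL=125"


SAMPLE = "\n".join([_reply(ms) for ms in RTTS_BEFORE] + ["Request timed out."] * 27
                   + [_reply(ms) for ms in RTTS_AFTER]
                   + ["", "Ping statistics for 192.168.1.27:",
                      "    Packets: Sent = 46, Received = 19, Lost = 27 (58% loss),"])

if __name__ == "__main__":
    print(summarize(parse_ping(SAMPLE)))
```

Feed it a full `ping -t` log rather than an excerpt: with only one outage the period lists stay empty, and it is the second and third outage that tell you whether "every minute or so" is really a fixed interval.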
 
RobO  05-09-2005
If you ping the external IP of one of the adjacent routers the same way
does it return any packet loss?

Post your config if you can.

Rob

 
 
lee@leefarrand.com  05-09-2005
Hi Rob,

The same thing is happening for all of the connections.

Here it is:

Current configuration : 4537 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
ip tcp synwait-time 10
ip domain name xxxxxxxxx.co.uk
ip name-server xxx.xxx.xxx.10
ip name-server xxx.xxx.xxx.11
no ip bootp server
ip cef
ip ids po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set REMOTE-SET esp-3des esp-md5-hmac
crypto ipsec transform-set REMOTE-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map REMOTE-MAP 10 ipsec-isakmp
description Remote VPN crypto map
set peer xxx.xxx.xxx.xxx
set transform-set REMOTE-SET
match address VPN-PLACE1
crypto map REMOTE-MAP 20 ipsec-isakmp
description Remote VPN crypto map
set peer xxx.xxx.xxx.xxx
set transform-set REMOTE-SET
match address VPN-PLACE2
crypto map REMOTE-MAP 30 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set REMOTE-SET
match address VPN-PLACE3
crypto map REMOTE-MAP 40 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set REMOTE-SHA
match address VPN-PLACE4
!
!
!
interface Vif1
ip address 10.1.1.1 255.255.0.0
shutdown
!
interface BRI0
no ip address
no ip redirects
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address xxx.xxx.xxx.xxx 255.255.255.192
ip mask-reply
ip directed-broadcast
ip route-cache flow
ip tcp adjust-mss 1440
duplex auto
speed auto
no cdp enable
crypto map REMOTE-MAP
crypto ipsec df-bit clear
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
no ip address
no cdp enable
!
interface Vlan1
description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.2.2.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1400
crypto ipsec df-bit clear
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
no ip http server
ip http authentication local
ip http secure-server
ip nat pool PLACE3-NAT-POOL xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.0
!
!
!
ip access-list extended PLACE3-ACL
remark ACL for PLACE3 for dynamic NAT
remark SDM_ACL Category=2
deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
permit ip host 10.2.2.3 host xxx.xxx.xxx.xx5
ip access-list extended VPN-
ip access-list extended VPN-PLACE1
remark SDM_ACL Category=4
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE2
remark SDM_ACL Category=4
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE3
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE4
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
logging trap debugging
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address PLACE3-ACL
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

 
 
RobO  05-09-2005
As far as I know, the match addresses for the crypto maps should be
from source net to destination net, mirror-imaged on the other routers
with their relevant internal networks.
That is, in the setup you are using at least.
Some versions of IOS can be funny/buggy with different match-address
ACLs.

"permit ip 10.2.2.0 0.0.0.255 <internal_net_other_side>
<inverse_mask_for_other_side>"
Something like this:
permit ip 10.2.2.0 0.0.0.255 192.168.0.0 0.0.0.255

From what I can see in your previous posting, the match address
access-lists are pointing to the IP addresses of the endpoints and I
believe they should be the internal networks.

//>
ip access-list extended VPN-PLACE1
remark SDM_ACL Category=4
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE2
remark SDM_ACL Category=4
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE3
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
ip access-list extended VPN-PLACE4
permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
//>

So just for testing change these access-lists to point to the relevant
destination networks not the device itself.

Remove "host xxx.xxx.xxx.xxx" and replace with "network inverse_mask"

Also remove all references to "crypto ipsec df-bit clear" for testing.

Rob

 
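Rob's point about mirror-image crypto ACLs can be checked mechanically before touching the routers. The following Python is an added example, not code from the thread: it parses the `ip access-list extended` blocks from two IOS configs, normalises each `permit ip` entry to a source/destination network pair, reports entries with no mirror on the far side, and flags entries whose destination is a peer's own address rather than the network behind it. The sample hub and spoke configs, the peer addresses 203.0.113.x and the spoke networks 192.168.1.0/24 and 192.168.2.0/24 are constructed for the example.

```python
"""Check IPsec crypto ACLs (crypto map 'match address') on two IOS routers for mirror-image
consistency (added example)."""
import ipaddress
import re

HEADER_RE = re.compile(r"^ip access-list extended (\S+)$")
ACE_RE = re.compile(r"^(permit|deny)\s+ip\s+(.+)$")


def _wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> network. Done by hand because ipaddress would read the wildcard
    0.0.0.0 as a netmask (/0) instead of a single host and 255.255.255.255 as /32 instead of any."""
    wild = int(ipaddress.IPv4Address(wildcard))
    mask = ~wild & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot express a proxy identity")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_addr(tokens):
    """Consume one address spec ('any' | 'host A' | 'A wildcard'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acls(config):
    """{acl name: [(src_net, dst_net), ...]} built from the permit ip entries of every extended ACL.
    deny entries select nothing for encryption and are skipped; remarks are ignored; any other
    line ('!', an interface, another command) ends the block."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if current is None or line.startswith("remark"):
            continue
        m = ACE_RE.match(line)
        if not m:
            current = None
            continue
        if m.group(1) == "permit":
            src, rest = _parse_addr(m.group(2).split())
            dst, _ = _parse_addr(rest)
            current.append((src, dst))
    return acls


def mirror_problems(local, remote):
    """Entries without an exact (src, dst) <-> (dst, src) counterpart on the far side. Both peers
    must propose the same proxy identities, or the IPsec SA for that traffic is not negotiated."""
    local_set, remote_set = set(local), {(d, s) for s, d in remote}
    return {"missing_on_remote": sorted(local_set - remote_set, key=str),
            "missing_on_local": sorted(remote_set - local_set, key=str)}


def endpoint_destinations(entries, peers):
    """Entries whose destination is a tunnel endpoint itself (a /32 equal to a peer address), i.e.
    the ACL covers traffic to the far router rather than to the network behind it."""
    peer_nets = {ipaddress.ip_network(f"{p}/32") for p in peers}
    return [e for e in entries if e[1] in peer_nets]


# Constructed sample configs (not the thread's): a hub with three crypto ACLs and two spokes.
HUB_CONFIG = """\
ip access-list extended VPN-PLACE1
 remark SDM_ACL Category=4
 permit ip 10.2.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-PLACE2
 permit ip 10.2.2.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended VPN-PLACE3
 permit ip 10.2.2.0 0.0.0.255 host 203.0.113.30
!
"""
SPOKE1_CONFIG = "ip access-list extended VPN-HUB\n permit ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255\n"
SPOKE2_CONFIG = "ip access-list extended VPN-HUB\n permit ip 192.168.2.0 0.0.0.255 10.2.0.0 0.0.255.255\n"


def check_site(hub_cfg, hub_acl, spoke_cfg, spoke_acl, peer):
    """Mirror check for one hub/spoke pair plus the endpoint-as-destination check on the hub side."""
    hub = parse_crypto_acls(hub_cfg)[hub_acl]
    spoke = parse_crypto_acls(spoke_cfg)[spoke_acl]
    report = mirror_problems(hub, spoke)
    report["endpoint_as_destination"] = endpoint_destinations(hub, [peer])
    return report


if __name__ == "__main__":
    print("PLACE1", check_site(HUB_CONFIG, "VPN-PLACE1", SPOKE1_CONFIG, "VPN-HUB", "203.0.113.10"))
    print("PLACE2", check_site(HUB_CONFIG, "VPN-PLACE2", SPOKE2_CONFIG, "VPN-HUB", "203.0.113.20"))
    print("PLACE3", endpoint_destinations(parse_crypto_acls(HUB_CONFIG)["VPN-PLACE3"], ["203.0.113.30"]))
```

PLACE1 comes back clean, PLACE2 shows the spoke proposing 10.2.0.0/16 where the hub expects 10.2.2.0/24, and PLACE3 is the shape Rob describes, a peer address where a network should be. The same parser run over the posted config would also pick up the NAT ACL PLACE3-ACL, so only compare the ACLs the crypto map entries actually name.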
 
Tosh  05-10-2005
> Does anyone have any ideas?
>

I've had bad experiences with cef on that router and some 12.3 releases,
have you tried to switch it off?
Bye,
Tosh.


 
 
Draschl Clemens  05-11-2005
lee@leefarrand.com wrote:
> Hi folks, I was wondering if any of you Cisco gurus out there would be
> willing to help me out.
>
> I am currently experiencing a problem with my Cisco 1712 VPN router. I
> have 5 VPN tunnels set up to different sites and they are all working
> fine i.e. the tunnel comes up and I can ping the other side. However
> recently I have been experiencing packet loss, I set up a continuous
> ping to the other IP address and every minute or so the ping stops
> responding for about 30 seconds and then comes back again.
>
> The same thing happens when transferring any amount of data through the
> connection - it just dies.
>
> I am seeing roughly 30% packet loss through the connection and I have
> been pulling my hair out looking through Cisco.com for a solution but
> so far no luck.
>
> Does anyone have any ideas?


Take a look at the crypto maps and the lifetimes of the ISAKMP and
IPsec parts. "show crypto isakmp policy" and "show crypto map" should
give you some answers.
Anyway, debug output of ISAKMP and IPsec is welcome. You didn't say
anything about the other IPsec endpoints. Ciscos too? Or something else?

Once I've had nearly the same problem. Regularly issuing "clear crypto
isakmp" was the only thing I could do. After updating the IOS everything
was clean.

\cd
 
 
 
 