Cisco 1712 VPN Router Problems

Discussion in 'Cisco' started by lee@leefarrand.com, May 9, 2005.

  1. Guest

    Hi folks, I was wondering if any of you Cisco gurus out there would be
    willing to help me out.


    I am currently experiencing a problem with my Cisco 1712 VPN router. I
    have 5 VPN tunnels set up to different sites and they are all working
    fine, i.e. the tunnel comes up and I can ping the other side. However,
    recently I have been experiencing packet loss: I set up a continuous
    ping to the other IP address and every minute or so the ping stops
    responding for about 30 seconds and then comes back again.


    The same thing happens when transferring any amount of data through the
    connection - it just dies.


    I am seeing roughly 30% packet loss through the connection and I have
    been pulling my hair out looking through Cisco.com for a solution but
    so far no luck.


    Does anyone have any ideas?


    Thanks in advance :)
     
    , May 9, 2005
    #1

  2. RobO Guest

    Hi,

    Might be a long shot (someone correct me if I'm wrong) but try reducing
    the MTU on the relevant tunnel interfaces if you haven't already, or
    reduce the TCP maximum segment size on the relevant interfaces and on
    all endpoints (the latter for TCP-specific connections).

    Try sending a ping with a large packet size, i.e. 1476 (allowing for
    encapsulation overhead), across the tunnel and see what happens (loss?).

    Then carry on reducing the packet size in the pings and see if any loss
    occurs.
    You can then use this value following successful pings without loss as
    the MTU on the interfaces.

    To reduce the TCP maximum segment size under the interface config:
    ip tcp adjust-mss 1440
    Start higher then reduce until data transfer is successful.

    Hope this helps,

    Rob
     
    RobO, May 9, 2005
    #2
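To put numbers behind the sizing procedure Rob describes, here is an added example (not code from the thread) that computes how large an inner packet becomes once encapsulated in ESP tunnel mode with the esp-3des / esp-md5-hmac or esp-sha-hmac transform sets that appear in the config posted later in this thread, and from that the largest cleartext packet, the matching `ip tcp adjust-mss` value and the largest ping payload that fit a 1500-byte path. It assumes tunnel mode, an 8-byte IV and a 12-byte ICV, and no extra link overhead such as PPPoE.

```python
import math

# Added example, not from the thread. ESP tunnel-mode framing for the
# esp-3des esp-md5-hmac / esp-sha-hmac transform sets (assumed sizes):
OUTER_IP_HDR = 20    # new IPv4 header added in tunnel mode
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
IP_TCP_HDRS = 40     # IPv4 + TCP headers without options
ICMP_ECHO_HDRS = 28  # IPv4 header + ICMP echo header

def esp_tunnel_len(inner_len, block=8, iv_len=8, icv_len=12):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes.
    3DES-CBC uses an 8-byte block and IV; HMAC-MD5-96 and HMAC-SHA1-96
    both append a 12-byte ICV. Plaintext + trailer is padded to a block."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP_HDR + ESP_HDR + iv_len + padded + icv_len

def max_inner_len(link_mtu=1500, block=8, iv_len=8, icv_len=12):
    """Largest inner packet whose encapsulation still fits in link_mtu."""
    budget = link_mtu - OUTER_IP_HDR - ESP_HDR - iv_len - icv_len
    return (budget // block) * block - ESP_TRAILER

def tcp_mss_for(inner_mtu):
    """Value for 'ip tcp adjust-mss' so a full segment fits inner_mtu."""
    return inner_mtu - IP_TCP_HDRS

def max_ping_data_len(link_mtu=1500):
    """Largest 'ping -l N' (Windows) / 'ping -s N' (Linux) payload that
    crosses the tunnel unfragmented; a sensible starting point for the
    downward size sweep described above."""
    return max_inner_len(link_mtu) - ICMP_ECHO_HDRS

def fits(ping_data_len, link_mtu=1500):
    """Does a ping of this payload size fit link_mtu after encapsulation?"""
    return esp_tunnel_len(ping_data_len + ICMP_ECHO_HDRS) <= link_mtu

if __name__ == "__main__":
    mtu = max_inner_len()
    print(f"max inner packet {mtu}, adjust-mss {tcp_mss_for(mtu)}, "
          f"max ping payload {max_ping_data_len()}")
    for size in (1472, 1418, 1400):
        print(f"ping -l {size}: {'fits' if fits(size) else 'fragments or is dropped'}")
```

With `-l 1400`, the size used in the ping output later in the thread, the encapsulated packet is 1480 bytes, so if the path really carries 1500 bytes those pings fit without fragmentation and bursts of loss at that size are not explained by MTU alone.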

  3. Guest

    Thanks for the tip. I tried that and all seemed well for about 30
    seconds and then:

    Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=79ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
    Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125

    Ping statistics for 192.168.1.27:
    Packets: Sent = 110, Received = 83, Lost = 27 (24% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 31ms, Maximum = 79ms, Average = 29ms

    The connection just seems to hang for whatever reason. The tunnel
    doesn't go down though...
     
    , May 9, 2005
    #3
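As an added example (not from the thread), the following script parses Windows ping output like the one posted above and turns it into the figures worth reading off it: overall loss and the longest run of consecutive timeouts, which at one probe per second is the duration of each hang and is the number to compare with the "about 30 seconds" in the first post. The excerpt embedded in the script is a constructed shortening of the output above.

```python
import re

# Constructed excerpt in the format of the Windows ping output posted above.
SAMPLE = """\
Reply from 192.168.1.27: bytes=1400 time=31ms TTL=125
Reply from 192.168.1.27: bytes=1400 time=47ms TTL=125
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.27: bytes=1400 time=32ms TTL=125
Request timed out.
Reply from 192.168.1.27: bytes=1400 time=79ms TTL=125
"""

REPLY_RE = re.compile(r"^Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)$")
TIMEOUT = "Request timed out."

def parse_ping(text):
    """Return one entry per probe: round-trip time in ms, or None if lost."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        m = REPLY_RE.match(line)
        if m:
            probes.append(int(m.group(3)))
        elif line == TIMEOUT:
            probes.append(None)
    return probes

def summarize(probes, interval_s=1.0):
    """Loss percentage, longest outage in probes and seconds, mean RTT.
    Windows ping sends one probe per second by default (interval_s)."""
    sent = len(probes)
    lost = sum(1 for p in probes if p is None)
    longest = run = 0
    for p in probes:
        run = run + 1 if p is None else 0   # consecutive timeouts so far
        longest = max(longest, run)
    replies = [p for p in probes if p is not None]
    return {
        "sent": sent,
        "lost": lost,
        "loss_pct": round(100 * lost / sent) if sent else 0,
        "longest_outage_probes": longest,
        "longest_outage_s": longest * interval_s,
        "avg_ms": round(sum(replies) / len(replies)) if replies else None,
    }

if __name__ == "__main__":
    print(summarize(parse_ping(SAMPLE)))
```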
  4. RobO Guest

    If you ping the external IP of one of the adjacent routers the same way
    does it return any packet loss?

    Post your config if you can.

    Rob
     
    RobO, May 9, 2005
    #4
  5. Guest

    Hi Rob,

    The same thing is happening for all of the connections.

    Here it is:

    Current configuration : 4537 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service compress-config
    service sequence-numbers
    !
    hostname XXXX
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    no logging buffered
    logging console critical
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    !
    !
    ip tcp synwait-time 10
    ip domain name xxxxxxxxx.co.uk
    ip name-server xxx.xxx.xxx.10
    ip name-server xxx.xxx.xxx.11
    no ip bootp server
    ip cef
    ip ids po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp policy 20
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
    crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
    crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
    crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
    !
    !
    crypto ipsec transform-set REMOTE-SET esp-3des esp-md5-hmac
    crypto ipsec transform-set REMOTE-SHA esp-3des esp-sha-hmac
    crypto ipsec df-bit clear
    !
    crypto map REMOTE-MAP 10 ipsec-isakmp
    description Remote VPN crypto map
    set peer xxx.xxx.xxx.xxx
    set transform-set REMOTE-SET
    match address VPN-PLACE1
    crypto map REMOTE-MAP 20 ipsec-isakmp
    description Remote VPN crypto map
    set peer xxx.xxx.xxx.xxx
    set transform-set REMOTE-SET
    match address VPN-PLACE2
    crypto map REMOTE-MAP 30 ipsec-isakmp
    set peer xxx.xxx.xxx.xxx
    set transform-set REMOTE-SET
    match address VPN-PLACE3
    crypto map REMOTE-MAP 40 ipsec-isakmp
    set peer xxx.xxx.xxx.xxx
    set transform-set REMOTE-SHA
    match address VPN-PLACE4
    !
    !
    !
    interface Vif1
    ip address 10.1.1.1 255.255.0.0
    shutdown
    !
    interface BRI0
    no ip address
    no ip redirects
    no ip proxy-arp
    ip route-cache flow
    shutdown
    no cdp enable
    !
    interface FastEthernet0
    description $FW_OUTSIDE$$ETH-WAN$
    ip address xxx.xxx.xxx.xxx 255.255.255.192
    ip mask-reply
    ip directed-broadcast
    ip route-cache flow
    ip tcp adjust-mss 1440
    duplex auto
    speed auto
    no cdp enable
    crypto map REMOTE-MAP
    crypto ipsec df-bit clear
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface FastEthernet4
    no ip address
    no cdp enable
    !
    interface Vlan1
    description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.2.2.2 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip route-cache flow
    ip tcp adjust-mss 1400
    crypto ipsec df-bit clear
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
    no ip http server
    ip http authentication local
    ip http secure-server
    ip nat pool PLACE3-NAT-POOL xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.0
    !
    !
    !
    ip access-list extended PLACE3-ACL
    remark ACL for PLACE3 for dynamic NAT
    remark SDM_ACL Category=2
    deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    deny ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    permit ip host 10.2.2.3 host xxx.xxx.xxx.xx5
    ip access-list extended VPN-
    ip access-list extended VPN-PLACE1
    remark SDM_ACL Category=4
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    ip access-list extended VPN-PLACE2
    remark SDM_ACL Category=4
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    ip access-list extended VPN-PLACE3
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    ip access-list extended VPN-PLACE4
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    logging trap debugging
    no cdp run
    !
    route-map SDM_RMAP_1 permit 1
    match ip address PLACE3-ACL
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login local
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    end
     
    , May 9, 2005
    #5
  6. RobO Guest

    As far as I know or understand, the match addresses for the
    crypto maps should be from source net to destination net and
    mirror-imaged on the other routers with their relevant internal
    networks.
    That is in the setup you're using at least.
    Some versions of IOS can be funny/buggy with different match address
    ACLs.

    "permit ip 10.2.2.0 0.0.0.255 <internal_net_other_side>
    <inverse_mask_for_other_side>"
    Something like this:
    permit ip 10.2.2.0 0.0.0.255 192.168.0.0 0.0.0.255.

    From what I can see in your previous posting, the match address
    access-lists are pointing to the IP addresses of the endpoints and I
    believe they should be the internal networks.

    //>
    ip access-list extended VPN-PLACE1
    remark SDM_ACL Category=4
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    ip access-list extended VPN-PLACE2
    remark SDM_ACL Category=4
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    ip access-list extended VPN-PLACE3
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    ip access-list extended VPN-PLACE4
    permit ip 10.2.2.0 0.0.0.255 host xxx.xxx.xxx.xxx
    //>

    So just for testing change these access-lists to point to the relevant
    destination networks not the device itself.

    Remove "host xxx.xxx.xxx.xxx" and replace with "network inverse_mask"

    Also remove all references to "crypto ipsec df-bit clear" for testing.

    Rob
     
    RobO, May 9, 2005
    #6
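As an added illustration of the check Rob describes (not code from the thread), this script parses IOS extended ACL entries of the kind used as crypto-map match addresses, flags entries whose destination is a single `host` rather than a network, and tests whether a peer's entry is the mirror image. The ACL text is constructed in the shape of the ACLs quoted above; 192.0.2.10 and 192.168.0.0/24 are placeholders for the masked peer and remote-network values.

```python
from ipaddress import IPv4Network

# Constructed sample in the shape of the ACLs quoted above; 192.0.2.10 is a
# placeholder for the masked peer address in the original config.
LOCAL_ACLS = """\
ip access-list extended VPN-PLACE1
 remark SDM_ACL Category=4
 permit ip 10.2.2.0 0.0.0.255 host 192.0.2.10
ip access-list extended VPN-PLACE2
 permit ip 10.2.2.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Constructed: what the PLACE2 peer's crypto ACL should look like.
REMOTE_ACL = """\
ip access-list extended VPN-HQ
 permit ip 192.168.0.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return IPv4Network("0.0.0.0/0")
    if t == "host":
        return IPv4Network(f"{tokens.pop(0)}/32")
    # ipaddress accepts an IOS wildcard (inverse) mask as a hostmask
    return IPv4Network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
        elif tokens[:2] == ["permit", "ip"] and current is not None:
            rest = tokens[2:]
            src = _parse_addr(rest)
            dst = _parse_addr(rest)
            acls[current].append((src, dst))
    return acls

def host_destinations(acls):
    """Entries whose destination is one host rather than a network."""
    return [(name, str(dst)) for name, entries in acls.items()
            for _, dst in entries if dst.prefixlen == 32]

def is_mirror(local, remote):
    """The peer's entry must swap source and destination exactly."""
    return local[0] == remote[1] and local[1] == remote[0]
```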
  7. Tosh Guest

    > Does anyone have any ideas?
    >

    I've had bad experiences with CEF on that router and some 12.3 releases;
    have you tried to switch it off?
    Bye,
    Tosh.
     
    Tosh, May 10, 2005
    #7
  8. wrote:
    > Hi folks, I was wondering if any of you Cisco guru's out there would be
    >
    > willing to help me out.
    >
    >
    > I am currently experiencing a problem with my Cisco 1712 VPN router. I
    > have 5 VPN tunnels set up to different sites and they are all working
    > fine i.e. the tunnel comes up and I can ping the other side. However
    > recently I have been experiencing packet loss, I set up a continuous
    > ping to the other IP address and every minute or so the ping stops
    > responding for about 30 seconds and then comes back again.
    >
    >
    > The same thing happens when transferring any amount of data through the
    >
    > connection - it just dies.
    >
    >
    > I am seeing roughly 30% packet loss through the connection and I have
    > been pulling my hair out looking through Cisco.com for a solution but
    > so far no luck.
    >
    >
    > Does anyone have any ideas?


    Take a look at the crypto maps and the lifetimes of the ISAKMP and
    IPsec parts. "show crypto isakmp policy" and "show crypto map" should
    give you some answers.
    Anyway, debug output of ISAKMP and IPsec is welcome. You didn't say
    anything about the other IPsec endpoints. Cisco's too? Or something else?

    Once I've had nearly the same problem. Regularly issuing "clear crypto
    isakmp" was the only thing I could do. After updating the IOS everything
    was clean.

    \cd
     
    Draschl Clemens, May 11, 2005
    #8
