Puzzling VPN problem with Windows 2003

Discussion in 'Cisco' started by John Rennie, Mar 14, 2006.


    I have a standard IPSEC VPN running between two 837s using a shared secret. If
    I put two Windows 2003 domain controllers at opposite ends of the VPN then
    reproducibly every 8 days or so the two domain controllers lose the ability to
    talk to each other.

    The two DCs have been left in the same site and both are global catalog
    servers, so there is quite a lot of replication traffic between them. For the
    first 8 days everything is fine, but after that the file replication service
    starts reporting errors. If I do "net view \\theotherserver" from either of
    the servers I get a 2 minute wait then a variety of different error messages.
    The servers can still ping each other and indeed can still telnet to each
    other on port 25 or 80. They can also "net view" other servers not involved in
    the VPN. When the error has happened the only cure is to reboot the servers.
    Rebooting the routers does not have any effect.

    I've done some limited packet sniffing when trying the "net view", and it
    looks as though some, but not all of the packets sent by one server do not
    arrive at the other server. However I haven't pinned down any definite
    patterns.

    I've done the obvious control experiment of using different routers to
    establish the VPN. If I try it with two Draytek Vigor 2800 routers then the
    problem does *not* occur. At least I ran the experiment for 22 days and the
    problem didn't occur.

    The problem only happens with the Cisco VPN, but rebooting the Ciscos doesn't
    help. That means the problem must be with the servers, but then it doesn't
    happen using the Draytek routers so I'm led neatly back to where I started. My
    guess is that there is some intermittent problem with the VPN that upsets
    the IP stack on Windows 2003; maybe some unexpected packet loss or packet
    corruption. The problem is quite reproducible so it's a real effect.

    Pinning this one down is likely to prove impossible. I'm hoping someone out
    there will have run into the same problem or will know of a reference to it on
    Cisco's site. All suggestions gratefully received.

    I've attached the config for one of the two 837s making the VPN. The other
    config is very similar so I haven't posted it.

    JR

    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router
    !
    logging buffered 4096
    enable secret <enablesecret>
    !
    username router password <password>
    username admin password <password>
    username renniej password <password>
    no aaa new-model
    ip subnet-zero
    !
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    !ip audit notify log
    !ip audit po max-events 100
    !no ftp-server write-enable
    !
    ! PPTP dialins
    ! ============
    !
    vpdn enable
    !
    vpdn-group pptp
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    exit
    exit
    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    peer default ip address pool default
    ppp encrypt mppe auto
    ppp authentication ms-chap
    !
    ip local pool default 192.168.128.224 192.168.128.239
    !
    ! VPNs
    ! ====
    !
    crypto isakmp policy 1
    encryption des
    hash sha
    authentication pre-share
    group 1
    !
    crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
    crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
    crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
    !
    ! Work
    crypto map cm-cryptomap 1 ipsec-isakmp
    set peer <work-ip>
    set transform-set tr-des-sha
    match address 120
    crypto isakmp key <sharedsecret> address <work-ip>
    !
    no access-list 120
    access-list 120 remark Site to Site VPN to Work
    access-list 120 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
    access-list 120 deny ip 192.168.128.0 0.0.0.255 any
    !
    ! Use a policy map to prevent NAT through the VPN by routing the VPN
    ! traffic through the loopback adapter
    !
    route-map nonat permit 10
    match ip address 129
    set ip next-hop 1.1.1.2
    !
    no access-list 129
    access-list 129 remark Route VPN traffic through the loopback adapter
    access-list 129 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
    !
    ! Interfaces
    ! ==========
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    interface Ethernet0
    ip address 192.168.128.254 255.255.255.0
    ip nat inside
    ip route-cache policy
    ip policy route-map nonat
    no ip mroute-cache
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname <adslusername>
    ppp chap password <adslpassword>
    ppp pap sent-username <adslusername> password <adslpassword>
    crypto map cm-cryptomap
    no ip route-cache
    no ip mroute-cache
    hold-queue 224 in
    !
    ! NAT
    ! ===
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static 192.168.128.1 217.146.127.18
    ip nat inside source static 192.168.128.16 217.146.127.19
    ip nat inside source static 192.168.128.128 217.146.127.22
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    no ip http secure-server
    !
    ! Access lists
    ! ============
    !
    no access-list 23
    access-list 23 remark Allowed to manage the router
    access-list 23 permit 192.168.128.0 0.0.0.255
    !
    no access-list 102
    access-list 102 remark Addresses to NAT behind router
    access-list 102 deny ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
    access-list 102 permit ip 192.168.128.0 0.0.0.255 any
    ! Can't remember why this is here; probably an accident of history
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    !
    no access-list 111
    access-list 111 remark Incoming access from the Internet
    ! ping
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    ! VPN
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit gre any any
    ! Servers
    access-list 111 permit tcp any host 217.146.127.18 eq 21
    access-list 111 permit tcp any host 217.146.127.18 eq 25
    access-list 111 permit tcp any host 217.146.127.18 eq 53
    access-list 111 permit udp any host 217.146.127.18 eq 53
    access-list 111 permit tcp any host 217.146.127.18 eq 80
    access-list 111 permit tcp any host 217.146.127.18 eq 110
    access-list 111 permit tcp any host 217.146.127.18 eq 443
    ! Allow file sharing access
    access-list 111 permit udp any host 217.146.127.19 eq 6257
    access-list 111 permit tcp any host 217.146.127.19 eq 6699
    access-list 111 permit tcp any host 217.146.127.19 eq 5042
    access-list 111 permit udp any host 217.146.127.19 eq 5042
    access-list 111 permit tcp any host 217.146.127.19 eq 6346
    ! Allow incoming NTP
    access-list 111 permit udp any any eq 123
    ! Allow VPN traffic
    access-list 111 permit ip 172.31.255.0 0.0.0.255 192.168.128.0 0.0.0.255
    ! Deny the rest
    access-list 111 deny ip any any log
    !
    dialer-list 1 protocol ip permit
    !
    ! SNMP
    ! ====
    snmp-server community public ro
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    banner motd |
    Rattus Hacking Software

    You require authorisation to connect to this device.
    If you are not authorised to connect to this device please disconnect now.

    |
    !
    end
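Added example, not part of John Rennie's post: a small Python checker for the IOS wildcard-mask ACL semantics that hold the posted design together. For LAN-to-LAN traffic to be encrypted rather than NATed, a flow must be permitted by crypto ACL 120, denied (i.e. exempted) by NAT ACL 102, and permitted by route-map ACL 129; the ACL text is copied from the post, the sample flow addresses are constructed within the posted subnets.

```python
import ipaddress

# ACL text copied from the posted 837 config (remarks are skipped by the parser).
ACL_120 = """access-list 120 remark Site to Site VPN to Work
access-list 120 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 120 deny ip 192.168.128.0 0.0.0.255 any"""
ACL_102 = """access-list 102 remark Addresses to NAT behind router
access-list 102 deny ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 102 permit ip 192.168.128.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any"""
ACL_129 = """access-list 129 remark Route VPN traffic through the loopback adapter
access-list 129 permit ip 192.168.128.0 0.0.0.255 172.31.255.0 0.0.0.255"""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit must match, a 1 bit is don't-care (inverse of a netmask)."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _addr(tokens, i):
    """Read one address spec ('any', 'host X', or 'X WILDCARD'); return ((base, wc), next_index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def evaluate(acl_text, src, dst):
    """First-match evaluation of the 'access-list N permit|deny ip SRC DST' subset used in the post."""
    for line in acl_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # remarks and non-IP entries are not modelled here
        (sb, sw), i = _addr(t, 4)
        (db, dw), _ = _addr(t, i)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return t[2]
    return "deny"  # every Cisco ACL ends with an implicit deny

def vpn_flow_consistent(src, dst):
    """True when the three ACLs agree that src->dst is encrypted, NAT-exempt and policy-routed."""
    return (evaluate(ACL_120, src, dst) == "permit"
            and evaluate(ACL_102, src, dst) == "deny"
            and evaluate(ACL_129, src, dst) == "permit")

if __name__ == "__main__":
    # Constructed sample flows: one across the tunnel, one to the Internet.
    print(vpn_flow_consistent("192.168.128.10", "172.31.255.5"))  # True
    print(vpn_flow_consistent("192.168.128.10", "203.0.113.7"))   # False
```

Extending the three ACL strings with a proposed change and re-running the check shows whether a new subnet would be silently NATed instead of sent down the tunnel.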