Site to Site VPN drops connection after traffic dies down


COMPUTERTECH33

Hi all.

I have a remote site that drops its connection each day. The drop is only after there is no activity from the branch. It always drops after the last employee leaves for the day.

sh ru
Building configuration...

Current configuration : 3839 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxxx
!
no logging on
enable password 7 zzzzzzzzzzzzzzzzzzzzz
!
username xxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
username xxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
username xxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
memory-size iomem 20
ip subnet-zero
no ip finger
no ip domain-lookup
ip host test 2005 192.168.18.1
ip dhcp excluded-address 192.168.18.1 192.168.18.20
!
ip dhcp pool xxxxxxxx
import all
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
domain-name xxxxxxxx.com
dns-server 172.17.2.60 xxxxxxxxxxx
netbios-name-server 172.17.2.60 172.17.2.30
netbios-node-type h-node
lease 30
!
ip dhcp pool jdirect1
host 192.168.18.20 255.255.255.0
hardware-address 0030.c154.724b
client-name NPI54724b
!
ip dhcp pool jdirect2
host 192.168.18.19 255.255.255.0
hardware-address 0030.c153.bdbc
client-name NPI53bdbc
!
chat-script modem ABORT ERROR "" "ATDT\T" TIMEOUT 60 CONNECT \c
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxxx address xxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer xxxxxxxxxxxxxxxx
set transform-set sharks
match address 121
!
!
!
!
interface Ethernet0
ip address xxxxxxxxxxxxx 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map nolan
!
interface FastEthernet0
ip address 192.168.18.1 255.255.255.0
ip helper-address 172.17.2.30
ip helper-address 172.17.2.255
ip helper-address 172.17.255.255
ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
speed auto
!
interface Async5
ip address xxxxxxxxxxxxxx 255.255.255.0
encapsulation ppp
keepalive 10
dialer in-band
dialer idle-timeout 300
dialer string xxxxxxxxxxxxxx
dialer-group 1
fair-queue
ppp authentication chap
!
interface Dialer1
no ip address
no cdp enable
!
router eigrp 100
network xx.0.0.0
network xx.1.0.0
network 172.20.0.0
network 172.21.0.0
network 192.168.18.0
auto-summary
no eigrp log-neighbor-changes
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip kerberos source-interface any
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip forward-protocol udp netbios-ss
ip forward-protocol udp 42508
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
ip route 0.0.0.0 0.0.0.0 Async5 200
no ip http server
!
no logging trap
access-list 110 deny ip 192.168.18.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny ip 192.168.18.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.18.0 0.0.0.255 any
access-list 120 permit ip 192.168.18.0 0.0.0.255 any
access-list 121 permit ip 192.168.18.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.18.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 150 permit esp host xxxxxxxxxxxxxx host xxxxxxxxxxxxx
access-list 150 permit udp host xxxxxxxxxxx host xxxxxxxxxxx eq isakmp
access-list 150 permit ip any 192.168.18.0 0.0.0.255
access-list 150 deny ip any any
priority-list 1 protocol ip high
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 110
!

^C
!
line con 0
password 7 xxxxxxxxxxx
login
transport input none
line aux 0
password 7 xxxxxxxxxxxxx
autoselect ppp
modem InOut
modem autoconfigure discovery
transport input all
autohangup
flowcontrol hardware
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxxxxx
login
!
no scheduler allocate
end

Any help would be appreciated.
 
Is it possible that when the last person leaves and turns out the lights they are killing the power to the router as well? Does the remote site turn off all of their PCs when they leave?
 
When I do a sh version, the router has been up for 3 days. So no, I don't think it is a power issue. If all computers at the remote branch are turned off, would that kill the vpn connection to our central HQ?

I have 50 remote sites, and this is the only one with this issue.
 
I don't know. I would think that without any interesting traffic that the router would close the VPN based on some kind of timer. When the VPN went down I would do an extended ping to bring the VPN back up and then IP scan that remote subnet and see if there is anything left online. We leave our PCs online as our Microsoft updates, virus scans, and backups take place in the off hours.

One thing you may check is the IOS on the remote device. Could be the version it is running may have a bug.

What type of internet connection at that remote site?
 
It is a DSL circuit. So, you're saying that I should ping the remote router WAN ip from my central location, and see if that brings the circuit back up?

IOS (tm) C1700 Software (C1700-K2SY7-M), Version 12.1(3)XT2,
 
An extended ping from HQ router lan interface to lan interface of remote router should attempt to bring the VPN back up. Do a show crypto isa sa and you will see if the connection comes back. May take a minute or so. If the VPN comes back up I would then use an IP scanner and scan for devices active on that remote subnet.

Also that IOS is really old and could be the problem. Get a 12.3 release for that feature set and give that a try.

1720 Software Feature Sets: IP/ADSL/FW/IDS PLUS IPSEC 3DES
Release: 12.3.18 ( LD - Limited Deployment )
16(MB) Min. Flash
48(MB) Min. Memory
c1700-k9o3sy7-mz.123-18.bin 16-MAR-2006

12.1(3)XT2 RETIRED 15-JAN-2004
Current IOS runs on 32 and 8 for memory
IP Plus IPSec 3DES ADSL
c1700-k2sy7-mz
8 MB
32 MB

What model 1700 is this and what WICS are in it?
 
Well, I pinged an internal IP address and the site has not gone down for the last two nights.

Any other ideas besides upgrading IOS?

thanks
 
Intermittent problems are hard to fix. I believe one of two, or both, are the problem. 1st is that IOS should be upgraded. I remember having problems with older IOS releases at our site with VPN connections. Upgrading the IOS for each device seemed to fix it for us. 2nd is the VPN may be dropping due to carrier problems. DSL is not the most reliable communication method. Could be that after a carrier drop that the VPN does not re-establish until interesting traffic is generated and then the router will connect.
 
Take a look at the following link. It is a free tool that you can set up to automatically ping different devices. It can also be set up to send an email upon failure. It may be useful as it will keep a log of all failures and maybe then after several events there may be a pattern or common time of failure. Then it will be easier to pinpoint.


For the speech part to work properly you may need to download a few components from
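
The last post suggests logging ping failures and looking for a common time of failure. As an added example (not part of the thread, and not the tool the poster linked), this Python script groups a probe log into outages and counts them by the hour they began; the log format and the sample lines are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample (assumed format): pings to 192.168.18.1, the remote LAN IP.
SAMPLE_LOG = """\
2006-05-01 18:00 192.168.18.1 FAIL
2006-05-01 18:30 192.168.18.1 FAIL
2006-05-02 07:30 192.168.18.1 OK
2006-05-02 18:00 192.168.18.1 FAIL
2006-05-02 18:30 192.168.18.1 OK
2006-05-03 11:00 192.168.18.1 FAIL
2006-05-03 11:30 192.168.18.1 OK
2006-05-03 18:00 192.168.18.1 FAIL
"""

def parse_log(text):
    """Return time-sorted (timestamp, reachable) tuples; skip malformed lines."""
    samples = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M")
        except ValueError:
            continue
        samples.append((ts, parts[3] == "OK"))
    return sorted(samples)

def find_outages(samples):
    """Group consecutive failures into (start, end, failed_probes); end is None if still down."""
    outages, start, failed = [], None, 0
    for ts, ok in samples:
        if not ok:
            start = ts if start is None else start
            failed += 1
        elif start is not None:
            # First good probe after a run of failures closes the outage.
            outages.append((start, ts, failed))
            start, failed = None, 0
    if start is not None:
        outages.append((start, None, failed))
    return outages

def outage_start_hours(outages):
    """Count outages by the hour of day in which they began."""
    return Counter(start.hour for start, _end, _count in outages)

if __name__ == "__main__":
    print(outage_start_hours(find_outages(parse_log(SAMPLE_LOG))).most_common(1))
```

An outage that always begins in the same hour points at an idle or scheduled cause, while start times scattered across the day fit the carrier-drop explanation better.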
 