
I work for a company split over two sites. Both sites are connected together via a VPN connection with two Cisco 850 boxes.

The problem we are facing frequently (often during the morning, just after a night of inactivity), is that establishing a connection is very painful because we have to retry 10 times before success.

I've put Wireshark on both computers, and I've observed that:

On the client:

 -> SYN ->
<- SYN/ACK <-
 -> ACK ->
 <- RST <-

On the server:

 <- SYN <-
-> SYN/ACK ->
 <- ACK <-
 <- RST <-

Both receive a RST (I guess from the VPN)!

I wonder what can lead to this problem?

Has anyone faced a similar problem? Any clue how to solve this? I think the problem may be related to some timeout configuration (because it happens only in the morning).


Update:

Thanks all for your answers. I've forwarded your recommendations to my network administrator, but I'm still waiting for his answer. As soon as I get a response, I will post on this topic. As I have put a bounty, even if my issue isn't solved, the bounty will be automatically attributed.

Steve Gury

3 Answers


Many of the Cisco 850 Series routers shipped with buggy default firmware. Update your firmware; if that doesn't solve it, please post your show run.

Jordan Eunson

Probably not the answer you want to hear, but you usually don't get a RST from a failed VPN.... my first guess would be that you either don't have matching ACLs on both sides (which should result in the tunnel not coming up at all) or your ACL either isn't allowing the outbound or inbound connection.

Have you tried increasing debug for isakmp & ipsec on the endpoints to see whether you're encrypting/decrypting properly?

    debug crypto ipsec
    debug crypto isakmp

Greeblesnort

greeblesnort is right, a down VPN would not send a RST - it'd show up as packet loss until it comes back - pings would time out, and initiating a TCP connection from your client would get no response (no SYN/ACK from the server).

That said, it could be that your first few attempts are causing the routers to re-initialize an expired security association. Make sure the re-key parameters are the same on both ends (crypto ipsec security-association lifetime seconds <###> (usually 86400)).

And yes, post your configs.

eric sorenson
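Since a RST delivered after a completed handshake can come from the peer or from a device in the path (the question guesses the VPN; the answers above reason that a down tunnel would not produce one), the following added example (not code from any poster here) walks a constructed client-side capture, finds flows that were reset after the 3-way handshake, and compares the RST's IP TTL with the TTL of the SYN/ACK from the same endpoint. The capture tuples, addresses and TTL values are made up for the example; in practice you would export them from Wireshark.

```python
from collections import defaultdict

# Constructed sample capture from the client side of the tunnel (not real data):
# (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags, ip_ttl)
CLIENT_CAPTURE = [
    (0.000, "10.1.0.5", 51234, "10.2.0.10", 22, "S", 64),
    (0.031, "10.2.0.10", 22, "10.1.0.5", 51234, "SA", 60),
    (0.031, "10.1.0.5", 51234, "10.2.0.10", 22, "A", 64),
    (0.045, "10.2.0.10", 22, "10.1.0.5", 51234, "R", 255),  # RST, TTL differs from SYN/ACK
    (1.000, "10.1.0.5", 51235, "10.2.0.10", 22, "S", 64),
    (1.030, "10.2.0.10", 22, "10.1.0.5", 51235, "SA", 60),
    (1.030, "10.1.0.5", 51235, "10.2.0.10", 22, "A", 64),
    (1.040, "10.2.0.10", 22, "10.1.0.5", 51235, "PA", 60),  # normal data, no RST
]

def flow_key(pkt):
    """Direction-independent key so both halves of a connection land in one flow."""
    _, src, sport, dst, dport, _, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def find_post_handshake_resets(capture):
    """One finding per flow that completed the 3-way handshake and was then reset.

    A RST whose IP TTL differs from the TTL of the SYN/ACK from the same endpoint was
    not built by the same host on the same path, which points at an intermediate box.
    """
    flows = defaultdict(list)
    for pkt in capture:
        flows[flow_key(pkt)].append(pkt)
    findings = []
    for pkts in flows.values():
        state, client = "new", None   # new -> syn -> synack -> established
        ttl_by_endpoint = {}          # (ip, port) -> TTL of first non-RST packet it sent
        for t, src, sport, dst, dport, flags, ttl in pkts:
            ep = (src, sport)
            if "R" not in flags:
                ttl_by_endpoint.setdefault(ep, ttl)
            if flags == "S" and state == "new":
                state, client = "syn", ep
            elif flags == "SA" and state == "syn":
                state = "synack"
            elif flags == "A" and state == "synack" and ep == client:
                state = "established"
            elif "R" in flags and state == "established":
                expected = ttl_by_endpoint.get(ep)
                findings.append({"client": client, "rst_from": ep, "time": t,
                                 "ttl_mismatch": expected is not None and expected != ttl})
                break   # one finding per flow is enough
    return findings
```

A `ttl_mismatch` of True is a strong hint that the reset was generated by a middlebox rather than the peer; running the same check on the server-side capture tells you which side of the tunnel is producing it.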