WRV200 and Cisco Pix 506

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by kspare, Jun 21, 2006.

  1. kspare

    kspare Computer Guy Staff Member Member

    Something really weird is going on here.... The VPN will come up, then drop, then all of a sudden come up again. I'm thinking there is a negotiation problem.

    Here's the info from my PIX config, which works perfectly for WRV54G routers and other PIX firewalls.

    Tunnel Policy is default esp-aes-256-md5, tunnel life of 1 hour, and no pfs

    I have two IKE policies:
    Des md5 dh-2 preshare 3600 lifetime
    aes-des md5 dh-5 preshare 3600 lifetime

    IKE is enabled on the outside
    identity is set to address
    and NAT traversal is enabled
    NAT keepalive is set to 60

    the des md5 IKE is for WRV54Gs
    the des aes-des is for PIXes

    The preshared key is set up with no xauth and no mode config

    So that's how my PIX is configured, works FLAWLESSLY with WRV54G and PIXes.

    Here's the WRV200 config:
    tunnel a
    tunnel enabled
    gave it a name
    nat-t is disabled
    local is a subnet
    remote is a subnet
    gateway is an IP address (FQDN does not friggen work!)
    The only things I changed in IKE were my pre-shared key, and the ISA and IPsec times are changed to 3600

    Dead Peer Detection is turned off
    If IKE Fail is off
    anti-replay is off
    Global NAT is disabled.

    The VPN will come up... last for 15 mins or so, and then drop again.

    The VPN log shows the following... but I'm not 100% sure where I can even fix it.

    042 [Wed 11:26:55] packet from xxx.xxx.xxx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
    043 [Wed 11:26:55] packet from xxx.xxx.xxx.xxx:500: received and ignored informational message

    Any help would be appreciated. If I can get the VPN to work this will be a great box for me with the improved wireless.
  2. kspare

    kspare Computer Guy Staff Member Member

    I just noticed that as soon as a user connects via wireless the WRV200 craps out and reboots. But prior to that it was working really well. Seems like a flaw in the software at this point.
  3. kspare

    kspare Computer Guy Staff Member Member

    I've now switched the VPN to 3DES with no wireless users.

    This worked perfectly for about an hour; once a wireless user came on, it seemed to drop.

    Specifically, once the user logs on to MSN the router crashes and reboots.
  4. kspare

    kspare Computer Guy Staff Member Member

    Seems like this router is underpowered...

    The VPN is now stable, the user on wireless can get on MSN.

    BUT, if I try to go into the web interface to do anything, the router will crash, and I can work on it as long as the user does not go onto MSN. Something is up. I've talked to Linksys and there is no beta firmware out at this time to try and fix this.
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    What's hosting the VPN, the WRV200 or the PIX?

  6. kspare

    kspare Computer Guy Staff Member Member

    One more update.

    My user told me today, if they just plug directly into the router and don't use wireless everything works fine.
  7. kspare

    kspare Computer Guy Staff Member Member

    Define host? It's a site-to-site VPN between the WRV200 and the PIX.
  8. csayers

    csayers LI Guru Member

    Wireless kills VPN

    kspare, I can confirm this behaviour on 2 different WRV200s. The first one I sent back because I thought it was faulty. I cannot believe this thing would drop the VPN and disconnect the wireless user every 5 minutes or less!!!

    This thing is useless as a VPN endpoint if you use wireless, or useless as a wireless AP if you use an IPsec VPN.

    I hope new firmware clears this up. Very weird behaviour from the built-in webserver.

    I will say that plugging my D-Link wireless AP into the LAN and using the WRV200's IPsec VPN, the tunnel is very stable and reconnects quickly to my ZyXEL ZyWALL 35 if the tunnel drops for any reason.

    Bizarre that Linksys labels this as a business-class solution, what a farce.
  9. HughR

    HughR LI Guru Member

    This should not be related to wireless activity behind the router. This message suggests that the other VPN box (a PIX?) isn't accepting the IKE proposal that this side is making.

    Of course all bets are off if some process in the WRV200 is corrupting the Pluto process on the same box. Does the WRV200 have memory protection? Perhaps not -- uClinux works on boxes without MMUs.
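    As an added illustration of HughR's point (not code from anyone in the thread or from either vendor), the script below models the IKE phase-1 match rule a Cisco responder applies to the two PIX policies kspare listed, and flags the NO_PROPOSAL_CHOSEN line from the posted log. The WRV200-side proposals are constructed assumptions, since the thread never lists the WRV200's IKE algorithm settings.

    ```python
    """IKE phase-1 proposal matching plus a NO_PROPOSAL_CHOSEN log check.

    Match rule (Cisco IKE responder): encryption, hash, DH group and auth
    method must be identical, and the initiator's lifetime must not exceed
    the responder's. No match -> the responder answers NO_PROPOSAL_CHOSEN.
    """
    import re
    from dataclasses import dataclass
    from typing import Iterable, List, Optional, Tuple


    @dataclass(frozen=True)
    class IkePolicy:
        encryption: str   # des, 3des, aes ...
        hash_alg: str     # md5, sha1
        dh_group: int     # 1, 2, 5 ...
        auth: str         # preshare, rsa-sig
        lifetime: int     # seconds


    def select_policy(initiator: IkePolicy,
                      responder: Iterable[IkePolicy]) -> Optional[IkePolicy]:
        """Return the first responder policy the initiator's proposal satisfies."""
        for cand in responder:
            same_suite = (cand.encryption, cand.hash_alg, cand.dh_group, cand.auth) == \
                         (initiator.encryption, initiator.hash_alg,
                          initiator.dh_group, initiator.auth)
            if same_suite and initiator.lifetime <= cand.lifetime:
                return cand
        return None


    # Pluto-style line: "<seq> [<stamp>] packet from <peer>:<port>: <message>"
    LOG_RE = re.compile(r"^(\d+)\s+\[([^\]]+)\]\s+packet from (\S+):\s+(.*)$")


    def find_rejections(lines: Iterable[str]) -> List[Tuple[str, str]]:
        """Return (timestamp, peer) for every NO_PROPOSAL_CHOSEN notification."""
        return [(m.group(2), m.group(3)) for m in map(LOG_RE.match, lines)
                if m and "NO_PROPOSAL_CHOSEN" in m.group(4)]


    # The two IKE policies kspare describes on the PIX.
    PIX_POLICIES = [IkePolicy("des", "md5", 2, "preshare", 3600),
                    IkePolicy("aes", "md5", 5, "preshare", 3600)]
    # Constructed WRV200 proposals (assumptions, not the device's real defaults).
    WRV200_GUESS = IkePolicy("3des", "sha1", 2, "preshare", 3600)   # no match
    WRV200_TUNED = IkePolicy("des", "md5", 2, "preshare", 3600)     # matches
    # The two log lines from the first post, redacted as posted.
    SAMPLE_LOG = [
        "042 [Wed 11:26:55] packet from xxx.xxx.xxx.xxx:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN",
        "043 [Wed 11:26:55] packet from xxx.xxx.xxx.xxx:500: received and ignored informational message",
    ]
    ```

    Because the rejection arrives in a packet from the peer's port 500, the log places the refusal on the PIX side of the exchange, which is where the proposal comparison has to be made.
    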