andersenks
asked on
Cisco VPN Tunnel cannot get e-mail from Exchange server
Having a problem with my VPN tunnel. I have five VPN tunnels set up that work fine except one site; at this site all of our users are having trouble getting their e-mail from the Exchange server. I can ping it and can even telnet to the Exchange server from the remote site. All the showrooms have virtually the same config and the tunnel seems to be up and running fine... I'm completely stumped. Can anyone see anything wrong with the config on the remote router?
Cisco 831 router
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname *****
!
logging buffered 25000 debugging
enable secret 5 ******
!
clock timezone EST -5
no aaa new-model
ip subnet-zero
ip domain name domain.com
no ip dhcp conflict logging
ip dhcp excluded-address 10.11.4.1 10.11.4.100
!
ip dhcp pool atlanta
network 10.11.4.0 255.255.255.0
dns-server 192.168.1.5 192.168.1.7
default-router 10.11.4.1
domain-name domain.com
lease 7
!
!
ip inspect name inboundfw ftp
ip inspect name inboundfw smtp
ip inspect name inboundfw tcp timeout 3600
ip inspect name inboundfw http timeout 3600
ip inspect name inboundfw udp
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key 0 **** address 66.88.86.116
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransform esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 66.88.86.116
set transform-set mytransform
match address VPNTraffic
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0
description LAN
ip address 10.11.4.1 255.255.255.0
ip nat inside
ip inspect inboundfw out
no cdp enable
!
interface Ethernet1
description DSL to BellSouth
no ip address
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
crypto map mymap
!
interface Dialer0
ip address negotiated
ip access-group 101 in
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname *******@bellsouth.net
ppp chap password 0 ********
crypto map mymap
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source list internet interface Dialer0 overload
ip nat inside source static tcp 10.11.4.2 3389 interface Dialer0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip access-list extended VPNTraffic
remark VPN Traffic
permit ip 10.11.4.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 10.11.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.11.4.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended internet
remark Internet Usage
deny ip 10.11.4.0 0.0.0.255 172.16.0.0 0.0.255.255
deny ip 10.11.4.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.11.4.0 0.0.0.255 192.168.40.0 0.0.0.255
permit ip 10.11.4.0 0.0.0.255 any
no logging trap
access-list 120 permit ip 10.11.4.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 10.11.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.11.4.0 0.0.0.255 192.168.40.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map NONAT permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
!
line con 0
exec-timeout 120 0
password ****
login
no modem enable
stopbits 1
line aux 0
password ****
login
line vty 0 4
exec-timeout 120 0
password ****
login
!
scheduler max-task-time 5000
!
end
Let me know if you need to see the destination router config
atl-show-edge1_ro#sh cry isakmp sa
dst src state conn-id slot
66.88.86.116 68.213.15.8 QM_IDLE 1 0
ASKER
Hahaa!!! I am fried... The exchange server is on the 192.168.1.0 subnet
thanks for the help
I don't see anything obviously wrong with your config. Specifically, what problem are the users experiencing? What errors are they seeing? Are you seeing problems with any other applications?
-Todd
ASKER
Not that I can see... everything else looks normal... even ping times are okay. When users open Outlook they get that pop-up several times that says "Outlook is requesting data from your Exchange server". Eventually it will sync up. When we try to send mail we get an error that Outlook was unable to connect to the Exchange server due to network issues... very odd.
ASKER
If this is any help... looks okay to me
atl-show-edge1_ro#sh cry ipsec sa
interface: Dialer0
Crypto map tag: mymap, local addr. 68.213.15.8
protected vrf:
local ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 66.88.86.116:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 116817, #pkts encrypt: 116817, #pkts digest 116817
#pkts decaps: 160489, #pkts decrypt: 160489, #pkts verify 160489
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 0
local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
path mtu 1500, media mtu 1500
current outbound spi: 7E541A10
inbound esp sas:
spi: 0x7E698CE0(2120846560)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 20, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4487803/73017)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7E541A10(2119440912)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 21, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4489201/73017)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
current_peer: 66.88.86.116:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
current_peer: 66.81.88.116:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1342, #pkts encrypt: 1342, #pkts digest 1342
#pkts decaps: 430, #pkts decrypt: 430, #pkts verify 430
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
path mtu 1500, media mtu 1500
current outbound spi: 1DBE70DF
inbound esp sas:
spi: 0xB7D791E2(3084358114)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 22, flow_id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4434746/73012)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1DBE70DF(499019999)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 23, flow_id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4434620/73009)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
I agree with tlamonia; the configs look OK, your IPsec SA looks good, and you can ping and telnet.
Only thing I can suggest is resizing your MTU.
Ping your Exchange server from a PC on the remote subnet with the "-l" option to find the max packet size being allowed through your ISP.
Start at 1500, e.g. ping 192.168.1.?? -l 1500.
Does it reply or time out? If it times out, keep reducing until you get a response, dropping by 100 each time.
When you get replies, set your MTU to that value.
If it replies at 1500, clear down the tunnel and let it renegotiate; sometimes that works....
ASKER CERTIFIED SOLUTION
tlamonia,
Agree with the adjust-mss addition, forgot that bit !!
ASKER
This is what I'm getting when pinging from the remote site
C:\>ping 192.168.1.4 -l 1500
Pinging 192.168.1.4 with 1500 bytes of data:
Reply from 192.168.1.4: bytes=1500 time=251ms TTL=123
Reply from 192.168.1.4: bytes=1500 time=248ms TTL=123
Reply from 192.168.1.4: bytes=1500 time=275ms TTL=123
Reply from 192.168.1.4: bytes=1500 time=262ms TTL=123
Ping statistics for 192.168.1.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 248ms, Maximum = 275ms, Average = 259ms
Have a look through the following http://msexchangeteam.com/archive/2005/05/25/405353.aspx
Some good info in there, especially the bit on ExMon to look at the mapi client usage.
Will keep looking into it but post back anything you find useful from above.
SOLUTION
ASKER
Well I did all three things...
1. Added the keepalives
2. Lowered the MTU to 1370
3. reloaded the remote router and ran "clear cry isakmp sa" on the destination router.
and...
it worked! Not sure which of the three resolved it but I suspect it was lowering the MTU
Thanks so much guys.... very much appreciated!
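The MTU probe suggested earlier in the thread and the three changes the asker ended up making (keepalives, MTU 1370, clearing the SAs) are worth seeing as one worked configuration. The snippet below is an added illustration for this thread, not the asker's or the experts' actual config, and assumes only the addressing already posted: LAN 10.11.4.0/24 on Ethernet0, PPPoE on Dialer0, IKE peer 66.88.86.116, Exchange at 192.168.1.4. Two checks a practitioner would want first. The Windows ping above was run with -l but not -f, so the Don't Fragment bit was clear and the 1500-byte echo was simply fragmented in transit; Windows TCP does set DF, which is why MAPI sessions hit the path-MTU black hole that the ping sails through. And the posted config binds `ip access-group 101 in` and NAT list 102 without defining either list; IOS treats a reference to an undefined ACL as permit-any, so unless those lists were dropped from the paste, the inspect firewall is restricting nothing and the static 3389 forward is reachable from every source on the internet. The list 101 below is a hypothetical minimal one, with 192.0.2.10 as a placeholder for the one host that should reach RDP. Separately, esp-des with md5 and cleartext line and pre-shared-key storage (`no service password-encryption`, `crypto isakmp key 0`) would not pass review today, but they are not what broke mail.

```cisco
! Added example for this thread, not the asker's running config.
! Assumes the addressing posted above: LAN 10.11.4.0/24 on Ethernet0,
! PPPoE on Dialer0 (MTU 1492), IKE peer 66.88.86.116, Exchange host
! 192.168.1.4 behind the peer. IOS 12.3 syntax as on the Cisco 831.
!
! --- 1. Measure with the DF bit set (enable mode, not config) -------
! Source the probe from the LAN address so it matches the VPNTraffic
! crypto ACL and really goes through the tunnel. In the result string
! "!" is a reply and "M" is "could not fragment"; the largest size that
! answers with all "!" is the usable tunnel MTU.
!   ping 192.168.1.4 source 10.11.4.1 size 1400 df-bit repeat 3
!   ping 192.168.1.4 source 10.11.4.1 size 1370 df-bit repeat 3
! The same probe from a Windows PC on the LAN needs -f as well as -l
! (1372 bytes of data + 28 bytes of IP/ICMP header = 1400 on the wire):
!   ping 192.168.1.4 -f -l 1372
!
! --- 2. Dead-peer detection ---------------------------------------
! Without keepalives a stale phase-1 SA on one side is only noticed
! when the 86400-second lifetime expires; DPD probes every 10 s,
! retries every 3 s once the peer stops answering, then rebuilds.
crypto isakmp keepalive 10 3
!
! --- 3. Clamp MTU and MSS before encryption -----------------------
! ESP tunnel mode with DES-CBC/HMAC-MD5 adds up to 57 bytes (20 outer
! IP + 8 ESP + 8 IV + pad/trailer + 12 ICV) on top of PPPoE's 1492,
! so a 1500-byte LAN packet can no longer be encrypted whole. With
! ip mtu set, IOS fragments before ESP, or, when DF is set, returns
! ICMP "fragmentation needed" so the host's PMTUD works. MSS is MTU
! minus 40 bytes of IP+TCP header; the posted 1452 only allows for
! PPPoE, not for ESP.
interface Dialer0
 ip mtu 1370
 ip tcp adjust-mss 1330
!
! --- 4. The inbound list the config references but never defines --
! Hypothetical minimal list 101 (an undefined ACL permits everything).
! The inspect rule moves from Ethernet0 to Dialer0 outbound so that
! sessions leaving the LAN open their return holes through this list.
! The tunnelled subnets are permitted explicitly because releases of
! this era can re-check decrypted packets against the interface ACL;
! the extra permits are harmless if yours does not. 192.0.2.10 is a
! placeholder for the single host allowed to reach the RDP forward.
access-list 101 permit udp host 66.88.86.116 any eq isakmp
access-list 101 permit esp host 66.88.86.116 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 101 permit ip 192.168.40.0 0.0.0.255 10.11.4.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.11.4.0 0.0.0.255
access-list 101 permit tcp host 192.0.2.10 any eq 3389
access-list 101 permit icmp any any packet-too-big
access-list 101 deny   ip any any log
!
interface Ethernet0
 no ip inspect inboundfw out
interface Dialer0
 ip inspect inboundfw out
 ip access-group 101 in
!
! --- 5. Renegotiate so the new settings take effect (enable mode) --
!   clear crypto isakmp
!   clear crypto sa
!   show crypto isakmp sa
!   show crypto ipsec sa | include pkts encaps|send errors
```

The order matters when applying this over a live tunnel: put the ACL in place before binding it, then clear the SAs from the hub side as the asker did, and confirm with `show ip interface Dialer0` that list 101 is now the one actually applied.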
Glad to help!
-Todd