Asked by andersenks
Cisco VPN Tunnel cannot get e-mail from Exchange server

Having a problem with my VPN tunnel. I have five VPN tunnels set up that work fine except one site; at this site all of our users are having trouble getting their e-mail from the Exchange server. I can ping it and can even telnet to the Exchange server from the remote site. All the showrooms have virtually the same config and the tunnel seems to be up and running fine..... I'm completely stumped... Can anyone see anything wrong with the config on the remote router?

Cisco 831 router
version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname *****
!
logging buffered 25000 debugging
enable secret 5 ******
!
clock timezone EST -5
no aaa new-model
ip subnet-zero
ip domain name domain.com
no ip dhcp conflict logging
ip dhcp excluded-address 10.11.4.1 10.11.4.100
!
ip dhcp pool atlanta
   network 10.11.4.0 255.255.255.0
   dns-server 192.168.1.5 192.168.1.7
   default-router 10.11.4.1
   domain-name domain.com
   lease 7
!
!
ip inspect name inboundfw ftp
ip inspect name inboundfw smtp
ip inspect name inboundfw tcp timeout 3600
ip inspect name inboundfw http timeout 3600
ip inspect name inboundfw udp
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 0 **** address 66.88.86.116
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set mytransform esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 66.88.86.116
 set transform-set mytransform
 match address VPNTraffic
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0
 description LAN
 ip address 10.11.4.1 255.255.255.0
 ip nat inside
 ip inspect inboundfw out
 no cdp enable
!
interface Ethernet1
 description DSL to BellSouth
 no ip address
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
 crypto map mymap
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname *******@bellsouth.net
 ppp chap password 0 ********
 crypto map mymap
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source list internet interface Dialer0 overload
ip nat inside source static tcp 10.11.4.2 3389 interface Dialer0 3389
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip access-list extended VPNTraffic
 remark VPN Traffic
 permit ip 10.11.4.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 10.11.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.11.4.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended internet
 remark Internet Usage
 deny   ip 10.11.4.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 10.11.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.11.4.0 0.0.0.255 192.168.40.0 0.0.0.255
 permit ip 10.11.4.0 0.0.0.255 any
no logging trap
access-list 120 permit ip 10.11.4.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 permit ip 10.11.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.11.4.0 0.0.0.255 192.168.40.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map NONAT permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
!
!
line con 0
 exec-timeout 120 0
 password ****
 login
 no modem enable
 stopbits 1
line aux 0
 password ****
 login
line vty 0 4
 exec-timeout 120 0
 password ****
 login
!
scheduler max-task-time 5000
!
end

Let me know if you need to see the destination router config
atl-show-edge1_ro#sh cry isakmp sa
dst             src             state          conn-id slot
66.88.86.116    68.213.15.8     QM_IDLE              1    0
tlamonia:

Staring at these configs all day can turn your brain to jelly.  What's the subnet or IP of your Exchange server?
-Todd
andersenks (asker):
Hahaa!!! I am fried... The exchange server is on the 192.168.1.0 subnet

thanks for the help
I don't see anything obviously wrong with your config.  Specifically, what problem are the users experiencing?  What errors are they seeing?  Are you seeing problems with any other applications?
-Todd
Not that I can see... everything else looks normal... even ping times are okay. When users open Outlook they get that pop-up several times that says "Outlook is requesting data from your Exchange server". Eventually it will sync up. When we try to send mail we get an error that Outlook was unable to connect to the Exchange server due to network issues... very odd.
If this is any help... looks okay to me

atl-show-edge1_ro#sh cry ipsec sa


interface: Dialer0
    Crypto map tag: mymap, local addr. 68.213.15.8

   protected vrf:
   local  ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 66.88.86.116:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 116817, #pkts encrypt: 116817, #pkts digest 116817
    #pkts decaps: 160489, #pkts decrypt: 160489, #pkts verify 160489
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 11, #recv errors 0

     local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
     path mtu 1500, media mtu 1500
     current outbound spi: 7E541A10

     inbound esp sas:
      spi: 0x7E698CE0(2120846560)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 20, flow_id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4487803/73017)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7E541A10(2119440912)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 21, flow_id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4489201/73017)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
   current_peer: 66.88.86.116:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer: 66.81.88.116:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1342, #pkts encrypt: 1342, #pkts digest 1342
    #pkts decaps: 430, #pkts decrypt: 430, #pkts verify 430
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
     path mtu 1500, media mtu 1500
     current outbound spi: 1DBE70DF

     inbound esp sas:
      spi: 0xB7D791E2(3084358114)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 22, flow_id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4434746/73012)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1DBE70DF(499019999)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 23, flow_id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4434620/73009)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
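The `show crypto ipsec sa` output above is long and easy to misread by eye. The following Python script is an added example, not code from this thread or from Cisco: it parses a constructed, abbreviated sample in the same format (the field values are copied from the first two SAs shown above) into one record per selector and flags what a practitioner checks first: a selector whose outbound SPI is 0 (no SA negotiated yet, which is expected when no traffic has matched that selector, as with the 192.168.40.0 entry), non-zero send errors, and traffic encapsulated with nothing decapsulated in return. The regular expressions and record field names are my assumptions about this IOS 12.3 output format.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of `show crypto ipsec sa` on IOS 12.3,
# trimmed to the lines the parser uses (values taken from the thread above).
SAMPLE = """\
interface: Dialer0
    Crypto map tag: mymap, local addr. 68.213.15.8

   protected vrf:
   local  ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 66.88.86.116:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 116817, #pkts encrypt: 116817, #pkts digest 116817
    #pkts decaps: 160489, #pkts decrypt: 160489, #pkts verify 160489
    #send errors 11, #recv errors 0
     local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
     path mtu 1500, media mtu 1500
     current outbound spi: 7E541A10

   protected vrf:
   local  ident (addr/mask/prot/port): (10.11.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.40.0/255.255.255.0/0/0)
   current_peer: 66.88.86.116:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 68.213.15.8, remote crypto endpt.: 66.88.86.116
     path mtu 1500, media mtu 1500
     current outbound spi: 0
"""


@dataclass
class SaEntry:
    """One crypto-ACL selector (one 'protected vrf:' block) and its counters."""
    local_ident: str
    remote_ident: str
    peer: str
    remote_endpt: str
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: str


# Field name -> regex with one capture group (assumed layout of the IOS output).
FIELDS = {
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "peer": r"current_peer: ([\d.]+)",
    "remote_endpt": r"remote crypto endpt\.: ([\d.]+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "outbound_spi": r"current outbound spi: ([0-9A-Fa-f]+)",
}


def parse_ipsec_sa(text):
    """Split the output on 'protected vrf:' and pull the fields from each block."""
    entries = []
    for chunk in re.split(r"protected vrf:", text)[1:]:
        vals = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, chunk)
            if not m:
                raise ValueError(f"field {name!r} missing in SA block")
            vals[name] = m.group(1)
        for name in ("encaps", "decaps", "send_errors"):
            vals[name] = int(vals[name])
        entries.append(SaEntry(**vals))
    return entries


def diagnose(entries):
    """Return (selector, finding) pairs for the conditions worth a second look."""
    findings = []
    for e in entries:
        label = f"{e.local_ident.split('/')[0]} -> {e.remote_ident.split('/')[0]}"
        if e.outbound_spi == "0":
            # No SA yet: normal until interesting traffic matches this selector.
            findings.append((label, "no SA negotiated yet for this selector"))
            continue
        if e.send_errors:
            findings.append((label, f"{e.send_errors} send errors on an active SA"))
        if e.encaps and not e.decaps:
            findings.append((label, "traffic encapsulated but nothing decapsulated: "
                                    "check the far end's crypto ACL and return route"))
    return findings


if __name__ == "__main__":
    for selector, finding in diagnose(parse_ipsec_sa(SAMPLE)):
        print(f"{selector}: {finding}")
```

Feed it the real output with `python3 sa_check.py < capture.txt` after replacing `SAMPLE` with `sys.stdin.read()`; a selector that shows an SA with healthy encaps and decaps counters, as the 192.168.1.0 one does here, tells you the tunnel itself is passing traffic, which is why the thread moves on to MTU rather than to crypto.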
I agree with tlamonia, the configs look ok and your ipsec sa looks good, and you can ping and telnet.
Only thing I can suggest is resizing your MTU.
Ping your Exchange server from a PC on the remote subnet with the "-l" option to find the max packet size being allowed through your ISP.
Start at 1500, e.g. ping 192.168.1.?? -l 1500.
Does it reply or time out? If it times out, keep reducing until you get a response, dropping by 100 each time.
When you get replies, set your MTU to that value.
If it replies at 1500 then clear down the tunnel and let it renegotiate, sometimes works....
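Added worked example, not code from the thread: a ping with "-l" alone only says something about the path MTU if the DF (don't fragment) bit is also set, because otherwise a large echo is simply fragmented by the sending host and reassembled at the far end, which is why a 1500-byte ping can succeed over a path that drops 1500-byte TCP segments with DF set (Outlook's MAPI traffic is TCP, so that is the case that matters). The script below sends DF probes, binary-searches the largest payload that gets through, and derives the path MTU and the TCP MSS that `ip tcp adjust-mss` should clamp to. The ping command lines (Linux `-M do -s`, Windows `-f -l`) and the assumption that ping exits 0 only when a reply arrived are mine; the probe is injectable so the search can be checked offline with a stub.

```python
import subprocess
import sys

IP_HDR, ICMP_HDR, TCP_HDR = 20, 8, 20   # IPv4, ICMP echo and TCP header sizes


def probe_df(payload, target):
    """Send one ICMP echo with `payload` data bytes and DF set.

    Returns True if an echo reply came back, False if the probe was dropped
    (needs fragmentation, or black-holed).  Command lines and the assumption
    that ping exits 0 only on a reply are assumptions, not from the thread.
    """
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), target]
    else:  # Linux iputils: -M do sets DF and refuses to fragment locally
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), target]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def max_df_payload(target, probe=probe_df, lo=0, hi=1472):
    """Largest echo payload answered with DF set, found by binary search.

    `lo` must be a size that works (an empty echo); `hi` is the payload that
    fills a 1500-byte frame (1472 + 8 + 20).  `probe` is injectable so the
    search can be exercised offline with a stub instead of a live network.
    """
    if not probe(lo, target):
        raise RuntimeError("smallest probe failed: host unreachable, not an MTU issue")
    if probe(hi, target):
        return hi                    # full-size frames pass; MTU is not the problem
    while hi - lo > 1:               # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(mid, target):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(target, probe=probe_df):
    """Path MTU in bytes from this host to `target`, as an IP packet size."""
    return max_df_payload(target, probe) + ICMP_HDR + IP_HDR


def tcp_mss_for(mtu):
    """TCP MSS that fits the MTU: the value to give `ip tcp adjust-mss`."""
    return mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.4"  # Exchange server from the thread
    mtu = path_mtu(host)
    print(f"path MTU to {host}: {mtu} bytes, TCP MSS to clamp: {tcp_mss_for(mtu)}")
```

Run it from a PC on the remote LAN against the Exchange server's address. Measured that way, the result already includes the PPPoE (1492-byte) and ESP tunnel overhead (outer IP header, ESP header, IV, padding and ICV) because the probes cross the tunnel; if you probe only from the router's WAN side you must subtract that overhead yourself. Clamping the MSS on the LAN-facing interface fixes the TCP case even when ICMP "fragmentation needed" messages are filtered somewhere along the path, which is the usual reason PMTUD fails silently.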
ASKER CERTIFIED SOLUTION
tlamonia
tlamonia,

Agree with the adjust-mss addition, forgot that bit!!

This is what I'm getting when pinging from the remote site
C:\>ping 192.168.1.4 -l 1500

Pinging 192.168.1.4 with 1500 bytes of data:

Reply from 192.168.1.4: bytes=1500 time=251ms TTL=123
Reply from 192.168.1.4: bytes=1500 time=248ms TTL=123
Reply from 192.168.1.4: bytes=1500 time=275ms TTL=123
Reply from 192.168.1.4: bytes=1500 time=262ms TTL=123

Ping statistics for 192.168.1.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 248ms, Maximum =  275ms, Average =  259ms
Have a look through the following http://msexchangeteam.com/archive/2005/05/25/405353.aspx
Some good info in there, especially the bit on ExMon to look at the mapi client usage.
Will keep looking into it but post back anything you find useful from above.
SOLUTION
Well I did all three things...

1. Added the keepalives
2. Lowered the MTU to 1370
3. Reloaded the remote router and ran "clear cry isakmp sa" on the destination router.

and...
   it worked! Not sure which of the three resolved it but I suspect it was lowering the MTU

Thanks so much guys.... very much appreciated!
Glad to help!
-Todd