VPN Traffic Down - between 1801 and PIX 515e - VPN seems to drop, re-instated from the 1801 end only
Using a PIX 515e and a Cisco 1801 for a site to site VPN. The VPN works fine between both devices. Then if not used i.e. no traffic the VPN seems to have been broken. Doing a sh crypto isakmp sa on the PIX shows Phase1 is up and the same on the 1801 router. See output below
If I try to connect to the router interface (1801, Ip 192.168.35.230) fails see debug information below. As if the VPN is down.
If I try to ping from the 1801 to IP's on the PIX end of the VPN it brings the VPN up and all starts working.
Strange, any ideas as to why ? IS this normal behaviour on a VPN site to site link. The link out of the 1801 is an ADSL line.
nta-fw-05# sh crypto isakmp sa
Total : 9
Embryonic : 0
dst src state pending created
xxx.xxx.110.34 xxx.xxx.116.348 QM_IDLE 0 2
inta-fw-05# ping 192.168.35.230
crypto_isakmp_process_bloc
:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1759240113
ISAMKP (0): received DPD_R_U_THERE from peer 217.44.180.124
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS 192.168.35.230 NO response received -- 1
000ms
192.168.35.230 NO response received -- 1000ms
192.168.35.230 NO response received -- 1000ms
If I try to connect to the router interface (1801, Ip 192.168.35.230) fails see debug information below. As if the VPN is down.
If I try to ping from the 1801 to IP's on the PIX end of the VPN it brings the VPN up and all starts working.
Strange, any ideas as to why ? IS this normal behaviour on a VPN site to site link. The link out of the 1801 is an ADSL line.
nta-fw-05# sh crypto isakmp sa
Total : 9
Embryonic : 0
dst src state pending created
xxx.xxx.110.34 xxx.xxx.116.348 QM_IDLE 0 2
inta-fw-05# ping 192.168.35.230
crypto_isakmp_process_bloc
:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1759240113
ISAMKP (0): received DPD_R_U_THERE from peer 217.44.180.124
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS 192.168.35.230 NO response received -- 1
000ms
192.168.35.230 NO response received -- 1000ms
192.168.35.230 NO response received -- 1000ms
tigerbam
IKMP_NO_ERR_NO_TRANS - This message indicates that ISAKMP had no errors and there is no need for re-transmission. Maybe its to do with crypto access list. If you can share across your PIX & 1800 configuration i can look into it.
ASKER
See appropriate config, note an access-list for ICMP has been added and this works...
I also have noticed that when I am connected to the console, my hypertem session seems to hang(1801). Am in the process of configuring another 1801, but would appreciate of you check the confg below just to rule that out.
Cisco 1800 settings :-
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key intamac address xxx.xxx.110.34 no-xauth
!
!
crypto ipsec transform-set intatrans esp-3des esp-sha-hmac
crypto ipsec transform-set intatrans-strong esp-3des esp-sha-hmac
!
crypto dynamic-map remote-map 10
set security-association idle-time 1800
!
!
crypto map intamap 110 ipsec-isakmp
description Tunnel to Northampton
set peer xxx.xxx.110.34
set transform-set intatrans-strong
set pfs group2
match address 110
crypto map intamap 1000 ipsec-isakmp dynamic remote-map
access-list 110 permit ip 192.168.35.0 0.0.0.255 167.165.0.0 0.0.255.255
access-list 199 permit icmp 192.168.35.0 0.0.0.255 any
access-list 199 permit ip 192.168.35.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 199
PIX Seetings :-
access-list 170 permit ip 167.165.0.0 255.255.0.0 192.168.35.0 255.255.255.0
crypto map intamap 70 ipsec-isakmp
crypto map intamap 70 match address 170
crypto map intamap 70 set pfs group2
crypto map intamap 70 set peer xxx.xxx.116.238
crypto map intamap 70 set transform-set intatrans-strong
crypto map intamap 70 set security-association lifetime seconds 3600 kilobytes 4
608000
I also have noticed that when I am connected to the console, my hypertem session seems to hang(1801). Am in the process of configuring another 1801, but would appreciate of you check the confg below just to rule that out.
Cisco 1800 settings :-
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key intamac address xxx.xxx.110.34 no-xauth
!
!
crypto ipsec transform-set intatrans esp-3des esp-sha-hmac
crypto ipsec transform-set intatrans-strong esp-3des esp-sha-hmac
!
crypto dynamic-map remote-map 10
set security-association idle-time 1800
!
!
crypto map intamap 110 ipsec-isakmp
description Tunnel to Northampton
set peer xxx.xxx.110.34
set transform-set intatrans-strong
set pfs group2
match address 110
crypto map intamap 1000 ipsec-isakmp dynamic remote-map
access-list 110 permit ip 192.168.35.0 0.0.0.255 167.165.0.0 0.0.255.255
access-list 199 permit icmp 192.168.35.0 0.0.0.255 any
access-list 199 permit ip 192.168.35.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 199
PIX Seetings :-
access-list 170 permit ip 167.165.0.0 255.255.0.0 192.168.35.0 255.255.255.0
crypto map intamap 70 ipsec-isakmp
crypto map intamap 70 match address 170
crypto map intamap 70 set pfs group2
crypto map intamap 70 set peer xxx.xxx.116.238
crypto map intamap 70 set transform-set intatrans-strong
crypto map intamap 70 set security-association lifetime seconds 3600 kilobytes 4
608000
If your console hangs on the 1800, it indicates a CPU hog or memory hog. There are bugs in some IOS versions that create a memory leak in the IPSEC engine and causes these symptoms. Try an updated version of IOS on the router.
ASKER
Its currently running IOS 12.4, dont want to upgrade unless I really need to.
Need to find out if this version is the problem or not .
Need to find out if this version is the problem or not .
ASKER
I am awaiting a response back from someone concerning this.
There is no difinitive way to know if it is a bug unless you:
1) open a TAC case with Cisco and get their engingeers to research through information that we don't have access to
2) Just try another version of IOS. If it fixes it you're done. If not, then you probably need to open a TAC case.
1) open a TAC case with Cisco and get their engingeers to research through information that we don't have access to
2) Just try another version of IOS. If it fixes it you're done. If not, then you probably need to open a TAC case.
ASKER
Dont have a TAC account setup with Cisco , so to do this I will need that.
To open a TAC case I assume you have to have a support contract in place ?
To open a TAC case I assume you have to have a support contract in place ?
Yes. You'll probably also have to have a support contract to be able to download another verion of IOS.
If this is a new router, you might get service as part of initial configuration.
Send email to TAC@cisco.com . Provide your router serial number and a description of the problem. Say it is intial configuration. They should get back to you and may provide you with an updated IOS image, or tell you that you need a SmartNet contract.
Sorry I can't be of more help than that.
If this is a new router, you might get service as part of initial configuration.
Send email to TAC@cisco.com . Provide your router serial number and a description of the problem. Say it is intial configuration. They should get back to you and may provide you with an updated IOS image, or tell you that you need a SmartNet contract.
Sorry I can't be of more help than that.
ASKER
No I appreciate your help in this.
Hey can you tell me the exact IOS version number...do a "show version" command. Got the following from the cisco site.
Cisco IOS crashes while processing malformed ISAKMP message
SYMPTOM:
A device running Cisco IOS may crash during processing of an Internet
Key Exchange (IKE) message.
CONDITIONS:
The device must have a valid and complete configuration for IPsec. IPsec
VPN features in IOS that use IKE include Site-to-Site VPN tunnels, EzVPN
(server and remote), DMVPN, IPsec over GRE and GET VPN.
WORKAROUND:
Customers that do not require IPsec functionality on their devices can
use the command "no crypto isakmp enable" in global configuration mode
to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured this bug may be mitigated by applying access
control lists that limit the hosts or IP networks that are allowed to
establish IPsec sessions with affected devices. This assumes that IPsec
peers are known. This workaround may not be feasible for remote access
VPN gateways where the source IP addresses of VPN clients are not known
in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI
port) when GDOI is in use.
I think you need to update your IOS to fix the issue.
Cisco IOS crashes while processing malformed ISAKMP message
SYMPTOM:
A device running Cisco IOS may crash during processing of an Internet
Key Exchange (IKE) message.
CONDITIONS:
The device must have a valid and complete configuration for IPsec. IPsec
VPN features in IOS that use IKE include Site-to-Site VPN tunnels, EzVPN
(server and remote), DMVPN, IPsec over GRE and GET VPN.
WORKAROUND:
Customers that do not require IPsec functionality on their devices can
use the command "no crypto isakmp enable" in global configuration mode
to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured this bug may be mitigated by applying access
control lists that limit the hosts or IP networks that are allowed to
establish IPsec sessions with affected devices. This assumes that IPsec
peers are known. This workaround may not be feasible for remote access
VPN gateways where the source IP addresses of VPN clients are not known
in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI
port) when GDOI is in use.
I think you need to update your IOS to fix the issue.
ASKER
Output from a show version is : - C180x software (C180x-adventerprisek9-m),
Says release software (fc1)
Says release software (fc1)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
To get an IOS I need TAC support, do not have one for this router, does anyone know any other way to get a copy to upgrade to.
Not legally.