Solved

Traffic not passing through VPN tunnel

Posted on 2009-12-16
Last Modified: 2012-05-08
I have an established VPN between a NetGear FVS114 in France and a Cisco 877 in the UK. Both routers show the VPN status as active but I cannot see devices on the other side of the link. Can anyone help to diagnose the connection and find a solution? It is an IPSec tunnel with pre-shared key. I'm pretty sure it has something to do with the firewall on the Cisco router (the Netgear router is very basic) but my knowledge of IOS is scant, so please bear with me. I used the SDM VPN wizard to set up the Cisco.
Question by:mjlane
12 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26060498
Hi,

I advise checking the nonat statement on the Cisco 877; I think this causes it.
Please show us the config....

Best regards,
Istvan
0
 
LVL 16

Expert Comment

by:Raheem05
ID: 26060528
Agreed, we need to see the config; of course, remove the passwords and put XX on the public interface IPs.
0
 

Author Comment

by:mjlane
ID: 26060699
I have attached edited file.
SDMConfigEdt.txt
0
 
LVL 2

Expert Comment

by:devinnull
ID: 26071169
Will you also post the output of "show crypto isakmp sa" and "show crypto ipsec sa"? I don't see anything immediately wrong with the config.

Cheers.
0
 

Author Comment

by:mjlane
ID: 26071515
As requested
crpto-results.txt
0
 
LVL 2

Expert Comment

by:devinnull
ID: 26072462
Looks to me like the problem is at the NetGear side.  Most likely it is NAT'ing the VPN traffic or something to that effect.  This portion of the crypto results indicates this:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer nnn.nnn.nnn.nnn port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1535, #pkts encrypt: 1535, #pkts digest: 1535
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

Since you are encapsulating and encrypting outgoing traffic, the Cisco end is doing its job. However, you aren't decapsulating or decrypting any traffic, so the far end is not sending interesting traffic through the tunnel.

Hope that helps.
0
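To read the counters devinnull points at mechanically, here is an added example (not code from the thread, Cisco or NetGear): a small Python parser for one "show crypto ipsec sa" block that classifies the SA as two-way, one-way or idle from the encaps/decaps counters. The sample block is constructed from the excerpt above, with the peer address masked as in the post.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa" excerpt quoted in the
# thread (peer address masked as in the original post).
SAMPLE_SA = """\
protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer nnn.nnn.nnn.nnn port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1535, #pkts encrypt: 1535, #pkts digest: 1535
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 2, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_ipsec_sa(text):
    """Pull proxy identities (crypto ACL subnets) and packet counters out of one SA block."""
    sa = {"ident": {}, "pkts": {}, "errors": {}}
    for side, proxy in IDENT_RE.findall(text):
        sa["ident"][side] = proxy
    for name, value in COUNTER_RE.findall(text):
        sa["pkts"][name] = int(value)
    for name, value in ERROR_RE.findall(text):
        sa["errors"][name] = int(value)
    return sa


def diagnose(sa):
    """Classify the SA from its counters; returns (code, explanation)."""
    encaps = sa["pkts"].get("encaps", 0)
    decaps = sa["pkts"].get("decaps", 0)
    if encaps == 0 and decaps == 0:
        return ("no-traffic", "nothing matched the crypto ACL on either side; "
                "generate interesting traffic and re-check")
    if decaps == 0:
        # The thread's case: we encrypt and send, but nothing ever comes back.
        return ("one-way-outbound", "local side encrypts but never receives; the far end "
                "is not sending matching traffic into the tunnel (check its interesting-"
                "traffic definition, or a NAT applied before encryption)")
    if encaps == 0:
        return ("one-way-inbound", "far end sends but local side never encrypts; check "
                "the local crypto ACL and the NAT exemption (nonat) for the VPN subnets")
    return ("two-way", "both counters increase; tunnel carries traffic in both directions")
```

Run `diagnose(parse_ipsec_sa(SAMPLE_SA))` to get the one-way-outbound verdict for the counters posted in the thread.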
 

Author Comment

by:mjlane
ID: 26072949
Thanks for the response. The weird thing is that the link was working ok and I haven't changed any configs, although our ISP on the Netgear side has updated the ADSL link, which required a reboot. The Netgear does not allow any detailed configuration and there are no NAT settings on it (as far as I can see) so I really don't know where to go from here. Any ideas?
0
 
LVL 2

Accepted Solution

by:
devinnull earned 2000 total points
ID: 26076990
The NetGear must have the ability to configure what traffic is interesting to the tunnel.  Check that end and make sure that the list is showing the correct traffic.  Also, I'm shocked that the NetGear has VPN features, but not NAT.  Seems like it would be the other way around if anything.  What model NetGear router is this?
0
 

Author Comment

by:mjlane
ID: 26077987
It's an FVS114 firewall router. I will check the config menus again to look for NAT settings.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26078085
Please generate interesting traffic, and provide us the following from the Cisco:

deb cry isa
deb cry ips

sh log
0
 

Author Comment

by:mjlane
ID: 26094397
I am at the Cisco end and have tried some browsing of the far end and sent a network print job to a remote printer. The log entries during that period are shown below, but I don't see anything relevant:

CNO UNAUTHORISED USE OF THIS ROUTER

User Access Verification
Username: admin
Password:
office#sh log
Syslog logging: enabled (1 messages dropped, 113 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 3948 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 4060 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level debugging, 4098 message lines logged

Log Buffer (51200 bytes):

004018: Dec 21 09:05:46.798 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 217.140.46.116:443 => 192.168.0.26:1139
004019: Dec 21 09:06:36.082 PCTime: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected -  HTTP Protocol not detected from 192.168.0.14:50068 to 64.156.132.140:80
004020: Dec 21 09:06:36.082 PCTime: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected -  HTTP Protocol not detected from 192.168.0.14:50068 to 64.156.132.140:80
004021: Dec 21 09:07:03.398 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 155.136.69.200:443 => 192.168.0.26:1162
004022: Dec 21 09:07:34.702 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 155.136.69.200:443 => 192.168.0.26:1166
004023: Dec 21 09:08:06.494 PCTime: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected -  HTTP Protocol not detected from 192.168.0.14:50102 to 193.252.121.71:80
004024: Dec 21 09:08:06.494 PCTime: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected -  HTTP Protocol not detected from 192.168.0.14:50102 to 193.252.121.71:80
004025: Dec 21 09:08:08.042 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 91.103.138.65:80 => 192.168.0.14:50106
004026: Dec 21 09:09:39.770 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 155.136.69.200:443 => 192.168.0.26:1202
office#
0
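The log above only shows drops of Internet-sourced packets, none of which touch the far-end LAN. As an added example (not from the thread or from Cisco), this Python snippet triages a "sh log" buffer for %FW-6-DROP_PKT entries whose source and destination fall in the two VPN subnets, so a poster can confirm in one step whether the IOS firewall is eating tunnel traffic. Three sample lines are taken from the post; the fourth (004099) is constructed to show what a positive hit looks like.

```python
import ipaddress
import re

# Three %FW-6-DROP_PKT lines from the thread's "sh log" output, plus one constructed
# entry (004099) between the two VPN subnets so that a positive match is exercised.
SAMPLE_LOG = """\
004018: Dec 21 09:05:46.798 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 217.140.46.116:443 => 192.168.0.26:1139
004021: Dec 21 09:07:03.398 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 155.136.69.200:443 => 192.168.0.26:1162
004025: Dec 21 09:08:08.042 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 91.103.138.65:80 => 192.168.0.14:50106
004099: Dec 21 09:10:00.000 PCTime: %FW-6-DROP_PKT: Dropping tcp pkt 192.168.1.20:445 => 192.168.0.14:51000
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) => (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_drops(log_text):
    """Yield (proto, src, dst) for every inspection-firewall drop in the log buffer."""
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            yield (m["proto"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))


def vpn_drops(log_text, local_net, remote_net):
    """Return drops where one end is in the local LAN and the other in the far-end LAN.

    An empty list means the Cisco firewall logged no drop of tunnel traffic in this
    buffer, which points the investigation back at the far-end device (as in the thread).
    """
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    hits = []
    for proto, src, dst in parse_drops(log_text):
        if (src in local and dst in remote) or (src in remote and dst in local):
            hits.append((proto, str(src), str(dst)))
    return hits
```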
 

Author Closing Comment

by:mjlane
ID: 31666651
I appreciate all the help received on this but I opted to rent a router (with free IP phone) from my ISP so that they would support all future problems. The ISP router connected straight away and re-established the VPN which has been down since November. All working ok now with a Cisco 877 in the UK and an Orange Livebox Pro in France so no further help is required. Many thanks to all.
0
