Cisco VPN Configuration Problems

Good Evening.

Working on bringing up a site-to-site VPN between two Cisco 2800 series routers.
I think the tunnel's being built; however, when I debug I get the following problem:
IPSEC(crypto_get_cm_handle_from_pak): Failed to create access pak sub block

Anyone know what this means? Digging around on Cisco/Google hasn't got me much.

Can't seem to get traffic down the tunnel, obviously. I can provide full edited configs if that will help or if anyone has the urge to read them.

Asked by Posthumous
predragpetrovic commented:
hi,

could you please upload the configuration files regarding the tunnel creation (crypto maps, access-lists, interface configurations) from both sides.

predrag
 
Istvan Kalmar (Head of IT Security Division) commented:
What do the following show:

sh cry isa sa
sh cry ips sa
 
Posthumous (author) commented:

Router 1 Config Info

crypto logging session
!
crypto isakmp policy 21
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ectunnel address a.a.a.a
!
crypto isakmp peer address a.a.a.a
 description routercan
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set ectunnelset esp-aes 256 esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map ectunnelmap local-address Loopback0
crypto map ectunnelmap 21 ipsec-isakmp
 set peer a.a.a.a
 set transform-set ectunnelset
 match address 199


interface Loopback0
 ip address b.b.b.b 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 crypto map ectunnelmap


access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255



Router 2 VPN config

crypto logging session
!
crypto isakmp policy 21
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ectunnel address b.b.b.b
!
crypto isakmp peer address b.b.b.b
 description cisco2800
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set ectunnelset esp-aes 256 esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map ectunnelmap local-address Vlan2
crypto map ectunnelmap 21 ipsec-isakmp
 set peer b.b.b.b
 set transform-set ectunnelset
 match address 199

interface Vlan2
 ip address a.a.a.a 255.255.255.248
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 crypto map ectunnelmap



access-list 199 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255



Currently I can ping back and forth between servers at the two locations, and can even send an RDP connect session from one site to the other.
However, it won't authenticate, as there is no DNS server at the secondary location, just a single application server.
I'm thinking (which is never a good thing): will the order of the ACL translation in any way affect this?
If there are ACLs at, for example, 100, 102 and 103, will those affect the interesting traffic at the interfaces before the 199 access list, and thus account for some traffic being passed but not all types?
If I were to lower the VPN ACL to, for example, 10, would this change this problem?
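The two configs above are what has to line up on both ends before anything else is worth debugging. Here is an added example (not from the thread or from either router) that parses both sides and checks them against each other: at least one ISAKMP policy identical in encryption, hash, authentication and DH group (with the IOS defaults filled in for omitted lines), the same pre-shared key keyed to the other side's address, the same transform set behind the crypto map, and crypto ACLs that are exact mirror images. The sample input is a trimmed copy of the posted configs, keeping a.a.a.a / b.b.b.b as placeholders for the public addresses just as the post does. It assumes one `ipsec-isakmp` map entry per side and only understands the `permit ip <src> <wc> <dst> <wc>` ACE form the post uses.

```python
# Added example, not part of the thread: check that two IOS peer configs agree on
# everything a site-to-site IKEv1/IPsec tunnel needs. The samples are trimmed copies
# of the two configs posted above; a.a.a.a / b.b.b.b are placeholders as in the post.
ROUTER1 = """\
crypto isakmp policy 21
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ectunnel address a.a.a.a
crypto ipsec transform-set ectunnelset esp-aes 256 esp-md5-hmac
crypto map ectunnelmap local-address Loopback0
crypto map ectunnelmap 21 ipsec-isakmp
 set peer a.a.a.a
 set transform-set ectunnelset
 match address 199
interface Loopback0
 ip address b.b.b.b 255.255.255.248
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ROUTER2 = """\
crypto isakmp policy 21
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ectunnel address b.b.b.b
crypto ipsec transform-set ectunnelset esp-aes 256 esp-md5-hmac
crypto map ectunnelmap local-address Vlan2
crypto map ectunnelmap 21 ipsec-isakmp
 set peer b.b.b.b
 set transform-set ectunnelset
 match address 199
interface Vlan2
 ip address a.a.a.a 255.255.255.248
access-list 199 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# What IOS assumes when a policy line is omitted; without filling these in, a side
# that simply lacks a "hash" line would look like it matches when it does not.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def parse(cfg):
    """Collect the tunnel-relevant objects from an IOS running-config."""
    c = {"policy": {}, "psk": {}, "ts": {}, "map": {}, "acl": {}, "iface": {}, "local_if": None}
    ctx = None  # (kind, key) of the indented block we are currently inside
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line[0] == " ":  # continuation line of the open block
            kind, key = ctx or (None, None)
            if kind == "policy":
                c["policy"][key][w[0]] = " ".join(w[1:])
            elif kind == "map" and w[0] in ("set", "match"):  # set peer/transform-set, match address
                c["map"][key][w[1] if w[0] == "set" else "acl"] = " ".join(w[2:])
            elif kind == "iface" and w[:2] == ["ip", "address"]:
                c["iface"][key] = w[2]
            continue
        ctx = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx, c["policy"][w[3]] = ("policy", w[3]), dict(POLICY_DEFAULTS)
        elif w[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key <key> address <peer>
            c["psk"][w[5]] = w[3]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"][w[3]] = " ".join(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3] == "local-address":
            c["local_if"] = w[4]
        elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
            ctx, c["map"][f"{w[2]} {w[3]}"] = ("map", f"{w[2]} {w[3]}"), {}
        elif w[0] == "interface":
            ctx = ("iface", w[1])
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"] and len(w) == 8:
            c["acl"].setdefault(w[1], set()).add(tuple(w[4:8]))  # (src, wc, dst, wc)
    return c


def check_peers(cfg_a, cfg_b):
    """Return a list of findings; an empty list means both ends agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    la, lb = a["iface"].get(a["local_if"]), b["iface"].get(b["local_if"])
    out = []
    sig = lambda p: tuple(p.get(k) for k in POLICY_DEFAULTS)  # encr/hash/auth/group only
    if not {sig(p) for p in a["policy"].values()} & {sig(p) for p in b["policy"].values()}:
        out.append("ISAKMP: no policy on A matches any policy on B")
    if a["psk"].get(lb) is None or a["psk"].get(lb) != b["psk"].get(la):
        out.append(f"PSK: key for {lb} on A does not match key for {la} on B")
    mirror = lambda t: (t[2], t[3], t[0], t[1])
    for key, ma in a["map"].items():
        mb = next((m for m in b["map"].values() if m.get("peer") == la), None)
        if ma.get("peer") != lb or mb is None:
            out.append(f"PEER: map {key} peers with {ma.get('peer')}; B's local address is {lb}")
            continue
        if a["ts"].get(ma.get("transform-set")) != b["ts"].get(mb.get("transform-set")):
            out.append(f"TRANSFORM: set {ma.get('transform-set')} differs between A and B")
        aces_a = a["acl"].get(ma.get("acl"), set())
        aces_b = b["acl"].get(mb.get("acl"), set())
        for side, mine, theirs in (("A", aces_a, aces_b), ("B", aces_b, aces_a)):
            for t in mine - {mirror(x) for x in theirs}:
                out.append(f"ACL: {side} protects {t[0]}/{t[1]} -> {t[2]}/{t[3]}; no mirror entry on the other side")
    return out
```

The ACL check is per entry and runs in both directions, so an extra or broader entry on one side is reported even when the rest of the list mirrors; IOS rejects a phase-2 proposal whose proxy identities do not match a local ACE, which is how a partially mismatched crypto ACL turns into some flows working and others not. Lifetimes are deliberately left out of the policy comparison because IKEv1 negotiates them down rather than failing on a mismatch.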
Posthumous (author) commented:
sho cry ips sa

interface: Loopback0
    Crypto map tag: ectunnelmap, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xECC28AE2(3972172514)

     inbound esp sas:
      spi: 0x88F324A5(2297636005)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xECC28AE2(3972172514)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Serial0/0/0:0
    Crypto map tag: ectunnelmap, local addr 38.99.187.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xECC28AE2(3972172514)

     inbound esp sas:
      spi: 0x88F324A5(2297636005)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xECC28AE2(3972172514)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Serial0/0/1:0
    Crypto map tag: ectunnelmap, local addr 38.99.187.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xECC28AE2(3972172514)

     inbound esp sas:
      spi: 0x88F324A5(2297636005)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4143)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xECC28AE2(3972172514)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4143)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
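As an added example (not from the thread), here is a parser for the `show crypto ipsec sa` output above. It turns each `local ident` / `remote ident` block into a record with the packet counters, the inbound and outbound SPI, status and remaining lifetime, then classifies it, so that the same two flows repeated under Loopback0, Serial0/0/0:0 and Serial0/0/1:0 (identical SPIs each time) collapse to "no SA" for 192.168.2.0 -> 192.168.1.0 and "active with 4 send errors" for 192.168.1.0 -> 192.168.2.0. The sample is a shortened, constructed copy of the posted output for one interface; the address placeholders are kept as posted.

```python
import re

# Added example, not from the thread: summarise "show crypto ipsec sa" so that the
# flows carrying traffic stand out from the ones that never got a phase-2 SA.
# SAMPLE is a constructed, shortened copy of the output posted above.
SAMPLE = """\
interface: Loopback0
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #send errors 4, #recv errors 0
     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     current outbound spi: 0xECC28AE2(3972172514)
     inbound esp sas:
      spi: 0x88F324A5(2297636005)
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xECC28AE2(3972172514)
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        Status: ACTIVE
"""

PATTERNS = {
    "iface": re.compile(r"^interface: (\S+)"),
    "local": re.compile(r"local\s+ident .*?: \((\S+)\)"),
    "remote": re.compile(r"remote ident .*?: \((\S+)\)"),
    "peer": re.compile(r"current_peer (\S+) port (\d+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "errors": re.compile(r"#send errors (\d+), #recv errors (\d+)"),
    "endpts": re.compile(r"local crypto endpt\.: (\S+), remote crypto endpt\.: (\S+)"),
    "section": re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:"),
    "spi": re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)"),
    "life": re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)"),
    "status": re.compile(r"Status: (\w+)"),
}


def parse_ipsec_sa(text):
    """Return one dict per proxy-identity pair (one per 'local ident' block)."""
    flows, iface, section, cur = [], None, None, None
    for line in text.splitlines():
        if m := PATTERNS["iface"].match(line):
            iface = m.group(1)
        elif m := PATTERNS["local"].search(line):  # starts a new flow record
            cur = {"iface": iface, "local": m.group(1), "encaps": 0, "decaps": 0,
                   "send_err": 0, "recv_err": 0, "in": {}, "out": {}}
            flows.append(cur)
            section = None
        elif cur is None:
            continue
        elif m := PATTERNS["remote"].search(line):
            cur["remote"] = m.group(1)
        elif m := PATTERNS["peer"].search(line):
            cur["peer"], cur["port"] = m.group(1), int(m.group(2))
        elif m := PATTERNS["encaps"].search(line):
            cur["encaps"] = int(m.group(1))
        elif m := PATTERNS["decaps"].search(line):
            cur["decaps"] = int(m.group(1))
        elif m := PATTERNS["errors"].search(line):
            cur["send_err"], cur["recv_err"] = int(m.group(1)), int(m.group(2))
        elif m := PATTERNS["endpts"].search(line):
            cur["local_endpt"], cur["remote_endpt"] = m.group(1), m.group(2)
        elif m := PATTERNS["section"].match(line):
            section = "in" if m.group(1) == "inbound" else "out"
        elif section and (m := PATTERNS["spi"].match(line)):
            cur[section]["spi"] = m.group(1)
        elif section and (m := PATTERNS["life"].search(line)):
            cur[section]["kb_left"], cur[section]["sec_left"] = int(m.group(1)), int(m.group(2))
        elif section and (m := PATTERNS["status"].search(line)):
            cur[section]["status"] = m.group(1)
    return flows


def triage(f):
    """Classify a flow the way you would when eyeballing the counters."""
    if not f["in"].get("spi") and not f["out"].get("spi"):
        return "no-sa"      # proxy pair is known, but no phase-2 SA was ever built
    if f["encaps"] == 0 or f["decaps"] == 0:
        return "one-way"    # SA exists but traffic only moves in one direction
    return "active-with-send-errors" if f["send_err"] else "active"
```

Run it on the full output and `triage` gives "no-sa" for every 192.168.2.0 -> 192.168.1.0 block and "active-with-send-errors" for every 192.168.1.0 -> 192.168.2.0 block, which is the quick answer to "is the tunnel up": it is, and it carries traffic in both directions, so the remaining symptoms have to be looked for outside the SA.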
 
Texas_Billy commented:
This usually indicates a memory leak on the router showing the error. Are you seeing this on both sides?

You said you can ping across the tunnel and open RDP sessions to / from servers on opposite sides, is that correct?  If so, what symptoms led you to check the log file for errors?  Is there a particular application or protocol that isn't working?  --TX
 
Posthumous (author) commented:
Hey,
Yeah, we can open applications but no authentications are happening.
We can ping across the connections, and if there are previously opened connections when the failover happens, they remain active, i.e. Exchange/WWW work as long as the authentications were done before the VPN was in place.

 
Texas_Billy commented:
This sounds like a DNS problem rather than a VPN problem. When you ping, are you pinging by IP or hostname? If you ping and nslookup a host on the remote side, do they resolve to the same IP?
 
Posthumous (author) commented:
I'll test out the DNS resolution through the VPN as soon as possible.
From my recollection (which is hazy at the moment), DNS resolution was working across the VPN without issue.

Last night I removed all ACL and IPS items from both the inside and outside of the internet-facing connections on both routers and brought up the VPN. At this point I was still able to ping and tracert to the offsite servers; however, WWW and RDP connections still failed to connect or authenticate.

Am I wrong in assuming that ALL IP traffic should be passing between the locations without issue? Are there certain types of traffic that would be in some way blocked or hindered, specifically DNS or Windows authentication port traffic?
 
Posthumous (author) commented:
DNS resolves through the VPN.
Routers CAN NOT ping each other when the VPN is up, strangely, but can ping servers by IP or by DNS on either side of the router VPN connection.
I am stumped here, and believe that perhaps it's a firewall ACL type issue again.

Is there a way to enable debugs of some kind that would allow me to obtain and provide more information, specifically on the packet types that are getting dumped by the ACL/firewall, IF it is even that?
Perhaps a debug specific to VPN traffic of some kind?
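On the question above about seeing what the ACLs are dropping: an approach that needs no debug at all is to snapshot `show access-lists` (IOS prints a per-entry `(N matches)` counter) before and after a single failed connection attempt and diff the counters; whichever entry grew is the one the attempt hit. The added example below (not from the thread) does exactly that over two constructed snapshots; the ACL numbers, entries and hit counts are made up for illustration. The caveat worth knowing: IOS keeps no counter for the implicit deny at the end of an ACL, so drops are only visible if the list ends with an explicit `deny ip any any log` entry.

```python
import re

# Added example, not from the thread: diff the hit counters of "show access-lists"
# between two snapshots taken around one failing connection attempt, so the entry
# that is eating the traffic stands out. Both snapshots are constructed sample
# output, not captured from the routers in the thread.
BEFORE = """\
Extended IP access list 103
    10 permit udp host b.b.b.b host a.a.a.a eq isakmp (312 matches)
    20 permit esp host b.b.b.b host a.a.a.a (104607 matches)
    30 permit icmp any any (55 matches)
    40 deny ip any any log (17 matches)
Extended IP access list 199
    10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (97220 matches)
"""
AFTER = """\
Extended IP access list 103
    10 permit udp host b.b.b.b host a.a.a.a eq isakmp (312 matches)
    20 permit esp host b.b.b.b host a.a.a.a (104640 matches)
    30 permit icmp any any (59 matches)
    40 deny ip any any log (29 matches)
Extended IP access list 199
    10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (97251 matches)
"""

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# optional sequence number, the rule text, optional "(N matches)" / "(1 match)"
ENTRY = re.compile(r"^\s+(?:(\d+)\s+)?((?:permit|deny)\b.*?)\s*(?:\((\d+) match(?:es)?\))?$")


def parse_acl_counters(text):
    """Map (acl, seq-or-rule) -> (rule text, hit count); entries without a counter count as 0."""
    counters, acl = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            acl = m.group(1)
        elif acl and (m := ENTRY.match(line)):
            seq, rule, hits = m.groups()
            counters[(acl, seq or rule)] = (rule, int(hits or 0))
    return counters


def acl_delta(before, after):
    """Entries whose counter grew between the snapshots, largest increase first."""
    b, a = parse_acl_counters(before), parse_acl_counters(after)
    rows = []
    for key, (rule, hits) in a.items():
        growth = hits - b.get(key, (rule, 0))[1]
        if growth > 0:
            rows.append((key[0], key[1], rule, growth))
    return sorted(rows, key=lambda r: -r[3])
```

In the constructed data the `deny ip any any log` entry on ACL 103 gained 12 hits during the attempt, which is the signal to go and read the matching log lines for the source/destination/port that was refused. `clear access-list counters` zeroes the counters if you would rather start from a clean baseline than diff; `debug ip packet <acl> detail` is the debug-based alternative the question asks about, but on a busy 2800 it is CPU-expensive enough that the counter diff is the safer first step.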
 
Posthumous (author) commented:
Found the problem! Sort of...

An ACL was blocking the connectivity, but only on one of the connections, causing what looked like a "flapping" of the connectivity on the load-balanced side of the world.
The VPN is now stable in a connected state, with DNS resolving properly.

However, I am still unable to pass Windows authentication packets across the VPN when it's up and running. I've been running debugs against the subnet where the packets would/should come from but am seeing no errors or blocked data packets from that site.

Any thoughts on what/why Windows authentication isn't working over the VPN connection?
 
Sankar1985 commented:
Hi,

Can you try the following and post the details?

Debug crypto isakmp and show crypto isakmp

Best,
Sankar.K