Solved

Cisco VPN Configuration Problems

Posted on 2009-12-21
11
Medium Priority
2,450 Views
Last Modified: 2012-05-08
Good Evening.

Working on bringing up a VPN site to site between two Cisco 2800 series routers.
I think the tunnel's being built; however, when I debug I get the following problem:
IPSEC(crypto_get_cm_handle_from_pak): Failed to create access pak sub block

Anyone know what this means?  Digging around on cisco/google hasn't got me much.

Can't seem to get traffic down the tunnel, obviously. I can provide full edited configs if that will help or if anyone has the urge to read them.

0
Comment
Question by:Posthumous
11 Comments
 
LVL 9

Expert Comment

by:predragpetrovic
ID: 26101671
hi,

Could you please upload the configuration files regarding the tunnel creation (crypto maps, access lists, interface configurations) from both sides?

predrag
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 26102512
What does the following show:

sh cry isa sa
sh cry ips sa
0
 
LVL 1

Author Comment

by:Posthumous
ID: 26104431


Router 1 Config Info

crypto logging session
!
crypto isakmp policy 21
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ectunnel address a.a.a.a
!
crypto isakmp peer address a.a.a.a
 description routercan
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set ectunnelset esp-aes 256 esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map ectunnelmap local-address Loopback0
crypto map ectunnelmap 21 ipsec-isakmp
 set peer a.a.a.a
 set transform-set ectunnelset
 match address 199


interface Loopback0
 ip address b.b.b.b 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 crypto map ectunnelmap


access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255



Router 2 VPN config

crypto logging session
!
crypto isakmp policy 21
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ectunnel address b.b.b.b
!
crypto isakmp peer address b.b.b.b
 description cisco2800
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set ectunnelset esp-aes 256 esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map ectunnelmap local-address Vlan2
crypto map ectunnelmap 21 ipsec-isakmp
 set peer b.b.b.b
 set transform-set ectunnelset
 match address 199

interface Vlan2
 ip address a.a.a.a 255.255.255.248
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip ips sdm_ips_rule in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 crypto map ectunnelmap



access-list 199 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255



Currently I can ping back and forth between servers at the two locations, and can even send an RDP connect session from one site to the other.
However, it won't authenticate, as there is no DNS server at the secondary location, just a single application server.
I'm thinking (which is never a good thing), will the order of the ACL translation in any way affect this?
If there are ACLs, for example at 100, 102 and 103, will those affect the interesting traffic at the interfaces before the 199 access list and thus account for some traffic being passed but not all types?
If I were to lower the VPN ACL number to, for example, 10, would this change this problem?
0
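The two sides of a crypto-map VPN have to agree on three things the posted fragments show: the crypto ACL on one router must be the mirror image of the other's, and the ISAKMP policy and IPsec transform set must match. The check below is an added example, not code from the thread; it parses trimmed copies of the two configs above (placeholder peers a.a.a.a / b.b.b.b kept as posted) and reports any mismatch, and it also flags the MD5 hashes as a weak-algorithm caveat.

```python
import re
# Constructed sample: only the crypto-relevant lines of the Router 1 config
# posted above, with the placeholder peer address a.a.a.a kept as given.
ROUTER1 = """crypto isakmp policy 21
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ectunnelset esp-aes 256 esp-md5-hmac
crypto map ectunnelmap 21 ipsec-isakmp
 set peer a.a.a.a
 match address 199
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Router 2 is the mirror image: it peers with b.b.b.b and its ACL swaps the subnets.
ROUTER2 = ROUTER1.replace("a.a.a.a", "b.b.b.b").replace(
    "ip 192.168.1.0 0.0.0.255 192.168.2.0", "ip 192.168.2.0 0.0.0.255 192.168.1.0")

ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def crypto_acl(cfg):
    """Entries (src, src_wc, dst, dst_wc) of the ACL named by 'match address'."""
    acl_id = re.search(r"^ match address (\d+)$", cfg, re.M).group(1)
    return [m.groups()[1:] for m in ACL_RE.finditer(cfg) if m.group(1) == acl_id]

def phase1(cfg):
    """Attribute lines (encr/hash/authentication/group) of the ISAKMP policy."""
    body = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M).group(1)
    return tuple(line.strip() for line in body.splitlines())

def phase2(cfg):
    """Transform list of the IPsec transform set."""
    return re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1)

def check_pair(cfg_a, cfg_b):
    """Return findings; an empty list means both sides agree and nothing is weak."""
    findings = []
    # The peer's ACL, read back to front, must contain every entry of ours.
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in crypto_acl(cfg_b)}
    for entry in crypto_acl(cfg_a):
        if entry not in mirrored:
            findings.append(f"ACL entry {entry} is not mirrored on the peer")
    if phase1(cfg_a) != phase1(cfg_b):
        findings.append("ISAKMP policy attributes differ between the peers")
    if phase2(cfg_a) != phase2(cfg_b):
        findings.append("IPsec transform sets differ between the peers")
    if any("md5" in item for cfg in (cfg_a, cfg_b) for item in phase1(cfg) + (phase2(cfg),)):
        findings.append("MD5 is used for integrity; prefer SHA-based hashes")
    return findings
```

For the posted configs the only finding is the MD5 caveat, so a mismatched ACL is not the cause here; the check is meant to rule that out quickly on any future change.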
 
LVL 1

Author Comment

by:Posthumous
ID: 26108133
sho cry ips sa

interface: Loopback0
    Crypto map tag: ectunnelmap, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xECC28AE2(3972172514)

     inbound esp sas:
      spi: 0x88F324A5(2297636005)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xECC28AE2(3972172514)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Serial0/0/0:0
    Crypto map tag: ectunnelmap, local addr 38.99.187.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xECC28AE2(3972172514)

     inbound esp sas:
      spi: 0x88F324A5(2297636005)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xECC28AE2(3972172514)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4144)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Serial0/0/1:0
    Crypto map tag: ectunnelmap, local addr 38.99.187.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer b.b.b.b port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 38.99.187.1, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xECC28AE2(3972172514)

     inbound esp sas:
      spi: 0x88F324A5(2297636005)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4143)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xECC28AE2(3972172514)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ectunnelmap
        sa timing: remaining key lifetime (k/sec): (4563413/4143)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
0
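The output above is long because the same two identity pairs are repeated per interface, and the useful signal is in a handful of counters. This added example (not code from the thread) parses a constructed excerpt of that output, one record per local/remote identity, and flags pairs with no outbound SA, one-way packet counts, or send errors, which is how the idle 192.168.2.0->192.168.1.0 pair and the 4 send errors stand out.

```python
# Constructed excerpt of the 'sh cry ips sa' output posted above, trimmed to the
# lines the parser reads: one idle identity pair and one active pair on Loopback0.
SAMPLE = """interface: Loopback0
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    #pkts encaps: 97220, #pkts encrypt: 97220, #pkts digest: 97220
    #pkts decaps: 104607, #pkts decrypt: 104607, #pkts verify: 104607
    #send errors 4, #recv errors 0
     current outbound spi: 0xECC28AE2(3972172514)
"""

def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one record per identity pair."""
    records, iface = [], None
    cur = {}  # throwaway until the first 'local ident' line starts a record
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface = s.split(":", 1)[1].strip()
        elif s.split()[:2] == ["local", "ident"]:  # tolerates the double space
            cur = {"interface": iface, "local": s.split("(")[2].split("/")[0]}
            records.append(cur)
        elif s.startswith("remote ident"):
            cur["remote"] = s.split("(")[2].split("/")[0]
        elif s.startswith("#pkts encaps:"):
            cur["encaps"] = int(s.split(",")[0].split(":")[1])
        elif s.startswith("#pkts decaps:"):
            cur["decaps"] = int(s.split(",")[0].split(":")[1])
        elif s.startswith("#send errors"):
            cur["send_errors"] = int(s.split(",")[0].split()[2])
        elif s.startswith("current outbound spi:"):
            cur["outbound_spi"] = s.split(":")[1].split("(")[0].strip()
    return records

def sa_findings(records):
    """Flag identity pairs with no SA, one-way traffic, or send errors."""
    out = []
    for r in records:
        tag = f"{r['interface']} {r['local']}->{r['remote']}"
        if r.get("outbound_spi", "0x0") == "0x0":
            out.append(f"{tag}: no ESP SA for this pair (nothing negotiated, or it expired)")
        elif (r["encaps"] == 0) != (r["decaps"] == 0):
            out.append(f"{tag}: one-way traffic (encaps {r['encaps']}, decaps {r['decaps']})")
        if r.get("send_errors", 0):
            out.append(f"{tag}: {r['send_errors']} send errors on the outbound SA")
    return out
```

Running it against successive captures (the remaining lifetime and counters change between them) makes it easy to see whether the active pair keeps encapsulating during a failover, or whether the idle pair ever negotiates an SA.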
 
LVL 7

Expert Comment

by:Texas_Billy
ID: 26108671
This usually indicates a memory leak on the router showing the error; are you seeing this on both sides?

You said you can ping across the tunnel and open RDP sessions to / from servers on opposite sides, is that correct?  If so, what symptoms led you to check the log file for errors?  Is there a particular application or protocol that isn't working?  --TX
0
 
LVL 1

Author Comment

by:Posthumous
ID: 26109415
Hey,
Yeah, we can open applications, but no authentications are happening.
Can ping across the connections, and if there are previously opened connections when the failover happens they remain active, i.e. Exchange/WWW work as long as the authentications were done before the VPN was in place.

0
 
LVL 7

Expert Comment

by:Texas_Billy
ID: 26115166
This sounds like a DNS problem rather than a VPN problem.  When you ping, are you pinging by IP or hostname?  If you ping and nslookup to a host on the remote side, do they resolve the same IP?
0
 
LVL 1

Author Comment

by:Posthumous
ID: 26116377
I'll test out the DNS resolution through the VPN as soon as possible.
From my recollection (which is hazy at the moment), DNS resolution was working across the VPN without issue.

Last night I removed all ACL and IPS items from both the inside and outside of the internet-facing connections on both routers and brought up the VPN.  At this point I was still able to ping and tracert to the offsite servers; however, WWW and RDP connections still failed to connect or authenticate.

Am I wrong in assuming that ALL IP traffic should be passing between the locations without issue?  Are there certain types of traffic that would be in some way blocked or hindered, specifically DNS or Windows authentication port traffic?
0
 
LVL 1

Author Comment

by:Posthumous
ID: 26193683
DNS resolves through the VPN.
Strangely, the routers CAN NOT ping each other when the VPN is up, but can ping servers by IP or by DNS on either side of the router VPN connection.
Am stumped here, and believe that perhaps it's a firewall ACL type issue again.

Is there a way to enable debugs of some kind that would allow me to obtain and provide more information, specifically on the packet types that are getting dumped by the ACL/firewall, IF it is even that?
Perhaps a debug specific to VPN traffic of some kind?
0
 
LVL 1

Accepted Solution

by:
Posthumous earned 0 total points
ID: 26344174
Found the problem! Sort of...

The ACL was blocking the connectivity, but only on one of the connections, causing what looked like a "flapping" of the connectivity on the load-balanced side of the world.
The VPN is now stable in a connected state, with DNS resolving properly.

However, I am still unable to pass Windows authentication packets across the VPN when it's up and running.  Been running debugs against the subnet where the packets would/should come from, but seeing no errors or blocked data packets from that site.

Any thoughts on what/why windows authentication isn't working over the VPN connection?
0
 
LVL 2

Expert Comment

by:Sankar1985
ID: 33109651
Hi,

Can you try the following and post the details?

Debug crypto isakmp and show crypto isakmp

Best,
Sankar.K
0
