
VPN Tunnel Traffic not passing

Hello,

I have a Cisco 861 router configured with a site-to-site VPN to a Linksys WRV210.  The connection has worked in the past without issue until recently.  The location that has the VPN connection had other vendors come in to update other systems, and I believe this has somehow affected the VPN.   Not fully understanding how or what it takes to troubleshoot this type of service (IPsec VPN), I loaded the 861 with a backup config.  After the reload the VPN does connect but does not seem to be passing data correctly.  

When I traceroute from the 861, the traffic is going through the public/WAN interface and not over the VPN tunnel.

I have not messed with the Linksys WRV210 much because it's pretty much a no-brainer. However, if you feel the issue could be there, I am happy to provide config and info for that device.

Cisco 861 local network: 192.168.1.0/24
Linksys WRV210 local network: 192.168.2.0/24


Thanks for any help, and let me know if you need more information to help troubleshoot this.


!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname santo-861
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 *REMOVED*
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
!
crypto pki trustpoint TP-self-signed-3248388390
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3248388390
 revocation-check none
 rsakeypair TP-self-signed-3248388390
!
!
crypto pki certificate chain TP-self-signed-3248388390
 *REMOVED*
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.79
ip dhcp excluded-address 192.168.1.120 192.168.1.254
!
ip dhcp pool main-pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254 
   dns-server 192.168.1.254 4.2.2.2 
   lease 0 12
!
!
ip cef
no ip bootp server
ip domain name *REMOVED*
ip name-server 192.168.1.254
ip name-server 4.2.2.2
!
!
license udi pid CISCO861-K9 sn FTX1337Y2C2
!
!
username *REMOVED* privilege 15 secret 5 *REMOVED*
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *REMOVED* address *REMOVED*
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to *REMOVED*
 set peer *REMOVED*
 set transform-set ESP-3DES-SHA 
 match address VPN
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address *REMOVED* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip default-gateway *REMOVED*
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.20 2368 interface FastEthernet4 2368
ip nat inside source static tcp 192.168.1.20 61002 interface FastEthernet4 61002
ip nat inside source static tcp 192.168.1.20 61031 interface FastEthernet4 61031
ip nat inside source static udp 192.168.1.20 61031 interface FastEthernet4 61031
ip nat inside source static tcp 192.168.1.20 6320 interface FastEthernet4 6320
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.242 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.242 8080 *REMOVED* 8080 extendable
ip nat inside source static tcp 192.168.1.242 8081 *REMOVED* 8081 extendable
ip nat inside source static tcp 192.168.1.243 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.243 1159 *REMOVED* 1159 extendable
ip nat inside source static tcp 192.168.1.243 1160 *REMOVED* 1160 extendable
ip nat inside source static tcp 192.168.1.244 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.244 8080 *REMOVED* 8080 extendable
ip nat inside source static tcp 192.168.1.244 8081 *REMOVED* 8081 extendable
ip route 0.0.0.0 0.0.0.0 *REMOVED*
!
ip access-list extended VPN
 remark CCP_ACL Category=4
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
end



Commented:
What system are you using?

Did you ping the exact direct IP address, or is that a redirect address?

Your data server should report the connection error report/log file to you; could you display it in EE? Otherwise
we could not fully understand your problem.


Duncan

Author

Commented:
Hi, and thanks for the reply.

In the past the VPN was used for RDP from the admin office to the remote office.   I have tried to ping from both sides to the routers (861 and WRV210) at their local IPs (192.168.1.254 and 192.168.2.1), but with no success.  

I have to say, I do not fully understand what you mean by data server or report/logs.   Both sides of the VPN have a random assortment of desktops and servers in operation.  

Commented:
Okay, I know the problem. If, as you said, you have tried to ping from both sides to the routers (861 and WRV210) at the local IPs (192.168.1.254 and 192.168.2.1) with no success,
this is NOT a problem at your side. You could not do anything besides contact the connection vendor, because if ping does not succeed it is pretty sure not to be a problem on your side. Try
contacting them for technical support. They have all the error reports and log files for the connection
problem for your part.

Author

Commented:
Hmm, thanks for the reply, but I don't think it is correct to move the issue to the service provider.  I am almost positive the issue has something to do with the configuration or function of one or both of the routers I have.  I just find it very unlikely that the two service providers I have could cause VPN traffic not to route correctly but still allow the connection to be made.

Like I stated before, if I do a traceroute from the 861 to the LAN IP of the WRV210 (192.168.2.1), the route goes through the WAN IP and not the tunnel.  I am not sure if this is normal behavior for a Cisco router, but it seems unlikely.

Below is an example of the traceroute:

santo-861#traceroute 192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1

  1 192.168.1.254 4 msec 0 msec 4 msec
  2 174.141.x.x.nw.nuvox.net (174.141.x.x) 8 msec 12 msec 8 msec
  3 ge8-3.x.nw.nuvox.net (209.177.x.x) 28 msec 48 msec 8 msec
  4 ge8-3.x.nw.nuvox.net (209.177.x.x) !H  *  *
santo-861#


Thanks for the help.
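An added example, not part of the original post or of either vendor's software: the check a practitioner would run against the posted santo-861 config before moving the problem to the provider. On IOS, inside-to-outside NAT is applied before the crypto map on the egress interface, so a LAN-to-remote-LAN packet is only encrypted if ACL 100 (the ACL behind the NAT route-map) denies it first; the script parses the two ACLs from the posted config, verifies that every crypto-ACL permit is covered by such a deny, and walks sample packets through that order of operations. It also shows why the traceroute above does not test the tunnel: a traceroute or ping issued on the router without a `source` leaves FastEthernet4 with the public address as its source, which matches neither ACL 100 nor the VPN ACL, so it is sent in the clear down the default route whether or not the tunnel is healthy. `ping 192.168.2.1 source 192.168.1.254` (or `traceroute 192.168.2.1 source 192.168.1.254`) is the test that exercises the crypto map. The WAN address 198.51.100.2 and the BROKEN_NAT variant are constructed for illustration; the ACL lines are copied from the posted config.

```python
import ipaddress
from dataclasses import dataclass

# ACL lines copied from the posted santo-861 config; nothing else is needed here.
CONFIG = """
ip access-list extended VPN
 remark CCP_ACL Category=4
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""
# Constructed broken variant: the NAT-exemption deny for LAN -> remote LAN is missing.
BROKEN_NAT = CONFIG.replace(
    "access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n", "")
WAN_IP = ipaddress.ip_address("198.51.100.2")  # constructed stand-in for the redacted Fa4 address


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tok):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # An IOS wildcard is the bitwise inverse of a netmask; 0.0.0.0 means a single host.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))
    net = ipaddress.IPv4Network((tok[0], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, tok[2:]


def parse_acls(text):
    """Return {name: [Ace, ...]} for the 'ip' entries of named and numbered extended ACLs.
    Remarks, standard ACLs (no protocol field) and port-qualified tcp/udp entries are skipped."""
    acls, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "remark"):
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = tok[3]
            acls.setdefault(current, [])
            continue
        if tok[0] == "access-list":
            name, body = tok[1], tok[2:]
        elif current and tok[0] in ("permit", "deny"):
            name, body = current, tok
        else:
            current = None  # left the named-ACL block
            continue
        if len(body) < 4 or body[0] not in ("permit", "deny") or body[1] != "ip":
            continue
        src, rest = _take_addr(body[2:])
        dst, _ = _take_addr(rest)
        acls.setdefault(name, []).append(Ace(body[0], src, dst))
    return acls


def first_match(acl, src_ip, dst_ip):
    """First ACE matching the flow, or None for the implicit deny at the end."""
    for ace in acl:
        if src_ip in ace.src and dst_ip in ace.dst:
            return ace
    return None


def walk_packet(acls, src, dst, crypto_acl="VPN", nat_acl="100"):
    """Model egress on Fa4: inside-to-outside NAT runs before the crypto map, so the
    crypto ACL is matched against the post-NAT source.  A router-originated traceroute
    without 'source' carries the Fa4 address, which matches neither ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = first_match(acls[nat_acl], src_ip, dst_ip)
    natted = hit is not None and hit.action == "permit"
    wire_src = WAN_IP if natted else src_ip  # PAT overload to the interface address
    hit = first_match(acls[crypto_acl], wire_src, dst_ip)
    encrypted = hit is not None and hit.action == "permit"
    return {"src_on_wire": str(wire_src), "natted": natted, "encrypted": encrypted}


def check_nat_exemption(acls, crypto_acl="VPN", nat_acl="100"):
    """Each crypto-ACL permit must hit a covering deny in the NAT ACL first; otherwise the
    source is translated to the WAN address and never matches the tunnel."""
    problems = []
    for ace in acls[crypto_acl]:
        if ace.action != "permit":
            continue
        hit = first_match(acls[nat_acl], ace.src.network_address, ace.dst.network_address)
        if not (hit is not None and hit.action == "deny"
                and ace.src.subnet_of(hit.src) and ace.dst.subnet_of(hit.dst)):
            problems.append(f"{ace.src} -> {ace.dst} is not exempted from NAT in ACL {nat_acl}")
    return problems


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print("posted config, exemption problems:", check_nat_exemption(acls) or "none")
    print("LAN host -> remote LAN       :", walk_packet(acls, "192.168.1.50", "192.168.2.10"))
    print("traceroute sourced from Fa4  :", walk_packet(acls, str(WAN_IP), "192.168.2.1"))
    print("traceroute source Vlan1      :", walk_packet(acls, "192.168.1.254", "192.168.2.1"))
    broken = parse_acls(BROKEN_NAT)
    print("broken variant, problems     :", check_nat_exemption(broken))
    print("broken variant, LAN -> remote:", walk_packet(broken, "192.168.1.50", "192.168.2.10"))
```

For the posted ACLs the exemption check passes and a LAN-sourced packet is classified as encrypted, while the WAN-sourced traceroute is classified as plain-routed, which is what the hop list above shows. The matching check on the router itself is `show crypto ipsec sa` after sending LAN-sourced traffic: rising `#pkts encaps` with `#pkts decaps` stuck at zero points at the return path (the WRV210 side or its tunnel policy), while zero encaps means the traffic never matched the crypto ACL on the 861, for example because it was translated first (`show ip nat translations`).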

Author

Commented:
Thanks for the link; I'll check it out and report back.

Author

Commented:
Although the presented solution did help in many areas of understanding VPN, it wasn't a clear answer to help solve my stated issue.