VPN Tunnel Traffic not passing
Hello,
I have a Cisco 861 router configured with a site-to-site vpn to a Linksys WRV210. The connection has worked in the passed without issue until recently. The location that has the VPN connection had other vendors come in to update other systems and I believe somehow has affected the VPN. Not fully understanding how or what it takes to troubleshoot this type of service (IPSec VPN) I loaded the 861 with a backup config. After the reload the VPN does connect but does not seem to be passing data correctly.
When I traceroute from the 861 the traffic is going through the public/WAN interface and not over the VPN tunnel.
I have not messed with the Linksys WRV210 much because it's pretty much a no brainier. However, if you feel the issue could be there I am happy to provide config and info for that device.
Cisco 861 local network: 192.168.1.0:/24
Linksys WRV210 local network: 192.168.2.0/24
Thanks for any help and let me know if you need more information to help troubleshoot this.
I have a Cisco 861 router configured with a site-to-site vpn to a Linksys WRV210. The connection has worked in the passed without issue until recently. The location that has the VPN connection had other vendors come in to update other systems and I believe somehow has affected the VPN. Not fully understanding how or what it takes to troubleshoot this type of service (IPSec VPN) I loaded the 861 with a backup config. After the reload the VPN does connect but does not seem to be passing data correctly.
When I traceroute from the 861 the traffic is going through the public/WAN interface and not over the VPN tunnel.
I have not messed with the Linksys WRV210 much because it's pretty much a no brainier. However, if you feel the issue could be there I am happy to provide config and info for that device.
Cisco 861 local network: 192.168.1.0:/24
Linksys WRV210 local network: 192.168.2.0/24
Thanks for any help and let me know if you need more information to help troubleshoot this.
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname santo-861
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 *REMOVED*
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
!
crypto pki trustpoint TP-self-signed-3248388390
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3248388390
revocation-check none
rsakeypair TP-self-signed-3248388390
!
!
crypto pki certificate chain TP-self-signed-3248388390
*REMOVED*
quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.79
ip dhcp excluded-address 192.168.1.120 192.168.1.254
!
ip dhcp pool main-pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.1.254 4.2.2.2
lease 0 12
!
!
ip cef
no ip bootp server
ip domain name *REMOVED*
ip name-server 192.168.1.254
ip name-server 4.2.2.2
!
!
license udi pid CISCO861-K9 sn FTX1337Y2C2
!
!
username *REMVOED* privilege 15 secret 5 *REMOVED*
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *REMOVED* address *REMOVED*
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *REMOVED*
set peer *REMOVED*
set transform-set ESP-3DES-SHA
match address VPN
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address *REMOVED* 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip default-gateway *REMOVED*
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.20 2368 interface FastEthernet4 2368
ip nat inside source static tcp 192.168.1.20 61002 interface FastEthernet4 61002
ip nat inside source static tcp 192.168.1.20 61031 interface FastEthernet4 61031
ip nat inside source static udp 192.168.1.20 61031 interface FastEthernet4 61031
ip nat inside source static tcp 192.168.1.20 6320 interface FastEthernet4 6320
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.242 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.242 8080 *REMOVED* 8080 extendable
ip nat inside source static tcp 192.168.1.242 8081 *REMOVED* 8081 extendable
ip nat inside source static tcp 192.168.1.243 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.243 1159 *REMOVED* 1159 extendable
ip nat inside source static tcp 192.168.1.243 1160 *REMOVED* 1160 extendable
ip nat inside source static tcp 192.168.1.244 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.244 8080 *REMOVED* 8080 extendable
ip nat inside source static tcp 192.168.1.244 8081 *REMOVED* 8081 extendable
ip route 0.0.0.0 0.0.0.0 *REMOVED*
!
ip access-list extended VPN
remark CCP_ACL Category=4
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
logging synchronous
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
end
What system are you using,
Did you ping exact direct IP address or that is re-direct address.
Your data server should report you the connection error report/log file , could you display it in EE, otherwise
we could not fully understand your problem
Duncan
Did you ping exact direct IP address or that is re-direct address.
Your data server should report you the connection error report/log file , could you display it in EE, otherwise
we could not fully understand your problem
Duncan
Hi and thanks for the replay.
In the past the VPN was used for RDP from the admin office to the remote office. I have tried to ping from both sides to the routers (861 and WRV210) to the local IP (192.168.1.254 and 192.168.2.1) but with no successes.
I have to say, I do not fully understand what you mean by data server or report/logs. Both sides of the VPN has a random assortment of desktops and servers in operation.
In the past the VPN was used for RDP from the admin office to the remote office. I have tried to ping from both sides to the routers (861 and WRV210) to the local IP (192.168.1.254 and 192.168.2.1) but with no successes.
I have to say, I do not fully understand what you mean by data server or report/logs. Both sides of the VPN has a random assortment of desktops and servers in operation.
Okay I know the problem. If as you said I have tried to ping from both sides to the routers (861 and WRV210) to the local IP (192.168.1.254 and 192.168.2.1) but with no successes,
this is NOT at your side problem, you could not do anything besides contact the connection vendor because ping is not success that pretty sure is not your-side problem, try
contact them for technical support. They have all error report and log file for the connection
problem for your part
this is NOT at your side problem, you could not do anything besides contact the connection vendor because ping is not success that pretty sure is not your-side problem, try
contact them for technical support. They have all error report and log file for the connection
problem for your part
Hmm, thanks for the reply but I don't think it is correct to move the issue to the service provider. I am almost positive the issue has something to do with the configuration or function of one of or both routers I have. I just find it very unlikely the two service providers I have could cause VPN traffic not to route correctly but still allow the connection to be made.
Like I stated before, if i do a traceroute from the 861 to the LAN IP of the WRV210 (192.168.2.1) the route goes through the WAN IP and not the tunnel. I am not sure if this is normal behavior for a cisco router but seems unlikely.
Below is an example of the traceroute:
santo-861#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
1 192.168.1.254 4 msec 0 msec 4 msec
2 174.141.x.x.nw.nuvox.net (174.141.x.x) 8 msec 12 msec 8 msec
3 ge8-3.x.nw.nuvox.net (209.177.x.x) 28 msec 48 msec 8 msec
4 ge8-3.x.nw.nuvox.net (209.177.x.x) !H * *
santo-861#
Thanks for the help.
Like I stated before, if i do a traceroute from the 861 to the LAN IP of the WRV210 (192.168.2.1) the route goes through the WAN IP and not the tunnel. I am not sure if this is normal behavior for a cisco router but seems unlikely.
Below is an example of the traceroute:
santo-861#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
1 192.168.1.254 4 msec 0 msec 4 msec
2 174.141.x.x.nw.nuvox.net (174.141.x.x) 8 msec 12 msec 8 msec
3 ge8-3.x.nw.nuvox.net (209.177.x.x) 28 msec 48 msec 8 msec
4 ge8-3.x.nw.nuvox.net (209.177.x.x) !H * *
santo-861#
Thanks for the help.
This will at least get you started:
https://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#topic1-problem
https://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#topic1-problem
Premium Content
You need an Expert Office subscription to comment.Start Free Trial