Solved

Ability to browse LAN goes "deaf" after a while

Posted on 2010-09-11
Last Modified: 2012-05-10
If I reload the router, I'm able to browse the LAN over VPN. However, after a little while, it seems to go deaf, and even though my VPN client can initially connect, it doesn't seem to allow packets back to the VPN client if I ping the router.

The icmp debug shows the router is getting pings over VPN, and responding to them, but my VPN client is not getting the responses. I suspect there's still an issue with NAT, even though there are specific deny ACL entries in the ACL for the NAT statement.

Configuration attached. I've also attached current show access-lists output.

Regards,

Luis
Standard IP access list 1
    10 permit 192.168.123.0, wildcard bits 0.0.0.255
Standard IP access list 3
    10 permit 192.168.123.0, wildcard bits 0.0.0.255 (6 matches)
    20 permit 192.168.129.128, wildcard bits 0.0.0.7 (4 matches)
    30 permit 192.168.129.0, wildcard bits 0.0.0.255
Extended IP access list 101
    10 permit ip 192.168.123.0 0.0.0.255 any
Extended IP access list 102
    10 permit ip 192.168.123.0 0.0.0.255 any
Extended IP access list 150
    10 deny ip any 192.168.128.128 0.0.0.31
    20 deny ip any 192.168.129.128 0.0.0.7 (3785 matches)
    30 permit ip 192.168.123.0 0.0.0.255 any (57876 matches)
Extended IP access list SDM_AH
    10 permit ahp any any
Extended IP access list SDM_ESP
    10 permit esp any any

!
! Last configuration change at 11:45:18 Pacific Sat Sep 11 2010
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname mre-van-cr01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1507793008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1507793008
 revocation-check none
 rsakeypair TP-self-signed-1507793008
!
!
crypto pki certificate chain TP-self-signed-1507793008
 certificate self-signed 01
  	quit
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.123.186
ip dhcp excluded-address 192.168.123.1 192.168.123.127
ip dhcp excluded-address 192.168.123.192 192.168.123.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.123.0 255.255.255.0
   dns-server 192.168.123.250 
   default-router 192.168.123.1 
   domain-name ***
   lease 0 2
!
!
ip cef
no ip bootp server
ip domain name ***
ip name-server 204.174.64.1
ip name-server 204.174.65.1
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn ***
!
!
username admin privilege 15 secret 5 ***
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
!         
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group MRE-ADMIN
 key ***
 dns 192.168.123.250
 domain ***
 pool SDM_POOL_1
 acl 101
 max-users 6
 netmask 255.255.255.0
!
crypto isakmp client configuration group MRE-STAFF
 key ***
 dns 192.168.123.250
 domain ***
 pool SDM_POOL_2
 acl 102
 max-users 30
 netmask 255.255.255.224
crypto isakmp profile ciscocp-ike-profile-1
   match identity group MRE-ADMIN
   match identity group MRE-STAFF
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 900
 set transform-set ESP-3DES-SHA 
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 !
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 spanning-tree portfast
 !
!
interface FastEthernet1
 spanning-tree portfast
 !
!
interface FastEthernet2
 spanning-tree portfast
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 spanning-tree portfast
 !
!
interface FastEthernet5
 spanning-tree portfast
 !
!
interface FastEthernet6
 spanning-tree portfast
 !
!
interface FastEthernet7
 spanning-tree portfast
 !
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
 !
!
interface GigabitEthernet0
 description ***Upstream to Internet***$ETH-WAN$$FW_OUTSIDE$
 ip address 111.111.111.111 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 10
 no cdp enable
 !        
!
interface Vlan1
 description *** Local Network ***$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 192.168.123.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 load-interval 30
 !
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 !        
!
ip local pool SDM_POOL_2 192.168.128.129 192.168.128.158
ip local pool SDM_POOL_1 192.168.129.129 192.168.129.134
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map NONAT interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 111.111.111.111
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.123.0 0.0.0.255
access-list 3 permit 192.168.123.0 0.0.0.255
access-list 3 permit 192.168.129.128 0.0.0.7
access-list 3 permit 192.168.129.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.123.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.123.0 0.0.0.255 any
access-list 150 deny   ip any 192.168.128.128 0.0.0.31
access-list 150 deny   ip any 192.168.129.128 0.0.0.7
access-list 150 permit ip 192.168.123.0 0.0.0.255 any
!
!
!
!
route-map NONAT permit 10
 description *** NAT Address Translation Rule List ***
 match ip address 150
!
!
!
control-plane
 !
!
line con 0
 logging synchronous
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 3 in
 logging synchronous
 transport input telnet ssh
line vty 5 15
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 17.151.16.20 prefer source GigabitEthernet0
ntp server 17.151.16.21 source GigabitEthernet0
ntp server 17.151.16.22 source GigabitEthernet0
ntp server 17.151.16.23 source GigabitEthernet0
end
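The suspicion above is that NAT still translates traffic headed back to the VPN clients despite the deny lines in ACL 150. As an added check (my script, not something from the thread), the Python below parses the NAT-relevant lines of the posted configuration, follows the NAT statement to its route-map and ACL, and reports any VPN-pool address the ACL does not exempt; CONFIG is an excerpt I constructed from the posted config, and the narrowed-wildcard run is a constructed negative case showing what a real gap looks like.

```python
import ipaddress
import re

# Constructed excerpt: only the NAT/VPN-pool lines from the configuration posted above.
CONFIG = """\
ip local pool SDM_POOL_2 192.168.128.129 192.168.128.158
ip local pool SDM_POOL_1 192.168.129.129 192.168.129.134
ip nat inside source route-map NONAT interface GigabitEthernet0 overload
access-list 150 deny   ip any 192.168.128.128 0.0.0.31
access-list 150 deny   ip any 192.168.129.128 0.0.0.7
access-list 150 permit ip 192.168.123.0 0.0.0.255 any
route-map NONAT permit 10
 description *** NAT Address Translation Rule List ***
 match ip address 150
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network (assumes a contiguous wildcard)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_pools(cfg):
    """Map each 'ip local pool' name to its (first, last) address."""
    return {m[1]: (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", cfg, re.M)}

def nat_exempt_destinations(cfg):
    """Follow 'ip nat inside source route-map X' -> route-map X -> its ACL, and
    return the destination networks that ACL denies (i.e. exempts from NAT)."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)[1]
    acl = re.search(rf"^route-map {re.escape(rm)} permit \d+\n(?: .*\n)*? match ip address (\S+)",
                    cfg, re.M)[1]
    return [wildcard_to_network(m[1], m[2]) for m in
            re.finditer(rf"^access-list {re.escape(acl)} deny\s+ip any (\S+) (\S+)", cfg, re.M)]

def unexempted_pool_addresses(cfg):
    """Return {pool_name: [addresses]} for pool addresses the NAT rule would still translate."""
    exempt = nat_exempt_destinations(cfg)
    leaks = {}
    for name, (first, last) in parse_pools(cfg).items():
        leaked = [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)
                  if not any(ipaddress.IPv4Address(i) in net for net in exempt)]
        if leaked:
            leaks[name] = leaked
    return leaks

if __name__ == "__main__":
    print("posted config:", unexempted_pool_addresses(CONFIG) or "every pool address is NAT-exempt")
    # Constructed negative case: narrow the first deny to a /28 and the check flags the gap.
    print("narrowed deny:", unexempted_pool_addresses(CONFIG.replace("0.0.0.31", "0.0.0.15")))
```

Run against the posted config the check finds no gap, which is consistent with the thread's conclusion that the NAT exemption was not the cause.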

Question by:monkeymac
8 Comments
 
LVL 1

Author Comment

by:monkeymac
ID: 33655569
I've been doing some more testing, and after reloading the router, the first time I VPN to the network, I can ping and browse the network.

If I disconnect from VPN, and reconnect shortly thereafter, I can't ping or browse any longer.

When monitoring ICMP debug info, the router gets the pings, but my client over VPN does not get the responses.

So, nothing else has changed, except connecting over VPN, disconnecting, and reconnecting.

Any ideas?

Regards,

Luis
 
LVL 9

Expert Comment

by:ken2421
ID: 33655575
I have solved this on many occasions with the old-time solution: the hosts file.

%Windows%/system32/drivers/etc/host

Run notepad as Administrator and browse to directory.
Change Notepad to all files.

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost
192.168.123.250        server.local         # or whatever your DNS server is



Save the file. Flush the DNS resolver cache. Reconnect the VPN and voilà.

Good luck,
Ken
 
LVL 1

Author Comment

by:monkeymac
ID: 33655627
Thanks Ken - this is not a DNS issue, thanks for your comment though.

Regards,

Luis
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33656010
Hi,

This config does not allow pinging the router's inside LAN address!
Why do you want to ping the LAN address from VPN?
 
LVL 1

Author Comment

by:monkeymac
ID: 33656017
For testing of connectivity. I also cannot use remote desktop to administer machines. Whether it's ping or remote desktop it doesn't matter.

The issue is that if I reload the router, I can access devices on the network on the very first VPN connection; if I disconnect VPN and reconnect, I can no longer access devices on the network.
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33656021
Strange...

What do 'sh cry isa sa' and 'sh cry ips sa' show on the second connection?
 
LVL 1

Author Comment

by:monkeymac
ID: 33656024
sh cry isa sa:

dst             src             state          conn-id status
111.111.111.111 200.200.200.200   QM_IDLE           2018 ACTIVE
111.111.111.111 200.200.200.200   MM_NO_STATE       2017 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

sh cry ips sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 111.111.111.111

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.129.134/255.255.255.255/0/0)
   current_peer 200.200.200.200 port 47074
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 166, #pkts decrypt: 166, #pkts verify: 166
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 111.111.111.111, remote crypto endpt.: 200.200.200.200
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x243E339(38003513)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9DBDD3FB(2646463483)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 31, flow_id: Onboard VPN:31, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4575336/3549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x243E339(38003513)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 32, flow_id: Onboard VPN:32, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4575373/3549)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
 
LVL 1

Accepted Solution

by:monkeymac (earned 0 total points)
ID: 33656092
So it seems this issue is an active bug (CSCth39861).

Workaround is to change to dynamic crypto map.

Regards,

Luis