Solved

Cisco 861: easyVPN stops working on second connect

Posted on 2011-03-24
Last Modified: 2012-05-11
For a customer we run several small Cisco appliances (mostly 851) as VPN servers in remote locations. We recently transitioned to the successor model 861. All seems fine except one (crippling) thing:
whenever the router is reset, the first Cisco VPN client connection works fine. Once this connection terminates, ALL following VPN client connections _seem_ to work (no errors in the client log, keepalives are transmitted, no errors, no failed packets), but no data (not even ICMP) actually gets through. When I reset the 861, the first connection works again, and all following connections fail.
Situation:
internal network: 192.168.233.1/24
VPN network (on loopback interface): 192.168.234.1/24
IP address pool for VPN clients: 192.168.234.2 - .127
The incoming VPN connection is using TCP (port 10000) and gets forwarded before reaching the router in one setup. But in another situation, we use UDP directly connected to the internet and get the same problem.

I already enabled ICMP debugging, and when I ping the router's internal address 192.168.233.1 from a VPN client, say 192.168.234.5, the router claims to answer the ping. However, it never reaches the client.

I attached the complete configuration (confidential stuff represented by XXX) for review.

Please note:
* there are some unused access lists I set up for testing
* there is no firewall configuration because we are behind another router that only forwards port 10000 TCP to us

Best Regards
Mike

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 XXX
enable password 7 XXX
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1
!
crypto pki trustpoint TP-self-signed-2638506017
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2638506017
 revocation-check none
 rsakeypair TP-self-signed-2638506017
!
!
no ip source-route
!
ip cef
no ip bootp server
ip domain name local
!
!
license udi pid CISCO861-K9 sn XXX
!
!
archive
 log config
  hidekeys
!
no spanning-tree vlan 1
username root privilege 15 secret 5 XXX
username remote secret 5 XXX
crypto ctcp port 10000
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpn
 key XXX
 pool SDM_POOL_1
 acl 104
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   client configuration group vpn
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
interface Loopback0
 ip address 192.168.234.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.233.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
ip forward-protocol nd
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 10.179.232.0 255.255.255.0 192.168.233.2
ip route 172.16.0.0 255.255.0.0 192.168.233.2
!
ip access-list log-update threshold 10
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.233.0 0.0.0.255
access-list 100 remark XXX
access-list 100 permit ip 192.168.233.0 0.0.0.255 any
access-list 100 permit ip 192.168.234.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.233.0 0.0.0.255 any
access-list 101 permit ip 192.168.234.0 0.0.0.255 any
access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
no cdp run

!
control-plane
!
banner exec ^CCC
 XXX
 ^C
banner login ^CCC
 XXX
 ^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:MFollwerk
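As an added check that is not from the original question or from Cisco: the script below parses an IOS config in the form posted above and cross-checks the EasyVPN pieces that have to agree (client group to pool and split-tunnel ACL, pool range inside the Loopback0 subnet that the Virtual-Template is unnumbered to) and reports the IOS version, since the thread's outcome was that the 15.0 release was the one affected. The CONFIG excerpt is constructed from the posted values, and the function names are chosen here.

```python
import ipaddress
# Constructed excerpt in the style of the question's config, not the real one.
CONFIG = """\
version 15.0
crypto isakmp client configuration group vpn
 pool SDM_POOL_1
 acl 104
interface Loopback0
 ip address 192.168.234.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
"""

def parse_blocks(text):
    """Return [(top-level line, [indented child lines])], skipping '!' and blanks."""
    blocks = []
    for line in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("!")):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def check_easyvpn(text):
    """Check the group's pool/ACL exist and pools fit the subnet Virtual-Template borrows."""
    blocks = parse_blocks(text)
    version = next((t.split()[1] for t, _ in blocks if t.startswith("version ")), None)
    pools = {t.split()[3]: tuple(t.split()[4:6]) for t, _ in blocks if t.startswith("ip local pool ")}
    acls = {t.split()[1] for t, _ in blocks if t.startswith("access-list ")}
    ifaces = {t.split()[1]: kids for t, kids in blocks if t.startswith("interface ")}
    issues = []
    for top, kids in blocks:
        if top.startswith("crypto isakmp client configuration group "):
            opts = dict(k.split(None, 1) for k in kids if " " in k)  # e.g. {"pool": "SDM_POOL_1"}
            for kind, defined in (("pool", pools), ("acl", acls)):
                if opts.get(kind) not in defined:
                    issues.append(f"group {top.split()[-1]}: {kind} {opts.get(kind)} is not defined")
    for name, kids in ifaces.items():
        borrowed = [k.split()[-1] for k in kids if k.startswith("ip unnumbered ")]
        addr = [k.split()[2:4] for b in borrowed for k in ifaces.get(b, [])
                if k.startswith("ip address ")]
        if not borrowed or not addr:
            continue
        net = ipaddress.ip_network("/".join(addr[0]), strict=False)  # 192.168.234.0/24
        for pname, (lo, hi) in pools.items():
            if ipaddress.ip_address(lo) not in net or ipaddress.ip_address(hi) not in net:
                issues.append(f"pool {pname} {lo}-{hi} is outside {net} of {borrowed[0]}")
    return {"ios_version": version, "issues": issues}
```

Run check_easyvpn(CONFIG) against a real running-config dump; an empty issues list means the EasyVPN references are consistent and the remaining suspect is the platform/IOS release, which is where this thread ended up.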
7 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35209706
Wow, this is an odd one. And you say this architecture worked fine before you migrated to the 861? Was the migration to the 861 also a migration to 15.0 code? I haven't done any research to see if it's even possible to downgrade the 861 to something in the 12.x code train.
 
LVL 18

Accepted Solution

by: jmeggers (earned 500 total points)
ID: 35209732
I verified there is a 12.4 release for the 861. If the migration included moving to 15.0 code, it may be worth downgrading to see what the behavior is.
 

Author Comment

by:MFollwerk
ID: 35210620
Thanks for the hint. I actually did not look into the code revisions yet, but you may be right. Unfortunately these problems only occurred after the routers were deployed (in pretty remote places) so I cannot simply downgrade them.

What makes things even worse:
I (re-)tested things with a reserve unit today, and these problems do not occur in our test network. All I can imagine is that the problem might be related to NAT on the client side, which is the only real difference between the test network and the real thing. However, I can't imagine why it would work on the first try then.
Anyway, it will take me a while to build a test network that can actually reproduce the error. Then I will try a downgrade to 12.4.

In the meantime, I am more than open to other suggestions.

Best Regards
Mike
 

Author Comment

by:MFollwerk
ID: 35258875
Hi,

We did some tests with a reserve unit and after a *lot* of work I think you are right. It seems to be an OS version problem. We did the tests with an older unit that still has 12.4, and it works flawlessly. I also posted the problem on the Cisco forum, and besides some minor configuration faults (which have nothing to do with the problem above) the issue persisted. I also tried doing a similar configuration using crypto maps, but never got it to work with CTCP (which is, unfortunately, a necessity for us).

So all that remains is to downgrade the newer units to 12.4 and maybe switch to AnyConnect or something else in future.

One last question before I close this issue:
Who do I need to contact at Cisco to be allowed to actually download the 12.4 firmware image? They say to contact your Cisco partner, but since the routers were bought by a customer this is difficult.
Is there another way?
 
LVL 68

Expert Comment

by:Qlemo
ID: 35481689
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
 

Author Comment

by:MFollwerk
ID: 36203880
Sorry it took so long to get back to this. After _endless_ red tape with Cisco to get a patch, I can confirm this:
the problem in question is a bug in Cisco IOS 15.0 that was known to Cisco at the time. Finding that out, however, was not that easy, as Cisco is not a very talkative company. Upgrading to IOS 15.1 solved the problem, after long weeks of waiting for the request to get a new firmware (for a unit under warranty!) to be approved...
Downgrading to 12.4 would also have worked, but the same problem applies: Cisco is not exactly forthcoming in supplying replacement firmware files.