Solved

Cisco VPN Traffic Flow Problem

Posted on 2011-03-25
743 Views
Last Modified: 2012-05-11
Network Diagram

Site A - Internet - Site B

I have established a VPN between Site A and Site B. From Site B I am able to ping and access resources and servers inside Site A.  However, I am not able to even ping from Site A to Site B.

I attempt to perform a traceroute from Site A to Site B and I get as far as the loopback interface and then it dies.  I believe this indicates that Site B is not blocking packets from Site A.

Site A is configured using EzVPN Server

Site B is configured to connect to Site A using EzVPN Remote

Both sites are using Cisco 1921/k9 routers

I cannot figure out what is blocking or misrouting packets initiated from Site A going to Site B.

See the IOS config from Site A below.

192.168.9.x = Site A Network
192.168.6.x = Loopback on Site A router
192.168.3.x = Site B Network

aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.9.xx 192.168.9.xx
!
ip dhcp pool CLIENT
   import all
   network 192.168.9.xx 255.255.255.0
   default-router 192.168.9.xx
   dns-server 192.168.9.xx 8.8.8.8
!
!
no ip bootp server
no ip domain lookup
ip domain name domainname.local
ip host trps.trendmicro.com 150.70.74.51
ip name-server 192.168.9.xx
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint

crypto pki certificate chain 

username user1 privilege 15 secret 5 [password]
username tunnel1 privilege 15 secret 5 [password]
!
redundancy
!
!
!
crypto logging ezvpn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group TunnelOnly
 key {key}
 dns 192.168.9.xx
 pool SDM_POOL_1
 acl 100
 save-password
 netmask 255.255.255.252
crypto isakmp profile ciscocp-ike-profile-1
   match identity group TunnelOnly
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.6.xx 255.255.255.252
 !
!
interface GigabitEthernet0/0
 description Link_to_WAN$FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 !
!
interface GigabitEthernet0/1
 description Internal$ETH-LAN$$FW_INSIDE$
 ip address 192.168.9.xx 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
 !
!
ip local pool SDM_POOL_1 192.168.6.2
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload

!default route is to Link1_to_WAN (gi0/0)
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 2
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any

scheduler allocate 20000 1000
ntp update-calendar
ntp server 126.6.15.28 prefer source GigabitEthernet0/0
ntp server 126.6.15.29 source GigabitEthernet0/0


Question by:ITFireman
14 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35220826
What does the following show on both sides?

sh cry isa sa
sh cry ips  sa
 

Author Comment

by:ITFireman
ID: 35221545
Site A

SiteA#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
Site.A.WAN.IP   Site.B.WAN.IP   QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

SiteA#sh cry ips sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr Site.A.WAN.IP

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer Site.B.WAN.IP port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1254, #pkts encrypt: 1254, #pkts digest: 1254
    #pkts decaps: 1275, #pkts decrypt: 1275, #pkts verify: 1275
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Site.A.WAN.IP, remote crypto endpt.: Site.B.WAN.IP
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x9744B849(2537863241)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x403E71F3(1077834227)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4585604/1231)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9744B849(2537863241)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4585600/1231)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:




Site B
SiteB#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
Site.A.WAN.IP   Site.B.WAN.IP QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

SiteB#sh cry ips sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr Site.B.WAN.IP

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer Site.A.WAN.IP port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1279, #pkts encrypt: 1279, #pkts digest: 1279
    #pkts decaps: 1258, #pkts decrypt: 1258, #pkts verify: 1258
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: Site.B.WAN.IP, remote crypto endpt.: Site.A.WAN.IP
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x403E71F3(1077834227)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9744B849(2537863241)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2035, flow_id: Onboard VPN:35, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4408086/612)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x403E71F3(1077834227)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2036, flow_id: Onboard VPN:36, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4408090/612)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


 

Author Comment

by:ITFireman
ID: 35221566
After looking at the above, it seems that Site A has its IP as the destination.

Is that correct?  Or is it just identifying how the tunnel is setup?
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35221584
it shows the tunnel is up...
 
LVL 4

Expert Comment

by:m_walker
ID: 35221592
Double check all your routing tables. Devices can do source-based routing for a "session" and create one-way working tests.

I have seen Windows have an incorrect route for a host, thus it could not reply to a ping, but it could ping it. It sounds and looks wrong, but half worked; I think the issue was it only used its routing table to reply, but used the default route as well (after a timeout???) for a new connection. So check all the routing tables and ensure they all point to where they need to go.

If you make a change to a route, it helps to clear the routing tables and reload them to ensure any incorrect routes learned are cleaned up prior to testing a config change.

 

Author Comment

by:ITFireman
ID: 35221779
Thanks M...  That was my initial thought too, but I ran traceroute and ping also from the IOS command line receiving the same results of not being able to reach site B from site A.

 
LVL 4

Expert Comment

by:m_walker
ID: 35221792
I only look at our VPN when the other lads get stuck (which is not very often), so I'll talk concepts.
When the VPN comes up (which it sounds like it does), how does the router at each end know about the network(s) at the other end? We have one end with a default gateway via the VPN (remote site), and have a static route in our core router for the VPN networks (which get sent out via EIGRP to other routers). So you may find a site network route is missing. Just saying, double check for the routes and typos...
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 35222103
Looks to me like a NAT issue. Site B to A works because B is NATting outbound traffic. A to B does not work because you don't have a NAT rule to make it work.

Here's what I would do:

no ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 102 interface GigabitEthernet0/0 overload
access-list 102 deny ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.9.0 0.0.0.255 any

Instead of EZVPN Server and Client roles, I highly recommend setting up a standard site-site VPN unless one of them has a dynamic IP address.
 
LVL 4

Expert Comment

by:m_walker
ID: 35224207
Good call lrmoore.
 

Author Comment

by:ITFireman
ID: 35224582
lrmoore... Thanks. I attempted a site-to-site VPN as you suggested. The tunnel does come up. But now I am not able to ping either side.

I cleaned up both routers and started from scratch before creating the site-to-site vpn just to make sure no old lists/transformations/etc were left in the configuration...

Here is an excerpt from Site A

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key [[[mykey]]] address xxx.xxx.xxx.173
!
!
crypto ipsec transform-set Cisco esp-des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toxxx.xxx.xxx.173
 set peer xxx.xxx.xxx.173
 set transform-set Cisco 
 match address 100
!
interface GigabitEthernet0/0
 description Link_to_WAN$FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.33 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
 !
!
interface GigabitEthernet0/1
 description Internal$ETH-LAN$$FW_INSIDE$
 ip address xxx.xxx.xx9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface FastEthernet0/0/0
 description Link_to_DSL$ETH-WAN$
 ip address 141.157.24.24 255.255.255.0
 shutdown
 duplex auto
 speed auto
 no cdp enable
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.34 2
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip xxx.xxx.xx9.0 0.0.0.255 xxx.xxx.xx3.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip xxx.xxx.xx9.0 0.0.0.255 xxx.xxx.xx3.0 0.0.0.255
access-list 101 permit ip xxx.xxx.xx9.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!



Here is an excerpt from Site B

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key BeachPower address xxx.xxx.xxx.33
!
!
crypto ipsec transform-set Cisco esp-des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel toxxx.xxx.xxx.33
 set peer xxx.xxx.xxx.33
 set transform-set Cisco 
 match address 100
!
!
interface GigabitEthernet0/0
 description Link_to_WAN$FW_OUTSIDE$$ETH-WAN$
 ip address xxx.xxx.xxx.173 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
 !
!
interface GigabitEthernet0/1
 description Internal$ETH-LAN$$FW_INSIDE$
 ip address xxx.xxx.xx3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.174 2 permanent
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip xxx.xxx.xx3.0 0.0.0.255 xxx.xxx.xx9.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip xxx.xxx.xx3.0 0.0.0.255 xxx.xxx.xx9.0 0.0.0.255
access-list 101 permit ip xxx.xxx.xx3.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!



As you can see, the only difference is that the IP addresses have swapped.

When I run a traceroute from Site A to the internal address at Site B, it goes out to the WAN and not in to the tunnel.  The same is true if I go from B to A.

sh cry isa sa shows the tunnel is up and that it is in an idle state.

I am about to go bald trying to get this to work...
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35225011
Hi,

Are the tunnels UP?
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35225012
Did you reload the routers?
 
LVL 79

Expert Comment

by:lrmoore
ID: 35225944
>When I run a traceroute from Site A to the internal address at Site B

If you are doing this only router to router, you have to source the trace/ping with the LAN interface IP.
The best way to test is to have a PC on one side do a continuous ping to a PC on the other side.


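An added example, not from the thread or any of its posters, that models how IOS evaluates the NAT and crypto access lists behind lrmoore's two comments: with the original access-list 1, LAN-to-LAN traffic is translated to the WAN address before the crypto check and so never matches the crypto ACL, while access-list 102 exempts it; likewise a router-sourced ping carries the WAN interface address and misses the crypto ACL unless it is sourced from the LAN interface. The host addresses and the 203.0.113.33 WAN address are constructed placeholders.

```python
import ipaddress


def ace_matches(ace, src, dst):
    """One access-list entry: (action, src_net, src_wild, dst_net, dst_wild).
    In an IOS wildcard mask a 1 bit means "don't care"."""
    _action, snet, swild, dnet, dwild = ace

    def hit(net, wild, addr):
        n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, addr))
        return (n & ~w) == (a & ~w)

    return hit(snet, swild, src) and hit(dnet, dwild, dst)


def acl_permits(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace_matches(ace, src, dst):
            return ace[0] == "permit"
    return False


SITE_A_WAN = "203.0.113.33"  # constructed placeholder for Site A's WAN address

# Site A's original NAT list (access-list 1 is a standard ACL: any destination).
NAT_ACL_1 = [("permit", "192.168.9.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
# lrmoore's access-list 102: exempt LAN-to-LAN traffic from NAT, NAT everything else.
NAT_ACL_102 = [("deny", "192.168.9.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
               ("permit", "192.168.9.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
# Crypto ACL from the site-to-site excerpt: interesting traffic is LAN-to-LAN only.
CRYPTO_ACL_100 = [("permit", "192.168.9.0", "0.0.0.255", "192.168.3.0", "0.0.0.255")]


def outbound_source(nat_acl, src, dst):
    """Inside-to-outside NAT runs before the crypto map check on IOS, so a packet
    that matches the NAT list leaves with the WAN address as its source."""
    return SITE_A_WAN if acl_permits(nat_acl, src, dst) else src


def reaches_tunnel(nat_acl, src, dst):
    """True when the packet, after NAT, still matches the crypto ACL."""
    return acl_permits(CRYPTO_ACL_100, outbound_source(nat_acl, src, dst), dst)


if __name__ == "__main__":
    pc_a, pc_b = "192.168.9.50", "192.168.3.50"  # constructed hosts at each site
    print("ACL 1,   PC A -> PC B:", reaches_tunnel(NAT_ACL_1, pc_a, pc_b))    # False
    print("ACL 102, PC A -> PC B:", reaches_tunnel(NAT_ACL_102, pc_a, pc_b))  # True
    # A router-sourced ping defaults to the egress (WAN) interface address.
    print("ping from WAN IP:", reaches_tunnel(NAT_ACL_102, SITE_A_WAN, pc_b))     # False
    print("ping from LAN IP:", reaches_tunnel(NAT_ACL_102, "192.168.9.1", pc_b))  # True
```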
 

Author Comment

by:ITFireman
ID: 35227088
Thanks lrmoore.  Appreciate the advice.  Once I got off the router and pinged from another device, it went through.

