Cisco VPN GRE Tunnel over Cell / Dialer interface not working correctly

Hello all!

I'm having an issue with a tunnel between two routers. I have the tunnel up and going, I can ping back and forth across the tunnels. What I can't do is ping local devices on only one end of the tunnel. That router is connected via 4G LTE cell/dialer. It seems as if the dialer won't let traffic pass to the local network, with the exception of the local network gateway (192.168.215.1).

Everything can ping 192.168.215.1. 192.168.215.1 can ping everything. However, devices on network 192.168.215.0/24 can't ping anything except 192.168.215.1.

For the life of me I can't figure out what is wrong, but I'm beginning to think it's the dialer or cell config. Can someone point out what I am doing wrong?

Here is the config for both routers:

####################### Cell Router #######################

interface Tunnel1
 ip address 10.20.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination x.x.61.180
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.215.1 255.255.255.0
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Cellular0/0/0
 bandwidth 2000
 ip address negotiated
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
!
interface Dialer1
 ip address negotiated
 ip virtual-reassembly in
 dialer pool 1
 dialer idle-timeout 0
 dialer string LTE
 dialer persistent
 dialer-group 1
!
router eigrp 5
 network 10.0.0.0
 network 192.168.215.0
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.0.0 Tunnel1
!
dialer-list 1 protocol ip permit
!
line 0/0/0
 script dialer LTE
 modem InOut
 no exec
line 0/0/1 0/0/3
 no exec
line vty 0 4
 login local
 transport input all
!
end

Cell2901#ping 192.168.100.99
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.99, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/92/136 ms
Cell2901#ping 192.168.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/85/96 ms
Cell2901#ping 192.168.215.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.215.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Cell2901#

####################### VPN  Router #######################
interface Tunnel1
 ip address 10.20.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source x.x.61.180
 tunnel destination x.x.78.245
!
interface GigabitEthernet0/0
 description Public
 ip address x.x.61.180 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Private Network
 ip address 192.168.100.99 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 5
 network 10.0.0.0
 network 192.168.100.0
 network 192.168.215.0
!
ip route 0.0.0.0 0.0.0.0 x.x.61.177
ip route 192.168.215.0 255.255.255.0 10.20.0.2

VPN#ping 192.168.215.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.215.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/81/88 ms
VPN#ping 192.168.215.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.215.13, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Asked by: EquityIT
greg ward commented:
On the VPN router I would try this:
conf t

router eigrp 5
 
 no network 192.168.215.0

as that network is on the other router.

Regards
 
greg ward commented:
Did this work?
 
EquityIT (Author) commented:
Deepdraw, I removed the route from the VPN router and that did not fix the issue. Anything else I should try?
 
greg ward commented:
I would also remove this from the VPN router, so:

no ip route 192.168.215.0 255.255.255.0 10.20.0.2

Regards
 
EquityIT (Author) commented:
I removed the static route from the VPN router to 192.168.215.0 network (no ip route 192.168.215.0 255.255.255.0 10.20.0.2). EIGRP is doing its job correctly, however I still have the same issues.

What I find interesting is I do a 'ping 192.168.100.2 source g0/1' from Cell2901 and the pings are successful. Since the g0/1 is the same network as the workstations I don't get why the traffic isn't passing. It seems like the dialer is dropping all traffic. Should I get rid of the external dialer interface and configure it without one?
 
EquityIT (Author) commented:
Here is another thing I just tried - from a workstation on 192.168.215.0, I can ping the local tunnel 10.20.0.2, but still can't hit the other side, 10.20.0.1.

Am I not tagging interesting traffic correctly?
 
EquityIT (Author) commented:
One last thing for the night... I'm starting to doubt it's the dialer. I just created a loopback interface on Cell2901 and added the network to EIGRP. The VPN router can ping the loopback interface without issue. I'm lost.
 
greg ward commented:
####################### Cell Router #######################
interface Tunnel1
 ip address 10.20.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer1  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<is this always x.x.78.245?
 tunnel destination x.x.61.180
####################### VPN  Router #######################
interface Tunnel1
 ip address 10.20.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source x.x.61.180
 tunnel destination x.x.78.245

Can you paste the output of show crypto isakmp sa from both routers to show the tunnel is up?
 
EquityIT (Author) commented:
Yes, the source Dialer1 has a static IP.

We currently aren't using IPSEC over GRE, just GRE tunnels.
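A plain GRE tunnel, as configured at this point in the thread, carries the inner LAN packet across the ISPs in the clear: anyone on the path between the two WAN addresses can read it, and without a `tunnel key` nothing even ties a GRE packet to this tunnel. The Python below is an added example for this thread, not code from the posted routers or from Cisco. It builds and unpacks a GRE-in-IPv4 packet (RFC 2784 header, plus the optional RFC 2890 key field that IOS adds when `tunnel key` is set) so you can see exactly what crosses the WAN. The outer addresses 203.0.113.180 and 198.51.100.245 are constructed stand-ins for the x.x.61.180 / x.x.78.245 endpoints in the thread, and the inner packet is a constructed ICMP-style packet from the cell-side LAN to HQ.

```python
"""GRE-in-IPv4 encapsulation, the unencrypted form used by a plain IOS GRE tunnel.

Added example for this thread; it is not code from the posted routers or from
Cisco. Addresses and payload below are constructed placeholders.
"""
import socket
import struct
from typing import Optional

GRE_IP_PROTO = 47          # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE protocol-type field for an IPv4 payload
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000      # set by IOS when 'tunnel key' is configured
GRE_FLAG_SEQ = 0x1000


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, src: str, dst: str, key: Optional[int] = None) -> bytes:
    """Wrap an inner IPv4 packet: outer IP (proto 47) + 4-byte GRE header [+ 4-byte key]."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return ipv4_header(src, dst, GRE_IP_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes, expected_key: Optional[int] = None) -> bytes:
    """Validate the outer header and GRE key, then return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTO:
        raise ValueError("outer packet is not GRE (protocol %d)" % packet[9])
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    offset = ihl + 4
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4                       # checksum + reserved1
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    if key != expected_key:
        # Mirror the router: a key that does not match the configured 'tunnel key'
        # (or a key present when none is configured) means the packet is dropped.
        raise ValueError("GRE key mismatch: got %r, expected %r" % (key, expected_key))
    return packet[offset:]


# Constructed inner packet: ICMP (proto 1) from the cell-side LAN to an HQ host.
INNER_PACKET = ipv4_header("192.168.215.13", "192.168.100.2", 1, 16) + b"secret payload!!"
# Constructed stand-ins for the thread's x.x.61.180 / x.x.78.245 WAN addresses.
OUTER_SRC, OUTER_DST = "203.0.113.180", "198.51.100.245"


def inner_visible_on_wire(packet: bytes) -> bool:
    """True if the LAN payload can be read straight out of the outer packet."""
    return b"secret payload!!" in packet


if __name__ == "__main__":
    wire = gre_encapsulate(INNER_PACKET, OUTER_SRC, OUTER_DST)
    print("outer length:", len(wire), "inner visible on the WAN:", inner_visible_on_wire(wire))
    assert gre_decapsulate(wire) == INNER_PACKET
```

The `tunnel key` check only stops stray or mis-addressed GRE from being accepted; it is a 32-bit plaintext value, not authentication. Confidentiality and integrity across the ISPs come from the `tunnel protection ipsec profile` added later in the thread.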
 
EquityIT (Author) commented:
So I went ahead and configured IPSEC over GRE. Here is the relevant config portion from the VPN router, which is not decapping traffic. However, the Cell2901 router is decapping and encapping traffic. The tunnels claim they are up; however, I cannot ping end to end through the tunnels. I can ping the WAN interfaces without issue. Just an FYI: there are no ACLs or firewalls of any sort, just the ISPs.

Then I found this thread - http://www.experts-exchange.com/Networking/Security/IPsec/Q_23115027.html
Seems to be similar to my issue... Maybe I should try swapping the router out, or just reloading IOS?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key xxxxx address x.x.78.245
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile protect-gre
 set security-association lifetime seconds 86400
 set transform-set VPN
!
interface Tunnel1
 tunnel protection ipsec profile protect-gre

VPN#sh cry session
Crypto session current status

Interface: Tunnel1
Session status: UP-ACTIVE
Peer: x.x.78.245 port 500
  IKEv1 SA: local x.x.61.180/500 remote x.x.78.245/500 Active
  IPSEC FLOW: permit 47 host x.x.61.180 host x.x.78.245
        Active SAs: 2, origin: crypto map

VPN#sh cry ip sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr x.x.61.180

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (x.x.61.180/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (x.x.78.245/255.255.255.255/47/0)
   current_peer x.x.78.245 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 46, #recv errors 0

     local crypto endpt.: x.x.61.180, remote crypto endpt.: x.x.78.245
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x22F4CF1(36654321)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3AF98AE1(989432545)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000006, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4534668/85447)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x22F4CF1(36654321)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000006, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4534642/85447)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
VPN#sh int tun 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.20.0.1/24
  MTU 17882 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source x.x.61.180, destination x.x.78.245
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1442 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "protect-gre")
  Last input 00:14:01, output 00:24:08, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 46
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     74 packets input, 6673 bytes, 0 no buffer
     Received 0 broadcasts (62 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     420 packets output, 36745 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
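The encaps/decaps counters in the `show crypto ipsec sa` output above are the most telling lines: 220 packets encapsulated, 0 decapsulated, 46 send errors, i.e. this side is encrypting and sending but nothing from the peer is being received and decrypted. Reading that by eye across several tunnels gets tedious, so here is a small parser for the counter lines of that command. It is an added example for this thread, not Cisco code or anything the posters ran; SAMPLE_OUTPUT is constructed from the output above and HEALTHY_OUTPUT is a constructed counterpart for comparison.

```python
"""Read 'show crypto ipsec sa' counters and flag one-way or failing SAs.

Added example for this thread; not code from Cisco or from the posters.
SAMPLE_OUTPUT is constructed from the VPN router's output in the thread;
HEALTHY_OUTPUT is a constructed example of what a working SA looks like.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr x.x.61.180

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (x.x.61.180/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (x.x.78.245/255.255.255.255/47/0)
   current_peer x.x.78.245 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 220, #pkts encrypt: 220, #pkts digest: 220
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 46, #recv errors 0
"""

HEALTHY_OUTPUT = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr x.x.61.180

   current_peer x.x.78.245 port 500
    #pkts encaps: 532, #pkts encrypt: 532, #pkts digest: 532
    #pkts decaps: 519, #pkts decrypt: 519, #pkts verify: 519
    #send errors 0, #recv errors 0
"""


@dataclass
class SaCounters:
    interface: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


_RE = {
    "peer": re.compile(r"current_peer\s+(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "errors": re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)"),
}


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Split the output into per-'interface:' blocks and pull the counters out."""
    results = []
    blocks = re.split(r"^interface:[ \t]*", text, flags=re.MULTILINE)
    for block in blocks[1:]:                  # blocks[0] is anything before the first interface
        name = block.split("\n", 1)[0].strip()
        peer = _RE["peer"].search(block)
        enc = _RE["encaps"].search(block)
        dec = _RE["decaps"].search(block)
        err = _RE["errors"].search(block)
        if not (peer and enc and dec and err):
            continue                          # incomplete block: skip rather than guess
        results.append(SaCounters(name, peer.group(1), int(enc.group(1)),
                                  int(dec.group(1)), int(err.group(1)), int(err.group(2))))
    return results


def diagnose(sa: SaCounters) -> List[str]:
    """Return findings for one SA; an empty list means the counters look healthy."""
    where = "%s peer %s" % (sa.interface, sa.peer)
    findings = []
    if sa.encaps == 0 and sa.decaps == 0:
        findings.append("%s: no traffic in either direction; check routing into the tunnel" % where)
    elif sa.decaps == 0:
        findings.append("%s: one-way SA, %d packets encapsulated and none decapsulated; compare "
                        "the peer's encaps counter and check that ESP (IP protocol 50) from the "
                        "peer reaches this side" % (where, sa.encaps))
    elif sa.encaps == 0:
        findings.append("%s: one-way SA, receiving %d packets but sending none; check that local "
                        "traffic is routed into the tunnel" % (where, sa.decaps))
    if sa.send_errors:
        findings.append("%s: %d send errors, packets handed to the SA were dropped before "
                        "encryption (for example while IKE was still negotiating)"
                        % (where, sa.send_errors))
    if sa.recv_errors:
        findings.append("%s: %d receive errors; check for replay or integrity failures" % (where, sa.recv_errors))
    return findings


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT) + parse_ipsec_sa(HEALTHY_OUTPUT):
        print(sa, diagnose(sa) or ["ok"])
```

Run the same parser on both peers' output side by side: a one-way SA where side A shows encaps but no decaps and side B shows neither points at the path toward B (or B's crypto not engaging at all), which is exactly the symptom the firmware/IOS upgrade later cleared up in this thread.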
 
greg ward commented:
I would rebuild and upgrade the IOS if you can.
Please let me know what happens.

Regards
 
EquityIT (Author) commented:
I swapped the 2901 out for a 1921 for testing. Same exact results.

Can't update the IOS versions due to the lack of SmartNet... I guess the next thing I need to do is have the routers at the same site and put a router in between them to simulate the internet, so the configs need minimal changes, and then bypass the dialer. It's the only thing I can think of at this point.

Thanks for your help thus far!
 
greg ward commented:
Can you set up a router at home, then see if you can connect to both?
It would be easier than taking the routers out of production.

Also try adding the command
ip redirects on the tunnel interfaces
(not sure if that will work now ipsec is set up)

Regards
 
EquityIT (Author) commented:
Well, we bit the bullet, renewed SmartNet and upgraded IOS and firmware. We are a step in the right direction... Without changing the configs the VPN came up right away and we are seeing encaps & decaps on both routers. We can ping back and forth from both tunnels and gateways; however, we still can't pass internal traffic from the Cell router to HQ where the VPN router resides.

I'm going to reconfigure the Dialer and see what I come up with. I'll keep you in the loop.
 
EquityIT (Author) commented:
Got it to work!! I think we had multiple issues going on here...

The 4G LTE card needed new firmware. The router then needed an updated IOS to work with the new firmware. Once that was done the VPN came up without changing the configs.

In order to get the traffic to pass, I got rid of the Dialer interface by following this write-up [ISR LTE eHWIC Internet Configuration for Primary Access with DMVPN, No NAT, and No Split Tunnel] - http://www.cisco.com/c/dam/en/us/products/collateral/interfaces-modules/4g-lte-wireless-wan-enhanced-high-speed-wan-interface-card/guide_c07-720271.pdf

I'm not sure the firmware was 100% necessary, but there sure were a lot of little weird things I ran into, so I can only imagine it helped. And there was a lot more debug info available with the Cellular interface.

After that I was able to pass traffic to HQ, but was unable to surf the net. So I put in some PBR on the HQ tunnel interface to set the next hop to the main router, which passes traffic to the ASA. Everything is working like a charm and I got 2/5 Mbps with RSSI = -60 dBm.
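With the link working, the crypto and management settings posted earlier in the thread deserve a review before they stay in production: 3DES, MD5 and DH group 2 for IKEv1 and the transform set, `transport input all` on the VTY lines of an Internet-facing router, and plaintext `ip http server`. The script below is an added example for this thread, not code from the posters or from Cisco. It parses IOS-style config text into header/body sections and flags those settings. SAMPLE_CONFIG is constructed from the lines posted above; HARDENED_CONFIG is a constructed counterpart (AES-256, SHA-256, DH group 14, SSH-only VTY access restricted by an access-class) and assumes the routers' IOS supports those options.

```python
"""Audit a Cisco IOS config for weak VPN crypto and exposed management.

Added example for this thread; not code from the posters or from Cisco. The
sample below is constructed from the crypto and management lines posted in
the thread; the hardened version is a constructed counterpart.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key xxxxx address x.x.78.245
!
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
 mode transport
!
ip http server
ip http authentication local
ip http secure-server
!
line vty 0 4
 login local
 transport input all
"""

# Constructed hardened counterpart; assumes the platform/IOS supports AES-256,
# SHA-256 and DH group 14, and that access-list 10 lists the management hosts.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
 mode transport
!
no ip http server
ip http secure-server
!
line vty 0 4
 login local
 access-class 10 in
 transport input ssh
"""

# 'hash sha' is SHA-1 in IOS; DH groups 1, 2 and 5 are too small for current use.
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group each indented line under the unindented line that precedes it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit(config: str) -> List[str]:
    """Return one finding per weak or exposed setting; empty list means clean."""
    findings = []
    for header, body in parse_sections(config).items():
        if header.startswith("crypto isakmp policy"):
            for line in body:
                keyword, _, value = line.partition(" ")
                if value in WEAK_ISAKMP.get(keyword, ()):
                    findings.append("%s: weak %s %s" % (header, keyword, value))
        elif header.startswith("crypto ipsec transform-set"):
            tokens = header.split()           # crypto ipsec transform-set NAME transform...
            for transform in tokens[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append("transform-set %s: weak transform %s" % (tokens[3], transform))
        elif header == "ip http server":
            findings.append("ip http server: plaintext HTTP management enabled")
        elif header.startswith("line vty"):
            if "transport input all" in body:
                findings.append("%s: transport input all (telnet and more allowed); use ssh" % header)
            if not any(line.startswith("access-class") for line in body):
                findings.append("%s: no access-class restricting management sources" % header)
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["clean"])
```

The checks are deliberately syntactic (a line-oriented IOS config is easy to parse this way), so the same `parse_sections` helper can be extended to other reviews of the posted configs, for example flagging EIGRP that runs without `ip authentication mode eigrp` on the tunnel interface.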
