Solved

Cisco Site to Site VPN can ping other LAN but cannot access any resources

Posted on 2014-10-08
Last Modified: 2014-10-20
I set up a site-to-site VPN between our two offices, and it is up. I can ping remote IP addresses on the other LAN, but I cannot access any HTTP based resources. For example, I want to be able to browse to the Cisco 303 phones and see their web interface. I can ping them and the printer, but not browse. I can ping from the routers to internal IP addresses on both LANs as well. There's some trash in there because I used the CLI and CP to try to set this up a few times. Rest assured I tried this with a clean version of these configs without success. Thanks for any help you can give!

-jeff

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname VARouter
!
boot-start-marker
boot-end-marker
!
no logging on
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.201.251 192.168.201.254
ip dhcp excluded-address 192.168.201.199
ip dhcp excluded-address 192.168.201.198
ip dhcp excluded-address 192.168.201.197
ip dhcp excluded-address 192.168.201.196
ip dhcp excluded-address 192.168.201.195
ip dhcp excluded-address 192.168.201.194
ip dhcp excluded-address 192.168.201.193
ip dhcp excluded-address 192.168.201.192
ip dhcp excluded-address 192.168.201.191
ip dhcp excluded-address 192.168.201.1 192.168.201.50
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.202 192.168.101.254
!
ip dhcp pool ccp-pool
   import all
   network 192.168.201.0 255.255.255.0
   default-router 192.168.201.1
   dns-server 75.75.75.75 75.75.76.76
   lease 2
!
ip dhcp pool GuestLAN
   import all
   network 192.168.101.0 255.255.255.0
   dns-server 75.75.75.75 4.2.2.2
   default-router 192.168.101.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 75.75.75.76
ip name-server 75.75.75.75
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9
license boot module c880-data level advsecurity
!
!
username etc etc etc
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
crypto isakmp key myKey address 2.2.2.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address 101
!
!
!
!
!
interface FastEthernet0
 description LAN
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description VOIP VLAN
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$
 ip address 1.1.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 ip nbar protocol-discovery
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.201.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.202.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.201.5 3389 interface FastEthernet4 53389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.11
!
ip access-list extended VA2SC_ACL
 remark CCP_ACL Category=1
 permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging 192.168.201.118
access-list 100 remark CCP_ACL Category=19
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.201.0 0.0.0.255 any
access-list 100 permit ip 192.168.202.0 0.0.0.255 any
access-list 100 permit ip 192.168.101.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
version 15.1
parser config cache interface
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SCRouter
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
!
!
!
aaa session-id common
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.30
ip dhcp excluded-address 192.168.1.1 192.168.1.31
!
ip dhcp pool vlan1pool
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 75.75.75.75 75.75.76.76
!
!
ip cef
ip domain name search-mojo.com
ip name-server 75.75.75.75
ip name-server 75.75.76.76
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn
!
!
username etc etc etc
!
!
!
!
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
crypto isakmp key myKey address 1.1.1.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set transform-set ESP-3DES-SHA
 match address 102
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set transform-set ESP-3DES-SHA
 match address 103
!
bridge irb
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address 2.2.2.2 255.255.255.252
 ip access-group 151 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 192.168.2.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool vpnpool 192.168.1.180 192.168.1.200
ip local pool dynpool 192.168.1.100 192.168.1.120
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.22
!
ip access-list extended out2in
!
no logging trap
access-list 23 permit 0.0.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 150 permit ip any any
access-list 151 remark CCP_ACL Category=17
access-list 151 remark IPSec Rule
access-list 151 permit ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit udp host 1.1.1.1 host 2.2.2.2 eq non500-isakmp
access-list 151 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list 151 permit esp host 1.1.1.1 host 2.2.2.2
access-list 151 permit ahp host 1.1.1.1 host 2.2.2.2
access-list 151 deny   ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 151 permit ip any any
access-list 155 remark CCP_ACL Category=18
access-list 155 remark IPSec Rule
access-list 155 deny   ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 155 permit ip any any
cdp timer 5
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 151
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 subscriber-policy 1
bridge 1 route ip
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input ssh
!
end
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Question by:driscojs

Expert Comment

by:Matt
ID: 40369170
Which traffic would you like to be sent across the VPN tunnel? I see no no-nat statements...

Author Comment

by:driscojs
ID: 40369356
I'd like to have general access to the other LAN as if it were the local LAN. Isn't this supposed to prevent the NAT of the LAN to LAN addresses? access-list 155 deny   ip 192.168.1.0 0.0.0.255 192.168.201.0 0.0.0.255 (there's a matching one in the other router too)

I'm currently trying MTU options. I can ping the other LAN with packets of 1418 or less. I might have an MTU issue, but I'm not sure. Turned on ip tcp path-mtu-discovery, no luck after resetting the VPN on both ends via CP. Currently trying to learn/figure out how to limit the MTU to a smaller size for VPN traffic. There won't be tons of VPN traffic, mostly me remotely administering things via HTTP and maybe RDP.

-jeff

Expert Comment

by:Matt
ID: 40369365
Can you do traceroute from one router to another?

And trace route to one of your http based resources?

Author Comment

by:driscojs
ID: 40369383
tracert 192.168.1.84 (from 192.168.201.84, hitting one of the voip phones on the other LAN from my laptop)
Tracing route to 192.168.1.84 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3    68 ms    65 ms    66 ms  192.168.1.84
Trace complete.


-jeff

Author Comment

by:driscojs
ID: 40369398
Ok, now the tunnel shows down in CP, and no IPSec tunnels are shown under monitoring. But I have an open ping to 192.168.1.84 that's been running all day. Still pinging fine. The extended traceroutes on the router from 192.168.201 to 192.168.1.1 and vice versa are not returning anything.

Example:
#traceroute
Protocol [ip]:
Target IP address: 192.168.1.1
Source address: 192.168.201.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 192.168.1.1

  1  *  *  *
  2  *  *  *

If this helps, the connections seem ok on both routers:
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   27  IPsec   3DES+SHA                  0     1038     1040 2.2.2.2
   28  IPsec   3DES+SHA               1169        0        0 2.2.2.2

More info:
(also works from the other router to this one)
ping
Protocol [ip]:
Target IP address: 192.168.201.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.201.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/76/80 ms


-jeff

Expert Comment

by:Matt
ID: 40369424
What do you get:

show crypto ipsec sa detail

show crypto ipsec sa

Do you have anything in log? "show logg"?

Expert Comment

by:Matt
ID: 40369437
Why have you defined two identical statements:

crypto map SDM_CMAP_1 1 ipsec-isakmp

crypto map SDM_CMAP_2 1 ipsec-isakmp

ACL lists 102 and 103 are equal?

Author Comment

by:driscojs
ID: 40369444
#show crypto ipsec sa detail

interface: GigabitEthernet0
    Crypto map tag: SDM_CMAP_2, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2166, #pkts encrypt: 2166, #pkts digest: 2166
    #pkts decaps: 1955, #pkts decrypt: 1955, #pkts verify: 1955
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x761CB001(1981591553)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x459F582E(1168070702)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 29, flow_id: Onboard VPN:29, sibling_flags 80000046, crypto map: SDM_CMAP_2
        sa timing: remaining key lifetime (k/sec): (4493337/2851)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x761CB001(1981591553)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 30, flow_id: Onboard VPN:30, sibling_flags 80000046, crypto map: SDM_CMAP_2
        sa timing: remaining key lifetime (k/sec): (4493326/2851)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
---------------------------------------------------------------------------------------------------------------------

#show crypto ipsec sa

interface: GigabitEthernet0
    Crypto map tag: SDM_CMAP_2, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.201.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2253, #pkts encrypt: 2253, #pkts digest: 2253
    #pkts decaps: 2037, #pkts decrypt: 2037, #pkts verify: 2037
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x761CB001(1981591553)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x459F582E(1168070702)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 29, flow_id: Onboard VPN:29, sibling_flags 80000046, crypto map: SDM_CMAP_2
        sa timing: remaining key lifetime (k/sec): (4493217/2768)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x761CB001(1981591553)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 30, flow_id: Onboard VPN:30, sibling_flags 80000046, crypto map: SDM_CMAP_2
        sa timing: remaining key lifetime (k/sec): (4493206/2768)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Author Comment

by:driscojs
ID: 40369445
Those duplicates are likely a result of me "re-doing" the VPN in CP. It likes to make all new sets of lists. I had 4 IPSec ACLs that were identical too.

I do have some of this in the log:
Oct  8 21:30:33.988: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1446

I was going to go through and set the MTU on the VPN, but I haven't gotten to that yet/need to learn how to exactly.

-jeff

Assisted Solution

by:Matt
Matt earned 166 total points
ID: 40369461
On both routers add this:

crypto ipsec df-bit clear

Here is the same error:
https://learningnetwork.cisco.com/docs/DOC-16208

Author Comment

by:driscojs
ID: 40369500
I set that command, and I'd considered doing that earlier but was scared off by the potential performance hit, although I can't imagine we'd suffer much since there won't be much traffic. I'm still getting this after running a clear crypto session command: (MTU seems to still be an issue?)

#ping 192.168.201.1 source 192.168.1.1 size 1400
Type escape sequence to abort.
Sending 5, 1400-byte ICMP Echos to 192.168.201.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/73/76 ms

#ping 192.168.201.1 source 192.168.1.1 size 1500
Type escape sequence to abort.
Sending 5, 1500-byte ICMP Echos to 192.168.201.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)

Expert Comment

by:Matt
ID: 40370044
Can you add ACL for VPN for testing purposes to allow all traffic? Tunnel is running OK, so it seems.

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 334 total points
ID: 40370045
Looks like your problem is MTU (in some cases it could be MSS also).
From your Cisco device you can do this ping and find the valid MTU.

Router1#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: y
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]: 1400
Sweep max size [18024]: 1500
Sweep interval [1]:

Start counting the ! characters from zero and set the MTU under the interface with
ip mtu 1492 (or whatever size is OK in your case)

and in some cases could need to use (try only MTU first)
ip tcp adjust-mss 1452 (or whatever size is OK in your case)

Author Comment

by:driscojs
ID: 40370515
Any ping with MTU over 1446 fails. So I'm chasing down the MTU issue this morning.

-jeff

Expert Comment

by:Predrag Jovic
ID: 40370601
Maybe this article can help you to understand IP fragmentation problem better.
I know it was good for my understanding of these problems. :)

Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPSEC

Author Comment

by:driscojs
ID: 40370718
Predrag,

I got the info I expected from that ping, MTU doesn't pass after 1446 on either router. I assume that is due to VPN overhead in the packet, out of the normal 1500. I can ping both routers externally at 1500.

I set ip mtu 1440 on the GigabitEthernet0 and FastEthernet4 and it killed the internet here at the office. :) I just removed it and all is well. The other office didn't report any issues.

-jeff

Expert Comment

by:Predrag Jovic
ID: 40370800
Maybe I'm wrong, but I think you should apply it to both sides of tunnel interface.

Author Comment

by:driscojs
ID: 40370808
Predrag,

Do you mean setting the MTU to 1400 (or similar) on the Vlan1 and GigabitEthernet0 on one router and setting it on Vlan1 and FastEthernet4 on the other router?

-jeff

Expert Comment

by:Predrag Jovic
ID: 40370882
I don't see what the tunnel is here. To me it looks like it is FastEthernet 4 on one side and gig0/0 on the other, but you said that killed the internet.
So I don't have a clue. :)

Author Comment

by:driscojs
ID: 40370887
I'm checking into a VTI right now. Seems much simpler. :)

-jeff

Author Comment

by:driscojs
ID: 40371249
So it appears that traffic is now coming across, just incredibly slowly. I tested the tunnel by trying to browse one of the VOIP phones from my laptop, and it gets a title for the tab, and even eventually the right background, etc, but it took several minutes. Any ideas on how to troubleshoot the speed? Both locations have a 50/10mbit Comcast Cable ISP. Normal internet outside the VPN is fine and fast.

-jeff

Expert Comment

by:Predrag Jovic
ID: 40371267
Try to access something other than the VOIP phone. And set the MTU as big as it can be to minimize overhead.

Author Comment

by:driscojs
ID: 40371282
I did; the printer is 192.168.1.38 and acts the same: I get the tab title, and it churns and churns, but basically never comes up. There are only two laptops, the printer and a few phones, all on that one VLAN down there.

-jeff

Accepted Solution

by:
driscojs earned 0 total points
ID: 40371468
Fixed! MTU and MSS seemed to do the trick, but I also think switching to the VTI made it FAR simpler to deal with the VPN.

Used this site to setup the VTI mostly, along with the Cisco site:
http://www.alfredtong.com/cisco/ipsec-vpn-cisco-ios-site-to-site-virtual-tunnel-interface-vti/

Basically,
1. set up VTI
2. set up an ip route statement to send all LAN 2 LAN traffic to the tunnel
3. fix the MTU and MSS on the tunnel interface (also set this, but not sure it did anything useful: tunnel path-mtu-discovery)

Here's the config I used, after removing the old VPN and ACL stuff:

Router 1.1.1.1
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
no logging on
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1323232887
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1323232887
 revocation-check none
 rsakeypair TP-self-signed-1323232887
!
!
crypto pki certificate chain TP-self-signed-1323232887
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.201.251 192.168.201.254
ip dhcp excluded-address 192.168.201.199
ip dhcp excluded-address 192.168.201.198
ip dhcp excluded-address 192.168.201.197
ip dhcp excluded-address 192.168.201.196
ip dhcp excluded-address 192.168.201.195
ip dhcp excluded-address 192.168.201.194
ip dhcp excluded-address 192.168.201.193
ip dhcp excluded-address 192.168.201.192
ip dhcp excluded-address 192.168.201.191
ip dhcp excluded-address 192.168.201.1 192.168.201.50
ip dhcp excluded-address 192.168.101.1 192.168.101.100
ip dhcp excluded-address 192.168.101.202 192.168.101.254
!
ip dhcp pool ccp-pool
   import all
   network 192.168.201.0 255.255.255.0
   default-router 192.168.201.1
   dns-server 75.75.75.75 75.75.76.76
   lease 2
!
ip dhcp pool GuestLAN
   import all
   network 192.168.101.0 255.255.255.0
   dns-server 75.75.75.75 4.2.2.2
   default-router 192.168.101.1
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip name-server 75.75.75.76
ip name-server 75.75.75.75
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn
license boot module c880-data level advsecurity
!
!
!
!
!
!
ip tcp path-mtu-discovery
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
crypto isakmp key myKey address 2.2.2.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile VA2SC
 set transform-set ESP-3DES-SHA
!
!
!
!
!
!
interface Tunnel0
 ip unnumbered Vlan1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VA2SC
!
interface FastEthernet0
 description LAN
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description VOIP VLAN
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$
 ip address 1.1.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 ip nbar protocol-discovery
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.201.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.202.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.201.5 3389 interface FastEthernet4 53389
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.11
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
logging 192.168.201.118
access-list 100 remark CCP_ACL Category=19
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit ip 192.168.201.0 0.0.0.255 any
access-list 100 permit ip 192.168.202.0 0.0.0.255 any
access-list 100 permit ip 192.168.101.0 0.0.0.255 any
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Router 2.2.2.2:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
version 15.1
parser config cache interface
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
!
!
!
aaa session-id common
!
clock timezone NewYork -5 0
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2311379001
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2311379001
 revocation-check none
 rsakeypair TP-self-signed-2311379001
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.30
ip dhcp excluded-address 192.168.1.1 192.168.1.31
!
ip dhcp pool vlan1pool
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 75.75.75.75 75.75.76.76
!
!
ip cef
ip name-server 75.75.75.75
ip name-server 75.75.76.76
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn
!
!
!
!
!
!
ip tcp path-mtu-discovery
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
crypto isakmp key myKey address 1.1.1.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile SC2VA
 set transform-set ESP-3DES-SHA
!
!
bridge irb
!
!
!
!
interface Tunnel0
 ip unnumbered Vlan1
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SC2VA
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address 2.2.2.2 255.255.255.252
 ip access-group 151 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 192.168.2.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool vpnpool 192.168.1.180 192.168.1.200
ip local pool dynpool 192.168.1.100 192.168.1.120
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.22
ip route 192.168.201.0 255.255.255.0 Tunnel0
!
ip access-list extended out2in
!
no logging trap
access-list 23 permit 0.0.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 150 permit ip any any
access-list 151 remark CCP_ACL Category=19
access-list 151 permit ip any any
access-list 155 remark CCP_ACL Category=18
access-list 155 permit ip any any
cdp timer 5
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 151
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 subscriber-policy 1
bridge 1 route ip
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input ssh
!
end

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Assisted Solution

by: Predrag Jovic
ID: 40371570
My suggestion, if the MTU can be 1446:

ip mtu 1446
ip tcp adjust-mss 1406

It will reduce overhead.

Thanks for the working config :)
I was struggling to find the tunnel interface, but as I can see now, there was none.
:)
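Predrag's 1446/1406 figures fall straight out of the ESP packet layout. The Python below is a worked example added here, not code from the original thread: it computes the largest inner packet that still fits a 1500-byte outer path for the `esp-3des esp-sha-hmac` transform set in the posted config (a VTI, so no GRE header), the matching `ip tcp adjust-mss` value, and the on-the-wire size of any inner length so the posted `ip mtu 1400` can be checked against it. The AES suites, the GRE and NAT-T switches, and the `SUITES` / `ios_tunnel_lines` names are my additions; 3DES with SHA-1 is modelled only because that is what this config negotiates, and a new deployment should use AES (ideally AES-GCM) instead.

```python
"""
Tunnel MTU and TCP MSS for an IPsec VTI, derived from the ESP packet layout.

Added example, not code from the original post. It models the encapsulation
the posted config uses: `tunnel mode ipsec ipv4` (a VTI, so no GRE header)
with `esp-3des esp-sha-hmac`, an IPv4 outer header and no NAT-T. Header
sizes follow the RFC 4303 ESP layout; the GRE and NAT-T options are assumed
extras so the same arithmetic covers a GRE-over-IPsec tunnel.
"""
from dataclasses import dataclass

IPV4_HDR = 20       # outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted part
GRE_HDR = 4         # plain GRE header, no key/sequence/checksum options
NAT_T_UDP_HDR = 8   # UDP/4500 header when NAT traversal is negotiated
TCP_IP_HDRS = 40    # IPv4 (20) + TCP (20) without options; MSS = MTU - 40


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int  # ESP pads [payload][trailer] to a multiple of this (cipher block, 4 for GCM)
    iv: int     # IV bytes carried at the front of the ESP payload
    icv: int    # integrity check value bytes appended after the payload


# Transform set from the thread plus two AES suites for comparison (assumed
# table, not from the post). 3DES/SHA-1 is legacy; it is here because it is
# what the posted config negotiates.
SUITES = {
    "esp-3des esp-sha-hmac": EspSuite("esp-3des esp-sha-hmac", block=8, iv=8, icv=12),
    "esp-aes esp-sha-hmac": EspSuite("esp-aes esp-sha-hmac", block=16, iv=16, icv=12),
    "esp-gcm": EspSuite("esp-gcm (AES-GCM-128)", block=4, iv=8, icv=16),
}


def outer_size(suite: EspSuite, inner_len: int, gre: bool = False, nat_t: bool = False) -> int:
    """Exact on-the-wire size of one encapsulated packet of `inner_len` bytes."""
    plaintext = (GRE_HDR if gre else 0) + inner_len + ESP_TRAILER
    padded = -(-plaintext // suite.block) * suite.block  # round up to the block boundary
    return IPV4_HDR + (NAT_T_UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv + padded + suite.icv


def max_inner_mtu(suite: EspSuite, outer_mtu: int = 1500, gre: bool = False, nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulation still fits in `outer_mtu` without fragmenting."""
    fixed = IPV4_HDR + (NAT_T_UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv + suite.icv
    budget = outer_mtu - fixed
    budget -= budget % suite.block  # padding means only whole blocks are usable
    mtu = budget - ESP_TRAILER - (GRE_HDR if gre else 0)
    # Sanity check: this length fits, and one more byte would not.
    assert outer_size(suite, mtu, gre, nat_t) <= outer_mtu < outer_size(suite, mtu + 1, gre, nat_t)
    return mtu


def tcp_mss(inner_mtu: int) -> int:
    """MSS to clamp on the tunnel so a full segment fits in the inner MTU."""
    return inner_mtu - TCP_IP_HDRS


def ios_tunnel_lines(suite_key: str, outer_mtu: int = 1500, gre: bool = False, nat_t: bool = False) -> list:
    """The two interface-level IOS lines for the computed values (hypothetical helper)."""
    mtu = max_inner_mtu(SUITES[suite_key], outer_mtu, gre, nat_t)
    return [f" ip mtu {mtu}", f" ip tcp adjust-mss {tcp_mss(mtu)}"]


if __name__ == "__main__":
    suite = SUITES["esp-3des esp-sha-hmac"]
    for inner in (1400, 1446, 1447):  # posted value, suggested value, one byte too many
        print(f"inner {inner:4d} -> outer {outer_size(suite, inner)}")
    for key in SUITES:
        print(key, ios_tunnel_lines(key))
```

For the posted transform set the script returns `ip mtu 1446` / `ip tcp adjust-mss 1406`, and shows that 1447 bytes would encapsulate to 1504 while the posted 1400 leaves 44 bytes of every frame unused. Bear in mind that the posted config also has `crypto ipsec df-bit clear`, which clears DF on the outer packet so an oversized inner MTU surfaces as post-encryption fragmentation and reassembly load at the far end rather than as a hard failure.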
Author Closing Comment

by: driscojs
ID: 40391548
Matt and Predrag were helpful in pointing me in the right direction, but I ultimately found the solution on my own. Matt was helpful with some commands and syntax as well. My solution was not to use the method Cisco directs you to in their help (and also uses in the Cisco Professional wizard); instead, I used a VTI, which was MUCH easier and more intuitive. That made the MTU issue not only obvious but easily rectified.