IPSec VPN "Up-Active" but No Traffic Passing Between Cisco and Bintec

Thomas27100
Level 1

Hello,

I am currently facing a recurring issue with the configuration of an IPSec VPN between a Cisco router and a Bintec router. Although the VPN tunnel appears to be functioning correctly and is displayed as "UP-Active" on both sides, no traffic is passing through. This is an urgent matter, as despite several attempts to resolve the problem, the encapsulation and encryption do not seem to be working properly.

Here’s a detailed breakdown of the situation:

  • VPN Status: The tunnel shows "UP-Active" on both the Cisco and Bintec routers, indicating that the connection has been successfully established.

  • Traffic Flow: Despite the "UP-Active" status, no traffic is successfully passing between the two subnets. Pinging from the Bintec side to the Cisco subnet appears to send the request but receives no response, while pings from the Cisco side to the Bintec subnet fail entirely.

  • Encapsulation and Encryption: When I try to send traffic (like a ping), neither encapsulation nor encryption seems to happen, as if the VPN is not properly securing the traffic.
    example:
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
    current_peer 77.25.120.137 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

  • Routes and Policies: I have reviewed the routing tables on both routers, and the routes seem to be correctly set up. Additionally, the Access Control Lists (ACLs) and IPSec policies have been verified and should be functioning as expected.

  • NAT Configuration: I had previously received advice that my NAT configuration was incorrect and that I should adjust my ACLs related to NAT. Specifically, it was noted that there were multiple "overload NAT" configurations and various ACLs, which were suspected to be the cause. I’ve since adjusted the NAT setup, but the issue still persists.

Despite these configurations being reviewed and adjusted, I still encounter the same issue: the tunnel remains "UP-Active," but no traffic is exchanged between the two routers, and no data is being encapsulated or encrypted.

I would greatly appreciate any further insights, suggestions, or potential solutions from the community, as this has become quite urgent and the previous solution did not fully resolve the issue.

Thank you for your time and assistance.

Best regards,

12 REPLIES

do you have a default route configured in the router?

also share the 
show crypto isakmp sa detail 

MHM

 

Yes, I do have a default route configured, allowing the router to have internet connectivity:

 

 
Gateway of last resort is 90.164.48.142 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 90.164.48.142

show crypto isakmp sa detail 

MHM

This?


IPv4 Crypto ISAKMP SA

C-id  Local          Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1186  90.164.48.142  77.25.120.137          ACTIVE  aes   sha   psk   2   23:02:44  N
Engine-id:Conn-id = SW:186

ip route 0.0.0.0 0.0.0.0 90.164.48.142
ip route 0.0.0.0 0.0.0.0 77.25.120.137 <<- this means there is another path?

also can you share 
show ip access-list 
when you ping from local LAN to remote LAN 

MHM 

I got this:


Extended IP access list NAT_EXCLUDE
10 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 any
30 deny ip 192.168.1.0 0.0.0.255 192.168.205.0 0.0.0.255
Extended IP access list VPN
10 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255 (6 matches)
20 permit ip 192.168.1.0 0.0.0.255 192.168.205.0 0.0.0.255

10 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255 (6 matches) <<- this match means the VPN ACL is OK
check show crypto ipsec sa again and see whether pkts encaps shows 6 or not

MHM

PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 8, #recv errors 0

 

I’ve now got encapsulation, encryption, and decryption working, as shown below:

 

#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#send errors 0, #recv errors 0  

Despite this, the ping still doesn’t work, and I’m unable to contact the equipment on the remote network. The packets are being encapsulated and decrypted, but the communication still fails.

Could you please assist me in identifying what might still be causing the issue?

Do the ping 100 times

and check show crypto ipsec sa

I think the issue is routing.

Can you run "ip routing"

in the router

and check the 100 pings with the count

MHM

For sh crypto ipsec sa:

#pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

and "ip routing" returns nothing?
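The whole diagnosis in this thread rests on reading the "#pkts encaps" / "#pkts decaps" / "#send errors" counters: zero on both sides means the crypto map never saw the traffic, encaps climbing while decaps stays at 0 or 1 means the encrypted packets leave but nothing comes back. The following is an added example, not code from the thread, from Cisco or from Bintec: a small Python parser for "show crypto ipsec sa" output that splits it into one record per local/remote identity and classifies each SA. The sample output is constructed (RFC 5737 documentation addresses instead of the poster's public IPs), and the 4:1 encaps-to-decaps threshold used for "one-way" is a heuristic chosen here, not an IOS rule.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of 'show crypto ipsec sa' (not copied from the thread):
# three SAs showing the counter patterns a troubleshooter has to tell apart.
SAMPLE_IPSEC_SA = """\
interface: GigabitEthernet0/0/1
    Crypto map tag: CART, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 8, #recv errors 0

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.205.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.210.0/255.255.255.0/0/0)
   current_peer 198.51.100.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
    #send errors 0, #recv errors 0
"""


@dataclass
class SaCounters:
    local: str
    remote: str
    peer: str
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


LOCAL_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
REMOTE_RE = re.compile(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer\s+(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS_RE = re.compile(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)")


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """One record per 'local ident' block; later lines fill in the current record."""
    records: List[SaCounters] = []
    cur = None
    for line in text.splitlines():
        if m := LOCAL_RE.search(line):
            cur = SaCounters(local=m.group(1), remote="", peer="")
            records.append(cur)
        elif cur is None:
            continue  # header lines before the first SA
        elif m := REMOTE_RE.search(line):
            cur.remote = m.group(1)
        elif m := PEER_RE.search(line):
            cur.peer = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur.encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur.decaps = int(m.group(1))
        elif m := ERRORS_RE.search(line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return records


def diagnose(sa: SaCounters) -> Tuple[str, str]:
    """Classify one SA from its counters. The 4:1 one-way threshold is a heuristic chosen here."""
    if sa.encaps == 0 and sa.decaps == 0:
        if sa.send_errors:
            return ("SEND_ERRORS", f"{sa.remote}: traffic matched the crypto ACL but was dropped "
                                   f"({sa.send_errors} send errors); check the SA with peer {sa.peer}")
        return ("NO_TRAFFIC", f"{sa.remote}: nothing reached the crypto map; check the route to the "
                              f"remote subnet and that NAT does not rewrite the source first")
    if sa.decaps == 0 or sa.decaps * 4 < sa.encaps:
        return ("ONE_WAY", f"{sa.remote}: {sa.encaps} encrypted out, {sa.decaps} back; check the "
                           f"remote side's return route to {sa.local} and its mirrored crypto ACL")
    return ("BIDIRECTIONAL", f"{sa.remote}: both directions counting; look beyond IPsec "
                             f"(host firewalls, inside ACLs, remote LAN routing)")


def diagnose_all(text: str) -> List[Tuple[str, str]]:
    return [diagnose(sa) for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for state, hint in diagnose_all(SAMPLE_IPSEC_SA):
        print(f"{state:14} {hint}")
```

Paste the real "show crypto ipsec sa" output in place of the constructed sample; pinging a fixed count (say 100) first, as suggested in the thread, makes the encaps/decaps ratio meaningful rather than a snapshot of one or two packets.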

ip routing <<- just add this command to the router

also delete this NAT 

ip access-list extended NAT_EXCLUDE
 10 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 20 permit ip 192.168.1.0 0.0.0.255 any
 30 deny   ip 192.168.1.0 0.0.0.255 192.168.205.0 0.0.0.255

 add this instead 

ip access-list extended NAT_EXCLUDE
 10 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 
 20 deny   ip 192.168.1.0 0.0.0.255 192.168.205.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 any

if your NAT can't be deleted, then

interface GigabitEthernet0/0/1
 ip address 90.164.48.142 255.255.255.248
 ip nat outside <<- remove this and delete NAT above and add correct ONE
 negotiation auto
 crypto map CART

MHM
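Cisco ACLs are evaluated top-down, first match wins. In the NAT_EXCLUDE list as first posted, line 20 "permit ip 192.168.1.0 0.0.0.255 any" matches every packet from the LAN before line 30 is ever reached, so traffic for 192.168.205.0/24 gets translated to the public address and no longer matches the VPN crypto ACL; the reorder suggested above moves both denies ahead of the permit. The following is an added example, not code from the thread or from Cisco: a Python first-match evaluator for extended ACL entries with Cisco wildcard masks, run over constructed copies of both orderings (the subnets are the thread's, the outside address 203.0.113.5 is a documentation address chosen here). It also reports entries that are shadowed by an earlier line and can therefore never match.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the NAT exemption list: as first posted (permit-any
# before the second deny) and in the reordered form.
NAT_EXCLUDE_AS_POSTED = """\
Extended IP access list NAT_EXCLUDE
    10 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 any
    30 deny   ip 192.168.1.0 0.0.0.255 192.168.205.0 0.0.0.255
"""

NAT_EXCLUDE_REORDERED = """\
Extended IP access list NAT_EXCLUDE
    10 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
    20 deny   ip 192.168.1.0 0.0.0.255 192.168.205.0 0.0.0.255
    30 permit ip 192.168.1.0 0.0.0.255 any
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    src: int      # address plus Cisco wildcard (1 bits = don't care)
    src_wild: int
    dst: int
    dst_wild: int


# Sequence, action, 'ip', then source/destination tokens; a trailing "(N matches)" is ignored.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+ip\s+(.*?)(?:\s+\(\d+\s+matches?\))?\s*$")


def _addr(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))


def _parse_match(tokens: List[str], i: int):
    """Return (address, wildcard, next_index) for 'any', 'host A' or 'A W'."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:  # header line, or an entry for a protocol other than plain 'ip'
            continue
        tokens = m.group(3).split()
        src, sw, i = _parse_match(tokens, 0)
        dst, dw, _ = _parse_match(tokens, i)
        aces.append(Ace(int(m.group(1)), m.group(2), src, sw, dst, dw))
    return aces


def _hits(addr: int, base: int, wild: int) -> bool:
    """Cisco wildcard test: every bit that is 0 in the wildcard must equal the base."""
    return (addr ^ base) & (~wild & ALL_ONES) == 0


def first_match(aces: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    s, d = _addr(src_ip), _addr(dst_ip)
    for ace in aces:
        if _hits(s, ace.src, ace.src_wild) and _hits(d, ace.dst, ace.dst_wild):
            return ace
    return None  # implicit deny at the end of every Cisco ACL


def nat_translates(acl_text: str, src_ip: str, dst_ip: str) -> bool:
    """For an 'ip nat inside source list' ACL: permit = translate, deny or no match = leave alone."""
    ace = first_match(parse_acl(acl_text), src_ip, dst_ip)
    return ace is not None and ace.action == "permit"


def _covers(a: Ace, b: Ace) -> bool:
    """True when the earlier entry a matches every flow that b matches."""
    def cov(base_a, wild_a, base_b, wild_b):
        return (wild_a | wild_b) == wild_a and (base_a ^ base_b) & (~wild_a & ALL_ONES) == 0
    return cov(a.src, a.src_wild, b.src, b.src_wild) and cov(a.dst, a.dst_wild, b.dst, b.dst_wild)


def shadowed_entries(acl_text: str) -> List[int]:
    """Sequence numbers that can never match because an earlier entry already covers them."""
    aces = parse_acl(acl_text)
    return [b.seq for j, b in enumerate(aces) if any(_covers(a, b) for a in aces[:j])]


if __name__ == "__main__":
    for name, acl in (("as posted", NAT_EXCLUDE_AS_POSTED), ("reordered", NAT_EXCLUDE_REORDERED)):
        print(name, "shadowed entries:", shadowed_entries(acl))
        for dst in ("192.168.200.10", "192.168.205.10", "203.0.113.5"):
            verdict = "NAT" if nat_translates(acl, "192.168.1.10", dst) else "exempt"
            print(f"  192.168.1.10 -> {dst}: {verdict}")
```

The same first-match rule applies to the crypto ACL "VPN": the packet the crypto map evaluates is the one after NAT, so a source that has already been translated to the outside address never matches "permit ip 192.168.1.0 0.0.0.255 ..." and is sent in clear text instead of through the tunnel.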