Re: Packets Dropped

djtoro · ‎07-27-2004

I have two scenes. The first one, I'm using one Cisco 1750 and a Cisco 3660; the IPSec VPN be up and I have normal traffic. At second scene the Cisco 1750 is replaced by one Cisco 1760 and the Cisco 3660 stays. Both the 1750 and 1760 routers configurations are identical but in this scene the IPSec VPN go up and the traffic is dropped. What can it be happening?

Cisco 1750:

Router#sh ver

Cisco Internetwork Operating System Software

IOS (tm) C1700 Software (C1700-K8SY7-M), Version 12.2(4)YA6, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Synched to technology version 12.2(5.4)T

TAC Support: http://www.cisco.com/tac

Compiled Wed 23-Jul-03 15:28 by ealyon

Image text-base: 0x80008124, data-base: 0x80CAE780

ROM: System Bootstrap, Version 12.0(3r)T1, RELEASE SOFTWARE (fc1)

ROM: C1700 Software (C1700-K8SY7-M), Version 12.2(4)YA6, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 4 days, 20 hours, 40 minutes

System returned to ROM by power-on

System image file is "flash:c1700-k8sy7-mz.122-4.YA6.bin"

cisco 1750 (MPC860T) processor (revision 0x801) with 36864K/12288K bytes of memory.

Processor board ID JAD05340Z83 (2959114695), with hardware revision 0000

MPC860T processor: part number 0, mask 32

Bridging software.

X.25 software, Version 3.0.0.

1 FastEthernet/IEEE 802.3 interface(s)

1 ATM network interface(s)

32K bytes of non-volatile configuration memory.

8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Cisco 1760:

Apoyo_Aereo#sh ver

Cisco Internetwork Operating System Software

IOS (tm) C1700 Software (C1700-K8SV3Y7-M), Version 12.2(15)ZL1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Synched to technology version 12.3(0.1)

TAC Support: http://www.cisco.com/tac

Compiled Mon 13-Oct-03 20:55 by ealyon

Image text-base: 0x80008120, data-base: 0x8150C508

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

ROM: C1700 Software (C1700-K8SV3Y7-M), Version 12.2(15)ZL1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Apoyo_Aereo uptime is 2 days, 6 hours, 1 minute

System returned to ROM by power-on

System image file is "flash:c1700-k8sv3y7-mz.122-15.ZL1.bin"

cisco 1760 (MPC860P) processor (revision 0x500) with 59590K/5946K bytes of memory.

Processor board ID FOC07481SCC (2173843939), with hardware revision 0000

MPC860P processor: part number 5, mask 2

Bridging software.

X.25 software, Version 3.0.0.

1 FastEthernet/IEEE 802.3 interface(s)

1 ATM network interface(s)

32K bytes of non-volatile configuration memory.

32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

gfullage · ‎07-27-2004

This is your problem:

ISAKMP: reserved not zero on NOTIFY payload!

This message indicates the pre-shared keys on the 1760 and the other end don't match. Going by the config they look the same, but if you cut/pasted the config in there may be some hidden characters or something in there. I suggest you remove the "crypto isakmp key" line from th e1760 and re-type it in manually (don't cut/paste it), and see how you go.

Also, this won't be affecting the tunnel, but your nat statement in the 1760 references access-list 190, when it should be referencing ACL 100. People on the inside of this router will have no access to outside with the current config in place.

djtoro · ‎07-28-2004

Thanks. I made the changes that suggested but the behavior is the same one. Below I describe the debug crypto output of the Cisco 1760 and the debug ip icmp of the Cisco 3660. If You see carefully the VPN go up and the 3660 respond but the packets are dropped to the Cisco 1760. Any new suggestion??

djtoro · ‎07-28-2004

Thanks. I made the changes that suggested but the behavior is the same one. Below I describe the debug crypto output of the Cisco 1760 and the debug ip icmp of the Cisco 3660. If You see carefully the VPN go up and the 3660 respond but the packets are dropped to the Cisco 1760. Any new suggestion??

gfullage · ‎07-28-2004

OK, the tunnel is being built now, but traffic is still not passing over it I guess. Check the "sho cry ipsec sa" output off both the 1760 and the 3660, this will tell you where the packets are getting dropped.

Look for the "Packets encap'd" and "decap'd" counters. First check the encaps on teh 1760, if this is incrementing it'll tell you the 1760 is sending them out OK. Then check the decaps number on the 3660, this indicates whether it is receiving them from the 1760 OK. then check the encap's on the 3660, this indicates it is replying to them, and finally the decaps on the 1760, indicating it is receiving the replies.

This should give you an indication where things are going wrong.

I don't know what SW you're running on the 1760, but you might try turning off fast switching on the BVI/ATM int with the following (especially if, going by the counters above, the 3660 isn't receiving the packets from the 1760):

int bvi1

no ip route-cache

int atm0/0

no ip route-cache

djtoro · ‎07-28-2004

Perfect!!! it's working. thank you very much. I turned fast switching off on tne interfaces and the traffic began to run.

But one detail: Checking the fast switching on the Cisco 1750 is "ON" and the VPN and traffic working!!!!. What's the difference??

Anex the both show crypto ipsec sa routers' commands.

Thanks you very much!!!,, Again.