7200 with VTI ipsec issues

Hi,

We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security.

I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.

We see the tunnel come up, but when I send a ping from the 2921 to the 7204 there isn't a reply.

When I look at the results on the 7204 from a 'sh crypto engine connections active', I see the Decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.

I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than an IOS bug, which is what I first thought.

c7200-advipservicesk9-mz.122-33.SRE7.bin

sh crypto engine connections active

Crypto Engine Connections

   ID Interface       Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Tu10            IPsec 3DES+SHA                  0       31 10.5.5.1
    2 Tu10            IPsec 3DES+SHA                 19        0 10.5.5.1
 1001 Tu10            IKE   SHA+3DES                  0        0 10.5.5.1

Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address 192.168.5.1
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
 set transform-set 3DESSHA
interface Loopback10
 ip address 10.5.5.1 255.255.255.255
!
interface Tunnel10
 ip address 10.10.10.1 255.255.255.252
 tunnel source Loopback10
 tunnel mode ipsec ipv4
 tunnel destination 192.168.5.1
 tunnel protection ipsec profile IPSEC-VPN

Any assistance would be greatly appreciated.

Thanks,

Jonathan.
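A quick way to confirm the one-way symptom described in the post is to capture 'show crypto engine connections active' twice (before and after sending the pings from the peer) and compare counter growth per tunnel interface, remembering that the inbound and outbound IPsec SAs appear as separate rows. The script below is an added example, not code from the original post; the two snapshots are constructed from the table above, with the Decrypt counter on SA 1 advanced by 5 in the second capture.

```python
import re

# One data row of 'show crypto engine connections active':
#   ID  Interface  Type  Algorithm  Encrypt  Decrypt  IP-Address
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<intf>\S+)\s+(?P<type>IPsec|IKE)\s+(?P<algo>\S+)"
    r"\s+(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<peer>\S+)\s*$"
)

def parse_connections(output):
    """Parse the show output into {connection ID: row dict}; header and blank lines are skipped."""
    conns = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("id", "enc", "dec"):
                row[key] = int(row[key])
            conns[row["id"]] = row
    return conns

def per_interface_deltas(before, after):
    """Counter growth per tunnel interface between two snapshots, IPsec rows only.
    Inbound and outbound SAs are separate rows, so both are summed into one (encrypt, decrypt) pair."""
    deltas = {}
    for cid, new in after.items():
        if new["type"] != "IPsec":
            continue
        old = before.get(cid, {"enc": 0, "dec": 0})  # SA not present earlier: count from zero
        e, d = deltas.get(new["intf"], (0, 0))
        deltas[new["intf"]] = (e + new["enc"] - old["enc"], d + new["dec"] - old["dec"])
    return deltas

def one_way_tunnels(before, after):
    """Interfaces that decrypted new packets but encrypted none: the symptom described in the post."""
    return sorted(intf for intf, (enc, dec) in per_interface_deltas(before, after).items()
                  if dec > 0 and enc == 0)

# Constructed snapshots modelled on the post's output: taken before and after 5 pings arrive from the peer.
SNAP_BEFORE = """\
   ID Interface       Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Tu10            IPsec 3DES+SHA                  0       31 10.5.5.1
    2 Tu10            IPsec 3DES+SHA                 19        0 10.5.5.1
 1001 Tu10            IKE   SHA+3DES                  0        0 10.5.5.1
"""
SNAP_AFTER = SNAP_BEFORE.replace(" 31 10.5.5.1", " 36 10.5.5.1")  # only Decrypt on SA 1 grew

if __name__ == "__main__":
    print(one_way_tunnels(parse_connections(SNAP_BEFORE), parse_connections(SNAP_AFTER)))
```

An empty result after a burst of pings means replies are being encrypted and the problem lies elsewhere (routing or return path); a listed interface means the router received and decrypted the traffic but never encrypted a reply, which is where to focus next.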

16 Replies

Hi Rick,

I agree with you about the buggy behaviour. I've just changed the IOS to c7200-advipservicesk9-mz.124-24.T7.bin and the tunnel came up and started working straightaway.

I had tested this before and knew that the tunnels work on that IOS version, but this last test ruled out a config-associated issue.

What I wasn't sure of is if this IOS version needs 'extra' config to make the tunnels work. It doesn't seem to be the case and it's possibly nothing more than a bug - I just find it a bit strange that this occurs across three different revisions of the 12.2.33SRE stream....

I might have to break my design and move the tunnels to another 7200 running a more VTI friendly IOS version.

Thanks for all your assistance.

Jonathan.

Jonathan

It is good to know that the problem with the tunnels was related to the version of IOS and not some kind of configuration issue.

Since the uBR7200 is aimed at a very different functionality (cable modem termination) than the 7200 I am not surprised that there are some differences between the 12.2(33) for the uBR7200 and the 12.4(24) for the regular 7200. But you would think that if they added support for VTI in the uBR code that they would have found and fixed the buggy behavior at some point.

HTH

Rick
