BVI not responding to ARP requests?

cfischle
Level 1

I have a 2811 router running IOS c2800nm-adventerprisek9-mz.124-22.YB8 with a wireless module ( HWIC-AP-G-A ) configured with an ipsec vpn.

Because of the wireless module, I believe that I need to have the inside ip address on the BVI.

When I do this, my vpn clients are unable to communicate with computers on the private network.

After a lot of debugging, I believe the reason to be that the BVI does not seem to respond to ARP requests from computers on the private network.

If I put the inside ip address on f0/1, then the VPN works the way it is supposed to but my wireless clients are unable to get an ip address due to the BVI not having a network presence without an ip address.

debug arp output when I ping the vpn client from a computer on the private net and the inside ip is on f0/1:

Oct  7 00:05:20.075: IP ARP: rcvd req src 10.0.0.102 001c.c0ef.dc08, dst 10.0.0.153 FastEthernet0/1
Oct  7 00:05:20.075: IP ARP: sent rep src 10.0.0.153 001e.f760.8f11,
                 dst 10.0.0.102 001c.c0ef.dc08 FastEthernet0/1

debug arp output when I ping the vpn client from a computer on the private net and the inside ip is on bvi1:

Oct  7 00:09:22.971: IP ARP: rcvd req src 10.0.0.102 001c.c0ef.dc08, dst 10.0.0.154 BVI1

and no reply is ever sent.

This config works for VPN clients but not for wireless clients:

interface FastEthernet0/1
 description House LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BVI1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly

This config works for wireless clients but not for VPN clients:

interface FastEthernet0/1
 description House LAN
 no ip address
 bridge-group 1
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly

Is this a bug?

Here's the config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx-2811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$5OZ2$iYMxqrGokppZb91bQmD.V/
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authorization network xxx-vpn local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
!
dot11 syslog
!
dot11 ssid XXX2811
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 01425F520C5353052B
!
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.151 10.0.0.255
!
ip dhcp pool dhcppool
   network 10.0.0.0 255.255.255.0
   dns-server 75.75.75.75 75.75.76.76
   default-router 10.0.0.1
!
!
ip domain name xxx.local
ip ddns update method no-ip
 HTTP
  add http://xxx@dynupdate.no-ip.com/nic/update?hostname=//xxx@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
  remove http://xxx@dynupdate.no-ip.com/nic/update?hostname=//xxx@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 2 0 0 0
 interval minimum 1 0 0 0
!
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxx privilege 15 password 7 065756771B165C330F
archive
 log config
  hidekeys
!
crypto logging session
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpnpool
!
crypto isakmp client configuration group xxx-vpn
 key xxx
 dns 75.75.75.75 75.75.76.76
 pool vpnpool
 acl 101
 include-local-lan
 split-dns xxx.local
 max-logins 2
!
!
crypto ipsec transform-set transform-1 esp-aes esp-sha-hmac
!
crypto dynamic-map vpnmap 10
 set transform-set transform-1
 reverse-route
!
!
crypto map vpnmap client authentication list default
crypto map vpnmap isakmp authorization list xxx-vpn
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic vpnmap
!
!
ip ssh maxstartups 3
ip ssh authentication-retries 2
ip ssh version 2
bridge irb
!
!
!
!
interface FastEthernet0/0
 description Comcast WAN
 ip ddns update hostname xxx.no-ip.biz
 ip ddns update no-ip
 ip address dhcp client-id FastEthernet0/0
 ip access-group IncomingTrafficACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface FastEthernet0/1
 description House LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0/3/0
 description House WAN
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid XXX2811
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 world-mode dot11d country US both
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface BVI1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
!
ip local pool vpnpool 10.0.0.151 10.0.0.160
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns server
ip nat inside source route-map RM-POLICY-NAT interface FastEthernet0/0 overload
!
ip access-list extended ACL-POLICY-NAT
 remark Deny_10_Network_NAT_Permit_all_other
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended IncomingTrafficACL
 remark ACCEPT-ESTABLISHED
 permit tcp any any established
 remark ACCEPT-DNS-IN
 permit udp any eq domain any
 remark ACCEPT-NTP-IN
 permit udp any eq ntp any
 remark ACCEPT-DHCP-IN
 permit udp any eq bootps any
 remark ACCEPT-IPSEC-VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 remark DENY-SSH
 deny   tcp any any eq 22 log
 remark DENY-ALL-OTHER
 deny   ip any any log
!
logging trap debugging
logging 10.0.0.102
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log
access-list 101 remark VPN Access List
!
!
!
route-map RM-POLICY-NAT permit 10
 match ip address ACL-POLICY-NAT
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
banner login  Authorized Users only.  This is a monitored network.
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 18.85.44.118
end



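Added example (not part of the original post): a small parser for the `debug arp` output quoted above that pairs each `rcvd req` with the `sent rep` that answers it and lists the targets the router never answered, per interface. The IOS `sent rep` line wraps onto a second, indented line exactly as shown in the post, so the parser re-joins continuation lines before matching. The first three sample lines are the ones from the post; the fourth (a repeat request at 00:09:24.003) is constructed to show that every unanswered request is reported. The 2-second pairing window and the `service timestamps debug datetime msec` format (no year) are assumptions.

```python
"""Pair 'debug arp' requests with their replies and report what was never answered."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the post's three debug lines plus one extra BVI1 request.
SAMPLE_DEBUG = (
    "Oct  7 00:05:20.075: IP ARP: rcvd req src 10.0.0.102 001c.c0ef.dc08, dst 10.0.0.153 FastEthernet0/1\n"
    "Oct  7 00:05:20.075: IP ARP: sent rep src 10.0.0.153 001e.f760.8f11,\n"
    "                 dst 10.0.0.102 001c.c0ef.dc08 FastEthernet0/1\n"
    "Oct  7 00:09:22.971: IP ARP: rcvd req src 10.0.0.102 001c.c0ef.dc08, dst 10.0.0.154 BVI1\n"
    "Oct  7 00:09:24.003: IP ARP: rcvd req src 10.0.0.102 001c.c0ef.dc08, dst 10.0.0.154 BVI1\n"
)

# Timestamp as produced by 'service timestamps debug datetime msec' (assumed: no year).
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3})"
REQ_RE = re.compile(_TS + r": IP ARP: rcvd req src (?P<src_ip>\S+) (?P<src_mac>\S+), "
                   r"dst (?P<dst_ip>\S+) (?P<intf>\S+)$")
REP_RE = re.compile(_TS + r": IP ARP: sent rep src (?P<src_ip>\S+) (?P<src_mac>\S+), "
                   r"dst (?P<dst_ip>\S+) (?P<dst_mac>\S+) (?P<intf>\S+)$")


def _join_wrapped(text):
    """IOS wraps long debug lines; a continuation line starts with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and out:
            out[-1] = out[-1].rstrip() + " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def _parse_ts(ts):
    # Year defaults to 1900; only relative ordering within a capture matters here.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def parse_arp_debug(text):
    """Return (requests, replies): lists of dicts with the regex groups plus 'time'."""
    requests, replies = [], []
    for line in _join_wrapped(text):
        for regex, bucket in ((REQ_RE, requests), (REP_RE, replies)):
            m = regex.match(line)
            if m:
                d = m.groupdict()
                d["time"] = _parse_ts(d["ts"])
                bucket.append(d)
                break
    return requests, replies


def unanswered_arp_requests(text, window_s=2.0):
    """Requests with no reply on the same interface for the same target within window_s.

    A reply answers a request when it is sent out the interface the request came in on,
    its source IP is the requested target and its destination IP is the requester.
    Returns tuples (interface, target_ip, requester_ip, timestamp).
    """
    requests, replies = parse_arp_debug(text)
    used = set()
    unanswered = []
    for req in requests:
        match = None
        for i, rep in enumerate(replies):
            if i in used:
                continue
            delta = (rep["time"] - req["time"]).total_seconds()
            if (rep["intf"] == req["intf"] and rep["src_ip"] == req["dst_ip"]
                    and rep["dst_ip"] == req["src_ip"] and 0 <= delta <= window_s):
                match = i
                break
        if match is None:
            unanswered.append((req["intf"], req["dst_ip"], req["src_ip"], req["ts"]))
        else:
            used.add(match)
    return unanswered


def summarize_by_interface(text, window_s=2.0):
    """Per-interface counts: requests seen, replies sent, requests left unanswered."""
    requests, replies = parse_arp_debug(text)
    summary = defaultdict(lambda: {"requests": 0, "replies": 0, "unanswered": 0})
    for r in requests:
        summary[r["intf"]]["requests"] += 1
    for r in replies:
        summary[r["intf"]]["replies"] += 1
    for intf, *_ in unanswered_arp_requests(text, window_s):
        summary[intf]["unanswered"] += 1
    return dict(summary)


if __name__ == "__main__":
    for intf, target, requester, ts in unanswered_arp_requests(SAMPLE_DEBUG):
        print(f"{ts} {intf}: no reply to {requester} asking for {target}")
    print(summarize_by_interface(SAMPLE_DEBUG))
```

On the sample, FastEthernet0/1 shows one request and one reply, while BVI1 shows two requests for 10.0.0.154 and no reply at all, which is the symptom described in the post. Feed it a longer `debug arp` capture (redirected from `terminal monitor` or the syslog host at 10.0.0.102) to see whether the unanswered targets are all VPN pool addresses.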
1 Reply

cfischle
Level 1

Ok, finally figured out the issue was the "no ip proxy-arp" setting on the BVI.

After enabling "ip proxy-arp" and reloading, inside computers are getting ARP requests answered and can ping VPN clients and VPN clients can ping inside computers.
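Added example (not the poster's code): a configuration check that explains why the fix above is needed. The VPN pool `10.0.0.151 10.0.0.160` lies inside the BVI1 subnet `10.0.0.0/24`, so a LAN host asks for a VPN client's address by ARP, and the router can only answer on the client's behalf if proxy ARP is enabled on the interface that receives the request (the `reverse-route` setting in the dynamic crypto map installs a host route to each connected client, which is what proxy ARP acts on). The function below parses the relevant parts of an IOS running-config and flags any BVI whose subnet contains a local pool while `no ip proxy-arp` is set, and also flags a BVI with no IP address, which cannot answer ARP at all. The sample configuration is a trimmed, constructed excerpt of the one in the post; the flush-left indentation of the post is accepted because blocks are delimited by `!` rather than by whitespace.

```python
"""Check IOS running-config: does a BVI subnet contain a VPN pool while proxy ARP is off?"""
import ipaddress
import re

# Constructed excerpt of the post's configuration (second variant: IP on BVI1).
SAMPLE_CONFIG = """\
bridge irb
!
interface FastEthernet0/1
 description House LAN
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
!
ip local pool vpnpool 10.0.0.151 10.0.0.160
!
bridge 1 protocol ieee
bridge 1 route ip
end
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]}; a block ends at '!' or the next 'interface'.

    Indentation is ignored on purpose: configs pasted into forums usually lose it.
    """
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def parse_local_pools(config):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^\s*ip local pool (\S+) (\S+) (\S+)\s*$", config, re.M):
        name, start, end = m.groups()
        pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
    return pools


def bvi_proxy_arp_findings(config):
    """One finding per (BVI, pool) where the pool lies inside the BVI subnet.

    'proxy_arp' is False when 'no ip proxy-arp' is configured on that BVI (the broken
    state from the post), True otherwise. A BVI without an IP address yields a single
    finding with network None, since it cannot answer ARP for anything.
    """
    findings = []
    pools = parse_local_pools(config)
    for name, cmds in parse_interfaces(config).items():
        if not name.upper().startswith("BVI"):
            continue
        addr = next((c for c in cmds if c.startswith("ip address ")), None)
        if addr is None or len(addr.split()) != 4:
            findings.append({"interface": name, "pool": None, "network": None, "proxy_arp": None})
            continue
        _, _, ip, mask = addr.split()
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        proxy_arp = "no ip proxy-arp" not in cmds
        for pool, (start, end) in pools.items():
            if start in net and end in net:
                findings.append({"interface": name, "pool": pool,
                                 "network": str(net), "proxy_arp": proxy_arp})
    return findings


if __name__ == "__main__":
    for f in bvi_proxy_arp_findings(SAMPLE_CONFIG):
        if f["network"] is None:
            print(f"{f['interface']}: no IP address, will not answer ARP")
        elif not f["proxy_arp"]:
            print(f"{f['interface']}: pool {f['pool']} is inside {f['network']} "
                  f"but proxy ARP is disabled; LAN hosts cannot reach VPN clients")
        else:
            print(f"{f['interface']}: pool {f['pool']} inside {f['network']}, proxy ARP on")
```

Two observations follow from running the check on variants of the sample: deleting `no ip proxy-arp` from BVI1 turns the finding green, matching what the reply reports, and moving the pool to a range outside `10.0.0.0/24` removes the finding entirely, because a LAN host then sends traffic for VPN clients to its default gateway instead of ARPing for them. The second variant is the usual way to avoid relying on proxy ARP, which most hardening guidance otherwise recommends leaving disabled.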