09-10-2012 12:59 PM - edited 03-04-2019 05:31 PM
I think I've overlooked something simple but I can't ping outside IP addresses from within my router. I am able to ping outside addresses from the PCs behind the router. It is only when I am at the router CLI that I cannot ping outside addresses.
Using 14506 out of 262136 bytes
!
! Last configuration change at 12:35:16 PDT Mon Sep 10 2012 by sitetech
! NVRAM config last updated at 12:35:18 PDT Mon Sep 10 2012 by sitetech
! NVRAM config last updated at 12:35:18 PDT Mon Sep 10 2012 by sitetech
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-jag-pd-01
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 4 nqDHNNAboQs3pRtIt7QPcjUYTEPSRmg5GiHQcIb3Uq2
!
no aaa new-model
!
clock timezone PST -8 0
clock summer-time PDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.48.25.1 10.48.25.63
ip dhcp excluded-address 10.48.26.1 10.48.26.63
ip dhcp excluded-address 10.48.27.1 10.48.27.63
!
ip dhcp pool voice
network 10.48.26.0 255.255.255.0
default-router 10.48.26.1
option 42 ip 10.48.255.9 10.48.255.254
option 2 hex ffff.8f80
option 156 ascii "ftpservers=10.48.2.16, country=1, language=1, layer2tagging=1, vlanid=102"
dns-server 64.60.0.17
!
ip dhcp pool data
network 10.48.25.0 255.255.255.0
default-router 10.48.25.1
option 156 ascii "ftpservers=10.48.2.16, country=1, language=1, layer2tagging=1, vlanid=102"
dns-server 64.60.0.17
!
ip dhcp pool chartwell
network 10.48.27.0 255.255.255.0
default-router 10.48.27.1
option 156 ascii "ftpservers=10.48.2.16, country=1, language=1, layer2tagging=1, vlanid=102"
dns-server 64.60.0.17
!
!
no ip bootp server
ip domain lookup source-interface Loopback0
ip domain name JAG
ip name-server 64.60.0.17
ip name-server 64.60.0.18
!
multilink bundle-name authenticated
!
parameter-map type ooo global
tcp reassembly queue length 64
tcp reassembly memory limit 4096
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4286009541
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4286009541
revocation-check none
rsakeypair TP-self-signed-4286009541
!
!
crypto pki certificate chain TP-self-signed-4286009541
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2901/K9 sn FTX1622Y01L
!
!
username sitetech privilege 15 secret 4 nqDHNNAboQs3pRtIt7QPcjUYTEPSRmg5GiHQcIb3Uq2
!
redundancy
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all SSH_ACCESS
match access-group name SSH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol ntp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_DMVPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_GRE
match class-map SDM_ESP
class-map type inspect match-all SDM_DMVPN_PT
match access-group 101
match class-map SDM_DMVPN_TRAFFIC
class-map type inspect match-any Mon-Echo-Svc
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any out-in
match access-group name out-in
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map match-any Call-Signaling
match ip dscp cs3
match ip dscp af31
class-map match-any Voice
match ip dscp ef
match access-group 161
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map Mon-Echo-Svc
match access-group name RM-Mon-Traffic
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-permit-gre
class type inspect SDM_GRE
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect out-in
class type inspect out-in
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DMVPN_PT
pass
class type inspect ccp-cls-ccp-permit-1
inspect
class type inspect SSH_ACCESS
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
policy-map WAN-EDGE
class Voice
priority percent 33
class Call-Signaling
bandwidth percent 5
class class-default
fair-queue
!
zone security dmvpn-zone
zone security in-zone
zone security out-zone
zone-pair security sdm-zp-in-gre1 source in-zone destination dmvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source dmvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination dmvpn-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-gre-out source dmvpn-zone destination out-zone
service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security out-in source out-zone destination in-zone
service-policy type inspect out-in
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key (hidden) address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set jag-trans esp-aes 256 esp-md5-hmac
!
crypto ipsec profile jag-dmvpn
set transform-set jag-trans
!
!
!
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 10.48.255.17 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
load-interval 30
!
interface Tunnel0
description DMVPN via TelePacific$FW_INSIDE$
bandwidth 1000
ip address 10.255.48.18 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 206.82.221.230
ip nhrp map 10.255.48.254 206.82.221.230
ip nhrp network-id 100000
ip nhrp holdtime 30
ip nhrp nhs 10.255.48.254
zone-member security dmvpn-zone
ip tcp adjust-mss 1360
ip summary-address eigrp 1048 10.48.16.0 255.255.252.0
delay 1000
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile jag-dmvpn
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description TelePacific Internet$FW_OUTSIDE$
ip address zzz.zzz.zzz.26 255.255.255.248
ip access-group MILLS in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
load-interval 30
duplex auto
speed auto
no cdp enable
no mop enabled
service-policy output WAN-EDGE
!
interface GigabitEthernet0/1
description Inside Trunk
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.101
description PD Data$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 101
ip address 10.48.25.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface GigabitEthernet0/1.102
description PD Voice$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 102
ip address 10.48.26.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface GigabitEthernet0/1.110
description PD Chartwell$ETH-LAN$$FW_INSIDE$
encapsulation dot1Q 110
ip address 10.48.27.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
!
router eigrp 1048
network 10.0.0.0
network 10.48.0.0 0.0.255.255
network 10.255.48.0 0.0.0.255
network 10.255.49.0 0.0.0.255
passive-interface GigabitEthernet0/0
!
ip local policy route-map pbr-ping-monitor
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
ip http server
ip http access-class 90
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list 110 interface GigabitEthernet0/0 overload
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static 10.48.25.1 198.101.110.26
ip nat inside source static tcp 10.48.25.24 80 198.101.110.27 80 extendable
ip nat inside source static tcp 10.48.25.24 443 198.101.110.27 443 extendable
ip nat inside source static tcp 10.48.25.24 4000 198.101.110.27 4000 extendable
ip nat inside source static tcp 10.48.25.24 44000 198.101.110.27 44000 extendable
ip nat inside source static 10.48.25.24 198.101.110.27
ip route 0.0.0.0 0.0.0.0 zzz.zzz.zzz.25
!
ip access-list extended Mon-Echo-Traffic
remark CCP_ACL Category=128
permit ip xxx.xxx.xxx.224 0.0.0.31 any
ip access-list extended NATIP
deny ip 10.48.0.0 0.0.255.255 10.0.0.0 0.0.0.255
permit ip 10.48.0.0 0.0.255.255 any
ip access-list extended RM-Mon-Traffic
remark CCP_ACL Category=128
permit ip xxx.xxx.xxx.224 0.0.0.31 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_IP
remark CCP_ACL Category=0
permit ip any any
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended natip
ip access-list extended out-in
permit tcp any host 10.48.25.24 eq 443
permit tcp any host 10.48.25.24 eq 4000
permit tcp any host 10.48.25.24 eq 44000
permit tcp any host 10.48.25.24 eq www
ip access-list extended pbr-ping-TP
permit icmp host zzz.zzz.zzz.26 host xxx.xxx.xxx.230
!
access-list 1 permit 10.48.0.0 0.0.255.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.48.0.0 0.0.255.255
access-list 90 remark HTTP Server ACL
access-list 90 permit 10.255.48.0 0.0.0.255
access-list 90 permit 10.48.0.0 0.0.255.255
access-list 90 permit 10.20.0.0 0.3.255.255
access-list 90 permit 10.16.1.0 0.0.0.255
access-list 90 permit xxx.xxx.xxx.224 0.0.0.15
access-list 90 deny any
access-list 100 permit ip zzz.zzz.zzz.24 0.0.0.3 any
access-list 101 permit ip any host zzz.zzz.zzz.26
access-list 103 remark VTY Access-class list1
access-list 103 permit ip 10.255.48.0 0.0.0.255 any
access-list 103 permit ip 10.48.0.0 0.0.255.255 any
access-list 103 permit ip 10.16.1.0 0.0.0.255 any
access-list 103 permit ip 10.20.0.0 0.3.255.255 any
access-list 103 permit ip xxx.xxx.xxx.224 0.0.0.31 any
access-list 103 deny ip any any
access-list 110 permit ip 10.48.0.0 0.0.255.255 any
access-list 111 permit ip 10.48.0.0 0.0.255.255 any
access-list 161 remark : ShoreTel Voice over IP Ports
access-list 161 permit udp any any eq 2427
access-list 161 permit udp any any eq 2727
access-list 161 permit udp any any range 5440 5446
access-list 161 permit udp any any eq 5004
access-list 161 permit udp any any eq 5060
access-list 161 permit tcp any any eq 5060
access-list 161 permit udp host 10.48.14.16 gt 1024 any gt 1024
access-list 161 permit udp 10.48.10.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
banner login ^CCThis system is considered private and proprietary and is subject to audit. The unauthorized access, use or modification of this or any other computer systems or networks or of the data contained therein or in transit thereto/therefrom is
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 192.12.19.20
ntp server 164.67.62.194
end
09-10-2012 01:47 PM
Hi,
Can you add this command to your config:
ip inspect log drop-pkt
and tell us if you've got any log output when pinging from the router.
Regards.
Alain
Don't forget to rate helpful posts.
09-10-2012 03:55 PM
Hello,
I've added it to the config and did various pings. As expected, none were successful but they didn't show in the log either. I also pinged www.Google.com and the name was resolved but the ping failed. Here is what was recorded:
012298: .Sep 10 15:01:17.611 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012299: .Sep 10 15:02:47.760 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012300: .Sep 10 15:03:47.840 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012301: .Sep 10 15:04:47.916 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012302: .Sep 10 15:05:01.260 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1978490700 1500 bytes is out-of-order; expected seq:1978386444. Reason: TCP reassembly queue overflow - session 10.48.25.168:50848 to 208.85.46.21:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012303: .Sep 10 15:05:19.772 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:711583619 1500 bytes is out-of-order; expected seq:711487259. Reason: TCP reassembly queue overflow - session 10.48.25.142:49629 to 207.171.187.117:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012304: .Sep 10 15:06:18.005 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012305: .Sep 10 15:06:37.645 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:2064835234 1500 bytes is out-of-order; expected seq:2064740334. Reason: TCP reassembly queue overflow - session 10.48.25.166:53593 to 173.236.199.90:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012306: .Sep 10 15:07:48.165 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012307: .Sep 10 15:09:18.242 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012308: .Sep 10 15:10:05.894 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1727064329 1500 bytes is out-of-order; expected seq:2567808847. Reason: TCP reassembly queue overflow - session 10.48.25.166:53898 to 208.57.239.140:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012309: .Sep 10 15:10:19.306 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1723586546 1500 bytes is out-of-order; expected seq:2571348894. Reason: TCP reassembly queue overflow - session 10.48.25.166:53898 to 208.57.239.140:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012310: .Sep 10 15:10:33.302 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:13438822 1500 bytes is out-of-order; expected seq:13406702. Reason: TCP reassembly queue overflow - session 10.48.25.142:49714 to 207.171.187.117:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012311: .Sep 10 15:10:48.394 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012312: .Sep 10 15:12:18.475 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012313: .Sep 10 15:12:26.535 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-129881396 1500 bytes is out-of-order; expected seq:4165041012. Reason: TCP reassembly queue overflow - session 10.48.25.166:53930 to 208.57.239.143:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012314: .Sep 10 15:12:29.055 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-129229796 1500 bytes is out-of-order; expected seq:4165643380. Reason: TCP reassembly queue overflow - session 10.48.25.166:53930 to 208.57.239.143:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012315: .Sep 10 15:13:48.631 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012316: .Sep 10 15:14:48.711 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012317: .Sep 10 15:16:18.788 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012318: .Sep 10 15:17:48.948 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012321: .Sep 10 15:18:24.332 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1772919495 1500 bytes is out-of-order; expected seq:2521951441. Reason: TCP reassembly queue overflow - session 10.48.25.127:52912 to 208.85.46.23:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012324: .Sep 10 15:19:19.025 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012326: .Sep 10 15:19:56.805 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-686732709 1500 bytes is out-of-order; expected seq:3608130331. Reason: TCP reassembly queue overflow - session 10.48.25.168:50976 to 209.107.207.34:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012329: .Sep 10 15:20:49.177 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012332: .Sep 10 15:22:01.901 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1841933159 1500 bytes is out-of-order; expected seq:1841834639. Reason: TCP reassembly queue overflow - session 10.48.25.175:57994 to 207.171.187.117:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012334: .Sep 10 15:22:19.257 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012336: .Sep 10 15:22:53.858 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-105094622 1500 bytes is out-of-order; expected seq:4189729594. Reason: TCP reassembly queue overflow - session 10.48.25.175:58037 to 207.171.187.117:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012338: .Sep 10 15:23:49.410 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012342: .Sep 10 15:25:19.490 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012346: .Sep 10 15:26:49.655 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012349: .Sep 10 15:27:43.371 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:1421996587 1500 bytes is out-of-order; expected seq:1421935599. Reason: TCP reassembly queue overflow - session 10.48.25.175:58249 to 65.55.227.209:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012351: .Sep 10 15:28:19.719 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012354: .Sep 10 15:29:49.880 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012358: .Sep 10 15:31:19.952 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012361: .Sep 10 15:32:50.105 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012365: .Sep 10 15:34:20.189 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012369: .Sep 10 15:35:50.333 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012370: .Sep 10 15:36:13.006 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1296085792 1500 bytes is out-of-order; expected seq:2998782224. Reason: TCP reassembly queue overflow - session 10.48.25.172:50750 to 208.57.0.46:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012373: .Sep 10 15:37:20.418 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012377: .Sep 10 15:38:50.562 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
012381: .Sep 10 15:39:56.759 PDT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-1507195997 1500 bytes is out-of-order; expected seq:2787703335. Reason: TCP reassembly queue overflow - session 10.48.25.137:56073 to 98.139.212.8:80 on zone-pair ccp-zp-in-out class ccp-protocol-http
012383: .Sep 10 15:40:20.647 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
I am having a separate VPN issue and the 230 address is the hub in a DMVPN configuration, so I'm not surprised to see those log entries there (but I'm trying to solve that as well).
09-11-2012 01:29 AM
Hi,
can you ping 8.8.8.8 and modify this policy like this:
policy-map type inspect ccp-permit
class type inspect SDM_DMVPN_PT
pass
class type inspect ccp-cls-ccp-permit-1
inspect
class type inspect SSH_ACCESS
inspect
class class-default
drop log
Have you got any log message this time?
Regards.
Alain
Don't forget to rate helpful posts.
09-11-2012 09:01 AM
Good morning,
I've made the change and pinged 8.8.8.8 but still nothing relevant in the log:
013705: .Sep 11 08:53:09.818 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
013707: .Sep 11 08:54:39.894 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
013710: .Sep 11 08:55:39.974 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
013713: .Sep 11 08:57:10.123 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
013716: .Sep 11 08:58:10.203 PDT: %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.230 has no SA and is not an initialization offer
I wonder if there is a problem with NAT and the VPN that is causing this issue? Currently NAT is referencing access list 110:
access-list 110 permit ip 10.48.0.0 0.0.255.255 any
But I probably don't want to NAT internal traffic that should go over the VPN. Would that affect the pings as well?
09-12-2012 08:31 AM
I was able to resolve this by removing this line from the config:
ip nat inside source static 10.48.25.1 zzz.zzz.zzz.26
I'm not sure why the router's WAN interface was NATed to the LAN interface. It doesn't seem to accomplish anything. I was able to ping from the router once I took that out.
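The post above found that the culprit was a one-to-one static NAT entry mapping the router's own LAN address (10.48.25.1) to its WAN address. As an added check that is not part of the thread (my code, not the poster's and not Cisco's), the following Python script parses an IOS-style running-config and flags exactly that class of entry: a static translation whose inside-local address belongs to the router itself, and a full (non-port) static translation whose inside-global address is one of the router's interface addresses. The second case is the well-known reason such entries are normally written port by port with `static tcp ... extendable`: a full mapping onto the interface address claims every inbound packet to that address, including packets meant for the router. The config excerpt embedded in the script is constructed from the one posted at the top of the thread; 203.0.113.26 stands in for the masked zzz.zzz.zzz.26, and the parser only handles the `ip nat inside source static` forms that appear in that config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the running-config posted in the thread.
# 203.0.113.26 (TEST-NET-3) stands in for the masked WAN address zzz.zzz.zzz.26.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.48.255.17 255.255.255.255
 ip nat inside
!
interface GigabitEthernet0/0
 description TelePacific Internet$FW_OUTSIDE$
 ip address 203.0.113.26 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.48.25.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static 10.48.25.1 203.0.113.26
ip nat inside source static tcp 10.48.25.24 80 203.0.113.27 80 extendable
ip nat inside source static tcp 10.48.25.24 443 203.0.113.27 443 extendable
ip nat inside source static 10.48.25.24 203.0.113.27
"""


@dataclass
class StaticNat:
    line: str
    proto: Optional[str]        # None for a one-to-one entry, else "tcp"/"udp"
    local: str                  # inside-local address
    local_port: Optional[int]
    glob: str                   # inside-global address
    glob_port: Optional[int]


def parse_interface_addresses(config: str) -> Dict[str, str]:
    """Map each interface name to its primary IPv4 address (interfaces without one are skipped)."""
    addrs: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]
            continue
        if not raw.startswith(" "):
            current = None      # "!" or a global command ends the interface stanza
            continue
        tok = raw.split()
        if current and tok[:2] == ["ip", "address"] and len(tok) >= 4:
            # IPv4Interface accepts a dotted-decimal mask after the slash
            addrs[current] = str(ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}").ip)
    return addrs


def parse_static_nat(line: str) -> StaticNat:
    """Parse the one-to-one and port-specific 'ip nat inside source static' forms."""
    tok = line.split()[5:]          # drop 'ip nat inside source static'
    proto = tok.pop(0) if tok[0] in ("tcp", "udp") else None
    if proto:
        return StaticNat(line, proto, tok[0], int(tok[1]), tok[2], int(tok[3]))
    return StaticNat(line, None, tok[0], None, tok[1], None)


def audit_static_nat(config: str) -> List[Tuple[str, str]]:
    """Return (finding-code, config-line) pairs for static NAT entries that overlap
    the router's own addresses."""
    owned = {addr: name for name, addr in parse_interface_addresses(config).items()}
    findings: List[Tuple[str, str]] = []
    for line in config.splitlines():
        if not line.startswith("ip nat inside source static "):
            continue
        nat = parse_static_nat(line)
        if nat.local in owned:
            # The "inside" host is the router itself: nothing behind the router is
            # exposed, and the router's own traffic is now subject to the translation.
            findings.append(("LOCAL_IS_ROUTER_ADDRESS", line))
        if nat.proto is None and nat.glob in owned:
            # A full one-to-one mapping onto an interface address claims every inbound
            # packet to that address, including packets addressed to the router.
            findings.append(("GLOBAL_IS_INTERFACE_ADDRESS", line))
    return findings


if __name__ == "__main__":
    for code, line in audit_static_nat(SAMPLE_CONFIG):
        print(f"{code}: {line}")
```

Run against the embedded excerpt it reports both findings for the `10.48.25.1 -> 203.0.113.26` entry and nothing for the port-specific `10.48.25.24` entries, which is the same conclusion the poster reached with debugs. To audit a live box, paste the output of `show running-config` into `SAMPLE_CONFIG` or read it from a file.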
09-12-2012 09:56 AM
Hi Kris,
good catch, I don't think I would have spotted this easily without debugs.
Glad you solved your problem.
Regards.
Alain
Don't forget to rate helpful posts.