1024 Views, 0 Helpful, 7 Replies

CEF and VPN with two ISP's

luchonat1
Level 1

Hello people!

I have the following problem:

I have a 1921 router connected to two ISPs; no routing is exchanged with these ISPs, just simple Internet service.

I've configured NAT and CEF, so traffic is being load-shared across these two ISPs.

Over one of the ISP links I've created a VPN tunnel to a remote site, and everything works as expected.

I also enabled the EasyVPN server on the router, so I can connect from PCs with IPsec clients.

I can successfully connect to this service through both ISPs, but the problem is that after a while, with everything working as expected, something starts to fail: I cannot SSH into the router and cannot reach the LANs that should be reachable through the tunnel. I've been doing a lot of testing, and it seems to me that it is something about CEF.

Here's my current config:

Current configuration : 14399 bytes
!
! Last configuration change at 12:31:35 GMT Thu Mar 8 2018 by lnatale
! NVRAM config last updated at 19:42:43 GMT Wed Mar 7 2018 by lnatale
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bla
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
clock timezone GMT -3 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp database tftp://192.168.20.2/snlc-r01-roo-r6a/dhcp-leases-databases/db
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.101.1 172.16.101.220
ip dhcp excluded-address 192.168.16.1 192.168.16.249
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool Private
import all
network 172.16.101.0 255.255.255.0
domain-name senalco.lan
dns-server 172.16.101.1
default-router 172.16.101.1
!
ip dhcp pool Administrative
import all
network 192.168.16.0 255.255.255.0
domain-name adm.senalco.lan
dns-server 192.168.16.1 192.168.16.1
default-router 192.168.16.1
!
ip dhcp pool PublicWiFi
import all
network 192.168.28.0 255.255.255.0
domain-name pub.senalco.lan
default-router 192.168.28.1
dns-server 192.168.28.1 192.168.28.1
!
!
!
ip domain name adm.senalco.lan
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-4272564176
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4272564176
revocation-check none
rsakeypair TP-self-signed-4272564176
!
!
crypto pki certificate chain TP-self-signed-4272564176
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

quit
license udi pid CISCO1921/K9 sn FJC2131L12U
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
archive
path tftp://192.168.20.2/snlc-r01-roo-r6a/conf/$h-$t
write-memory
time-period 1440
username admin privilege 15 secret 5 asdfasdf
username lnatale privilege 15 secret 5 asdfasdf
!
redundancy
!
!
!
!
lldp run
track timer interface 5
!
track 1 ip sla 1
delay down 1 up 1
!
track 2 ip sla 2
delay down 1 up 1
!
no ip ftp passive
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 101
class-map type inspect match-all ccp-cls--1
match access-group name inside-nav
class-map type inspect match-all ccp-cls--3
match access-group name management-nav
class-map type inspect match-all ccp-cls--2
match access-group name wifi-nav
class-map type inspect match-all ccp-cls--5
match access-group name inside-to-management
class-map type inspect match-all ccp-cls--4
match access-group name management-to-inside
!
policy-map type inspect ccp-policy-ccp-cls--4
class type inspect ccp-cls--4
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--5
class type inspect ccp-cls--5
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop log
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
inspect
class class-default
drop log
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
!
zone security outside
zone security inside
zone security public-wifi
zone security management
zone-pair security sdm-zp-inside-outside source inside destination outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-public-wifi-outside source public-wifi destination outside
service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-management-outside source management destination outside
service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-management-inside source management destination inside
service-policy type inspect ccp-policy-ccp-cls--4
zone-pair security sdm-zp-VPNOutsideToInside-1 source outside destination inside
service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-inside-management source inside destination management
service-policy type inspect ccp-policy-ccp-cls--5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key asdfasdf address REMOTE_SITE_IP 
!
crypto isakmp client configuration group management
key asdfasdf
pool SDM_POOL_1
acl roamers
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group management
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toREMOTE_SITE_IP
set peer REMOTE_SITE_IP
set transform-set ESP-3DES-SHA1
match address 100
!
!
!
!
!
interface Loopback0
ip address 192.168.252.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description FiberCorp$ETH-WAN$
ip dhcp client route track 1
ip address dhcp client-id GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
description Telecentro$ETH-WAN$
ip dhcp client route track 2
ip address dhcp client-id GigabitEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description snlc-s02-roo-r6a/24
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/1
description snlc-s06-roo-r6a/25
switchport mode trunk
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security management
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description Administrative
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security management
!
interface Vlan10
description Servers
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface Vlan11
description Telephony
ip address 192.168.24.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface Vlan12
description Public WiFi
ip address 192.168.28.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security public-wifi
!
interface Vlan13
description Cameras
ip address 192.168.32.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface Vlan20
description Private LAN & WiFi
ip address 172.16.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface Vlan21
description Development
ip address 172.16.128.1 255.255.255.0
ip helper-address 192.168.20.2
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
ip local policy route-map router-local
ip local pool SDM_POOL_1 192.168.252.10 192.168.252.254
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source route-map FiberCorp-nat interface GigabitEthernet0/0 overload
ip nat inside source route-map Telecentro-nat interface GigabitEthernet0/1 overload
!
ip access-list standard secure_vty
permit 10.10.10.0 0.0.0.127
permit 192.168.16.0 0.0.0.255
permit 192.168.252.0 0.0.0.255
remark Secure VTY Access
deny any
!
ip access-list extended FiberCorp_Local
permit ip host ISP_1_ROUTER'S_IP any
ip access-list extended Telecentro_Local
permit ip host ISP_2_ROUTER'S_IP any
ip access-list extended inside-nav
remark CCP_ACL Category=128
permit ip 172.16.101.0 0.0.0.255 any
permit ip 172.16.128.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.24.0 0.0.0.255 any
permit ip 192.168.32.0 0.0.0.255 any
ip access-list extended inside-to-management
remark CCP_ACL Category=128
permit ip host 192.168.20.2 192.168.16.0 0.0.0.255
ip access-list extended management-nav
remark CCP_ACL Category=128
permit ip 192.168.16.0 0.0.0.255 any
ip access-list extended management-to-inside
remark CCP_ACL Category=128
permit ip 192.168.16.0 0.0.0.255 172.16.101.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 172.16.128.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 192.168.24.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
permit ip 192.168.252.0 0.0.0.255 172.16.101.0 0.0.0.255
permit ip 192.168.252.0 0.0.0.255 172.16.128.0 0.0.0.255
permit ip 192.168.252.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.252.0 0.0.0.255 192.168.20.0 0.0.0.255
permit ip 192.168.252.0 0.0.0.255 192.168.24.0 0.0.0.255
permit ip 192.168.252.0 0.0.0.255 192.168.32.0 0.0.0.255
ip access-list extended navigation-nat
remark CCP_ACL Category=18
remark IPSec Rule
deny ip 172.16.128.0 0.0.0.255 172.16.100.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.24.0 0.0.0.255 any
permit ip 192.168.28.0 0.0.0.255 any
permit ip 172.16.101.0 0.0.0.255 any
permit ip 172.16.128.0 0.0.0.255 any
deny ip any any
ip access-list extended roamers
remark CCP_ACL Category=4
permit ip 172.16.101.0 0.0.0.255 any
permit ip 172.16.128.0 0.0.0.255 any
permit ip 192.168.16.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
permit ip 192.168.24.0 0.0.0.255 any
permit ip 192.168.32.0 0.0.0.255 any
ip access-list extended wifi-nav
remark CCP_ACL Category=128
permit ip 192.168.28.0 0.0.0.255 any
!
ip sla 1
icmp-echo ISP_1_DG_IP source-interface GigabitEthernet0/0
threshold 40
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo ISP_2_DG_IP source-interface GigabitEthernet0/1
threshold 40
timeout 1000
frequency 3
ip sla schedule 2 life forever start-time now
!
route-map FiberCorp-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/0
!
route-map router-local permit 10
match ip address FiberCorp_Local
set ip next-hop ISP_1_DG_IP
!
route-map router-local permit 20
match ip address Telecentro_Local
set ip next-hop ISP_2_DG_IP
!
route-map Telecentro-nat permit 10
match ip address navigation-nat
match interface GigabitEthernet0/1
!
!
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 23 permit 192.168.16.0 0.0.0.255
access-list 23 permit 192.168.252.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.128.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.128.0 0.0.0.255
!
!
!
ipv6 access-list secure_6vty
deny ipv6 any any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class secure_vty in
privilege level 15
ipv6 access-class secure6_vty in
transport input ssh
line vty 5 15
access-class secure_vty in
privilege level 15
ipv6 access-class secure6_vty in
transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 3.ar.pool.ntp.org
ntp server 0.ar.pool.ntp.org prefer
ntp server 2.ar.pool.ntp.org
ntp server 1.ar.pool.ntp.org
event manager applet CLEAR_NAT_ISP1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation forced"
event manager applet CLEAR_NAT_ISP1_UP
event track 1 state up
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation forced"
event manager applet CLEAR_NAT_ISP2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation forced"
event manager applet CLEAR_NAT_ISP2_UP
event track 2 state up
action 1.0 cli command "enable"
action 1.1 cli command "clear ip nat translation forced"
!
end

Here is some CEF-related output when in the "failing" state:

bla#show ip cef exact-route 192.168.20.2 192.168.252.27 ! this one is connected through ISP 2
192.168.20.2 -> 192.168.252.27 =>IP adj out of GigabitEthernet0/1, addr ISP2_DG_IP

bla#ping 192.168.252.27
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.27, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/92/236 ms

bla#show ip cef exact-route 192.168.20.2 192.168.252.28 ! this one is connected through ISP 1
192.168.20.2 -> 192.168.252.28 =>IP adj out of GigabitEthernet0/1, addr ISP2_DG_IP

bla#ping 192.168.252.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.252.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I can be almost sure it's CEF related, because if I issue no ip cef and ip cef, everything works as expected again!!

1 Accepted Solution

luchonat1
Level 1

Using PBR for local traffic solved this problem!
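The accepted fix (policy routing for the router's own traffic) and the posted config are worth turning into something checkable. The script below is an added example, not code from the thread: a small linter for an IOS config of this kind. It checks that every ACL referenced by name is actually defined (the posted config applies ipv6 access-class secure6_vty on the vty lines but defines secure_6vty, and on IOS an access-class that names an undefined ACL does not filter), that the route-map applied with ip local policy carries a set ip next-hop clause for each ip nat outside uplink (that is what makes router-sourced ISAKMP/ESP and SSH replies leave via the ISP they arrived on instead of following CEF's per-destination load-sharing choice), and that no crypto stanza still uses 3DES or DH group 2. SAMPLE_CONFIG is constructed for this example and modelled on the posted one, with documentation addresses (203.0.113.x) standing in for the ISP placeholders; the "one next-hop per uplink" rule is this example's heuristic, not something stated in the thread.

```python
"""Added example, not from the thread: a linter for IOS configs of the kind
posted above (dual ISP, NAT overload, IPsec, local PBR). SAMPLE_CONFIG is
constructed for this example; its addresses are documentation ranges."""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat outside
ip local policy route-map router-local
ip access-list extended FiberCorp_Local
 permit ip host 203.0.113.10 any
ip access-list standard secure_vty
 permit 192.168.16.0 0.0.0.255
ipv6 access-list secure_6vty
 deny ipv6 any any
route-map router-local permit 10
 match ip address FiberCorp_Local
 set ip next-hop 203.0.113.1
line vty 0 4
 access-class secure_vty in
 ipv6 access-class secure6_vty in
"""

# where an ACL is referenced by name: vty access-class, route-map match, ZBF class-map
ACL_REF_PATTERNS = (r"access-class (\S+) in", r"match ip address (\S+)$",
                    r"match access-group (?:name )?(\S+)$")

def parse_blocks(text):
    """Split an IOS config into (header, [indented child lines]) blocks."""
    blocks, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and cur is not None:
            cur[1].append(raw.strip())
        else:
            cur = (raw.strip(), [])
            blocks.append(cur)
    return blocks

def defined_acls(blocks):
    """Names/numbers of every ACL the config defines."""
    acls = set()
    for header, _ in blocks:
        m = (re.match(r"(?:ipv6|ip) access-list (?:standard |extended )?(\S+)$", header)
             or re.match(r"access-list (\d+) ", header))
        if m:
            acls.add(m.group(1))
    return acls

def referenced_acls(blocks):
    """(context header, ACL name) for every reference to an ACL by name."""
    return [(h, m.group(1)) for h, ch in blocks for ln in ch
            for pat in ACL_REF_PATTERNS if (m := re.search(pat, ln))]

def nat_outside_interfaces(blocks):
    """Interfaces configured as NAT outside, i.e. the ISP uplinks."""
    return [h.split(None, 1)[1] for h, ch in blocks
            if h.startswith("interface ") and "ip nat outside" in ch]

def local_policy_next_hops(blocks):
    """Next-hops set by the route-map applied with 'ip local policy'."""
    rm = next((h.split()[-1] for h, _ in blocks
               if h.startswith("ip local policy route-map ")), None)
    return [ln.split()[-1] for h, ch in blocks if rm and h.startswith(f"route-map {rm} ")
            for ln in ch if ln.startswith("set ip next-hop ")]

def legacy_crypto(blocks):
    """Lines under 'crypto ...' that still use 3DES or DH group 1/2."""
    return [(h, ln) for h, ch in blocks if h.startswith("crypto ") for ln in [h] + ch
            if re.search(r"\b(?:esp-)?3des\b", ln) or re.fullmatch(r"group [12]", ln)]

def audit(text):
    """Run all checks and return the findings as a dict."""
    blocks = parse_blocks(text)
    defined = defined_acls(blocks)
    nat_out = nat_outside_interfaces(blocks)
    hops = local_policy_next_hops(blocks)
    return {
        # an access-class that names an ACL which does not exist filters nothing on IOS
        "dangling_acls": [(ctx, n) for ctx, n in referenced_acls(blocks) if n not in defined],
        "nat_outside": nat_out,
        "local_pbr_next_hops": hops,
        # heuristic: one 'set ip next-hop' per uplink; otherwise router-sourced replies
        # (ISAKMP, ESP, SSH) follow CEF's load-sharing choice rather than the arrival ISP
        "pbr_covers_all_uplinks": len(hops) >= len(nat_out),
        "legacy_crypto": legacy_crypto(blocks),
    }

if __name__ == "__main__":
    for key, val in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {val}")
```

Run it as a script to print the findings for the sample, or feed audit() the text of show running-config. The sample deliberately carries only one route-map clause for two NAT-outside uplinks, so the coverage check fires. On the real router, note that show ip cef exact-route (as used in the original post) reports CEF's forwarding choice and does not account for ip local policy; after adding local PBR, the place to confirm it is matching is the policy-routing match counters in show route-map router-local.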

7 Replies

Francesco Molino
VIP Alumni

Hi

What IOS is it running?

In your explanation, you talk about 2 IPs from the VPN pool, saying that they're reachable from ISP 1 and ISP 2.

However, you're also saying that the adj is on g0/1 to ISP 1. Can you clarify that please?

You're talking about 192.168.252.28 but you're pinging 192.168.252.8.

Have you tried installing the latest IOS recommended by Cisco?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi:

#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Fri 05-Jun-15 12:31 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

snlc-r01-roo-r6a uptime is 1 day, 16 hours, 11 minutes
System returned to ROM by reload at 19:14:32 GMT Wed Mar 7 2018
System restarted at 19:16:25 GMT Wed Mar 7 2018
System image file is "usbflash0:c1900-universalk9-mz.SPA.154-3.M3.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FJC2131L12U
6 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
245744K bytes of USB Flash usbflash0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID            SN
-------------------------------------------------
*1        CISCO1921/K9   FJC2131L12U

Technology Package License Information for Module:'c1900'

------------------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    RightToUse     securityk9
data          datak9        RightToUse     datak9
NtwkEss       None          None           None

Configuration register is 0x2102

"You're talking about 192.168.252.28 but you're pinging 192.168.252.8" -> That was just a typo!

I have not tried changing the IOS version.

OK, please upgrade to the latest stable IOS, 15.5.3M7 I believe.

Thanks
Francesco

Do you know if any CEF-related issue has been fixed? I don't want to force a system update just in case!

Thanks!

I'll check later and come back to you


Thanks
Francesco


It is very interesting that using PBR solved the issue. Thanks for posting back to the forum and letting us know about this.

HTH

Rick