Cisco IOS trouble

Olle Johansson
Level 1

Hi!

I have two 3925 routers running Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)

I have about 10 IPSec tunnels running to ASA5505s on the remote end, and they are connected to an inside VRF (the outside interface is connected to an FVRF).

All 10 tunnels have about the same ACL:

ip access-list extended <SITE-NAME>
 permit ip 10.0.0.0 0.255.255.255 <192.168.SITE-NET>
 permit ip 172.16.0.0 0.15.255.255 <192.168.SITE-NET>
 permit ip 192.168.0.0 0.0.255.255 <192.168.SITE-NET>

All are working fine except 2. ISAKMP works, and IPSec works and builds SAs between the site net and nets in the 172.16.0.0/12 range and the 192.168.0.0/16 range, but not the 10.0.0.0/8 range.

When sending traffic to, say, 10.1.1.1 from the site I can see packets coming in to my router and the packets get decapsulated, but if I send packets from 10.1.1.1 to the site they never hit the ACL or SA.

I have tested various ACLs with only one row and so on, and nothing works.

I tried to remove the crypto map and start over from scratch with the tunnel that is not working, but the static route that RRI added does not disappear. I tried clear crypto session, clear crypto ipsec sa and clear crypto isakmp, but it does not go away! I have not yet tried to reload the router.

Any suggestion?

! Keyring lives in the front-door VRF (OUTSIDE), where the peer's IKE packets arrive
crypto keyring VRF460_xxxxxx vrf OUTSIDE
  pre-shared-key address 3.3.3.3 key A-PRE-SHARED-KEY
!
! "vrf 460" is the inside VRF the decrypted traffic and the RRI routes belong to;
! the identity is matched against the peer address as seen in the OUTSIDE FVRF
crypto isakmp profile VRF460_xxxxxx
   vrf 460
   keyring VRF460_xxxxxx
   match identity address 3.3.3.3 255.255.255.255 OUTSIDE
   keepalive 10 retry 3
!
crypto map VPN 30 ipsec-isakmp
 description Connection to <site>
 set peer 3.3.3.3
 set transform-set AES256-SHA
 set isakmp-profile VRF460_xxxxxx
 match address SITE
 ! 5.5.5.5 is the next hop on the local outside network; the "static" keyword
 ! installs the RRI routes for the crypto ACL destinations permanently rather
 ! than only while an IPsec SA is up
 reverse-route remote-peer 5.5.5.5 static


Olle Johansson
Level 1

Wrote the wrong title

Should be: Cisco IOS IPsec problem

Richard Burts
Hall of Fame

There is not enough detail here for us to be able to really identify the specific problem. In general, when there are problems in which traffic is not being sent through a site-to-site VPN, I look either for some routing issue which is not sending the traffic through the tunnel or for something that is causing the traffic to not match the criteria for the tunnel.

Since you say that the tunnel is working ok for traffic from 172.16 and 192.168 the first reaction is to assume that routing is working as expected. But since we do not know what is the topology of the network I would still ask if there is any possibility that traffic from 10 network is not routed correctly when going to the site. Perhaps the results of traceroute from some 10 network source to the site might shed some light on the issue.

The other possibility is that something in the criteria is not being matched. To investigate this it might be helpful if you would provide the specific access lists being used for the site that does not work and for a site that does work.

I also wonder if there is some possibility that there is something like address translation which may affect traffic from the 10 network to this site that might cause the VPN criteria to not match.

HTH

Rick


First of all, I live in Sweden, it is early morning and my 3-year-old boy just woke up, so I don't have the time to correct my spelling. Hope you can read it anyway.

I realise now that I just gave you half of the info.

We have solved the mystery. The router needed to reload. So there was no config error.

But to give you all the info: our VPN router does only LAN-to-LAN VPN termination, both standard IPSec with crypto maps, and serves as our DMVPN hub. So no NAT. And they are part of our MPLS cloud (only 3 routers so far, but we started to build MPLS this summer).

Before I posted here I had ruled out all the standard VPN problems like routing issues, mismatching ACLs and so on.

I found a strange behavior. I was going to move this tunnel that was not working to another VPN router. But when I removed the crypto map and all other config there was still a route for the remote network in the routing table. So it seems that the RRI route had hung in some way, and I could not figure out how to clear it, so I had to reload the router.

I have not had the time to go deeper after I reloaded the router, other than that it is now working correctly. Will have to wait and see if it happens again.

Could it be a bug that RRI is hanging and affecting parts of the SAs?
