Cisco router blocking some computers

kben4cisco
Level 1

Have two Cisco C1101-4P routers set for a site-to-site IPsec VPN. There is no NAT. The issue is that some computers cannot use the resources on the other end. Some have no problem. Some can access some resources. Some cannot access anything. The version of Windows does not matter, i.e. Win2000, Win7, Win8.1, Win10, Win11, and Linux. It appears the router just drops the packets. Tried with the firewall off, no difference. There must have been a software update in May because the situation got worse. Some computers that did have access suddenly did not.

What am I looking for to troubleshoot this issue?

27 Replies

Joseph W. Doherty
Hall of Fame

You might first try pinging resources, from one side's host to the other side's hosts.

For failure, try traceroute next.

No help. If I can ping the resource, I can access it. Same with traceroute. Packet goes to first router and disappears.

The (possible) help is what ping and/or traceroute tell us.

So traceroute does get a reply from gateway IP?  For hosts that have no problem, what does traceroute show for them?

Oh, and try traceroute to far side router interface.

Traceroute does not see the remote router vlan; going to it ends at the first router.

Traceroute sees the first router and the destination computer, nothing in between.

Did you try traceroute to router's far side interface?  (If that's unclear, let me know.)

First thing to check: do the workstations get an IP from the same subnet?
Is this subnet permitted in the ACL of the IPsec VPN?

MHM

All workstations on both ends use their respective subnets with static IPs. Routers are set to allow the entire subnet. The issue is why one computer can access one resource and another can access a different one, and another computer can access both, with a different computer not being able to access either.

Do a traceroute from a non-working workstation and see which first hops appear.

MHM

Are there any messages in the logs that relate to issues with site to site vpn?

In working with site to site vpn I have sometimes observed issues with access that turned out to be because of MTU. Is it possible that some of your devices use a different MTU? Perhaps you might try setting a lower MTU for the interface where the vpn is?

You might post the router configuration (with sensitive information like Public IP obscured) so that we can understand better what is going on.

HTH

Rick

The VLAN on both routers has the setting - ip tcp adjust-mss 1452 - which I got from the Cisco documentation.

A preliminary quick check of the logs did not show anything. 


@kben4cisco wrote:

The vlan on both routers have the setting - ip tcp adjust-mss 1452 - which I got from the cisco documentation.


What Cisco documentation?

Reason I ask, that would be a PPPoE adjustment.  For an IPSec tunnel, the usual MSS recommendation would be 1360 (along with a 1400 IP MTU, and possibly PMTUD too).
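A way to test Rick's MTU hypothesis and Joseph's 1400-byte figure from a Linux host on one side, as an added example that is not part of the thread: send DF-bit pings toward a far-side host and find the largest unfragmentable packet that actually crosses the tunnel. The far-side host name, the 1400 starting point and the 576 lower bound are assumptions; the helper functions are mine, using Linux ping syntax.

```shell
#!/bin/sh
# Added example: locate the largest DF-bit ICMP packet that crosses the
# site-to-site tunnel, to see whether a 1400-byte IP MTU really passes.
# Linux ping flags: -M do sets the DF bit, -s sets the ICMP payload size.

# IPv4 header (20) + ICMP header (8) = 28 bytes of overhead per echo request.
ICMP_OVERHEAD=28

# Payload size that yields an IP packet of exactly the given total size.
icmp_payload_for_mtu() {
    echo $(( $1 - ICMP_OVERHEAD ))
}

# Sends one DF-bit echo request of total size $2 to host $1; exit status 0
# if a reply arrives, non-zero if the packet is dropped or needs fragmentation.
probe_mtu() {
    ping -M do -c 1 -W 2 -s "$(icmp_payload_for_mtu "$2")" "$1" >/dev/null 2>&1
}

# Binary search between $2 (assumed to pass) and $3 (assumed to fail) for the
# largest packet size that gets through; prints that size.
find_path_mtu() {
    pm_host=$1; pm_lo=$2; pm_hi=$3
    while [ $(( pm_hi - pm_lo )) -gt 1 ]; do
        pm_mid=$(( (pm_lo + pm_hi) / 2 ))
        if probe_mtu "$pm_host" "$pm_mid"; then pm_lo=$pm_mid; else pm_hi=$pm_mid; fi
    done
    echo "$pm_lo"
}

# Usage: sh pmtu.sh <far-side host>   (the host is an assumed placeholder)
if [ $# -ge 1 ]; then
    if probe_mtu "$1" 1400; then
        echo "1400-byte packets cross the tunnel; MTU is not the blocker"
    else
        echo "1400 fails; largest passing size is $(find_path_mtu "$1" 576 1400)"
    fi
fi
```

Run it from a host that cannot reach the far side and from one that can; if the working host passes 1400 and the failing one stops well below it, a per-host MTU or a blackholed ICMP "fragmentation needed" is the likely cause.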

Google "ip tcp adjust-mss 1452" for the Cisco document.
