Dynamic VPN over 4G does not allow remote-initiated traffic in, except for ping

feisalb
Level 1

Hello All


I have created a dynamic VPN over 4G on a 1921 router and established a LAN-to-LAN tunnel.

The peer with the dynamic peer initiates traffic. Once the tunnel is up I can't telnet to the subinterface, albeit I can ping the destination.

I can't even do this from a loopback on the vpn gateway.

When I try to ping from a host behind a firewall, it fails until the remote end pings the host first and then the host can ping the remote end although the tunnel has already been established.

It seems like all incoming traffic is being denied when the tunnel is up unless the remote end has initiated the communication.

I have posted my config below. The support guys want to RDP to the devices but that is being denied.

Do you think it could be the 4G service provider causing the issue?

chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
cts logging verbose
!
crypto pki trustpoint TP-self-signed-133751086
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-133751086
 revocation-check none
 rsakeypair TP-self-signed-133751086

controller Cellular 0/0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!

crypto keyring KR-21SCHO_DYNA_1  
  description Footwear VPN TO RUNCORN RTR-A
  pre-shared-key address x.x.x.x key <>
!

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP-21SCHO_DYNA_1
   description Footwear VPN TO RTR-A 
   keyring KR-21SCHO_DYNA_1
   match identity address x.x.x.x 255.255.255.255 
   keepalive 10 retry 2

crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set TUN-ESP-3DES-MD5 esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set TUN-ESP-AES-SHA256 esp-aes esp-sha256-hmac 
 mode tunnel

crypto map VPN_CRYPTO 10 ipsec-isakmp 
 description VPN TO RUNCORN RTR-A 
 set peer x.x.x.x
 set transform-set TUN-ESP-3DES-MD5 TUN-ESP-AES-SHA256 
 set isakmp-profile ISAKMP-21SCHO_DYNA_1
 match address VPNACL-21SCHO_DYNA_1

interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
!
interface GigabitEthernet0/0.318
 description Client VLAN
 encapsulation dot1Q 318
 ip address 10.108.26.1 255.255.255.0
 ip helper-address 10.251.120.141
 ip helper-address 10.251.120.142
!
interface GigabitEthernet0/0.319
 description Management VLAN
 encapsulation dot1Q 319
 ip address 10.108.28.1 255.255.255.0
!
interface GigabitEthernet0/0.320
 description WIFI_CORP VLAN
 encapsulation dot1Q 320
 ip address 10.108.29.1 255.255.255.0
 ip helper-address 10.251.120.141
 ip helper-address 10.251.120.142
!
interface GigabitEthernet0/0.321
 description WIFI_GUEST VLAN
 encapsulation dot1Q 321
 ip address 10.108.30.1 255.255.255.0
 ip helper-address 10.251.120.141
 ip helper-address 10.251.120.142
!
interface GigabitEthernet0/0.330
 description TRANSIT VLAN TO CONVERGENCE DSL
 encapsulation dot1Q 330
 ip address 10.108.31.1 255.255.255.240
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no keepalive
!
interface Cellular0/0/0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer string lte
 dialer-group 1
 crypto map VPN_CRYPTO
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 250
!
ip access-list extended NAT
 permit ip 10.108.0.0 0.0.255.255 any
ip access-list extended VPNACL-21SCHO_DYNA_1
 remark VPN TO RUNCORN
 permit ip 10.108.24.0 0.0.7.255 10.251.0.0 0.0.255.255
 permit ip 10.108.24.0 0.0.7.255 199.23.10.0 0.0.0.255
 permit ip 10.108.24.0 0.0.7.255 129.18.140.64 0.0.0.31
 permit ip 10.108.24.0 0.0.7.255 94.12.98.64 0.0.0.31
 permit ip 10.108.24.0 0.0.7.255 92.7.18.48 0.0.0.15
 permit ip 10.108.32.0 0.0.7.255 10.251.0.0 0.0.255.255
 permit ip 10.108.32.0 0.0.7.255 199.23.10.0 0.0.0.255
 permit ip 10.108.32.0 0.0.7.255 129.18.140.64 0.0.0.31
 permit ip 10.108.32.0 0.0.7.255 94.12.98.64 0.0.0.31
 permit ip 10.108.32.0 0.0.7.255 92.7.18.48 0.0.0.15
 permit ip 10.108.40.0 0.0.7.255 10.251.0.0 0.0.255.255
 permit ip 10.108.40.0 0.0.7.255 199.23.10.0 0.0.0.255
 permit ip 10.108.40.0 0.0.7.255 129.18.140.64 0.0.0.31
 permit ip 10.108.40.0 0.0.7.255 94.12.98.64 0.0.0.31
 permit ip 10.108.40.0 0.0.7.255 92.7.18.48 0.0.0.15
 permit ip 10.108.48.0 0.0.7.255 10.251.0.0 0.0.255.255
 permit ip 10.108.48.0 0.0.7.255 199.23.10.0 0.0.0.255
 permit ip 10.108.48.0 0.0.7.255 129.18.140.64 0.0.0.31
 permit ip 10.108.48.0 0.0.7.255 94.12.98.64 0.0.0.31
 permit ip 10.108.48.0 0.0.7.255 92.7.18.48 0.0.0.15
 permit ip 10.108.56.0 0.0.7.255 10.251.0.0 0.0.255.255
 permit ip 10.108.56.0 0.0.7.255 199.23.10.0 0.0.0.255
 permit ip 10.108.56.0 0.0.7.255 129.18.140.64 0.0.0.31
 permit ip 10.108.56.0 0.0.7.255 94.12.98.64 0.0.0.31
 permit ip 10.108.56.0 0.0.7.255 92.7.18.48 0.0.0.15
 permit ip 10.108.24.0 0.0.7.255 10.255.251.0 0.0.0.255
 permit ip 10.108.32.0 0.0.7.255 10.255.251.0 0.0.0.255
 permit ip 10.108.40.0 0.0.7.255 10.255.251.0 0.0.0.255
 permit ip 10.108.48.0 0.0.7.255 10.255.251.0 0.0.0.255
 permit ip 10.108.56.0 0.0.7.255 10.255.251.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
banner exec ^C


^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 privilege level 15
 login local
 transport input all
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

FRA-MAS-4G-RTR#

!

I can't see anything in the configuration that would cause the above scenario. Ping to all remote devices works but nothing else does.

Any help is greatly appreciated as I can't manage the routers or switches on the remote end.

Thanks

Feisal
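Two things in the posted configuration are worth checking alongside the carrier question. First, the NAT access list (`permit ip 10.108.0.0 0.0.255.255 any`) overlaps the source range of the crypto ACL, and IOS performs inside-to-outside NAT before it consults the crypto map, so locally originated traffic toward the tunnelled destinations has to be exempted from NAT or it is translated and leaves the cellular interface outside the tunnel. Second, the IKE/IPsec suite (3DES, MD5, DH group 2) and the `transport input all` vty lines are weaker than current practice. The fragment below is an added example, not the poster's configuration or a Cisco-supplied template: it shows the NAT exemption, a stronger policy, SSH-only management access, and the show commands used to confirm that both remote-initiated and locally initiated flows are counted on the tunnel. The peer address `x.x.x.x`, the `MGMT` ACL name, the management source ranges and the chosen cipher suite are assumptions.

```cisco
! Added example (hypothetical hardened fragment for the 1921 in the post, not the
! poster's config). Assumes the same 10.108.0.0/16 LAN ranges, the same peer
! x.x.x.x, and an IOS 15.x image that supports AES-256/SHA-256/DH group 14.

! 1. NAT exemption. IOS translates inside-to-outside BEFORE the crypto map is
!    checked, so every crypto-ACL destination must be denied here, ahead of the
!    catch-all permit, or the traffic is PAT'd to the Cellular address and never
!    matches VPNACL-21SCHO_DYNA_1.
ip access-list extended NAT
 deny   ip 10.108.0.0 0.0.255.255 10.251.0.0 0.0.255.255
 deny   ip 10.108.0.0 0.0.255.255 10.255.251.0 0.0.0.255
 deny   ip 10.108.0.0 0.0.255.255 199.23.10.0 0.0.0.255
 deny   ip 10.108.0.0 0.0.255.255 129.18.140.64 0.0.0.31
 deny   ip 10.108.0.0 0.0.255.255 94.12.98.64 0.0.0.31
 deny   ip 10.108.0.0 0.0.255.255 92.7.18.48 0.0.0.15
 permit ip 10.108.0.0 0.0.255.255 any

! 2. Stronger IKEv1 policy and transform set. 3DES/MD5/group 2 are deprecated;
!    the far end (RTR-A) must be changed to match before this is applied.
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto ipsec transform-set TUN-ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPN_CRYPTO 10 ipsec-isakmp
 set transform-set TUN-ESP-AES256-SHA256
 set pfs group14

! 3. Management plane: no cleartext telnet or HTTP, and vty access restricted to
!    the head-end range and the local management VLAN (assumed source ranges).
no ip http server
ip access-list standard MGMT
 permit 10.251.0.0 0.0.255.255
 permit 10.108.28.0 0.0.0.255
line vty 0 15
 access-class MGMT in
 transport input ssh
 exec-timeout 10 0

! 4. Verification (exec mode). For a flow started by the far end, "pkts decaps"
!    should climb and "pkts encaps" should climb for the replies. Decaps rising
!    while encaps stays at 0 means the return traffic is leaving outside the
!    tunnel (for example because it was NAT-translated), not that the carrier
!    dropped it; an entry in the NAT table for a 10.251.x destination confirms it.
! show crypto session detail
! show crypto ipsec sa peer x.x.x.x | include ident|pkts encaps|pkts decaps
! show ip nat translations | include 10.251.
! show access-lists NAT
```

Read the encaps/decaps counters per proxy identity (the `local ident`/`remote ident` pair) rather than for the peer as a whole, since the crypto ACL creates a separate SA pair for each permit line, and compare the hit counts on the NAT access list before and after a locally initiated test from a 10.108.x host.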


2 Replies

feisalb
Level 1

Good old RELOAD did the trick.

whiteson12
Level 1

Great work on setting up the dynamic VPN over a 4G connection! It seems like you've successfully established a LAN-to-LAN tunnel using a 1921 router. However, you're facing some issues with accessing certain services once the tunnel is up. From your description, it appears that you can ping the destination but are unable to telnet to the sub-interface, even from the VPN gateway's loopback. Additionally, when trying to ping from a host behind a firewall, the ping fails until the remote end pings the host first.

Based on the provided configuration, I don't see any obvious issues that could cause this behavior. It's possible that the 4G service provider might be causing the problem, as incoming traffic seems to be denied when the tunnel is up, unless initiated from the remote end. It's worth exploring this possibility further and discussing it with your support team.

In the meantime, keep up the great work and continue to troubleshoot the issue. I hope you can resolve it soon, as it's crucial for managing the routers and switches on the remote end.
