- Cisco Community
- Technology and Support
- Networking
- Routing
- Help interpreting IOS ip packet debug detail results to help resolve VPN problem?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Help interpreting IOS ip packet debug detail results to help resolve VPN problem?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-30-2013 09:02 AM - edited 03-04-2019 07:27 PM
Hello,
I am trying to diagnose a IPSec VPN issue. I can extablish VPN. Packets seem to be arriving. They are being decrypted but they are not exiting the router.
The setup uses an 1741w with 2 x ADSL router but for the purpose of my debug I have disabled one. Wireless is also disabled.
ip CEF is off but I have also tried with CEF on. The packet still does not exit thr router.
Wireshark is running on the target system (90.155.11.181) and is filtering for tcp port 80. It is picking up requests from other IPs.
I am using IOS 15.3 and have a working zone based firewall. I've established a site to site VPN using a crypto map as follows:
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
!
policy-map type inspect ccp-permit-inservice
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop log
!
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-inservice
!
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 90.155.11.128 0.0.0.127 192.168.5.0 0.0.0.255
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 192.168.5.0 0.0.0.255 90.155.11.128 0.0.0.127
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0 no-xauth
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
match address 101
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
!
interface Dialer1
description $FW_OUTSIDE$
bandwidth 6000
ip address negotiated
ip flow ingress
ip flow egress
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxx password 0 xxx
crypto map SDM_CMAP_1
!
The packet trace looks like this:
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50864 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50863 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, CCE Post NAT Classification(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50862 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50861 | *Mar 30 15:24:25.285: IP: tableid=0, s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), routed via RIB |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50860 | , MCI Check(90), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50859 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50858 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50857 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(49), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50856 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50855 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, Virtual Fragment Reassembly(33), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50854 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50853 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, Ingress-NetFlow(29), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50852 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50851 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, packet consumed, Firewall (firewall component)(42), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50850 | (GigabitEthernet0/0), len 48, output feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50849 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50848 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, CCE Post NAT Classification(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50847 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50846 | *Mar 30 15:24:25.285: IP: tableid=0, s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), routed via RIB |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50845 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, MCI Check(90), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50844 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50843 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(49), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50842 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50841 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Virtual Fragment Reassembly(33), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50840 | , len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50839 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50838 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Ingress-NetFlow(29), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50837 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50836 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, packet consumed, Firewall (firewall component)(42), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50835 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50834 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, CCE Post NAT Classification(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50833 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50832 | *Mar 30 15:24:25.285: IP: tableid=0, s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), routed via RIB |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50831 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, MCI Check(90), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50830 | , len 48, input feature |
| 2013-03-30 | 15:24:14 | debug | 90.155.11.129 |