03-30-2013 09:02 AM - edited 03-04-2019 07:27 PM
Hello,
I am trying to diagnose an IPSec VPN issue. I can establish the VPN. Packets seem to be arriving. They are being decrypted but they are not exiting the router.
The setup uses a 1741w with 2 x ADSL routers, but for the purpose of my debug I have disabled one. Wireless is also disabled.
IP CEF is off, but I have also tried with CEF on. The packet still does not exit the router.
Wireshark is running on the target system (90.155.11.181) and is filtering for tcp port 80. It is picking up requests from other IPs.
I am using IOS 15.3 and have a working zone-based firewall. I've established a site-to-site VPN using a crypto map as follows:
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
!
policy-map type inspect ccp-permit-inservice
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop log
!
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-inservice
!
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 90.155.11.128 0.0.0.127 192.168.5.0 0.0.0.255
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 192.168.5.0 0.0.0.255 90.155.11.128 0.0.0.127
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0 no-xauth
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
match address 101
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
!
interface Dialer1
description $FW_OUTSIDE$
bandwidth 6000
ip address negotiated
ip flow ingress
ip flow egress
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxx password 0 xxx
crypto map SDM_CMAP_1
!
The packet trace looks like this:
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50864 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50863 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, CCE Post NAT Classification(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50862 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50861 | *Mar 30 15:24:25.285: IP: tableid=0, s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), routed via RIB |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50860 | , MCI Check(90), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50859 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50858 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50857 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(49), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50856 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50855 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, Virtual Fragment Reassembly(33), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50854 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50853 | *Mar 30 15:24:25.285: TCP src=62148, dst=80, seq=1866716499, ack=0, win=65535 SYN, Ingress-NetFlow(29), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50852 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50851 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, packet consumed, Firewall (firewall component)(42), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50850 | (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50849 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50848 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, CCE Post NAT Classification(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50847 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50846 | *Mar 30 15:24:25.285: IP: tableid=0, s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), routed via RIB |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50845 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, MCI Check(90), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50844 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50843 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(49), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50842 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50841 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Virtual Fragment Reassembly(33), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50840 | , len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50839 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50838 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Ingress-NetFlow(29), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50837 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50836 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, packet consumed, Firewall (firewall component)(42), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50835 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50834 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, CCE Post NAT Classification(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50833 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50832 | *Mar 30 15:24:25.285: IP: tableid=0, s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), routed via RIB |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50831 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, MCI Check(90), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50830 | , len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50829 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50828 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(49), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50827 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50826 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, Virtual Fragment Reassembly(33), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50825 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50824 | *Mar 30 15:24:25.285: TCP src=62150, dst=80, seq=3741048627, ack=0, win=65535 SYN, Ingress-NetFlow(29), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50823 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50822 | *Mar 30 15:24:25.285: Punt packet to process switch |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50821 | *Mar 30 15:24:25.285: crypto_ceal_post_decrypt_switch: calling process switch |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50820 | *Mar 30 15:24:25.285: post_crypto_ip_decrypt: Data just decrypted, 48 bytes |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50819 | 0E311420: 1F7E0000 020405B4 04020000 .~.....4.... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50818 | 0E311410: F2C40050 6F43D553 00000000 7002FFFF rD.PoCUS....p... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50817 | 0E311400: 5AA84000 3F06B429 C0A805FE 5A9B0BB5 Z(@.?.4)@(.~Z..5 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50816 | 0E3113F0: 45000030 E..0 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50815 | *Mar 30 15:24:25.281: After decryption: |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50814 | 0E311400: 181A7FC8 9087856B ...H...k ... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50813 | 0E3113F0: 00000025 23E8EB50 F31507F7 EDAC2AA9 ...%#hkPs..wm,*) |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50812 | 0E3113E0: 3F3233E8 51BBFCF6 5A9B5E2F 3B3D2F31 ?23hQ;|vZ.^/;=/1 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50811 | 0E3113D0: 45000068 00004000 E..h..@. |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50810 | *Mar 30 15:24:25.281: Before decryption: |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50809 | *Mar 30 15:24:25.281: Punt packet to process switch |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50808 | *Mar 30 15:24:25.281: crypto_ceal_post_decrypt_switch: calling process switch |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50807 | *Mar 30 15:24:25.281: post_crypto_ip_decrypt: Data just decrypted, 48 bytes |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50806 | 0D5A77A0: 7F0B0000 020405B4 04020000 .......4.... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50805 | 0D5A7790: F2C50050 6C5078B8 00000000 7002FFFF rE.PlPx8....p... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50804 | 0D5A7780: 888D4000 3F068644 C0A805FE 5A9B0BB5 ..@.?..D@(.~Z..5 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50803 | 0D5A7770: 45000030 E..0 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50802 | *Mar 30 15:24:25.281: After decryption: |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50801 | 0D5A7780: 698DFA02 CD87BD21 i.z.M.=! ... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50800 | 0D5A7770: 00000024 839DC02B 9884796E 82DBC77A ...$..@+..yn.[Gz |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50799 | 0D5A7760: 3F3233E8 51BBFCF6 5A9B5E2F 3B3D2F31 ?23hQ;|vZ.^/;=/1 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50798 | 0D5A7750: 45000068 00004000 E..h..@. |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50797 | *Mar 30 15:24:25.281: Before decryption: |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50796 | *Mar 30 15:24:25.281: Punt packet to process switch |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50795 | *Mar 30 15:24:25.281: crypto_ceal_post_decrypt_switch: calling process switch |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50794 | *Mar 30 15:24:25.281: post_crypto_ip_decrypt: Data just decrypted, 48 bytes |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50793 | 0E317420: A5E30000 020405B4 04020000 %c.....4.... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50792 | 0E317410: F2C60050 DEFBDF33 00000000 7002FFFF rF.P^{_3....p... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50791 | 0E317400: C6D64000 3F0647FB C0A805FE 5A9B0BB5 FV@.?.G{@(.~Z..5 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50790 | 0E3173F0: 45000030 E..0 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50789 | *Mar 30 15:24:25.281: After decryption: |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50788 | 0E317400: EB77106D C78EA197 kw.mG.!. ... |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50787 | 0E3173F0: 00000023 B33F5C0D 00F29B2B 394EF8D6 ...#3?\..r.+9NxV |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50786 | 0E3173E0: 3F3233E8 51BBFCF6 5A9B5E2F 3B3D2F31 ?23hQ;|vZ.^/;=/1 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50785 | 0E3173D0: 45000068 00004000 E..h..@. |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50784 | *Mar 30 15:24:25.281: Before decryption: |
At 50784 the packet enters and is being decrypted.
At 50822 the packet is 'punted' to process switch.
From then on the packet seems in transit up to 'output feature'.
Can anyone here tell what's happening to the packet? The router seems to know that the destination address (90.155.11.181) is on GigabitEthernet0/0, but the packet never arrives. Wireshark never registers the request, so as far as I can see the packet is not exiting the router.
Can anyone help interpret the packet debug? Can anyone tell where the packet is going?
Thanks
Chris
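The export above is hard to read because the syslog collector wrote it newest-first and split several IOS lines across two messages (50839/50840 and 50849/50850, for instance), so the per-packet story runs backwards and in pieces. The script below is an added example, not code from the original post or from Cisco: it re-sorts the export by the syslog sequence number, re-joins the split lines, groups the `debug ip packet detail` events by TCP source port and reports the last feature that handled each packet. The sample input is the fifteen lines for source port 62149 copied from the trace above; on those lines the final event is "packet consumed, Firewall (firewall component)(42)" at the output-feature stage towards GigabitEthernet0/0, i.e. the firewall feature took the SYN after routing, not the crypto path. The trace records which feature consumed the packet but not why; the posted excerpt shows no zone membership for GigabitEthernet0/0, so which zone pair and policy applied cannot be read from it. The column layout and the regular expressions are assumptions matched to this particular export format.

```python
"""Reconstruct per-packet feature paths from a syslog export of Cisco IOS
'debug ip packet detail' output (added example; not from the original post)."""
import re
from collections import defaultdict

# Constructed sample: the fifteen export lines for TCP source port 62149 copied
# from the trace in the post. The export is newest-first and the column before
# the message is the syslog sequence number; IOS lines the collector split in
# two (50839/50840 and 50849/50850) are re-joined by messages() below.
SAMPLE_EXPORT = """\
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50851 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, packet consumed, Firewall (firewall component)(42), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50850 | (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50849 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50848 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, CCE Post NAT Classification(40), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50847 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), len 48, output feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50846 | *Mar 30 15:24:25.285: IP: tableid=0, s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 (GigabitEthernet0/0), routed via RIB |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50845 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, MCI Check(90), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50844 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50843 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(49), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50842 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50841 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Virtual Fragment Reassembly(33), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50840 | , len 48, input feature |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50839 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181 |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50838 | *Mar 30 15:24:25.285: TCP src=62149, dst=80, seq=1817213112, ack=0, win=65535 SYN, Ingress-NetFlow(29), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE |
2013-03-30 | 15:24:14 | debug | 90.155.11.129 | local7 | 50837 | *Mar 30 15:24:25.285: IP: s=192.168.5.254 (GigabitEthernet0/1), d=90.155.11.181, len 48, input feature |
"""

TIMESTAMP = re.compile(r"^\*\w{3} +\d+ [\d:.]+: ")
# "IP: [tableid=N, ]s=SRC (IN_IF), d=DST[ (OUT_IF)], ..." header line
IP_LINE = re.compile(
    r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: ?\((?P<out_if>[^)]+)\))?")
# "TCP src=..., dst=..., ... FLAGS, [packet consumed, ]FEATURE(ID), rtype ..." detail line
TCP_LINE = re.compile(
    r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+).*?, "
    r"(?P<consumed>packet consumed, )?(?P<feature>[^,]+?)\((?P<fid>\d+)\), rtype")


def messages(export):
    """Return (seq, message) pairs in chronological order with split lines re-joined."""
    rows = []
    for line in export.splitlines():
        cols = [c.strip() for c in line.split(" | ")]
        if len(cols) >= 7 and cols[5].isdigit():
            rows.append((int(cols[5]), cols[6].rstrip(" |")))
    rows.sort()                                         # the export was newest-first
    joined = []
    for seq, msg in rows:
        if not msg:
            continue
        if msg.startswith("*") or not joined:           # a new IOS message
            joined.append([seq, TIMESTAMP.sub("", msg)])
        else:                                           # continuation of the previous one
            joined[-1][1] += ("" if msg[0] in ",)" else " ") + msg
    return [tuple(j) for j in joined]


def reconstruct_flows(export):
    """Group the trace by TCP source port. Each event records the switching stage,
    the feature that handled the packet and whether that feature consumed it."""
    flows = defaultdict(list)
    header, port = None, None
    for seq, msg in messages(export):
        ip = IP_LINE.search(msg)
        if ip and "routed via RIB" in msg:              # forwarding decision for the packet just inspected
            if port is not None:
                flows[port].append(dict(seq=seq, stage="forwarding", feature="routed via RIB",
                                        out_if=ip["out_if"], consumed=False))
            continue
        if ip:                                          # header for the TCP detail line that follows
            header = dict(stage="output" if "output feature" in msg else "input",
                          out_if=ip["out_if"])
            continue
        tcp = TCP_LINE.search(msg)
        if tcp and header:
            port = int(tcp["sport"])
            flows[port].append(dict(seq=seq, stage=header["stage"],
                                    feature=f"{tcp['feature']}({tcp['fid']})",
                                    out_if=header["out_if"],
                                    consumed=tcp["consumed"] is not None))
            header = None
    return dict(flows)


def final_disposition(flows):
    """Last feature that touched each packet: the place to look when a packet vanishes."""
    result = {}
    for port, events in sorted(flows.items()):
        last = events[-1]
        verb = "consumed by" if last["consumed"] else "last seen at"
        result[port] = f"{verb} {last['feature']} [{last['stage']}, out_if={last['out_if']}]"
    return result


if __name__ == "__main__":
    flows = reconstruct_flows(SAMPLE_EXPORT)
    for port, events in sorted(flows.items()):
        print(f"TCP source port {port}:")
        for e in events:
            print(f"  {e['seq']}  {e['stage']:<10} {e['feature']}" + ("  <- consumed" if e["consumed"] else ""))
    for port, verdict in final_disposition(flows).items():
        print(f"port {port}: {verdict}")
```

Run it on the whole export (all three source ports, hex dumps included; the dump lines match neither pattern and are ignored) to get one ordered feature path per SYN. A packet whose last event is "consumed" never reached the output interface, which is consistent with the capture on 90.155.11.181 seeing nothing, and the feature named on that event is the one to interrogate next.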