Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1645
Views
0
Helpful
10
Replies

Lose Connectivity when IPSEC tunnel comes up

CompuVision Admin
Level 1
Level 1

‎09-11-2012 02:58 PM - edited ‎03-04-2019 05:32 PM

Normally I'd have a rough idea of where to start, but I'm not sure if this is a NAT/ZBF or IPSEC issue at this stage.

Without the crypto map map1 assigned to the outside interface, everything works fine. Internal hosts can access the internet, I can ping the router externally. So the ZBF is allowing the required traffic.

As soon as I assign crypto map map1 to GigabitEthernet0 (WAN), the inside hosts can no longer access the internet. They can however ping/access hosts across the VPN tunnel. So basically, as soon as the tunnel comes up, access to anything outside that cryptomap ceases to function.

As far as I can tell everything is correct, so I'm a bit baffled. Hoping someone can take a look over the config.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.11 15:38:47 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 7711 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR1
!
boot-start-marker
boot system flash c890-universalk9-mz.151-4.M2.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
!
aaa new-model
!
!
aaa authentication login NetworkAdmins group radius local
aaa authorization console
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.4.1.1 10.4.1.99
ip dhcp excluded-address 10.4.1.201 10.4.1.254
 ip dhcp excluded-address 10.4.2.1 10.4.2.99
ip dhcp excluded-address 10.4.2.201 10.4.2.254
!
ip dhcp pool lv-data
 network 10.4.1.0 255.255.255.0
 domain-name XXXXX.com
 dns-server 10.1.10.1 8.8.8.8 
 default-router 10.4.1.254 
 lease 7
!
ip dhcp pool lv-voice
 network 10.4.2.0 255.255.255.0
 domain-name XXXXX.com
 default-router 10.4.2.254 
 dns-server 10.1.10.1 
 lease 7
!
!
ip cef
no ip bootp server
ip domain name XXXX.com
ip name-server 10.1.10.1
ip name-server 8.8.8.8
no ipv6 cef
 !
!
!
!
multilink bundle-name authenticated
!
!
object-group network locationB-networks 
 10.4.1.0 255.255.255.0
 10.4.2.0 255.255.255.0
!
object-group network locationA-networks 
 10.1.10.0 255.255.255.0
 10.1.11.0 255.255.255.0
 10.1.12.0 255.255.255.0
 10.1.13.0 255.255.255.0
!
 username admin privilege 15 secret 
crypto ikev2 proposal ESP-AES-SHA 
 encryption aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy policy1 
 proposal ESP-AES-SHA
!
crypto ikev2 keyring keyring1
 peer locationA
  address 209.XX.XX.130
  pre-shared-key XXXXXXX
 !
!
!
crypto ikev2 profile locationA
 match identity remote address 209.XX.XX.130 255.255.255.255 
 authentication local pre-share
 authentication remote pre-share
 keyring keyring1
!
!
!
 ip tcp synwait-time 10
ip ssh time-out 60
!
class-map type inspect match-all management
 match access-group name manage-ports
 match access-group name manage-hosts
 match protocol tcp
class-map type inspect match-all icmp
 match protocol icmp
class-map type inspect match-all vpn-traffic
 match access-group name vpn-protocols
class-map type inspect match-any all-protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect inside-to-inside
 class class-default
  pass
policy-map type inspect inside-to-self
 class class-default
   pass
policy-map type inspect self-to-any
 class class-default
  pass
policy-map type inspect inside-to-outside
 class type inspect all-protocols
  inspect 
 class class-default
  drop
policy-map type inspect outside-to-self
 class class-default
  pass
!
zone security inside
zone security outside
zone-pair security inside-to-inside source inside destination inside
 service-policy type inspect inside-to-inside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside
zone-pair security inside-to-self source inside destination self
 service-policy type inspect inside-to-self
 zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self
! 
!
!
!
crypto map map1 10 ipsec-isakmp 
 set peer 209.XX.XX.130
 set ikev2-profile locationA
 match address locationA-cryptomap
!
!
!
!
!
interface FastEthernet0
 switchport voice vlan 6
 no ip address
!
interface FastEthernet1
 switchport voice vlan 6
 no ip address
!
interface FastEthernet2
  switchport voice vlan 6
 no ip address
!
interface FastEthernet3
 switchport voice vlan 6
 no ip address
!
interface FastEthernet4
 switchport voice vlan 6
 no ip address
!
interface FastEthernet5
 switchport voice vlan 6
 no ip address
!
interface FastEthernet6
 switchport voice vlan 6
 no ip address
!
interface FastEthernet7
 switchport voice vlan 6
 no ip address
!
interface FastEthernet8
  no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 24.120.XXX.10X 255.255.255.224
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security outside
 duplex auto
 speed auto
 no cdp enable
!
 interface Vlan1
 description Data$FW_INSIDE$
 ip address 10.4.1.254 255.255.255.0
 no ip redirects
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 ip tcp adjust-mss 1452
!
interface Vlan6
 description Voice$FW_INSIDE$
 ip address 10.4.2.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 zone-member security inside
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
  no ip proxy-arp
 encapsulation slip
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map nat-default interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 24.XXX.135.XX
!
ip access-list extended manage-hosts
 permit ip 209.XX.XX.128 0.0.0.15 any
ip access-list extended manage-protocols
 permit tcp any any eq 443
 permit tcp any any eq 22
ip access-list extended nat-default
deny ip object-group locationB object-group locationA 
permit ip 10.4.1.0 0.0.0.255 any
 permit ip 10.4.2.0 0.0.0.255 any
ip access-list extended locationA-cryptomap
 permit ip object-group locationB-networks object-group locationA-networks
ip access-list extended vpn-protocols
 permit esp any any
  permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit ahp any any
ip access-list extended vty-access
 permit tcp 10.4.1.0 0.0.0.255 any eq 22 log
 permit tcp 10.1.10.0 0.0.0.255 any eq 22 log
 permit tcp 10.1.5.0 0.0.0.255 any eq 22 log
!
logging trap debugging
no cdp run
!
!
!
!
route-map nat-default permit 10
 match ip address nat-default
!
!
!
!
!
control-plane
!
 !
!
!
mgcp profile default
!
!
!
!
banner login ^C
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
 Disconnect IMMEDIATELY if you are not an authorized user!!! 
 All actions are monitored and recorded.
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
^C
banner motd ^C
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
 Disconnect IMMEDIATELY if you are not an authorized user!!! 
 All actions are monitored and recorded.
*************** >>>  AUTHORIZED ACCESS ONLY!  <<< ***************
 ^C
!
line con 0
 exec-timeout 30 0
 logging synchronous
 transport output telnet ssh
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet ssh
line vty 0 4
 access-class vty-access in
 privilege level 15
 logging synchronous
 login authentication NetworkAdmins
 transport input ssh
 transport output telnet ssh
line vty 5 15
 access-class vty-access in
 privilege level 15
 logging synchronous
  login authentication NetworkAdmins
 transport input ssh
 transport output telnet ssh
!
scheduler interval 500
ntp update-calendar
ntp server 208.73.56.29 prefer source GigabitEthernet0
end

Labels:
0 Helpful
10 Replies 10

Julio Carvajal
VIP Alumni
VIP Alumni

‎09-11-2012 04:11 PM

hello,

I just checked the Nat configuration and its perfect as you suggested.

The crypto ACL is also fine.

I just review the ZBFW setup and it looks perfect, any logs from the time you attemtp to connect to the internet with the crypto map on?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

CompuVision Admin
Level 1
Level 1
In response to Julio Carvajal

‎09-11-2012 06:40 PM

NAT appears to be working correctly. I took the ZBF completely out so the router was free for all. Confirmed traffic was working. Applied the crypto map again. Once again tunnel traffic worked but everything else ceased to pass.

I'm completely baffled.

debug ip nat detailed

000074: Sep 11 18:12:15.223 PDT: NAT*: s=10.4.1.124->24.XXX.XXX.104, d=10.1.6.249 [31251]
000075: Sep 11 18:12:15.595 PDT: NAT*: i: tcp (10.4.1.107, 58031) -> (10.1.6.249, 135) [10195]
000076: Sep 11 18:12:15.595 PDT: NAT*: s=10.4.1.107->24.XXX.XXX.104, d=10.1.6.249 [10195]
000077: Sep 11 18:12:15.611 PDT: NAT: expiring 24.XXX.XXX.104 (10.4.1.117) tcp 54027 (54027)
000078: Sep 11 18:12:15.611 PDT: NAT-SymDB: DB is either not enabled or not initiated.
000079: Sep 11 18:12:15.719 PDT: NAT*: i: tcp (10.4.1.107, 58030) -> (10.1.6.249, 5440) [10196]
000080: Sep 11 18:12:15.719 PDT: NAT*: s=10.4.1.107->24.XXX.XXX.104, d=10.1.6.249 [10196]
000081: Sep 11 18:12:16.567 PDT: NAT*: i: tcp (10.4.1.110, 3882) -> (50.18.50.50, 443) [6311]
000082: Sep 11 18:12:16.567 PDT: NAT*: s=10.4.1.110->24.XXX.XXX.104, d=50.18.50.50 [6311]
000083: Sep 11 18:12:17.147 PDT: NAT: expiring 24.XXX.XXX.104 (10.4.1.104) tcp 56051 (56051)

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to CompuVision Admin

‎09-11-2012 09:49 PM

Hello,

Pretty weird issue, have not seen it before, looks like the router is not being able to route properly or to Nat properly

Can you check the IP routing table while you have the crypto map enabled please?

Also post the configuration with the crypto map applied

I will check my database to see if I found something,

I will keep you posted.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to CompuVision Admin

‎09-12-2012 08:25 AM

Hello,

ip access-list extended nat-default

deny ip object-group locationB object-group locationA

permit ip 10.4.1.0 0.0.0.255 any

permit ip 10.4.2.0 0.0.0.255 any

object-group network locationB-networks

10.4.1.0 255.255.255.0

10.4.2.0 255.255.255.0

!

object-group network locationA-networks

10.1.10.0 255.255.255.0

10.1.11.0 255.255.255.0

10.1.12.0 255.255.255.0

10.1.13.0 255.255.255.0

ip nat inside source route-map nat-default interface GigabitEthernet0 overload

On the ACL you are using the objects  locationB and localtionA and I do not see them on the config.

Can you change them to locationB-networks and locationA-networks

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

CompuVision Admin
Level 1
Level 1
In response to Julio Carvajal

‎09-12-2012 09:02 AM

Thanks for following up. That is just a typo on my part. The dumped config was missing that deny ACE so I typed it in manually when I posted the running-config. It is correct on the device itself.

Going to take another stab at this later today. Unfortunately it's a production router so my time windows are limited. I'm also going to upgrade to IOS 15.2 on the off chance that what I'm experiencing is a bug. This is the first time I've used IKEv2 so I'm wondering if I'm missing something on that front.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to CompuVision Admin

‎09-12-2012 10:15 AM

Hello,

Okey, please attached the updated configuration with the crypto map applied.

Also can you do a show crypto ipsec sa and placed it in here as well

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

CompuVision Admin
Level 1
Level 1
In response to Julio Carvajal

‎09-14-2012 10:46 PM

Ok update. I had to wait for some down time.

With the tunnel up I'm seeing the following. From what I can tell that indicates to is seeing packets it thinks should be going over the tunnel but aren't encrypted so it drops them, which would indicate an access-list problem.. I don't see a problem with the ACL's though.

debug ip icmp

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

sh crypto ipsec sa

interface: GigabitEthernet0
    Crypto map tag: map1, local addr 24.XXX.XXX.104
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 209.XX.XX.130 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 411, #recv errors 0
     local crypto endpt.: 24.XXX.XXX.104, remote crypto endpt.: 209.XX.XX.130
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)
   current_peer 209.XX.XX.130 port 500
     PERMIT, flags={}
    #pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422
    #pkts decaps: 389, #pkts decrypt: 389, #pkts verify: 389
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 24.XXX.XXX.104, remote crypto endpt.: 209.XX.XX.130
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0x4ABEC199(1254015385)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x62C01C4E(1656757326)
        transform: esp-aes esp-sha-hmac ,
    in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4519480/3519)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4ABEC199(1254015385)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4519472/3519)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to CompuVision Admin

‎09-15-2012 10:53 AM

Hello,

Here is the issue:

local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

Based on this looks like all traffic is going over the VPN tunnel.

The question is why as the configuration is the right one.

Is there a way you could reboot your router?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

CompuVision Admin
Level 1
Level 1
In response to Julio Carvajal

‎09-15-2012 04:58 PM

It has been rebooted a few times now. I'm dumbfounded myself. I've gone over the config 1000+ times an I just don't see anything wrong.

Currently waiting on my service contract for entitlement to download the latest IOS. See if's a bug. Other than that I'm stumped.

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to CompuVision Admin

‎09-15-2012 11:28 PM

Agree with you.

I run a lab just to make sure the IKEV2 setup was correct and mine work with no problem.

Please upgrade and let us know the result,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card