10-10-2016 10:02 AM - edited 03-05-2019 07:14 AM
I have two remote LANs that I'm trying to connect.
At the end of one I have an RV082 small business router and at the other one, I've got an RV180 small business router.
I've made sure that the encryption and authentication match with what I've got on my 2851.
It appears as though the tunnel is created properly and is active but I cannot ping from the 2851 to either of the other two routers.
IP addresses below are of course fake.
Here's the output from sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.10.10 20.20.20.20 QM_IDLE 1029 ACTIVE
10.10.10.10 30.30.30.30 QM_IDLE 1028 ACTIVE
Here's the output from sh crypto ipsec sa
Crypto map tag: vpnset, local addr 10.10.10.10
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 20.20.20.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4109, #pkts encrypt: 4109, #pkts digest: 4109
#pkts decaps: 3922, #pkts decrypt: 3922, #pkts verify: 3922
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 20.20.20.20
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer 20.20.20.20 port 500
PERMIT, flags={}
#pkts encaps: 11349, #pkts encrypt: 11349, #pkts digest: 11349
#pkts decaps: 14169, #pkts decrypt: 14169, #pkts verify: 14169
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 20.20.20.20
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xD1CEC2A(219999274)
PFS (Y/N): Y, DH group: group1
inbound esp sas:
spi: 0x1F851ADD(528816861)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2327, flow_id: Onboard VPN:327, sibling_flags 80000046, crypto map: vpnset
sa timing: remaining key lifetime (k/sec): (4545766/1711)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD1CEC2A(219999274)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2328, flow_id: Onboard VPN:328, sibling_flags 80000046, crypto map: vpnset
sa timing: remaining key lifetime (k/sec): (4541630/1711)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 30.30.30.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 30.30.30.30
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 30.30.30.30 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.10, remote crypto endpt.: 30.30.30.30
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x7730C889(1999685769)
PFS (Y/N): Y, DH group: group1
inbound esp sas:
spi: 0x96D989C7(2530838983)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2329, flow_id: Onboard VPN:329, sibling_flags 80000046, crypto map: vpnset
sa timing: remaining key lifetime (k/sec): (4428983/2778)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7730C889(1999685769)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2330, flow_id: Onboard VPN:330, sibling_flags 80000046, crypto map: vpnset
sa timing: remaining key lifetime (k/sec): (4428983/2778)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
I've got a Cisco 2851 Router configured as follows:
Building configuration...
Current configuration : 4677 bytes
!
! Last configuration change at 17:15:44 UTC Mon Oct 10 2016
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ORIONRT01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 InTtoRkWqyUp3aameBRcn5XPvgoeWpqm4eGwGnsdKHc
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip name-server 192.168.1.55
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2851 sn FTX1226A1PU
archive
log config
hidekeys
!
redundancy
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key supersecretkey address 20.20.20.20
crypto isakmp key supersecretkey address 30.30.30.30
!
!
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 20.20.20.20
set transform-set vpnset
match address 101
crypto map vpnset 20 ipsec-isakmp
set peer 30.30.30.30
set transform-set vpnset
match address 102
!
!
!
!
!
!
interface GigabitEthernet0/0
description WAN
ip address 10.10.10.10 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpnset
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.1.1 255.255.252.0 secondary
ip address 192.168.1.6 255.255.252.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.4 80 10.10.10.10 80 extendable
".. lots more static NAT rules "
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
access-list 115 deny ip 192.168.0.0 0.0.3.255 192.168.10.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.3.255 any
access-list 120 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.3.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.3.255
!
!
!
!
route-map nonat permit 10
match ip address 110 115
!
10-10-2016 10:49 AM
We do not know enough yet to accurately identify the source of the issue. Here are some observations and questions that I hope may help us move forward in solving this issue.
- the output shows that the tunnel to 20.20.20.20 is passing traffic in both directions and as such we can mostly assume that this VPN tunnel is working correctly.
- the output shows that the tunnel to 30.30.30.30 is not passing traffic in either direction. The tunnel comes up but does not pass traffic. This suggests that the crypto parameters are probably correct but that there is some issue with identifying and processing the IP traffic to be carried through the tunnel.
- Can you clarify how you are testing? Are you pinging from the router itself or from something connected to the router? What address on the remote side are you pinging to?
HTH
Rick
10-10-2016 10:54 AM
Hi Richard thanks for the reply.
I am pinging from the 2851.
The 192.168.4.0 network is on the inside of 20.20.20.20.
I tried pinging various hosts on that network from the 2851.
Here's an output showing ping and traceroute
ORIONRT01#ping 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ORIONRT01#ping 192.168.4.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.200, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ORIONRT01#tracero
ORIONRT01#traceroute 192.168.4.1
Type escape sequence to abort.
Tracing the route to 192.168.4.1
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.0.1 4 msec 8 msec 8 msec
2 * * *
I'm not too worried about 30.30.30.30 yet. I'm more worried about making the other tunnel work first.
10-10-2016 11:20 AM
Thanks for the additional information which does clarify the issue quite nicely. The issue is that you are pinging from the 2851. By default, when the router pings, it makes the source address of the packet the IP of the outbound interface. So the source address of your ping is 10.10.10.10. But the crypto map of the router does not identify any traffic with source address of 10.10.10.10 to be carried through the tunnel.
The easy way to fix this is that in your ping you specify the source address to be Gig0/1.
HTH
Rick
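As an added illustration of the point in this answer (example code, not from the thread, Cisco or the RV routers): the 2851's crypto ACLs modelled with IOS wildcard-mask semantics, showing why a ping sourced from the Gig0/0 address 10.10.10.10 is never selected for encryption while one sourced from Gig0/1 is. Interface names, addresses and ACLs are taken from the posted config; `usable_ping_sources` is a helper made up for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the crypto ACLs on the 2851 in this thread (the
# "match address" lists of crypto map vpnset), in IOS network/wildcard form.
@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "<network> <wildcard>" or "any"
    dst: str

def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"

ACL_101 = [Ace("permit", "192.168.0.0 0.0.3.255", "192.168.4.0 0.0.0.255")]
ACL_102 = [Ace("permit", "192.168.0.0 0.0.3.255", "192.168.10.0 0.0.0.255")]

# crypto map vpnset, evaluated in sequence-number order: (seq, peer, acl)
CRYPTO_MAP = [(10, "20.20.20.20", ACL_101), (20, "30.30.30.30", ACL_102)]

def crypto_map_lookup(src: str, dst: str):
    """Return (seq, peer) of the entry that would encrypt src->dst, or None if
    the packet would leave GigabitEthernet0/0 in the clear."""
    for seq, peer, acl in CRYPTO_MAP:
        if acl_action(acl, src, dst) == "permit":
            return seq, peer
    return None

def usable_ping_sources(dst: str, interface_ips: dict) -> list:
    """Interfaces whose address, used as 'ping <dst> source <if>', is
    selected for encryption by the crypto map (hypothetical helper)."""
    return [name for name, ip in interface_ips.items()
            if crypto_map_lookup(ip, dst) is not None]

if __name__ == "__main__":
    ifaces = {"GigabitEthernet0/0": "10.10.10.10", "GigabitEthernet0/1": "192.168.1.6"}
    print(crypto_map_lookup("10.10.10.10", "192.168.4.1"))  # None: default ping source
    print(crypto_map_lookup("192.168.1.6", "192.168.4.1"))  # (10, '20.20.20.20')
    print(usable_ping_sources("192.168.4.1", ifaces))      # ['GigabitEthernet0/1']
```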
10-10-2016 12:25 PM
Richard, thank you so much for clarifying this for me.
It does indeed ping successfully when specifying the source interface.
10-10-2016 02:05 PM
I am glad that my suggestion did provide a solution to the problem with pinging to the remote site. I continue to believe that there is still a problem with the tunnel to 30.30.30.30 which needs to be resolved.
HTH
Rick
10-11-2016 08:32 AM
Hi Richard and thanks for the follow up. I was able to get that tunnel up as well. Thank you for all your help.
10-11-2016 08:54 AM
Thanks for the update. I am glad that you were able to get the other tunnel up. So now both VPNs are working as expected?
HTH
Rick