Suddenly RealVNC access to network quit, think Cisco router? 2-month-old setup and problem wasn't there right away...

Tony_MN
Level 1

Hello,

I am currently using some of my lab equipment for my Routing and Switching studies, where I have built a VPN to my woodshop. At home I use a Cisco 2911 router and at the shop I have a 2800 series router.

I had everything running well for a couple of weeks or more, and now I cannot access my computers there over RealVNC; RealVNC is not working. I have an IP camera in the shop that was working well; now I cannot access that over the internet as I could before either.

Suddenly I do not have access, other than that my VPN still works and regular web surfing can be done on my shop computers, and everything seems OK, but these IP cam and VNC programs quit connecting.....

I am lost right now. I currently have the CCENT cert complete and am working on CCNA completion, to better explain where I am in knowledge. I hope someone can tell me if it's my router or something else.... but as I said, with the Cisco equipment up and running, everything was working to the best of my knowledge in the beginning and now it doesn't. I cannot think of anything that has changed.

Here is my running-config

ShopV#show run

Building configuration...

Current configuration : 3927 bytes
!
! Last configuration change at 17:30:30 UTC Sat Feb 1 2020 by axxxx
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Shoxx
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 4 A1J2dxxZrIu/FxxxM.OMCIgDsjtV0suxxxxiHY2ME
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.0.10.1 10.0.10.50
!
ip dhcp pool Shoxx
 network 10.0.10.0 255.255.255.0
 default-router 10.0.10.1
 dns-server 1.0.0.1 1.1.1.1
!
!
!
ip cef
ip domain name wxxxx.boxy
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vty-async
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-95xx3xx0
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-95xxx580
 revocation-check none
 rsakeypair TP-self-signed-9591xx580
!
!
crypto pki certificate chain TP-self-signed-95xx580
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39353931 33333538 30301E17 0D313931 31313032 31353633
  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3935 39313333
  35383030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B16F7A06 62B5C856 63D4B7CF E9A39787 F3D4133A D4B739D8 E19BE18C 9B15E4F3
  63395D59 5FCC76AF 072F5515 6D6C66FB 233BE9DD 3F5EFB10 0976D0C1 BD550B4C
  D9D7754D 56699BF3 8D02EF97 792CC01F 1C654A48 0EF7E780 EBBB1A5B 7388C5C2
  2637F53B 3072848D 5774DC03 5C3FA451 A69B05AC A4C55B24 730EF986 48940551
  0905DC19 0A727CBB 509CEF2B 7F2A883C 159F8474 42E162D1 699BA062 6D5AAE53
  1DD6BDC9 BD4B5285 66CA21BE 9B
        quit
!
!
license udi pid CISCO2801 sn FTX112xxxx
license accept end user agreement
username axxxx privilege 15 secret 4 A1J2dpGZrIxxxxM.OMCIgDsjtV0su9XSECiHY2ME
!
redundancy
!
!
ip ssh version 2
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Wxxx address 68.xxx.xx.xx
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
!
crypto map MY-MAP 10 ipsec-isakmp
 set peer 68.xx.xx.xxx
 set transform-set MY-SET
 match address VPN-TRAFFIC
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.24 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map MY-MAP
!
interface FastEthernet0/1
 ip address 10.0.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
 no fair-queue
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
!
!
no ip http server
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.10.0 0.0.0.255 172.25.252.0 0.0.1.255 log
!
access-list 101 remark -=[Define NAT Service]=-
access-list 101 deny   ip 10.0.10.0 0.0.0.255 172.25.252.0 0.0.1.255 log
access-list 101 permit ip 10.0.10.0 0.0.0.255 any log
access-list 101 remark
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 password xxxxxxx
line aux 0
line vty 0 4
 password xxxxxxx
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

ShopV#

Thanks for any help!

Tony

8 Replies

Richard Burts
Hall of Fame

Tony

If I am understanding your post correctly the site to site vpn still works and computers at the shop are able to access the Internet. If this is the case it does not seem that the issue is a problem with the router at the shop. In looking at the posted config I am puzzled how the IP camera or RealVNC would be accessible other than through the vpn. Can you clarify where you are trying to access them from? Also can you provide details about the IP addresses that they use? Are they in the range of excluded addresses for your DHCP? Can you post the output of show arp from the shop router and identify in the output the addresses used for IP camera and RealVNC?

HTH

Rick

Hello,

In addition to Richard's remarks, the first thing I would do is to reboot/restart all devices (don't forget to save the configuration of the router first with 'wr mem').

I have made a few changes to your configuration, not sure what difference these make. Remove the 'log' statements from the access lists, as NAT and 'log' usually don't work well together. Changes are marked in bold:

Current configuration : 3927 bytes

!

! Last configuration change at 17:30:30 UTC Sat Feb 1 2020 by axxxx
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Shoxx
!
boot-start-marker
boot-end-marker
!
no logging console

enable secret 4 A1J2dxxZrIu/FxxxM.OMCIgDsjtV0suxxxxiHY2ME
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip dhcp excluded-address 10.0.10.1 10.0.10.50
!
ip dhcp pool Shoxx
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 1.0.0.1 1.1.1.1
!
ip cef
ip domain name wxxxx.boxy
no ipv6 cef
!
multilink bundle-name authenticated
!
vty-async
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-95xx3xx0
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-95xxx580
revocation-check none
rsakeypair TP-self-signed-9591xx580
!
crypto pki certificate chain TP-self-signed-95xx580
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39353931 33333538 30301E17 0D313931 31313032 31353633
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3935 39313333
35383030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B16F7A06 62B5C856 63D4B7CF E9A39787 F3D4133A D4B739D8 E19BE18C 9B15E4F3
63395D59 5FCC76AF 072F5515 6D6C66FB 233BE9DD 3F5EFB10 0976D0C1 BD550B4C
D9D7754D 56699BF3 8D02EF97 792CC01F 1C654A48 0EF7E780 EBBB1A5B 7388C5C2
2637F53B 3072848D 5774DC03 5C3FA451 A69B05AC A4C55B24 730EF986 48940551
0905DC19 0A727CBB 509CEF2B 7F2A883C 159F8474 42E162D1 699BA062 6D5AAE53
1DD6BDC9 BD4B5285 66CA21BE 9B
quit
!
license udi pid CISCO2801 sn FTX112xxxx
license accept end user agreement
username axxxx privilege 15 secret 4 A1J2dpGZrIxxxxM.OMCIgDsjtV0su9XSECiHY2ME
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key Wxxx address 68.xxx.xx.xx
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
!
crypto map MY-MAP 10 ipsec-isakmp
set peer 68.xx.xx.xxx
set transform-set MY-SET
match address VPN-TRAFFIC
!
interface FastEthernet0/0
ip address 192.168.1.24 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MY-MAP
!
interface FastEthernet0/1
ip address 10.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
!
--> no ip default-gateway 192.168.1.1
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended VPN-TRAFFIC
permit ip 10.0.10.0 0.0.0.255 172.25.252.0 0.0.1.255 
!
access-list 101 remark -=[Define NAT Service]=-
access-list 101 deny ip 10.0.10.0 0.0.0.255 172.25.252.0 0.0.1.255 
access-list 101 permit ip 10.0.10.0 0.0.0.255 any 
access-list 101 remark
!
control-plane
!
mgcp profile default
!
line con 0
password xxxxxxx
line aux 0
line vty 0 4
password xxxxxxx
login local
transport input ssh
!
scheduler allocate 20000 1000
end

This setup is behind a landlord's router at the location of my shop that I cannot control, 20 miles away from my house... everything seemed to work fine until recently.. I managed to use VPN and VNC to the IP address of a Raspberry Pi that I have there, and RealVNC says a network error is preventing the server from working... also speedtest in the Chrome browser has a good download value, but upload doesn't work; it says a socket error occurred. However, speedtest-cli on the command line on my Pi works and I can do good download and upload...? No clue when the landlord restarted his router last,, he isn't too technical :) I wish I knew how to set this up more easily but I'm needing more study. I got it working with some of this being static and maybe I need some other methods..

I'd like to be able to access the camera and VNC from wherever, and currently it only works if I am connected to my VPN. Before, when it worked, I could do this all from anywhere...

I added the "log" stuff yesterday to try to get some info on what was going on... the problem was there before adding "log".

Not sure what would happen right now if I removed the default-gateway address... I won't have access to the equipment if the router VPN quits until Monday...

Shooo#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.10.1 - 001b.xxx5.2f99 ARPA FastEthernet0/1
Internet 10.0.10.3 1 0023.xxx5.c839 ARPA FastEthernet0/1
Internet 10.0.10.51 0 50c7.xxx6.31bc ARPA FastEthernet0/1
Internet 10.0.10.52 145 b827.cca3.9493 ARPA FastEthernet0/1
Internet 10.0.10.53 0 00e1.xx10.102c ARPA FastEthernet0/1
Internet 10.0.10.54 6 606d.cc74.0a4f ARPA FastEthernet0/1
Internet 10.0.10.55 70 0080.bbde.73eb ARPA FastEthernet0/1
Internet 10.0.10.56 0 442c.mmd1.2a1e ARPA FastEthernet0/1
Internet 10.0.10.57 6 441c.amm1.c552 ARPA FastEthernet0/1
Internet 10.0.10.58 0 3c33.uu19.3b50 ARPA FastEthernet0/1
Internet 10.0.10.59 26 0024.kk3b.3e6d ARPA FastEthernet0/1
Internet 10.0.10.250 1 7403.pp53.5103 ARPA FastEthernet0/1
Internet 192.168.1.1 4 6cb0.cii2.04e9 ARPA FastEthernet0/0
Internet 192.168.1.6 1 a040.uu82.faf6 ARPA FastEthernet0/0
Internet 192.168.1.24 - 001b.dyy5.2f98 ARPA FastEthernet0/0
Internet 192.168.1.101 0 98de.oof9.97ee ARPA FastEthernet0/0
Shoxx#

Tony

Thanks for the additional information. I agree with @Georg Pauwen about removing the log parameter from the access list statements. It is good to know that it was a recent addition. You should remove it. But if it was a recent addition it is not likely that it is related to your problem.

I would suggest leaving the default gateway command in the config. It does no harm in the config and there is an unusual situation in which it might be useful. If there is no harm and a potential benefit then leave it.

You gave us the arp output that I asked for but no indication of which addresses relate to the IP camera or to vnc.

If it worked ok in the beginning and then stopped working then I believe there is merit in the suggestion to save all configs and reboot all your equipment. Try that and let us know the result.

Also if it worked ok in the beginning then a question we need to ask is whether there have been any changes or any events that you know of which might impact the network.

Do you have the realvnc software loaded on the pi? Is this a purchased version or is it perhaps the free trial version?

HTH

Rick

My IP cam is currently 10.0.10.58

My Pi is currently 10.0.10.52

They should both be set to DHCP so they can change any time I reload the router...

I was really impressed with RealVNC's ability to lock on and keep things working on various devices, so I have it on many things. The cameras have done a good job for inexpensive China cams. I'm guessing at this point maybe the landlord's router is/has changed but I cannot tell.

I have rebooted my router and the 'log' portion has since disappeared because I did not save that config. It's easier to just reload when I have tried lots of stuff and nothing changes; just reboot and the changes disappear. Once I have something good happen, then I will save.

Everything has been rebooted with the same results. VNC is the free version, the up to 5 computers thing.

Speed test is saying socket issue.... GUI version; the CLI version works fine.

I just can't seem to put my finger on it....

Super stoked my tunnel works and still is working though. I am just upset that something changed and my camera and RealVNC quit working as well as they did before.

Tony

Thanks for the additional information. The addresses for Realvnc and for the camera are in the DHCP range and do appear as normal in the arp output. So it looks like communication with them should be normal. And thanks for confirming that a reboot has not improved the situation. It was worth a try.

Reading again through the complete discussion I am struck by the fact that computers in that network can successfully access the Internet and that the vpn still works. So I am thinking that the problem is not something about your router, which seems to be working, but is something else. The issues you describe are about accessing resources in that remote network from outside. And I am trying to understand how that would work. Usually when we want some resource inside the network (with a private IP address) to be accessible from outside we would have some configuration of static address translation or of some port forwarding. But there is not any of that in your config. So how does access to those devices work?

I assume that Realvnc has something that can make the inside device accessible from the Internet but do not know enough about the product to know what that is and how it works. But I am wondering if it is not working correctly. And I am thinking that the fact that speed test does not work from the gui but does work from cli indicates some malfunction in the software.

I do not know how your camera is set up and how it would become accessible from the Internet but suspect that something about that is not working correctly. Perhaps you can tell us a bit more about how the camera is set up?

HTH

Rick
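Rick's question above (how an inside host could be reachable from outside when the config has no static translation or port forwarding) and Georg's earlier point about 'log' on the NAT access list can both be checked mechanically against a saved `show run`. The script below is an added example for this thread, not code from either poster, from Cisco or from RealVNC: it parses IOS-style `ip nat` and `access-list` lines and reports whether any static NAT or port forward exists, which NAT ACL entries carry `log`, and whether the VPN traffic is denied in the NAT ACL before the permit-any line. The embedded `SAMPLE_CONFIG` is a constructed fragment in the shape of the posted config; `audit()`, `parse_acls()` and `AclEntry` are this example's own names.

```python
"""Audit an IOS running-config for the NAT points raised in this thread:
is anything inside exposed by a static NAT / port forward, which NAT ACL
entries carry 'log', and is VPN traffic excluded from NAT before the
permit-any line. Added example, not code from the thread or from Cisco."""
import re
from collections import namedtuple

# Constructed sample in the shape of the posted config (same NAT/ACL lines).
SAMPLE_CONFIG = """\
ip nat inside source list 101 interface FastEthernet0/0 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.10.0 0.0.0.255 172.25.252.0 0.0.1.255 log
!
access-list 101 remark -=[Define NAT Service]=-
access-list 101 deny   ip 10.0.10.0 0.0.0.255 172.25.252.0 0.0.1.255 log
access-list 101 permit ip 10.0.10.0 0.0.0.255 any log
"""

AclEntry = namedtuple("AclEntry", "action proto src dst log raw")


def _endpoint(t, i):
    """Consume one ACL endpoint (any | host A | A WILDCARD) at t[i]."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return "host " + t[i + 1], i + 2
    return t[i] + "/" + t[i + 1], i + 2


def _entry(action, rest, raw):
    t = rest.split()
    if t[0] in ("any", "host") or t[0][0].isdigit():  # standard ACL: source only
        proto, dst = "ip", "any"
        src, i = _endpoint(t, 0)
    else:  # extended ACL with the protocol given by name
        proto = t[0]
        src, i = _endpoint(t, 1)
        dst, i = _endpoint(t, i)
    return AclEntry(action, proto, src, dst, bool({"log", "log-input"} & set(t[i:])), raw)


def parse_acls(config):
    """Return {acl_id: [AclEntry, ...]} for numbered and named ACLs."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) (permit|deny)\s+(.*)", line):
            current = None
            acls.setdefault(m.group(1), []).append(_entry(m.group(2), m.group(3), line))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif current and (m := re.match(r"(?:\d+ )?(permit|deny)\s+(.*)", line)):
            acls[current].append(_entry(m.group(1), m.group(2), line))
        elif not raw.startswith(" "):  # left the named-ACL sub-mode
            current = None
    return acls


def audit(config, vpn_acl="VPN-TRAFFIC"):
    """Return a dict with the NAT lines found, the logged NAT ACL entries,
    the VPN-exclusion verdict and a list of human-readable findings."""
    acls, nat_acl_ids = parse_acls(config), []
    rep = {"dynamic_nat": [], "static_nat": [], "logged_nat_acl_lines": [],
           "vpn_excluded_from_nat": False, "findings": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip nat inside source list (\S+) ", line):
            rep["dynamic_nat"].append(line)
            nat_acl_ids.append(m.group(1))
        elif line.startswith("ip nat inside source static"):
            rep["static_nat"].append(line)
    vpn_pairs = {(e.src, e.dst) for e in acls.get(vpn_acl, []) if e.action == "permit"}
    for acl_id in nat_acl_ids:
        entries = acls.get(acl_id, [])
        rep["logged_nat_acl_lines"] += [e.raw for e in entries if e.log]
        # Tunnel traffic must hit a 'deny' in the NAT ACL before any 'permit';
        # NAT runs before the crypto map on the outbound path.
        denied_first = set()
        for e in entries:
            if e.action == "permit":
                break
            denied_first.add((e.src, e.dst))
        if vpn_pairs and vpn_pairs <= denied_first:
            rep["vpn_excluded_from_nat"] = True
    if not rep["static_nat"]:
        rep["findings"].append("no static NAT or port forward: nothing inside is "
                               "reachable from the Internet through this router")
    if rep["logged_nat_acl_lines"]:
        rep["findings"].append(f"'log' on {len(rep['logged_nat_acl_lines'])} NAT ACL "
                               "entries; remove it, as advised in the thread")
    if nat_acl_ids and not rep["vpn_excluded_from_nat"]:
        rep["findings"].append("VPN traffic is not excluded from NAT before the first permit")
    return rep
```

Run `audit(open("shop-show-run.txt").read())` against a saved config to get the same three checks; on the sample it reports the missing port forward and the two logged NAT ACL entries, and confirms the VPN traffic is excluded from NAT. The parser understands extended ACLs with the protocol given by name (`ip`, `tcp`, `udp`) and standard ACLs; it is deliberately small and ignores everything else in the config.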

Ok,

Today I bypassed the Cisco router and used the old router that I replaced. It should have solved the problem if it was the Cisco device. It did not. So I put the Cisco router back into service and will look at the issue being outside of my shop.

So, moving on now knowing it isn't that, I have to see if I can get the landlord's router to reboot.

Is there any good reason a Netgear router might start blocking ports for IPCAM and VNC?

I'll move on from this post soon. Thanks for everyone's help.

Tony

Thanks for the update. Using your old router in place of the Cisco router was a good test. I am not surprised that the problem remained. This confirms the opinion in my previous response that the problem was not your Cisco router. Trying to get a reboot of the landlord router is worth trying - mostly to eliminate possible causes of the problem. I will be surprised if a reboot of the landlord router fixes the problem.

We do not know which Netgear router your landlord uses, which makes it difficult to know what he may have changed. My limited experience with Netgear routers makes me think it not likely that Netgear is blocking ports for IPCAM or VNC. But it would certainly be good to ask the landlord if he has made any changes that would restrict inbound traffic. Many firewalls have a default security policy that allows traffic from outside that is a response to something initiated from inside but blocks traffic that is initiated from outside to inside.

I continue to wonder if the problem is something about RealVNC. You say that you have other devices using it. How many other devices? Are all of the other devices still working well with RealVNC? How long have the other devices been using it?

HTH

Rick
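The default policy Rick describes (replies to inside-initiated traffic pass, traffic initiated from outside is dropped) is exactly what lets outbound web browsing from the shop keep working while unsolicited connections to the VNC server and the camera fail. The following is an added example, not code from the thread or from any vendor: a minimal stateful-policy model in Python, run over constructed packets, showing that the only way an outside connection reaches 10.0.10.52 or 10.0.10.58 is an explicit inbound rule (the equivalent of a port-forward entry on the upstream router). Port 5900 is VNC's default; the camera's port 80 and the outside address 198.51.100.7 are assumptions, and `StatefulFirewall`, `Packet` and `demo()` are this example's own names.

```python
"""Model of the default policy described in the thread: a stateful firewall
allows flows started from inside and their replies, and drops anything
started from outside unless an explicit inbound rule (a port forward) exists.

Added example, not code from any poster or vendor. Packets and outside
addresses are constructed; the inside network is the shop LAN from the
posted config."""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    def __init__(self, inbound_allow=None):
        # Flow table keyed from the inside host's point of view:
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()
        # Explicit exceptions, the equivalent of a port-forward entry:
        # {(proto, inside_ip, inside_port), ...}
        self.inbound_allow = set(inbound_allow or ())

    @staticmethod
    def _inside(ip):
        return ipaddress.ip_address(ip) in INSIDE

    def process(self, pkt):
        """Return the decision for one packet and update the flow table."""
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        if src_in and not dst_in:
            # Inside-initiated: create state so the reply can come back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow: inside-initiated"
        if dst_in and not src_in:
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "allow: reply to an existing flow"
            if (pkt.proto, pkt.dst, pkt.dport) in self.inbound_allow:
                return "allow: explicit inbound rule"
            return "drop: unsolicited inbound"
        return "allow: does not cross the boundary"


def demo(inbound_allow=None):
    """Run four constructed packets through the firewall and return the decisions."""
    fw = StatefulFirewall(inbound_allow)
    packets = [
        Packet("10.0.10.52", 51000, "198.51.100.7", 443),   # Pi browsing out
        Packet("198.51.100.7", 443, "10.0.10.52", 51000),   # the web reply
        Packet("198.51.100.7", 40000, "10.0.10.52", 5900),  # outsider to the VNC port
        Packet("198.51.100.7", 40001, "10.0.10.58", 80),    # outsider to the camera (assumed port)
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
    print("with an inbound rule for VNC:", demo({("tcp", "10.0.10.52", 5900)})[2])
```

The model is one-directional on purpose: it does not translate addresses, so it stands in for the landlord's router only as far as its allow/drop decisions go. What it makes visible is the asymmetry the thread keeps circling: nothing in the shop router's config creates the inbound exception, so if the upstream router once had one (or once behaved differently) and no longer does, browsing and the tunnel keep working while VNC and the camera stop being reachable from outside.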