05-20-2021 07:52 AM
Hi all,
You have all been so helpful in the past; I was wondering if anyone can assist with a small problem I have with traffic being blocked, and with finding the cause?
We have a remote site using a C927-4PM which then connects back to our ASA at HQ via a secure tunnel.
All remote traffic is supposed to reach out to the internet via the tunnel and hit our ASA for an appropriate ACL.
Users on the remote site can do almost anything they need to except use Google Meet. We have an ACL on the ASA allowing all users to access all Google services and this works for every other site we have.
Is there any command I can run on the C927 to find out what ports or IPs it's not sending down the tunnel?
This is my current config. Not sure if anything looks as though it would single out just Google Meet traffic and drop it.
Building configuration...
Current configuration : 4740 bytes
!
Last configuration change at 13:57:07 gmt Thu May 20 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
no ip source-route
!
ip domain name companyx.local
ip name-server 8.8.8.8
ip cef
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C927-4PM sn xxxx
!
object-group network CANON-PRINTER
 host 202.247.100.75
!
object-group network X-IPs
 host x.x.x.x
 host x.x.x.x
 host x.x.x.x
!
vtp mode transparent
username administrator privilege 15 secret 5 xxxx
!
redundancy
!
controller VDSL 0
!
vlan 102
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxx address x.x.x.x
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TS
 match address VPN-TRAFFIC
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan102
 ip address 10.11.102.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
 ip virtual-reassembly in
!
interface Dialer0
 description **** pppoe dialer interface ****
 mtu 1492
 ip address negotiated
 ip access-group LOCKDOWN-IN in
 ip access-group LOCKDOWN-OUT out
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxx
 ppp chap password 7 xxxx
 ppp pap sent-username xxxx password 7 xxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map VPN-TO-HQ
!
interface Dialer1
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended LOCKDOWN-IN
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit gre object-group x-IPs any
 permit esp object-group x-IPs any
 permit ahp object-group x-IPs any
 permit ip object-group x-IPs any
 permit ip object-group CANON-PRINTER any
ip access-list extended LOCKDOWN-OUT
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ahp any object-group x-IPs
 permit esp any object-group x-IPs
 permit gre any object-group x-IPs
 permit ip any object-group x-IPs
 permit ip object-group CANON-PRINTER any
 deny ip any any log
ip access-list extended NATINSIDE
 permit ip host 10.11.102.50 object-group CANON-PRINTER
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.102.0 0.0.0.255 any
!
snmp-server community x-ro RO
snmp-server location Here
snmp-server contact Me
snmp-server chassis-id myrouter
tftp-server flash:/firmware/vadsl_module_img.bin
!
control-plane
!
banner motd ^C
*************************************************************
*                                                           *
* This device is owned and managed by Me.                   *
* Unauthorized access is strictly prohibited.               *
*                                                           *
*************************************************************
^C
!
line con 0
 privilege level 15
line 4
 no activation-character
 transport preferred none
 transport input all
 transport output all
 stopbits 1
line vty 0 4
 exec-timeout 1440 0
 privilege level 15
 password 7 xxx
 transport input ssh
line vty 5 15
 exec-timeout 1440 0
 privilege level 15
 password 7 xxx
 transport input ssh
!
scheduler allocate 20000 1000
!
end
05-24-2021 01:52 AM
While I have been attempting to research this, the only thing that stands out on this setup is the switch attached to the router mentioned above.
It has a lot of class-maps that were left over from the default config which I don't think are being used.
Every time I try to remove these though I get a message saying they are in use.
How can I see where they are in use and how can I remove them to rule this out of the problem I am seeing?
Thanks in advance!
class-map match-any system-cpp-police-ewlc-control
  description EWLC Control
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
  description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
  description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
  description High Rate Applications
class-map match-any system-cpp-police-multicast
  description MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual OOB
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-ios-routing
  description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
  description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
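One way to answer "where is this class-map in use" from a saved copy of the running-config, as an added example that is not part of the thread: the script below scans IOS configuration text for class-map definitions and for the "class <name>" references that sit under each policy-map header, then reports which policy-map references each class-map. The configuration it scans is constructed for the example and only resembles the system-cpp class-maps quoted above; the policy lines under the policy-map are invented. The output of the quoted post ends with "policy-map system-cpp-policy", so on that switch the class-maps the script lists as referenced would be the ones that policy-map uses.

```python
"""Map IOS class-maps to the policy-maps that reference them.

Added example, not from the thread. SAMPLE_CONFIG is constructed: it
borrows a few class-map names from the post, but the policy-map body
and the unused class-map are invented for illustration.
"""
import re

SAMPLE_CONFIG = """\
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
  description EWLC data, Inter FED Traffic
class-map match-any unused-class
  description Leftover from template (constructed)
!
policy-map system-cpp-policy
 class system-cpp-police-topology-control
  police rate 1000 pps
 class system-cpp-police-sw-forward
  police rate 1000 pps
 class system-cpp-default
  police rate 2000 pps
!
"""

# Top-level definition: "class-map match-any NAME" / "class-map match-all NAME"
CLASS_MAP_RE = re.compile(r"^class-map\s+(?:match-any|match-all)\s+(\S+)")
# Top-level policy header: "policy-map NAME"
POLICY_MAP_RE = re.compile(r"^policy-map\s+(\S+)")
# Indented reference inside a policy-map: " class NAME"
CLASS_REF_RE = re.compile(r"^\s+class\s+(\S+)")


def class_map_usage(config_text):
    """Return {class_map_name: sorted list of policy-maps referencing it}.

    Class-maps that are defined but referenced nowhere map to an empty list.
    The scan is line based: an indented 'class X' line under the most recent
    'policy-map' header counts as a reference from that policy-map, and any
    unindented line ends the current policy-map block.
    """
    usage = {}
    current_policy = None
    for line in config_text.splitlines():
        m = CLASS_MAP_RE.match(line)
        if m:
            usage.setdefault(m.group(1), set())
            current_policy = None
            continue
        m = POLICY_MAP_RE.match(line)
        if m:
            current_policy = m.group(1)
            continue
        m = CLASS_REF_RE.match(line)
        if m and current_policy:
            usage.setdefault(m.group(1), set()).add(current_policy)
        elif not line.startswith(" "):
            current_policy = None
    return {name: sorted(refs) for name, refs in usage.items()}


def unreferenced_class_maps(config_text):
    """Names of defined class-maps that no policy-map references."""
    return sorted(n for n, refs in class_map_usage(config_text).items() if not refs)


if __name__ == "__main__":
    for name, refs in class_map_usage(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(refs) if refs else 'UNREFERENCED'}")
```

Run it against the text of show running-config saved to a file (read the file and pass its contents instead of SAMPLE_CONFIG). It only reports references visible in the configuration; whether a referenced class-map can or should be removed is a separate decision, since the policy that references it would have to drop that class first.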
05-24-2021 06:33 AM
Are you sure the tunnel is up? I would check your ISAKMP security associations with "show cry is sa". Those should be main mode (MM). If that looks good, check packets on both sides by looking at the IPSec security associations. Use this command and note where there are (and are not) spaces. It will summarize things. "sh cry ip sa | i caps|ident". What you are really looking for is if one of your IPSec SAs is encrypting traffic but not getting any return traffic (0 in decaps).
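The check described in the reply above, as an added example that is not part of the thread: a small Python parser for the filtered output of "sh cry ip sa | i caps|ident" that pairs each local/remote ident with its encaps and decaps counters and flags SAs that encrypt outbound packets but decrypt none in return. The sample output below is constructed to look like IOS output; the selectors and counter values are invented and do not come from the poster's router.

```python
"""Flag one-way IPsec SAs from 'show crypto ipsec sa | i caps|ident' output.

Added example, not from the thread. SAMPLE_OUTPUT is constructed: the
selector pairs and packet counters are invented for illustration.
"""
import re

SAMPLE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (10.11.102.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.11.202.0/255.255.255.0/0/0)
    #pkts encaps: 48211, #pkts encrypt: 48211, #pkts digest: 48211
    #pkts decaps: 47990, #pkts decrypt: 47990, #pkts verify: 47990
   local  ident (addr/mask/prot/port): (10.11.102.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# "local  ident (...): (SELECTOR)" / "remote ident (...): (SELECTOR)"
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident .*?:\s*\((\S+?)\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sas(text):
    """Return one dict per SA: local, remote, encaps, decaps.

    A 'local ident' line starts a new SA record; the 'remote ident' and the
    counter lines that follow belong to that record until the next local ident.
    """
    sas = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, selector = m.groups()
            if side == "local":
                cur = {"local": selector, "remote": None, "encaps": 0, "decaps": 0}
                sas.append(cur)
            elif cur is not None:
                cur["remote"] = selector
            continue
        if cur is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
    return sas


def one_way_sas(text):
    """SAs that encrypt outbound traffic but have decrypted nothing in return."""
    return [sa for sa in parse_ipsec_sas(text) if sa["encaps"] > 0 and sa["decaps"] == 0]


if __name__ == "__main__":
    for sa in one_way_sas(SAMPLE_OUTPUT):
        print(f"one-way SA: {sa['local']} -> {sa['remote']} "
              f"(encaps={sa['encaps']}, decaps={sa['decaps']})")
```

Paste the router's filtered output in place of SAMPLE_OUTPUT (or read it from a file). An SA with a high encaps count and decaps stuck at 0 is the symptom the reply describes: packets are leaving encrypted, and nothing is coming back for that selector pair.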