Loop-back IP is not pingable from my DC network sometimes

sreejithsree
Level 1

Hello All,

 

I have the below config on my ADSL VPN router, where I run an IPsec tunnel to my corporate Palo firewall to establish the VPN connection.

 

VPN ADSL Cisco 877 Router --> Internet --> Palo Firewall (where the IPsec VPN is terminated) --> Core switch --> 10.127.50.50 (the gateway for the server is on the core switch)

 

I have everything working except that my loopback IP is not pingable from the DC server behind my Palo firewall where the VPNs are connected.

The loopback becomes pingable once I initiate some traffic from my VPN router to the DC server using the loopback as source, like below.

(ping 10.127.50.50 source Loopback1)

 

It works well after I do a source ping, until I reboot the router. It looks totally strange to me. Can someone help? I have lost my mind :)

 

==================================================

Building configuration...

Current configuration : 6324 bytes
!
!
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xxxxvpn05
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name XXXXX
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xxxxxxxxxxxxxxxx
crypto isakmp keepalive 10 5 periodic
!
crypto isakmp peer address xxxxxxxxxxxxx
set aggressive-mode password xxxxxxxxxxxxxxxx
set aggressive-mode client-endpoint fqdn xxxxvpn05
!
!
crypto ipsec transform-set xxxx-VPN-SET esp-aes 256 esp-sha-hmac
!
crypto map xxxxxx 10 ipsec-isakmp
set peer xxxxx
set transform-set xxxx-VPN-SET
match address VPN-SUBNET
qos pre-classify
!
archive
log config
hidekeys
!
!
ip tftp source-interface Vlan1
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any HIGH
match access-group name CITRIX-TRAFFIC
match access-group name ICMP-TRAFFIC
match access-group name SNMP-TRAFFIC
class-map match-any MEDIUM
match access-group name SKYPE-TRAFFIC
match access-group name WEB-TRAFFIC
class-map match-any LOW
match access-group name SCCM-TRAFFIC
match access-group name SEP-TRAFFIC
match access-group name SMB-TRAFFIC
!
!
policy-map xxxx-COS
class HIGH
bandwidth percent 30
class MEDIUM
bandwidth percent 20
class LOW
bandwidth percent 10
class class-default
bandwidth percent 15
!
!
!
!
interface Loopback1
ip address 192.168.85.1 255.255.255.0
ip nat inside
ip virtual-reassembly

!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
vbr-nrt 284 284
tx-ring-limit 3
encapsulation aal5mux ppp dialer
dialer pool-member 1
service-policy output xxxx-COS
!
dsl operating-mode auto
!
interface FastEthernet0
duplex full
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description ***LAN Interface***
ip address 10.150.253.5 255.255.255.252
ip helper-address 10.127.73.20
ip helper-address 10.127.73.30
ip nat inside
ip virtual-reassembly
no autostate
!
interface Dialer1
description --- xxxxxxxxxxx
ip address negotiated
ip mtu 1400
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1360
load-interval 30
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password 7 xxxxxxxxxxxxx
ppp ipcp dns request
crypto map xxxx-VPN
!
ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 Dialer1 name DEFAULT
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NO-NAT interface Dialer1 overload
!
ip access-list standard xxxx-MGT
remark --- xxxx Management Networks
permit 194.74.241.94
permit 10.150.253.5
permit 81.144.223.254
permit 192.168.85.0 0.0.0.255
permit 10.127.0.0 0.0.255.255
permit 10.146.0.0 0.0.255.255
!
ip access-list extended CITRIX-TRAFFIC
remark --- Citrix Traffic ---
permit tcp any any eq 1494
permit tcp any eq 1494 any
permit tcp any any eq 2598
permit tcp any eq 2598 any
permit udp any any range 16500 16509
permit udp any range 16500 16509 any
permit tcp any host 10.127.71.255 eq www
permit tcp any host 10.127.71.255 eq 443
ip access-list extended ICMP-TRAFFIC
remark --- ICMP Traffic ---
permit icmp any any
ip access-list extended NOT-VPN-SUBNET
deny ip 192.168.85.0 0.0.0.255 any
deny ip host 10.150.253.5 any
ip access-list extended SCCM-TRAFFIC
remark --- SCCM Traffic ---
permit tcp any host 10.127.99.99 eq www
permit tcp any host 10.127.99.99 eq 443
permit tcp any any eq 8530
permit tcp any eq 8530 any
ip access-list extended SEP-TRAFFIC
remark --- SEP Traffic ---
permit tcp any host 10.127.99.102 eq www
permit tcp any host 10.127.99.102 eq 443
permit tcp any any eq 8014
permit tcp any eq 8014 any
permit tcp any any eq 9005
permit tcp any eq 9005 any
ip access-list extended SKYPE-TRAFFIC
remark --- Skype for Business Traffic ---
permit tcp any 172.28.254.0 0.0.0.255 eq 443
permit tcp any 172.28.254.0 0.0.0.255 eq 5061
permit udp any 172.28.254.0 0.0.0.255 eq 3478
ip access-list extended SMB-TRAFFIC
remark --- Generic SMB Traffic ---
permit tcp any any eq 139
permit tcp any eq 139 any
permit tcp any any eq 445
permit tcp any eq 445 any
permit udp any any eq 445
permit udp any eq 445 any
ip access-list extended SNMP-TRAFFIC
remark --- Management Traffic ---
permit udp any any eq snmp
permit udp any eq snmp any
ip access-list extended VPN-SUBNET
permit ip 192.168.85.0 0.0.0.255 any
permit ip host 10.150.253.5 any
ip access-list extended WEB-TRAFFIC
remark --- WEB Traffic ---
permit tcp any any eq www
permit tcp any eq www any
permit tcp any any eq 443
permit tcp any eq 443 any
!
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
no cdp run
!
!
!
route-map NO-NAT permit 10
match ip address NOT-VPN-SUBNET
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred telnet
transport output all
line aux 0
transport preferred telnet
transport output all
line vty 0 4
access-class xxxx-MGT in
exec-timeout 120 0
password 7 xxxxxxxxx
length 0
transport preferred telnet
transport input ssh
transport output all
!
scheduler max-task-time 5000
ntp clock-period 17183670
ntp source Vlan1
ntp server 10.127.80.101 source Vlan1
ntp server 10.127.80.102 source Vlan1 prefer
end

xxxxvpn05#

11 Replies

Hello,

 

your configuration looks somewhat confusing, as you don't seem to NAT anything? Either way, if you want the loopback to be reachable through the VPN, you need to remove the 'ip nat inside' command:

 

interface Loopback1
ip address 192.168.85.1 255.255.255.0
--> no ip nat inside
ip virtual-reassembly

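As an added example that is not part of the thread, the small Python model below applies Cisco first-match, wildcard-mask ACL semantics to the two ACLs from the posted config (NOT-VPN-SUBNET behind route-map NO-NAT, and the crypto ACL VPN-SUBNET), so you can check which flows the router would translate and which it would send into the tunnel. The ACL lines are copied from the config; the flows tested are constructed.

```python
import ipaddress

# ACL bodies copied from the posted config (only 'ip' entries are needed here).
NOT_VPN_SUBNET = [
    "deny ip 192.168.85.0 0.0.0.255 any",
    "deny ip host 10.150.253.5 any",
]
VPN_SUBNET = [
    "permit ip 192.168.85.0 0.0.0.255 any",
    "permit ip host 10.150.253.5 any",
]

def _parse_addr(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A wildcard').
    Returns (address_int, match_mask_int, remaining_tokens)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # Cisco wildcard bits are inverted: 0 = must match, 1 = don't care.
    return addr, (~wildcard) & 0xFFFFFFFF, tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into a tuple of ints."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, smask, rest = _parse_addr(tokens[2:])
    dst, dmask, _ = _parse_addr(rest)
    return action, proto, src, smask, dst, dmask

def acl_permits(acl, src_ip, dst_ip):
    """First matching entry decides; implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for line in acl:
        action, _, src, smask, dst, dmask = parse_ace(line)
        if (s & smask) == (src & smask) and (d & dmask) == (dst & dmask):
            return action == "permit"
    return False

def is_natted(src_ip, dst_ip):
    """'ip nat inside source route-map NO-NAT ...' translates a flow only when
    the route-map matches, i.e. when ACL NOT-VPN-SUBNET *permits* it. With only
    deny lines plus the implicit deny, no flow is ever translated."""
    return acl_permits(NOT_VPN_SUBNET, src_ip, dst_ip)

def goes_in_tunnel(src_ip, dst_ip):
    """Flow is interesting traffic for the crypto map if VPN-SUBNET permits it."""
    return acl_permits(VPN_SUBNET, src_ip, dst_ip)
```

Running it against the loopback-to-server flow shows the loopback traffic is left untranslated and matches the crypto ACL, while a host behind Vlan1 other than 10.150.253.5 matches neither ACL.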
 

Hello,

 

I have tried removing ip nat inside as well, but it made little difference.

Everything works as expected the moment I do a source ping to my server from the router with the loopback IP as the source IP. I have even tried deleting the IP from the loopback and configuring the same IP as a secondary IP on the Vlan; the behavior looks the same.

I tried swapping the IPs as well, so I hope it is not related to policy or NAT.

 

Please advise!

 

Thanks.

Hello,

 

what is defined as interesting traffic on the other side (the Palo Alto)? Is traffic from the DC server to the Loopback included?

Yes, it is allowed. As I have explained, everything is good once I initiate a single ping from the loopback or secondary IP.

Hello,

 

on the Cisco, configure the line marked with the arrow:

 

crypto map xxxxxx 10 ipsec-isakmp
set peer xxxxx
set transform-set xxxx-VPN-SET

--> set pfs group2
match address VPN-SUBNET
qos pre-classify

And replace the 'any' with the actual subnet on the other side...

 

ip access-list extended VPN-SUBNET
permit ip 192.168.85.0 0.0.0.255 any
permit ip host 10.150.253.5 any

Hello,

I have tried with the specific subnet, but no change.

It seems the tunnel is not coming up after adding the PFS group, and there is no change to the behavior either.

Hello,

 

make sure the PFS group is set at the other end as well.

 

Have you tried to change the 'any' to the actual remote subnets?

Hello,

 

Thanks for your time!

 

Yes, I did change PFS on both sides, and the tunnel is up after that.

 

I tried changing any to the specific remote subnet, but no difference. I still need to initiate a source ping with the loopback from the router to make the loopback IP pingable from the DC server.

Hello All,

 

Can I please have any more suggestions? This is almost killing my efforts. Is there anything else to be checked, or has anyone else faced the same issue?

 

Thanks in advance for your time!

 

Cheers!