10-02-2013 07:00 AM - edited 03-07-2019 03:48 PM
Greetings.
We encountered some problems in our network setup, more precisely with our VPN, and are looking for help. We own a Cisco 1921 with a Cisco HWIC-2FE expansion card. The GE interface is connected to our LAN, two of the FE interfaces are connected to the WAN, one using an ADSL PPPoE dial-up connection, the second connected via SDSL. Therefore, the ADSL interface has a "dynamic" IP (although it is provided as a fixed IP) and the SDSL interface is part of a public /29 network.
ISP 1 -------\
              Cisco 1921 --------- LAN
ISP 2 -------/
Our problem now is that we use client-to-site VPN through IPsec. If only one of the ISP connections is up, everything works as intended. But as soon as we bring up the second connection, the VPN dial-in still works, but after that no connection from the VPN user to the internal LAN is possible anymore. The VPN user is, however, still able to connect to the Cisco 1921.
We planned to use split tunneling, which works under the conditions mentioned above. We also planned to have both ISPs online with SLA-tracked routing entries for failover and load balancing. This works too, but then, as I stated, the VPN breaks.
Could someone give us a hint on this? Config (scrubbed) provided.
Best regards
Thomas Pulzer
----- Config Cisco 1921 ------
Building configuration...
Current configuration : 21593 bytes
!
! Last configuration change at 15:44:48 CET Wed Oct 2 2013 by thopu
version 15.2
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
service sequence-numbers
!
hostname cisco1921-02
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 8096
logging console informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNUSERS local
aaa authorization exec default local
aaa authorization network VPNGROUP local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
no ip domain lookup
ip domain name XXX
ip name-server 172.20.x.x
ip name-server 172.20.x.x
ip cef
ip cef load-sharing algorithm universal 00AABBDD
!
multilink bundle-name authenticated
!
!
license udi pid CISCO1921/K9 sn FCZ1645C5CS
!
!
archive
log config
logging enable
logging size 500
hidekeys
path usbflash1:
write-memory
!
redundancy
!
!
!
!
!
ip ssh authentication-retries 2
ip ssh version 2
!
track 10 ip sla 1 reachability
delay down 1 up 2
!
track 97 ip sla 97 reachability
delay down 1 up 2
!
track 98 ip sla 98 reachability
delay down 1 up 2
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28400
crypto isakmp keepalive 60
!
crypto isakmp client configuration group VST1
dns xxx
domain xxx
pool VST1-VPN-IP-Pool
acl 190
save-password
split-dns xxx
netmask 255.240.0.0
!
crypto isakmp profile VST1
description VPN Profile for VST1
match identity group VST1
client authentication list VPNUSERS
isakmp authorization list VPNGROUP
client configuration address respond
virtual-template 10
!
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
!
crypto ipsec profile VST1
set security-association lifetime seconds 28400
set transform-set vpn-transform
!
!
!
crypto dynamic-map dyn-vpn-map 5
set transform-set vpn-transform
reverse-route
!
!
crypto map vpn-crypt-map 10 ipsec-isakmp dynamic dyn-vpn-map
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 172.20.x.x 255.240.0.0 secondary
ip address 172.20.x.x 255.240.0.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map StaticWebservices
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0/0
description SDSL 85.x.x.x
ip address 85.x.x.x 255.255.255.248
ip nat outside
no ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map VPN
duplex auto
speed auto
crypto map vpn-crypt-map
!
interface FastEthernet0/0/1
description ADSL 87.x.x.x
no ip address
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 97
!
interface Virtual-Template10 type tunnel
ip unnumbered FastEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VST1
!
!
interface Dialer97
description ADSL 87.x.x.x
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 97
dialer-group 1
ppp authentication pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxx password 0 xxx
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp mask request
no cdp enable
!
ip local policy route-map VPN
ip local pool Generic-VPN-IP-Pool 172.20.8.x 172.20.8.x
ip local pool VST1-VPN-IP-Pool 172.20.2.x
ip forward-protocol nd
!
no ip http server
ip http access-class 3
no ip http secure-server
!
ip nat pool SDSL-IP-Pool 85.x.x.x 85.x.x.x netmask 255.255.255.248
ip nat inside source route-map ADSL-Uplink interface Dialer97 overload
ip nat inside source route-map SDSL-Uplink pool SDSL-IP-Pool overload
ip nat inside source static tcp 172.x.x.x 8080 85.x.x.x 8080 extendable
ip route 0.0.0.0 0.0.0.0 85.x.x.x track 10
ip route 0.0.0.0 0.0.0.0 Dialer97 track 97
!
ip sla 1
icmp-echo 85.x.x.x source-ip 85.x.x.x
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 97
icmp-echo 87.x.x.x source-interface Dialer97
frequency 5
ip sla schedule 97 life forever start-time now
logging trap debugging
logging 172.20.1.x
access-list 30 remark --- our network ---
access-list 30 permit 172.16.0.0 0.15.255.255
access-list 100 remark --- access to this router ---
access-list 100 remark --- access from internal ---
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq telnet
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq telnet
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 22
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 22
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq www
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq www
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 443
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 443
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq cmd
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq cmd
access-list 100 remark --- access from elsewhere ---
access-list 100 deny tcp any host xxx eq telnet
access-list 100 deny tcp any host xxx eq 22
access-list 100 deny tcp any host xxx eq www
access-list 100 deny tcp any host xxx eq 443
access-list 100 deny tcp any host xxx eq cmd
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 110 remark --- allow all internal IP traffic ---
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
access-list 120 permit ip any any
access-list 130 remark --- webclient ---
access-list 130 permit tcp host 172.20.x.x eq 8080 any
access-list 130 permit tcp host 172.20.x.x any eq ftp
access-list 130 permit tcp host 172.20.x.x any eq ftp-data
access-list 130 remark --- ftp for 172.20.x.x ---
access-list 130 permit tcp 172.20.x.x 0.0.0.255 any eq ftp
access-list 130 permit tcp 172.20.x.x 0.0.0.255 any eq ftp-data
access-list 150 remark --- VPN channels ---
access-list 150 deny ip 172.16.0.0 0.15.255.255 172.20.8.0 0.0.0.255
access-list 150 deny ip 172.16.0.0 0.15.255.255 host 172.20.2.x
access-list 150 remark --- Server ---
access-list 150 remark --- wsus ---
access-list 150 permit udp host 172.20.x.x any eq ntp
access-list 150 permit tcp host 172.20.x.x any eq www
access-list 150 permit tcp host 172.20.x.x any eq 443
access-list 150 remark --- main-dns ---
access-list 150 permit tcp host 172.20.x.x any eq domain
access-list 150 permit udp host 172.20.x.x any eq domain
access-list 150 permit tcp host 172.20.x.x any eq 953
access-list 150 permit udp host 172.20.x.x any eq 953
access-list 150 remark --- webclient.kniel.local ---
access-list 150 permit tcp host 172.20.x.x any eq ftp
access-list 150 permit tcp host 172.20.x.x any eq ftp-data
access-list 150 remark --- general Internet access ---
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq www
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq 8080
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq 443
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq ftp
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq ftp-data
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq www
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq 8080
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq 443
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq ftp
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq ftp-data
access-list 160 remark --- DNS for everyone ---
access-list 160 permit udp any any eq domain
access-list 160 permit tcp any any eq domain
access-list 170 permit udp host 85.x.x.x eq isakmp any
access-list 170 permit udp host 85.x.x.x eq non500-isakmp any
access-list 190 remark --- VPN accesses ---
access-list 190 permit ip 172.16.0.0 0.15.255.255 172.20.8.0 0.0.0.255
access-list 190 remark --- VPN accesses AD ---
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.2.x
access-list 190 remark --- VPN accesses, generic ---
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.1
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.2
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.3
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.4
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.5
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.6
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.7
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.8
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.9
dialer-list 1 protocol ip permit
!
no cdp run
route-map SDSL-Uplink permit 10
description normal traffic via SDSL uplink
match ip address 150
match interface FastEthernet0/0/0
!
route-map VPN permit 10
description VPN via SDSL-Uplink
match ip address 170
set interface FastEthernet0/0/0
!
!
route-map ADSL-Uplink permit 10
match ip address 150
match interface Dialer97
!
route-map StaticWebservices permit 10
description webclient
match ip address 130
set interface FastEthernet0/0/0
!
route-map StaticWebservices permit 30
description DNS for everyone
match ip address 160
set interface FastEthernet0/0/0
!
!
!
!
!
control-plane
!
!
alias exec ifchange tclsh usbflash0:ifchange.tcl
alias exec edit_acl tclsh usbflash0:edit_acl.tcl
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 110 in
exec-timeout 0 0
length 0
transport input ssh
!
scheduler allocate 20000 1000
ntp server 172.20.1.2
!
end
10-02-2013 07:48 AM
Hi
There seems to be some routing issue. When only one link is up, there is only one route to go out, but when both links are up there is a chance of a conflict in choosing the outgoing path. Could you post the output of your routing table?
Regards
Bharat
10-02-2013 08:12 AM
Hi kniel
Try to modify your config as follows:
no ip route 0.0.0.0 0.0.0.0 85.x.x.x track 10
ip route 0.0.0.0 0.0.0.0 85.x.x.x 200
Let me know
Regards
Carlo
Please rate all helpful posts
"The more you help the more you learn"
10-06-2013 11:13 PM
If I change the config according to your advice, we lose routing to the Internet as well as the ability to establish a VPN connection.
10-03-2013 05:08 AM
Hi Kniel EDV
Please update.
Regards
Bharat
10-06-2013 11:07 PM
We had a public holiday in Germany, therefore the office was closed.
The routing table with the config above and both WAN connections online is:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 85.182.195.201 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 85.182.195.201
                is directly connected, Dialer97
      85.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        85.182.195.200/29 is directly connected, FastEthernet0/0/0
L        85.182.195.202/32 is directly connected, FastEthernet0/0/0
      87.0.0.0/32 is subnetted, 1 subnets
C        87.139.88.97 is directly connected, Dialer97
C     172.16.0.0/12 is directly connected, GigabitEthernet0/0
      172.20.0.0/32 is subnetted, 2 subnets
L        172.20.0.51 is directly connected, GigabitEthernet0/0
L        172.20.0.52 is directly connected, GigabitEthernet0/0
      217.0.117.0/32 is subnetted, 1 subnets
C        217.0.117.218 is directly connected, Dialer97
For better analysis, I did not scrub the output. 85.182.195.201 is the remote router of our SDSL uplink.
10-06-2013 11:44 PM
In a dual-ISP setup using IPsec we have the following conditions:
L2L can work on the primary ISP as well as the backup ISP.
IPsec with mobility will only work on the primary ISP; if the primary goes down, then on the backup ISP.
Share the following info:
sh run | in ip route
sh run | sec ip sla
sh ip route 0.0.0.0
What are the remote subnet and local subnet trying to communicate over IPsec?
Gaurav
Sent from Cisco Technical Support Android App
10-07-2013 12:02 AM
Here is the requested info:
cisco1921-02#sh run | in ip route
ip route 0.0.0.0 0.0.0.0 85.182.195.201 track 10
ip route 0.0.0.0 0.0.0.0 Dialer97 track 97
ip route 0.0.0.0 0.0.0.0 Dialer98 track 98
cisco1921-02#sh run | sec ip sla
track 10 ip sla 1 reachability
delay down 1 up 2
track 97 ip sla 97 reachability
delay down 1 up 2
track 98 ip sla 98 reachability
delay down 1 up 2
ip sla 1
icmp-echo 85.182.195.201 source-ip 85.182.195.202
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 97
icmp-echo 87.139.88.97 source-interface Dialer97
frequency 5
ip sla schedule 97 life forever start-time now
ip sla 98
icmp-echo 87.139.88.98 source-interface Dialer98
frequency 5
ip sla schedule 98 life forever start-time now
cisco1921-02#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
    85.182.195.201
      Route metric is 0, traffic share count is 1
  * directly connected, via Dialer97
      Route metric is 0, traffic share count is 1
I think it's because of the subnets you mentioned. Our local subnet is 172.16.0.0 255.240.0.0.
We'd like to put our VPN clients in 172.20.8.0 255.255.255.0, with some clients getting an IP dynamically, and 3 static IPs, 172.20.2.241, 172.20.2.244 and 172.20.2.246 respectively, for 3 special clients, though I scrubbed 2 of the 3 from the posted config.
I am considering moving away from this config and using a subnet that does not overlap the local subnet. Will try this and post the results.
10-07-2013 12:58 AM
Thanks for all your help. After Gaurav Sood's request I reconsidered Carlo Poggiarelli's advice on the routing metrics.
I modified his config change and added the metric to the dialer interface, which connects through the ADSL modem.
So, I changed
ip route 0.0.0.0 0.0.0.0 Dialer97 track 97
to
ip route 0.0.0.0 0.0.0.0 Dialer97 200 track 97
and this seems to work.
I will monitor the connections but leave the post unanswered, if you please. If everything is stable, I will consider the post answered and will update.
Again, thanks for all your help.
Best regards,
Thomas Pulzer
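The number 200 in `ip route 0.0.0.0 0.0.0.0 Dialer97 200 track 97` is the route's administrative distance (AD), not a metric: with both tracked default routes at the IOS default AD of 1, the router installs both and load-shares across the two uplinks; with AD 200 the ADSL route becomes a floating static that is only installed once the SDSL track goes down. The following Python model is an added illustration of that selection rule for this thread, not Cisco code. Prefixes, next hops and track numbers are taken from the posted config; the /32 host route via `Virtual-Access1` for one client from the 172.20.8.0/24 pool is an assumption used to show why a pool that overlaps the connected 172.16.0.0/12 still needs a more specific route per client.

```python
"""Toy model of an IOS-style routing table (RIB): static routes with an
administrative distance (AD), object tracking fed by IP SLA, and equal-cost
load sharing between routes for the same prefix at the same AD.

Added illustration for the thread above, not Cisco code. Rule modelled:
a tracked route is withdrawn while its track is down; longest prefix wins;
among equal prefixes the lowest AD wins; equal-AD routes are installed together.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                   # e.g. "0.0.0.0/0"
    next_hop: str                 # next-hop address or egress interface
    distance: int = 1             # AD; IOS default for a static route is 1
    track: Optional[int] = None   # object-tracking ID, None = untracked


class Rib:
    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.tracks: Dict[int, bool] = {}   # track ID -> reachability up?

    def set_track(self, track_id: int, up: bool) -> None:
        """State that `track N ip sla N reachability` reports after the probe."""
        self.tracks[track_id] = up

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def _installable(self, r: Route) -> bool:
        # A tracked static route is removed from the RIB while its track is down.
        return r.track is None or self.tracks.get(r.track, False)

    def lookup(self, dst: str) -> List[str]:
        """Next hops used for `dst`: longest prefix first, then lowest AD.
        More than one next hop means equal-cost load sharing."""
        addr = ip_address(dst)
        cands = [r for r in self.routes
                 if self._installable(r) and addr in ip_network(r.prefix)]
        if not cands:
            return []
        longest = max(ip_network(r.prefix).prefixlen for r in cands)
        cands = [r for r in cands if ip_network(r.prefix).prefixlen == longest]
        best = min(r.distance for r in cands)
        return sorted(r.next_hop for r in cands if r.distance == best)


def build_rib(adsl_distance: int) -> Rib:
    """The two tracked default routes from the thread; `adsl_distance` is the
    AD of the Dialer97 route (1 in the original config, 200 in the fix)."""
    rib = Rib()
    rib.add(Route("0.0.0.0/0", "85.182.195.201", 1, track=10))        # SDSL
    rib.add(Route("0.0.0.0/0", "Dialer97", adsl_distance, track=97))  # ADSL
    rib.add(Route("172.16.0.0/12", "GigabitEthernet0/0", 0))          # connected LAN
    # Assumption for illustration: host route for one connected VPN client
    # whose pool address lies inside the connected 172.16.0.0/12.
    rib.add(Route("172.20.8.5/32", "Virtual-Access1", 1))
    rib.set_track(10, True)   # both SLA probes succeed: both uplinks up
    rib.set_track(97, True)
    return rib


def default_next_hops(adsl_distance: int, sdsl_up: bool = True) -> List[str]:
    """Egress choice for an Internet destination under a given AD and SDSL state."""
    rib = build_rib(adsl_distance)
    rib.set_track(10, sdsl_up)
    return rib.lookup("8.8.8.8")


if __name__ == "__main__":
    print("both AD 1, both up     :", default_next_hops(1))
    print("ADSL AD 200, both up   :", default_next_hops(200))
    print("ADSL AD 200, SDSL down :", default_next_hops(200, sdsl_up=False))
    print("VPN client 172.20.8.5  :", build_rib(200).lookup("172.20.8.5"))
    print("LAN host 172.20.1.10   :", build_rib(200).lookup("172.20.1.10"))
```

With both routes at AD 1 the model returns two next hops for any Internet destination, which is the load-shared state the thread describes as breaking the VPN; with AD 200 on the Dialer97 route only the SDSL next hop is used until track 10 goes down, at which point the floating static takes over. Verify the real router's selection with `show ip route 0.0.0.0` and `show track`.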