Beginner

EZVPN Tunnel encaps just stop

I have an odd situation folks.  At least I've never seen it before.   I have a Cisco 851W running ezvpn back to a 5510 ASA with Security+.  We have approximately 17 other tunnels running without issue.  This one, however, comes up and stays up, but about every few thousand packets it stops encaps based on the show crypto ipsec sa output.  This failed condition lasts for about 30 pings give or take 1 or 2.  Then encaps resume for another few thousand packets.  Obviously with no encaps/decaps on the 851 there aren't any on the ASA either.  Throughout all this I can ping the public IP address of the 851 over the Internet.  Cox seems to be passing traffic fine, which would make sense since I'm not even sending encaps from the 851.  Does anyone have any idea where to start?  I've run through a couple debugs and show commands as well as checked the logs but I'm not seeing anything that doesn't appear correct.  It's like the 851 just decides to take a coffee break for a few seconds and then comes back to resume work forwarding tunnel traffic.

I appreciate any assistance anyone can offer. 

Thanks,

Dave

Cisco Employee

EZVPN Tunnel encaps just stop

Dave,

Odd situation indeed. I would like to first understand if the packets are leaked out in clear instead of encapsulated OR if they are being dropped by something else before encryption.

For the first part you can apply an outbound ACL on outside interface matching the internal traffic (with a permit ip any any at the end).

If the traffic is dropped it might be in a few common places:

- traffic accelerator

- cef (COULD be a bug in cef itself but it can be a bug of a feature using cef)

etc etc.

If traffic is not being sent in clear you can try disabling CEF as first step OR watching "show crypto engine accelerator statistic" to get crypto accelerator statistics.

I assume that during the "no encaps" period there are no errors increasing on the IPsec SA?

Marcin

Beginner

EZVPN Tunnel encaps just stop

Hi Marcin,

Thank you for the reply!  I was able to replicate the issue in a controlled environment and it does appear to be leaking out.  Not per the access list I created though.  It didn't show in the acl.  It did show up in debug ip packet though.  I have included that below.  The successful pings show the encapsulated packet with the tunnel IPs on it.  The unsuccessful just show the private addresses going out fa4.

I also noticed that pings on the inside NOT sourced directly from the router do not have this problem.  That is encouraging.  It wasn't something we could test remotely from the client site but I could in my lab.  Pinging through always seems to provide more accurate results, but I'm still unsure about what is going on and if it is something that could be troublesome later on down the road.

#############FAILED PING SOURCED FROM INSIDE INTERFACE OF EZVPN CLIENT##############

000229: *Feb 28 21:33:14.339 central: IP: tableid=0, s=192.168.66.1 (local), d=192.168.223.253 (FastEthernet4), routed via FIB
000230: *Feb 28 21:33:14.339 central: IP: s=192.168.66.1 (local), d=192.168.223.253 (FastEthernet4), len 100, sending.

#############SUCCESSFUL PING SOURCED FROM INSIDE INTERFACE OF EZVPN CLIENT#############

000234: *Feb 28 21:33:18.339 central: IP: s=1.1.1.1 (local), d=2.2.2.2 (FastEthernet4), g=1.1.1.2, len 168, forward
000235: *Feb 28 21:33:18.347 central: IP: tableid=0, s=1.1.1.1 (local), d=2.2.2.2 (FastEthernet4), routed via FIB

Thanks for all your help!

Dave
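A check for the symptom described in the post above, written here as an added example and not taken from the thread or from Cisco: it parses "debug ip packet" lines (a constructed sample modelled on the ones Dave posted, with 1.1.1.1 and 2.2.2.2 standing in for the public tunnel endpoints) and flags transmit events on the outside interface whose source and destination are both private, which is what a cleartext leak of tunnel traffic looks like. FastEthernet4 as the outside interface is taken from the post; the function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the "debug ip packet" lines posted in the thread.
# 1.1.1.1 and 2.2.2.2 stand in for the public tunnel endpoints, as in the post.
DEBUG_LINES = [
    "000229: *Feb 28 21:33:14.339 central: IP: tableid=0, s=192.168.66.1 (local), "
    "d=192.168.223.253 (FastEthernet4), routed via FIB",
    "000230: *Feb 28 21:33:14.339 central: IP: s=192.168.66.1 (local), "
    "d=192.168.223.253 (FastEthernet4), len 100, sending.",
    "000234: *Feb 28 21:33:18.339 central: IP: s=1.1.1.1 (local), "
    "d=2.2.2.2 (FastEthernet4), g=1.1.1.2, len 168, forward",
    "000235: *Feb 28 21:33:18.347 central: IP: tableid=0, s=1.1.1.1 (local), "
    "d=2.2.2.2 (FastEthernet4), routed via FIB",
]

# Sequence number, source, destination and egress interface of one debug line.
LINE_RE = re.compile(
    r"^(?P<seq>\d+):.*?\bs=(?P<src>[\d.]+) \([^)]*\), d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\)"
)

def parse_debug_line(line):
    """Return the fields of one 'debug ip packet' line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    text = line.rstrip()
    return {
        "seq": m["seq"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "out_if": m["out_if"],
        # 'sending.' and 'forward' are transmit events; 'routed via FIB' is only the lookup
        "transmitted": text.endswith("sending.") or text.endswith("forward"),
    }

def find_cleartext_leaks(lines, outside_if):
    """Transmit events on the outside interface whose endpoints are both private."""
    # Tunnel traffic leaves as ESP between the public peers; an RFC 1918 source and
    # destination egressing the outside interface means the packet bypassed IPsec.
    leaks = []
    for line in lines:
        rec = parse_debug_line(line)
        if (rec and rec["transmitted"] and rec["out_if"] == outside_if
                and rec["src"].is_private and rec["dst"].is_private):
            leaks.append(rec)
    return leaks

if __name__ == "__main__":
    for leak in find_cleartext_leaks(DEBUG_LINES, "FastEthernet4"):
        print(f"seq {leak['seq']}: {leak['src']} -> {leak['dst']} left {leak['out_if']} in clear")
```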

Cisco Employee

EZVPN Tunnel encaps just stop

Dave,

Odd stuff.

A packet sourced by the router itself will not show in outbound ACL (might be different for different kind of packets depending on version).

If you're positive those packets are leaked there might be a feature interaction ... most likely NAT or something before.

What I would like you to check if you're interested:

1) Try to change software to what is running on other routers (if relevant)

2) Remove any additional features from interfaces and global.

3) Verify NAT config and NAT table during the problem.

Doesn't look like VPN component is screwing up here.

Marcin


Beginner

EZVPN Tunnel encaps just stop

Hi Marcin,

I must thank you for the suggestions. By working through some of what you suggested I did discover a routing issue.  It was getting a default route from the tunnel when it came up and also from the dhcp server.  For some reason it didn't just preference one.  We eliminated the dhcp default and statically routed the tunnel peer out the public interface and it worked fine.  We made note of that little bit of fun for future reference.