
Remote Access over WWAN, tunnel up, but need client traffic flow to enable data

Greetings!

Let me give you a layout of my configuration:

[Cisco 887VAG+7-K9 (15.3(3)M4)]  <<=== VODAFONE CELLULAR ===> INTERNET <=== LOCAL ISP ===> [Cisco ASA5512-X (9.3(1))]

The 887VAG router connects over the Cellular0 interface by EZVPN as a remote-access client, with Network Extension Mode enabled, to the ASA.

This deployment works perfectly for my DSL or Ethernet routers (887/881 resp.) but runs into a snag or two when using the cellular connection.

What I see is that the tunnel between the 887VAG and the ASA5512-X stays perfectly up. I can even kill the tunnel from both sides and it pops right back up (Phase 1 and Phase 2 stuff all runs smoothly). However, when the tunnel has been idle for some time you are unable to access the 887VAG through the tunnel from the ASA5512-X (mind you, the tunnel is still operational!). Only after a client behind the 887VAG initiates some data through the tunnel does IP flow become possible again.

When looking at the traffic counters you can see the Tx bytes counter counting up at the ASA5512-X side; however, on the 887VAG side the Rx (or pkts decrypt) counter remains the same. Only when blowing bytes from the client to the ASA is the reverse flow enabled again, for an undetermined time.

You could say the cellular connection goes into some sort of sleep mode which can only be revived by the client (which is undesirable, but technically understandable). However, this is not the case, because I can kill the IPSec tunnel from the ASA5512-X, to which the 887VAG responds by rebuilding the tunnel immediately. So from this I can safely assume there is an active IP connection between the two endpoints (the IKE session is active; only the IPSec connection itself is behaving weirdly). Even after manually killing the IPSec connection the situation remains where you have to let the client spit out some bytes before being able to send from the ASA to the 887VAG.

I have observed this behaviour with another cellular router from another supplier before (also with a 5512-X). In that case we had the option to have a keepalive ping running each minute or so. But that obviously doesn't solve the underlying problem. I wonder if this is an ASA5512-X issue or perhaps something that is caused by the cellular connection (since I have never come across this behaviour with Ethernet or DSL connections).

On a side note, there seems to be some strange behaviour on the 887VAG+R7-K9 when fumbling with the configuration. For some reason the default transform sets or IKE policies seem to become corrupt when editing the running configuration. A reload will not fix it. Only removing the crypto configuration and re-adding it restores functionality. The running-config is absolutely the same in both cases; however, Phase 1 will fail when building a tunnel. Strange, no?

Here is the sanitized 887VA-R7-K9 running config:


version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname blah
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 blah
!
no aaa new-model
memory-size iomem 10
clock timezone Paris 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint blah
 enrollment selfsigned
 subject-name blah
 revocation-check none
 rsakeypair blah
!
crypto pki certificate chain blah
 certificate self-signed 01
  blahblahblahblah
        quit
no ip source-route
!
no ip bootp server
ip domain lookup source-interface Cellular0
ip domain name vodafone.nl
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
license udi pid C887VAG+7-K9 sn blah
!
username blah secret 5 blah
username blah-blah privilege 15 secret 5 blah
!
controller VDSL 0
 shutdown
!
controller Cellular 0
 gsm gps mode standalone
 gsm gps nmea
!
ip ssh version 2
!
crypto isakmp keepalive 30 20 periodic
!
crypto ipsec client ezvpn VPN
 connect auto
 group blahblah blahblah
 mode network-extension
 peer AA.BB.CC.DD
 username blah password blah
 xauth userid mode local
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Cellular0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string hspa-R7
 dialer-group 1
 async mode interactive
 crypto ipsec client ezvpn VPN
!
interface Vlan1
 ip address EE.FF.GG.HH 255.255.255.0
 no autostate
 crypto ipsec client ezvpn VPN inside
!
ip forward-protocol nd
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Cellular0
!
dialer-list 1 protocol ip permit
no cdp run
!
access-list 10 remark Access CCP/SSH
access-list 10 remark Remote Management subnet
access-list 10 permit II.JJ.KK.LL 0.0.0.255
access-list 10 remark Office WAN
access-list 10 permit MM.NN.OO.PP 0.0.0.7
!
control-plane
!
line con 0
 no modem enable
line aux 0
line 3
 exec-timeout 0 0
 script dialer hspa-R7
 modem InOut
 no exec
 rxspeed 21600000
 txspeed 5760000
line 6
 modem InOut
 no exec
 transport input all
 transport output all
 stopbits 1
 speed 4800
line vty 0 4
 access-class 10 in
 privilege level 15
 login local
 transport input ssh
!
ntp update-calendar
ntp server nl.pool.ntp.org prefer source Cellular0
!
end
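The symptom described in the post is a tunnel whose IKE session is alive (the `crypto isakmp keepalive` DPD in the config proves only that) while one direction of the IPsec SA silently stops delivering: the ASA's encrypt counter grows, the router's decrypt counter does not. The following is an added example, not code from the original post or from Cisco, that turns that observation into a check: it samples the `#pkts encrypt:` / `#pkts decrypt:` fields of `show crypto ipsec sa` from both ends twice and classifies the interval. The field names are assumed to match that command's output on IOS and ASA; the snapshot text and packet counts below are constructed, not captured from a device.

```python
import re

# Matches the per-SA packet counters printed by "show crypto ipsec sa" on both
# IOS and ASA, e.g. "#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120".
# Only the encrypt/decrypt fields are used; the field names are an assumption.
_ENC = re.compile(r"#pkts encrypt:\s*(\d+)")
_DEC = re.compile(r"#pkts decrypt:\s*(\d+)")


def parse_counters(show_output: str) -> dict:
    """Sum encrypt/decrypt packet counts over every SA in one command output."""
    return {
        "encrypt": sum(int(n) for n in _ENC.findall(show_output)),
        "decrypt": sum(int(n) for n in _DEC.findall(show_output)),
    }


def delta(before: dict, after: dict) -> dict:
    """Per-counter growth between two snapshots taken on the same device."""
    return {k: after[k] - before[k] for k in ("encrypt", "decrypt")}


def classify(asa_delta: dict, rtr_delta: dict) -> str:
    """Classify one sampling interval from both ends' counter growth.

    'asa_to_router_lost': the ASA encrypted packets for the tunnel but the
                          router decrypted none (the symptom in the post)
    'router_to_asa_lost': the mirror image
    'ok':                 every direction that carried traffic was received,
                          or nothing was sent at all in the interval
    """
    if asa_delta["encrypt"] > 0 and rtr_delta["decrypt"] == 0:
        return "asa_to_router_lost"
    if rtr_delta["encrypt"] > 0 and asa_delta["decrypt"] == 0:
        return "router_to_asa_lost"
    return "ok"


def check_interval(asa_t0: str, asa_t1: str, rtr_t0: str, rtr_t1: str) -> str:
    """Parse two snapshots from each end and classify the interval between them."""
    return classify(
        delta(parse_counters(asa_t0), parse_counters(asa_t1)),
        delta(parse_counters(rtr_t0), parse_counters(rtr_t1)),
    )


# Constructed sample snippets (not real device output) standing in for the
# counter lines of "show crypto ipsec sa" at three sample times.
# T0 -> T1: tunnel idle, ASA keeps sending, router receives nothing.
# T1 -> T2: a client behind the router sent traffic and both directions flow.
ASA_T0 = ("#pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200\n"
          "#pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980\n")
ASA_T1 = ("#pkts encaps: 1260, #pkts encrypt: 1260, #pkts digest: 1260\n"
          "#pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980\n")
ASA_T2 = ("#pkts encaps: 1300, #pkts encrypt: 1300, #pkts digest: 1300\n"
          "#pkts decaps: 990, #pkts decrypt: 990, #pkts verify: 990\n")
RTR_T0 = ("#pkts encaps: 980, #pkts encrypt: 980, #pkts digest: 980\n"
          "#pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200\n")
RTR_T1 = RTR_T0  # nothing changed on the router side while idle
RTR_T2 = ("#pkts encaps: 990, #pkts encrypt: 990, #pkts digest: 990\n"
          "#pkts decaps: 1240, #pkts decrypt: 1240, #pkts verify: 1240\n")


def main() -> None:
    print("idle interval:       ", check_interval(ASA_T0, ASA_T1, RTR_T0, RTR_T1))
    print("after client traffic:", check_interval(ASA_T1, ASA_T2, RTR_T1, RTR_T2))


if __name__ == "__main__":
    main()
```

Fed with real snapshots (for example, polled over SSH at the same interval as the keepalive ping mentioned in the post), a run of `asa_to_router_lost` intervals is the condition worth alerting on, since DPD and `show crypto isakmp sa` will keep reporting the peer as up the whole time.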
