12-21-2016 03:56 PM
Hi Everyone,
I'd appreciate if someone can help me with this.
We have a Cisco VPN concentrator 3030 in the datacenter connecting to a remote site. The VPN was working fine and then we moved datacenters, and the public IP address of the VPN concentrator changed. I updated the peer IP address on the remote site's router (Cisco 2811) but for some reason still cannot pass traffic between the sites. I can see under "sessions" that the session is established and the VPN concentrator is receiving traffic from the remote site but is unable to transmit back.
What could be causing this issue? Even though no configuration has changed other than the public IP on vpn concentrator, do I need to erase vpn configuration on remote router and redo it?
PLEASE help.
thanks
12-21-2016 07:09 PM
Here is the configuration from the router:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key KEY123 address 128.100.101.12
crypto ipsec transform-set VPN2DC esp-3des esp-md5-hmac
crypto map VPN2DC 10 ipsec-isakmp
description to DataCenter
set peer 128.100.101.12
set transform-set VPN2DC
match address 185
int f0/1 (public interface)
crypto map VPN2DC
access-list 185 remark VPN2DC TRAFFIC_START
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 remark VPN2DC TRAFFIC END
access-list 199 remark LOCAL_NAT_TRAFFIC_START
access-list 199 deny ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.66.0 0.0.0.255 any
access-list 199 remark LOCAL_NAT_TRAFFIC_END
12-23-2016 12:45 AM
Hello,
I had a similar issue back in the day.
If traffic is decapsulated on the concentrator but won't be encapsulated when sending traffic back to the remote site, it can be a routing issue in the outbound direction towards the remote site (as was the problem in my case as well).
Additionally, it's also possible that you have some firewall in the DC which this traffic traverses, and the appropriate ports on which the remote site would like to communicate are not allowed, therefore traffic on that port can't be sent back towards the remote site because the FW denies it.
Otherwise, it would be useful to run a debug on it with debug crypto ipsec to see the details.
Hope it helps.
12-23-2016 09:59 AM
Hi,
Thank you for the reply. There is no firewall between either of the sites, it's a direct connection to the internet and I can reach external networks.
Attaching a screenshot from the concentrator.
I have not looked at it for a couple of days, will go back and recheck the configuration again... the static routes were already in place before in both sites, and also for the datacenter network to reach the remote network....
I think it is still a routing issue since connection is being established.
12-23-2016 05:06 PM
Can you share both phase ISAKMP & IPsec states and details?
Additionally share the running config of the 2811.
Thanks,
Manj
12-25-2016 02:11 PM
Here is more detailed config running on 2811:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key KEY123 address 128.100.101.12
!
crypto ipsec transform-set VPN2DC esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
description to DataCenter
set peer 128.100.101.12
set transform-set VPN2DC
match address 185
!
interface FastEthernet0/0
description Connected to the INTERNAL LAN
ip address 192.168.66.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
service-policy input P2P
!
interface FastEthernet0/1
description Connected to the INTERNET
ip address 107.1.2.3 255.255.255.240
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map to_vpn
!
ip route profile
ip route 0.0.0.0 0.0.0.0 107.1.56.45
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
ip http server
no ip http secure-server
ip nat pool mypool 107.1.2.3 107.1.2.6 netmask 255.255.255.240
ip nat inside source route-map NoNat pool mypool overload
access-list 185 remark VPN2DC TRAFFIC_START
access-list 185 permit ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 185 remark VPN2DC TRAFFIC END
access-list 199 remark LOCAL_NAT_TRAFFIC_START
access-list 199 deny ip 192.168.66.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.66.0 0.0.0.255 any
access-list 199 remark LOCAL_NAT_TRAFFIC_END
route-map NoNat permit 10
match ip address 199
2811-Router#show crypto ipsec sa detail
interface: FastEthernet0/1
Crypto map tag: VPN2DC, local addr 107.1.2.3
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.66.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 128.100.101.12 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 195056, #pkts encrypt: 195056, #pkts digest: 195056
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 1, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 107.1.2.3, remote crypto endpt.: 128.100.101.12
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x6E4FF7B5(1850734517)
inbound esp sas:
spi: 0xDA4473DC(3661919196)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2321, flow_id: NETGX:321, crypto map: to_vpn
sa timing: remaining key lifetime (k/sec): (4408428/2956)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6E4FF7B5(1850734517)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2322, flow_id: NETGX:322, crypto map: to_vpn
sa timing: remaining key lifetime (k/sec): (4408380/2956)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
2811-Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
107.1.2.3 128.100.101.12 QM_IDLE 1014 0 ACTIVE
12-25-2016 09:21 PM
Hi,
Please do check the procedures below.
The problem shows that Phase 1 of the tunnel is successfully establishing but phase 2 has problems. Specifically the firewall is encrypting packets but not decrypting them.
If an ASA or router is getting encaps but not decaps, this means it is encrypting the data and sending it but has not received anything to decrypt in return.
Give a rating if this helps you.
Thanks,
Mani
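As an added example (not from this thread or any of its posters), a small Python script that parses the two show commands quoted above and applies the rule this reply gives: an SA with encaps but no decaps is sending encrypted traffic and receiving nothing back. The sample outputs are constructed from the lines the 2811 printed in this thread; only the parsing and the classification are mine.

```python
import re

# Constructed samples modelled on the output posted in this thread
# (a few counter lines trimmed; values as shown there).
IPSEC_SA_SAMPLE = """\
interface: FastEthernet0/1
    Crypto map tag: VPN2DC, local addr 107.1.2.3
   local  ident (addr/mask/prot/port): (192.168.66.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 128.100.101.12 port 500
    #pkts encaps: 195056, #pkts encrypt: 195056, #pkts digest: 195056
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts no sa (send) 1, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
"""
ISAKMP_SA_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
107.1.2.3       128.100.101.12  QM_IDLE           1014    0 ACTIVE
"""

# One "#pkts <name>[ (dir)][:] <n>" field; several sit on one line.
COUNTER_RE = re.compile(r"#pkts ([a-z .]+?)(?: \((send|rcv|recv)\))?:? (\d+)")

def parse_sa_counters(text):
    """Map each '#pkts' counter (direction suffix kept) to its integer value."""
    counters = {}
    for name, direction, value in COUNTER_RE.findall(text):
        key = name.strip() + (f" ({direction})" if direction else "")
        counters[key] = int(value)
    return counters

def phase1_up(isakmp_text):
    """Phase 1 is established when an ISAKMP SA sits in QM_IDLE and ACTIVE."""
    return any("QM_IDLE" in ln and "ACTIVE" in ln for ln in isakmp_text.splitlines())

def diagnose(counters):
    """Classify the SA by the thread's rule: encaps counts what this side
    encrypted and sent, decaps what it received and decrypted."""
    encaps, decaps = counters.get("encaps", 0), counters.get("decaps", 0)
    if encaps and not decaps:
        return "send-only"      # we transmit; nothing comes back to decrypt
    if decaps and not encaps:
        return "receive-only"   # peer reaches us; our replies never enter the tunnel
    if not encaps and not decaps:
        return "idle"           # nothing has matched this SA yet
    return "bidirectional"

if __name__ == "__main__":
    c = parse_sa_counters(IPSEC_SA_SAMPLE)
    print("phase1 up:", phase1_up(ISAKMP_SA_SAMPLE))
    print("encaps", c["encaps"], "decaps", c["decaps"], "->", diagnose(c))
```

Run against the thread's output it reports phase 1 up and the SA as send-only, which points at the return path on the far side rather than at the 2811's own crypto configuration.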
12-25-2016 08:58 PM
I deleted the route to the remote network in the VPN concentrator and I was able to connect to servers. It doesn't make sense at all, that route has been there for the last 6 years and it worked then...