2911 ISR remote client VPN connects just once?

wzxh6wjjm
Level 1

After trying to configure remote client VPN access to a Cisco 2911 ISR using the CLI I tried to use the Cisco Configuration Professional. However, either way I have the same problem. A client can successfully connect and access servers but just once. When the client disconnects and tries to connect again there is no access to the servers even though the VPN tunnel appears to be up. I've tried multiple versions of the Cisco vpn client SW and all behave the same: 1st connection can access servers, subsequent connections can't. I've also tried a second (different) client after the original connection and still no luck. If I reload the router the client can get the vpn connection and access the servers but if the client disconnects from the vpn and tries again there is no access to the servers.

I've also tried it with and without NAT but it doesn't seem to make any difference. Has anybody seen this problem before?

The config generated using CCP is as follows:

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DTIL-Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$...2$aaib0cGJAQ539AbWGe40O/
enable password 7 01190B014F09040B33474A
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.100 10.10.10.254
!
ip dhcp pool DTIL-Users
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 10.10.10.43
   default-router 10.10.10.1
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3807507357
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3807507357
revocation-check none
rsakeypair TP-self-signed-3807507357
!
!
crypto pki certificate chain TP-self-signed-3807507357
certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383037 35303733 3537301E 170D3131 30323033 32303036
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38303735
  30373335 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B349 7D342B14 301C9C7F 29780308 CF072E04 5C44982B 7F71BEA6 10665DB8
  8E6DEB31 34E6E6F4 5106CC6A 2C2519B6 F3B3D043 1FB1C9A4 033FEB92 BA2342F7
  E09C12A6 9D697481 1CD43567 1C4826A3 E0287CF9 5B8F480B 838DEB55 847E6E4C
  1A30223A 874F09ED B8C77DC9 8A432F73 B3A76D9E 9B40221C 529D0624 867C8E6D
  B9B30203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
  551D1104 0F300D82 0B445449 4C2D526F 75746572 301F0603 551D2304 18301680
  141FD4A8 CB27ADAD 1082220E 084C040C E0EEC095 EA301D06 03551D0E 04160414
  1FD4A8CB 27ADAD10 82220E08 4C040CE0 EEC095EA 300D0609 2A864886 F70D0101
  04050003 81810086 AD321D87 7615E692 4CD00150 69046141 36E4FD7F C94F4B52
  2F400ACC A7DB4D14 FF47E8C3 0E4B0DEB C279E747 1C40BF65 CC6DC075 7106FFDB
  F5D60F13 B789ABC7 A46CC775 F13D00B1 204B2968 E68FB8D2 FE0485E7 AC1B6FAF
  50BEFDC3 978D4ED6 FF9014BF 57A86D93 6C5E49F2 A7C576F6 073623B9 A5770E6F
  96B77B57 6397E6
  quit
license udi pid CISCO2911/K9 sn FCZ1445213V
!
!
username user1 privilege 15 secret 5 $1$bKZQ$cjcCBYrh4TxKpFZ6xIokb/
username user2 privilege 15 secret 5 $1$AGkR$.KKEqeYX3TtRlgghNbyoL1
!
redundancy
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group IPSec-VPN
key groupkey
dns 10.10.10.43
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group IPSec-VPN
   client authentication list default
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.240.0.0
!
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 69.17.18.59 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 192.168.70.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_1 10.10.30.100 10.10.30.115
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 69.17.18.33
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end

4 Replies

Hi,

When the VPN client connects for the first time it can access the servers fine. This is because this first time, the IPsec SAs are built to carry the traffic.

When the client disconnects and connects again it fails... can you verify if the IPsec SAs are built again? sh cry ips sa

Federico.

Yes, the SA is up. The output is:

interface: GigabitEthernet0/0
    Crypto map tag: cmap1, local addr 69.17.18.59

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.20.1/255.255.255.255/0/0)
   current_peer 96.255.48.154 port 4500
     PERMIT, flags={}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 69.17.18.59, remote crypto endpt.: 96.255.48.154
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x9CA173BD(2627826621)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB8BD1582(3099399554)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: cmap1
        sa timing: remaining key lifetime (k/sec): (4563408/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9CA173BD(2627826621)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: cmap1
        sa timing: remaining key lifetime (k/sec): (4563409/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Let's see... we know this...

69.17.18.59 is the IP of the router.
96.255.48.154 is the IP where the VPN connection is coming from.
10.10.20.1 is the IP given to the VPN client from the router.

From the output...

It seems that packets are flowing both ways (encrypted/decrypted)
No sent or received errors.

Can you actually PING the servers from the VPN client this second time?

What I'm trying to determine is if there's no access to the servers at the application level or there's no IP connectivity at all when the problem happens.

Federico.
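The reading Federico does above (decaps/decrypt versus encaps/encrypt, send and receive errors) is easier to trust when the counters are compared between two snapshots of the same SA rather than read once. The following script is an added example, not code from the thread or from Cisco: it parses `show crypto ipsec sa` output, keys each SA entry by peer and client address, and reports whether traffic in the interval was bidirectional, idle, or one-way (client packets decrypted but nothing encrypted back, which points at the return path to the client's assigned address not entering the tunnel). The first snapshot is the output posted above, trimmed to the lines the parser reads; the second is constructed to show a client that keeps sending while the router encrypts nothing back.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# First snapshot: the counters from the `show crypto ipsec sa` output posted in the
# thread, trimmed to the lines this parser reads (constructed sample input).
SNAPSHOT_BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: cmap1, local addr 69.17.18.59

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.20.1/255.255.255.255/0/0)
   current_peer 96.255.48.154 port 4500
     PERMIT, flags={}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #send errors 0, #recv errors 0
     current outbound spi: 0x9CA173BD(2627826621)
"""

# Second snapshot (constructed): taken after the client has tried to reach the
# servers for a while. Decaps keeps climbing, encaps does not move.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10",
    "#pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46",
)


@dataclass
class SaCounters:
    peer: str          # remote crypto endpoint (the VPN client's public address)
    client_addr: str   # address assigned to the client, from the remote ident
    encaps: int        # packets the router encrypted toward the client
    decaps: int        # packets the router decrypted from the client
    send_errors: int
    recv_errors: int
    outbound_spi: str  # used to notice that the SA was rebuilt between snapshots


_FIELDS = {
    "peer": re.compile(r"current_peer (\S+) port \d+"),
    "client_addr": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "errors": re.compile(r"#send errors (\d+), #recv errors (\d+)"),
    "spi": re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)"),
}


def parse_show_crypto_ipsec_sa(text: str) -> Dict[Tuple[str, str], SaCounters]:
    """Return one SaCounters per (peer, client address) found in the output.

    Every SA entry in the IOS output starts with a 'protected vrf:' line, so that
    line is used as the record separator. Entries missing any field are skipped
    rather than guessed at (e.g. truncated output).
    """
    entries: Dict[Tuple[str, str], SaCounters] = {}
    for chunk in re.split(r"protected vrf:", text)[1:]:
        m = {name: rx.search(chunk) for name, rx in _FIELDS.items()}
        if any(v is None for v in m.values()):
            continue
        sa = SaCounters(
            peer=m["peer"].group(1),
            client_addr=m["client_addr"].group(1),
            encaps=int(m["encaps"].group(1)),
            decaps=int(m["decaps"].group(1)),
            send_errors=int(m["errors"].group(1)),
            recv_errors=int(m["errors"].group(2)),
            outbound_spi=m["spi"].group(1),
        )
        entries[(sa.peer, sa.client_addr)] = sa
    return entries


def diagnose(before: Dict[Tuple[str, str], SaCounters],
             after: Dict[Tuple[str, str], SaCounters],
             min_pkts: int = 5) -> List[Tuple[Tuple[str, str], str]]:
    """Compare two snapshots and give a one-line verdict per SA."""
    findings = []
    for key, new in after.items():
        old = before.get(key)
        if old is None:
            findings.append((key, "new SA since baseline; take another snapshot"))
            continue
        # A changed SPI or a counter that went backwards means the SA was torn down
        # and rebuilt in between, so the deltas would be meaningless.
        if (new.outbound_spi != old.outbound_spi
                or new.encaps < old.encaps or new.decaps < old.decaps):
            findings.append((key, "SA rebuilt between snapshots; counters not comparable"))
            continue
        d_enc, d_dec = new.encaps - old.encaps, new.decaps - old.decaps
        if new.send_errors > old.send_errors or new.recv_errors > old.recv_errors:
            verdict = "errors increasing; the SA itself is failing, not the routing around it"
        elif d_dec >= min_pkts and d_enc == 0:
            verdict = ("one-way: %d client packets decrypted, none encrypted back; "
                       "return traffic to %s is not entering the tunnel" % (d_dec, key[1]))
        elif d_dec == 0 and d_enc == 0:
            verdict = "idle: no traffic in either direction during the interval"
        else:
            verdict = "bidirectional traffic (%d in, %d out)" % (d_dec, d_enc)
        findings.append((key, verdict))
    return findings


if __name__ == "__main__":
    before = parse_show_crypto_ipsec_sa(SNAPSHOT_BEFORE)
    after = parse_show_crypto_ipsec_sa(SNAPSHOT_AFTER)
    for key, verdict in diagnose(before, after):
        print("peer %s client %s: %s" % (key[0], key[1], verdict))
```

In use, paste the full `show crypto ipsec sa` output into the two snapshot strings (or read them from files) with the client generating traffic in between; the verdict separates "tunnel is up but nothing comes back" from "no traffic at all", which is the distinction Federico is asking about.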

The 1st VPN session I can ping all servers on the remote network (10.10.10.X) and can access all services on those machines. Subsequent VPN sessions have an active SA, but I can't ping anything or access any services on the 10.10.10.X. Once I reload the router I have full functionality for the 1st VPN session after reloading; then any subsequent VPN session has the same result: active SA, but no access to remote hosts.