02-03-2011 12:34 PM
After trying to configure remote client VPN access to a Cisco 2911 ISR using the CLI I tried to use the Cisco Configuration Professional. However, either way I have the same problem. A client can successfully connect and access servers but just once. When the client disconnects and tries to connect again there is no access to the servers even though the VPN tunnel appears to be up. I've tried multiple versions of the Cisco vpn client SW and all behave the same: 1st connection can access servers, subsequent connections can't. I've also tried a second (different) client after the original connection and still no luck. If I reload the router the client can get the vpn connection and access the servers but if the client disconnects from the vpn and tries again there is no access to the servers.
I've also tried it with and without NAT but it doesn't seem to make any difference. Has anybody seen this problem before?
The config generated using CCP is as follows:
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DTIL-Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$...2$aaib0cGJAQ539AbWGe40O/
enable password 7 01190B014F09040B33474A
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.100 10.10.10.254
!
ip dhcp pool DTIL-Users
import all
network 10.10.10.0 255.255.255.0
dns-server 10.10.10.43
default-router 10.10.10.1
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3807507357
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3807507357
revocation-check none
rsakeypair TP-self-signed-3807507357
!
!
crypto pki certificate chain TP-self-signed-3807507357
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FCZ1445213V
!
!
username user1 privilege 15 secret 5 $1$bKZQ$cjcCBYrh4TxKpFZ6xIokb/
username user2 privilege 15 secret 5 $1$AGkR$.KKEqeYX3TtRlgghNbyoL1
!
redundancy
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group IPSec-VPN
key groupkey
dns 10.10.10.43
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group IPSec-VPN
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.240.0.0
!
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 69.17.18.59 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 192.168.70.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_1 10.10.30.100 10.10.30.115
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 69.17.18.33
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end
02-04-2011 07:23 PM
Hi,
When the VPN client connects for the first time it can access the servers fine. This is because this first time, the IPsec SAs are built to carry the traffic.
When the client disconnects and connects again it fails... can you verify if the IPsec SAs are built again? sh cry ips sa
Federico.
02-05-2011 07:06 AM
Yes, the SA is up. The output is:
interface: GigabitEthernet0/0
Crypto map tag: cmap1, local addr 69.17.18.59
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.20.1/255.255.255.255/0/0)
current_peer 96.255.48.154 port 4500
PERMIT, flags={}
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 69.17.18.59, remote crypto endpt.: 96.255.48.154
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x9CA173BD(2627826621)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB8BD1582(3099399554)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: cmap1
sa timing: remaining key lifetime (k/sec): (4563408/3468)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9CA173BD(2627826621)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: cmap1
sa timing: remaining key lifetime (k/sec): (4563409/3468)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
02-06-2011 05:21 PM
Let's see... we know this...
69.17.18.59 is the IP of the router.
96.255.48.154 is the IP where the VPN connection is coming from.
10.10.20.1 is the IP given to the VPN client from the router.
From the output...
It seems that packets are flowing both ways (encrypted/decrypted)
No sent or received errors.
Can you actually PING the servers from the VPN client this second time?
What I'm trying to determine is if there's no access to the servers at the application level or there's no IP connectivity at all when the problem happens.
Federico.
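The counter check Federico is describing can be made mechanical: take "sh cry ips sa" twice while the client pings, and compare what the router decrypted from the client (decaps) against what it encrypted back (encaps). This is an added example, not part of the thread; the two snapshots are constructed from the output posted above, and the field names and the two-snapshot approach are my assumptions.

```python
import re

# Constructed snapshots modelled on the "sh cry ips sa" output posted in the thread.
SNAPSHOT_BEFORE = """\
interface: GigabitEthernet0/0
   Crypto map tag: cmap1, local addr 69.17.18.59
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.20.1/255.255.255.255/0/0)
   current_peer 96.255.48.154 port 4500
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #send errors 0, #recv errors 0
"""
# Same SA a minute later while the client kept pinging (constructed): 30 more decrypted, nothing sent back.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("#pkts decaps: 10", "#pkts decaps: 40")

FIELDS = {
    "peer": re.compile(r"current_peer (\S+)"),
    "client_ip": re.compile(r"remote ident[^:]*: \(([^/]+)/"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "recv_errors": re.compile(r"#recv errors (\d+)"),
}

def parse_sa(text):
    """Pull peer, assigned client IP and packet/error counters out of one SA block."""
    sa = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        if m:
            sa[name] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return sa

def assess(before, after):
    """Diff two snapshots of one SA: decaps grow when the client's packets arrive and
    are decrypted, encaps grow when the router sends replies back through the tunnel."""
    b, a = parse_sa(before), parse_sa(after)
    inbound, outbound = a["decaps"] - b["decaps"], a["encaps"] - b["encaps"]
    findings = []
    if a["send_errors"] or a["recv_errors"]:
        findings.append("SA reports send/recv errors")
    if inbound > 0 and outbound == 0:
        findings.append("client packets are decrypted but nothing is encrypted back: "
                        "check the router's return path (route/NAT) to %s" % a["client_ip"])
    elif outbound > 0 and inbound == 0:
        findings.append("router sends but receives nothing: check the client side/NAT-T path")
    return {"peer": a["peer"], "client_ip": a["client_ip"],
            "inbound": inbound, "outbound": outbound, "findings": findings}
```

If both deltas stay at zero while the client is pinging, the traffic is not reaching this SA at all, which points at the client's routing rather than the router's return path.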
02-07-2011 07:12 AM
The 1st VPN session I can ping all servers on the remote network (10.10.10.X) and can access all services on those machines. Subsequent VPN sessions have an active SA, but I can't ping anything or access any services on the 10.10.10.X. Once I reload the router I have full functionality for the 1st VPN session after reloading; then any subsequent VPN session has the same result: active SA, but no access to remote hosts.