cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
783
Views
0
Helpful
4
Replies

2911 ISR remote client VPN connects just once?

wzxh6wjjm
Beginner
Beginner

After trying to configure remote client VPN access to a Cisco 2911 ISR using the CLI I tried to use the Cisco Configuration Professional. However, either way I have the same problem. A client can successfully connect and access servers but just once. When the client disconnects and tries to connect again there is no access to the servers even though the VPN tunnel appears to be up. I've tried multiple versions of the Cisco vpn client SW and all behave the same: 1st connection can access servers, subsequent connections can't. I've also tried a second (different) client after the original connection and still no luck. If I reload the router the client can get the vpn connection and access the servers but if the client disconnects from the vpn and tries again there is no access to the servers.

I've also tried it with and without NAT but it doesn't seem to make any difference. Has anybody seen this problem before?

The config generated using CCP is as follows:

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname DTIL-Router

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 $1$...2$aaib0cGJAQ539AbWGe40O/

enable password 7 01190B014F09040B33474A

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone NewYork -5

clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00

!

no ipv6 cef

no ip source-route

ip cef

!

!

ip dhcp excluded-address 10.10.10.1 10.10.10.49

ip dhcp excluded-address 10.10.10.100 10.10.10.254

!

ip dhcp pool DTIL-Users

   import all

   network 10.10.10.0 255.255.255.0

   dns-server 10.10.10.43

   default-router 10.10.10.1

!

!

no ip domain lookup

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-3807507357

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3807507357

revocation-check none

rsakeypair TP-self-signed-3807507357

!

!

crypto pki certificate chain TP-self-signed-3807507357

certificate self-signed 01

  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33383037 35303733 3537301E 170D3131 30323033 32303036

  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38303735

  30373335 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B349 7D342B14 301C9C7F 29780308 CF072E04 5C44982B 7F71BEA6 10665DB8

  8E6DEB31 34E6E6F4 5106CC6A 2C2519B6 F3B3D043 1FB1C9A4 033FEB92 BA2342F7

  E09C12A6 9D697481 1CD43567 1C4826A3 E0287CF9 5B8F480B 838DEB55 847E6E4C

  1A30223A 874F09ED B8C77DC9 8A432F73 B3A76D9E 9B40221C 529D0624 867C8E6D

  B9B30203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603

  551D1104 0F300D82 0B445449 4C2D526F 75746572 301F0603 551D2304 18301680

  141FD4A8 CB27ADAD 1082220E 084C040C E0EEC095 EA301D06 03551D0E 04160414

  1FD4A8CB 27ADAD10 82220E08 4C040CE0 EEC095EA 300D0609 2A864886 F70D0101

  04050003 81810086 AD321D87 7615E692 4CD00150 69046141 36E4FD7F C94F4B52

  2F400ACC A7DB4D14 FF47E8C3 0E4B0DEB C279E747 1C40BF65 CC6DC075 7106FFDB

  F5D60F13 B789ABC7 A46CC775 F13D00B1 204B2968 E68FB8D2 FE0485E7 AC1B6FAF

  50BEFDC3 978D4ED6 FF9014BF 57A86D93 6C5E49F2 A7C576F6 073623B9 A5770E6F

  96B77B57 6397E6

  quit

license udi pid CISCO2911/K9 sn FCZ1445213V

!

!

username user1 privilege 15 secret 5 $1$bKZQ$cjcCBYrh4TxKpFZ6xIokb/

username user2 privilege 15 secret 5 $1$AGkR$.KKEqeYX3TtRlgghNbyoL1

!

redundancy

!

!

no ip ftp passive

!        

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group IPSec-VPN

key groupkey

dns 10.10.10.43

pool SDM_POOL_1

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group IPSec-VPN

   client authentication list default

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface Loopback0

ip address 172.16.1.1 255.240.0.0

!

!

interface GigabitEthernet0/0

description $ETH-WAN$

ip address 69.17.18.59 255.255.255.224

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

!

interface GigabitEthernet0/1

description $ETH-LAN$

ip address 192.168.70.1 255.255.255.0 secondary

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

no mop enabled

!

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

!

ip local pool SDM_POOL_1 10.10.30.100 10.10.30.115

ip forward-protocol nd

!

no ip http server

ip http secure-server

!

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 69.17.18.33

!

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.10.0 0.0.0.255

!

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

transport input ssh

!

scheduler allocate 20000 1000

end

4 Replies 4

Hi,

When the VPN client connects for the first time it can access the servers fine. This is because this first time, the IPsec SAs are built to carry the traffic.

When the client disconnects and connect again it fails... can you verify if the IPsec SAs are built again? sh cry ips sa

Federico.

Yes, the SA is up. the output is:

interface: GigabitEthernet0/0

    Crypto map tag: cmap1, local addr 69.17.18.59

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (10.10.20.1/255.255.255.255/0/0)

   current_peer 96.255.48.154 port 4500

     PERMIT, flags={}

    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2

    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 69.17.18.59, remote crypto endpt.: 96.255.48.154

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0x9CA173BD(2627826621)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xB8BD1582(3099399554)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: cmap1

        sa timing: remaining key lifetime (k/sec): (4563408/3468)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x9CA173BD(2627826621)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: cmap1

        sa timing: remaining key lifetime (k/sec): (4563409/3468)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Let's see... we know this...

69.17.18.59 is the IP of the router.
96.255.48.154 is the IP where the VPN connection is coming from.
10.10.20.1 is the IP given to the VPN client from the router.

From the output...

It seems that packets are flowing both ways (encrypted/decrypted)
No sent or received errors.

Can you actually PING the servers from the VPN client this second time?

What I'm trying to determine is if there's no access to the servers at the application level or there's no IP connectivity at all when
the problem happens.

Federico.

The 1st VPN session I can ping all servers on the remote network (10.10.10.X) and can access all services on those machines. Subsequent VPN sessions have an active SA, but I can't ping anything or access any services on the 10.10.10.X. Once I reload the router I have full functionality for the 1st VPN sessions after reloading then any subsequent VPN session has the same result- active SA, but no access to remote hosts.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers