06-18-2010 03:41 PM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan. Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security. Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.
Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.
Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
06-28-2010 12:33 AM
Hi Sundar,
unfortunately I'm not able to post information about the crypto status, because I tested the setup half a year ago. Because of the problems with the setup of the VPN gateway it is now configured to use one fvrf for each ivrf.
Nevertheless, both crypto tunnels were up-active, and as far as I can remember I could not see any packets encrypted.
Enclosed you can find the router config with one fvrf to two ivrfs and nat statements without the match-in-vrf extension.
In general, is it possible to set up a VPN gateway with one fvrf to many ivrfs with independent (sometimes indeed the same) nat statements for each ivrf?
thx
Holger
06-28-2010 06:52 PM
Hi Holger
Thanks for the config. If you didn't see the encaps, I suspect there may be some routing issue between the IVRFs and the FVRF. I tried out a similar config with overlapping and bidirectional NAT statements between IVRFs and a single FVRF, and it seems to be working fine with a latest release like 12.4(22)T. However, I noticed there were some issues with CEF dropping packets after decrypt in older releases; ipsec was still doing encrypt/decrypt fine though.
So you might want to try out the latest release and see if it works. I just attached the following for reference; the rest of the config is the same as for regular IVRFs and FVRFs.
ip route vrf ivrf1 10.79.2.0 255.255.255.0 GigabitEthernet0/0 x.x.x.x
ip route vrf ivrf2 10.79.2.0 255.255.255.0 GigabitEthernet0/0 x.x.x.y
ip nat inside source static 10.1.1.2 10.79.1.1 vrf ivrf1 extendable match-in-vrf
ip nat inside source static 11.1.1.2 10.79.1.1 vrf ivrf2 extendable match-in-vrf
ip nat outside source static 1.1.1.1 10.79.2.2 vrf ivrf1
ip nat outside source static 5.1.1.1 10.79.2.2 vrf ivrf2
Hope this helps.
Thanks
Sundar
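An added example (not code from the thread or from Cisco): a small Python audit that reads IOS `ip route vrf` and `ip nat ... source static ... vrf` lines and reports the two things Sundar's reply points at, namely inside-global addresses shared across IVRFs whose entries lack `match-in-vrf` (the keyword present in his working reference lines and absent from Holger's), and outside-local addresses that have no route in their own IVRF (his first suspicion for missing encaps). The sample config is constructed here: Sundar's six reference lines with the `x.x.x.x` next hops replaced by documentation addresses, plus two `ivrf3` lines added to trigger each finding. The line grammar is limited to the static forms shown on the page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (not the poster's actual config): Sundar's six reference
# lines with the x.x.x.x next hops replaced by documentation addresses, plus
# two ivrf3 lines added here to exercise the checks: an inside static entry
# without match-in-vrf, and an outside static entry for a VRF with no route.
SAMPLE_CONFIG = """\
ip route vrf ivrf1 10.79.2.0 255.255.255.0 GigabitEthernet0/0 192.0.2.1
ip route vrf ivrf2 10.79.2.0 255.255.255.0 GigabitEthernet0/0 192.0.2.2
ip nat inside source static 10.1.1.2 10.79.1.1 vrf ivrf1 extendable match-in-vrf
ip nat inside source static 11.1.1.2 10.79.1.1 vrf ivrf2 extendable match-in-vrf
ip nat outside source static 1.1.1.1 10.79.2.2 vrf ivrf1
ip nat outside source static 5.1.1.1 10.79.2.2 vrf ivrf2
ip nat inside source static 12.1.1.2 10.79.1.1 vrf ivrf3 extendable
ip nat outside source static 6.1.1.1 10.79.2.2 vrf ivrf3
"""

# Only the static forms used on the page are recognised (an assumption of
# this audit, not a full IOS NAT grammar).
ROUTE_RE = re.compile(r"^ip route vrf (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^ip nat (inside|outside) source static (\S+) (\S+) vrf (\S+)(.*)$")


def parse_config(text):
    """Return (routes, nats): per-VRF static route networks and NAT entries."""
    routes = defaultdict(list)
    nats = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            vrf, dest, mask, _intf, _nexthop = m.groups()
            routes[vrf].append(ipaddress.IPv4Network(f"{dest}/{mask}"))
            continue
        m = NAT_RE.match(line)
        if m:
            direction, first, second, vrf, options = m.groups()
            nats.append({
                "direction": direction,
                # inside:  first = inside-local,   second = inside-global
                # outside: first = outside-global, second = outside-local
                "first": ipaddress.IPv4Address(first),
                "second": ipaddress.IPv4Address(second),
                "vrf": vrf,
                "match_in_vrf": "match-in-vrf" in options.split(),
            })
    return routes, nats


def audit_config(text):
    """Return a list of human-readable findings for the config text."""
    routes, nats = parse_config(text)
    findings = []

    # Check 1: an inside-global address reused by several IVRFs behind one
    # FVRF must carry match-in-vrf on every entry that shares it.
    users = defaultdict(set)
    for n in nats:
        if n["direction"] == "inside":
            users[n["second"]].add(n["vrf"])
    for n in nats:
        if n["direction"] != "inside":
            continue
        others = sorted(users[n["second"]] - {n["vrf"]})
        if others and not n["match_in_vrf"]:
            findings.append(f"{n['vrf']}: inside-global {n['second']} is also used by "
                            f"{', '.join(others)} but the entry lacks match-in-vrf")

    # Check 2: each outside-local address needs a route in its own IVRF,
    # otherwise the IVRF-to-FVRF routing Sundar suspects is simply missing.
    for n in nats:
        if n["direction"] != "outside":
            continue
        if not any(n["second"] in net for net in routes.get(n["vrf"], [])):
            findings.append(f"{n['vrf']}: no route covers outside-local {n['second']}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING", finding)
```

Run against a real `show running-config` excerpt, the script lists only the VRFs that differ from the pattern in Sundar's reference lines, which is a quicker first pass than reading the NAT table by hand before turning on crypto debugs.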
06-26-2010 12:34 PM
Hi,
about the configuration of a VPN IPsec C2L with local authentication of the IPsec user like the following:
are there any show commands in the IOS CLI to check which VPN users (by username) are connected?
Regards,
Roberto Taccon
06-28-2010 03:53 PM
Hi Roberto,
You can use the command
show crypto session brief
thanks
-Syed
06-26-2010 04:51 PM
Hi Syed / Sundar,
Having an interesting issue (occurs randomly) with an ASA 5520 and its IPSec and AnyConnect clients. ASA is running 8.0(4)32. What occurs is clients (IPSec and AnyConnect) will all of a sudden not be able to connect to the ASA (existing RA VPN clients seem to remain connected...in most occurrences) and establish a session; they will be denied access and get the classic 433 error...most of the time. All vitals (CPU, total memory, address pool (/24)...etc) on the ASA seem perfectly normal other than new sessions cannot be established. It may happen like once every three or four weeks. To correct the issue we usually clear all RA VPN sessions, which seems to be the temp workaround until several weeks later when the issue re-occurs. At any given time there are around 30 or 40 clients connected. I am beginning to wonder if maybe it's a bug. Any suggestions for troubleshooting this scenario are very welcome.
Kind Regards,
Brandon
06-28-2010 03:56 PM
Hi Brandon,
When your client is unable to connect to the ASA, can you please enable debugs on the ASA side, e.g.
debug crypto isakmp 254
debug crypto ipsec 254
This will give us some idea as to what the ASA is thinking. Also, if you want, you can enable conditional debugging and get the debugs just for one specific peer.
Thanks
-Syed
06-29-2010 08:07 AM
Hi Syed,
I have used those commands before for debugging IPSec vpn clients, will these debugs also pick up the AnyConnect/SSL vpn sessions?
Thanks,
Brandon
06-30-2010 06:16 AM
Hi Brandon,
No, those debugs are specific to IPsec. For AnyConnect/SSL VPN, you can enable "debug webvpn svc". Also it's preferred to have logging enabled at debugging level.
Thanks
Sundar
06-30-2010 08:06 AM
Hi Brandon,
Sorry about the late reply as I was out sick. Here is the link which will help you in troubleshooting various scenarios of AnyConnect.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809b4754.shtml
Please let me know if you have any further questions.
Thanks
-Syed
06-27-2010 06:20 AM
06-28-2010 12:19 PM
For VPN it was on the roadmap to be tentatively supported in FY10 but not finalized yet. The rest of the features are not even on the roadmap yet. I will check the latest on that front as well.
Thanks
-Syed
06-27-2010 06:29 AM
Hi,
as indicated by the following documents the performance for VPN IPSEC and SSL VPN are:
Cisco IPsec and SSL VPN Solutions Portfolio
for example:
the Cisco 3845 Integrated Services Router with onboard VPN
Maximum Tunnels: 700
Maximum AES Throughput: 180 Mbps
the Cisco 3845 Integrated Services Router with AIM-VPN/SSL-3
Maximum Tunnels: 2500
Maximum AES Throughput: 210 Mbps
Portable Product Sheets
http://www.cisco.com/web/partners/tools/quickreference/index.html
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf
*** Q.: is it possible to have a doc. about the performance (maximum throughput for IPsec VPN and SSL VPN) for the ISR G2 (19xx/29xx/39xx)?
*** Q.: are there any Cisco docs about the performance with IPv6?
Regards,
Roberto Taccon
07-01-2010 10:51 AM
Hi Roberto,
VPN performance can be found at the following link
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
I am unable to find any document with respect to IPv6, and my assumption is that the performance should remain the same, but I am checking internally to see if I can find the answer to your question. I apologize for my ignorance on this subject.
thanks
-Syed
07-01-2010 11:12 AM
Hi,
the link isn't for the VPN performance ...
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf
These are "only" Router Switching Performance in Packets Per Second (PPS)
Numbers are given with 64 byte packet size, IP only, and are only an indication of raw switching performance.
These are testing numbers, usually with FE to FE, GigE to GigE or POS to POS, no services enabled. As you add ACL's,
encryption, compression, etc - performance will decline significantly from the given numbers, unless it is a hardware-assisted
platform (BUT NOT INDICATED CLEARLY as different performance are available for VPN IPSec and SSL VPN when a hardware assist is installed), such as the ASR 1000, 7600 or 12000, which process QoS, ACL's, and other features in hardware (or when a hardware assist is installed, for instance an AIM-VPN in a 3745 will offload the encryption from the CPU).
For the VPN IPsec performance I need to check the available docs as indicated previously ....
For IPv6 not all the hardware assists will offload the encryption, and I think the performance is different but not indicated (for example, for all the ASA appliances, will the hardware offload IPsec IPv6 and SSL IPv6? and what is the performance?)
Thanks for all the reply (in particular for the release 2011 of the ASA module for the 6500 !),
Roberto Taccon
06-27-2010 06:36 AM
Hi,
when will the new firewall "ASA service module" for 65xx switches be available? Are there any references about the firewall throughput performance?
Best regards,
Roberto Taccon