Can Ping Remote Server but Ports not responding

sebastianm1
Level 1

Hi All,

We have set up a VPN tunnel between our Cisco and 3 remote sites.

We have been able to get traffics flowing to some degree, however not everything appears to be working correctly.

When we try to run an application from one of the remote sites it appears to not be getting packets back.

Any assistance would be greatly appreciated.


redundancy
!
crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy
 proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
 peer 191.x.x.x
  address 191.x.x.x
  pre-shared-key ABCD123
 !
!
!
crypto ikev2 profile azure-profile
 match address local interface GigabitEthernet0/0
 match identity remote address 191.x.x.x 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-keyring
!
!
no cdp run
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-all lan_traffic
 match access-group 101
!
policy-map 100M-Out
 class lan_traffic
  shape average 100000000
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Site1 address 165.1.x.x
crypto isakmp key Site2 address 165.2.x.x
crypto isakmp key Site3 address 203.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile vti
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile azure-profile
!
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to165.1.x.x
 set peer 165.1.x.x
 set transform-set ESP-3DES-SHA
 match address 102
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel to165.2.x.x
 set peer 165.2.x.x
 set transform-set ESP-3DES-SHA1
 match address 103
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description Tunnel to203.x.x.x
 set peer 203.x.x.x
 set transform-set ESP-3DES-SHA2
 match address 104
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface Tunnel1
 ip address 169.x.x.x 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 191.x.x.x
 tunnel protection ipsec profile vti
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no mop enabled
!
interface GigabitEthernet0/0
 bandwidth 100000
 ip address 203.x.x.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy output 100M-Out
!
interface GigabitEthernet0/1
 ip address 192.168.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.202.4 25 203.x.x.x 25 extendable
ip nat inside source static tcp 192.168.202.6 47 203.x.x.x 47 extendable
ip nat inside source static udp 192.168.202.6 47 203.x.x.x 47 extendable
ip nat inside source static tcp 192.168.202.211 80 203.x.x.x 80 extendable
ip nat inside source static tcp 192.168.202.6 443 203.x.x.x 443 extendable
ip nat inside source static tcp 192.168.202.6 1723 203.x.x.x 1723 extendable
ip nat inside source static udp 192.168.202.6 1723 203.x.x.x 1723 extendable
ip nat inside source static tcp 192.168.202.210 7620 203.x.x.x 7620 extendable
ip nat inside source static tcp 192.168.202.211 7630 203.x.x.x 7630 extendable
ip route 0.0.0.0 0.0.0.0 203.x.x.x
ip route 192.168.200.0 255.255.255.0 Tunnel1
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address 118
!
!
access-list 1 permit 192.168.202.0 0.0.0.255
access-list 1 permit any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.202.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.202.0 0.0.0.255 192.168.203.0 0.0.0.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.202.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 114 permit ip 192.168.202.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 118 remark CCP_ACL Category=2
access-list 118 remark IPSec Rule
access-list 118 deny   ip 192.168.202.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 deny   ip 192.168.202.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 deny   ip 192.168.202.0 0.0.0.255 192.168.204.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 deny   ip 192.168.202.0 0.0.0.255 192.168.203.0 0.0.0.255
access-list 118 permit ip any any
access-list 118 permit ip 192.168.202.0 0.0.0.255 any
!
!
!
control-plane

2 Replies

teatrodelsogno
Level 1

Hi,

what about the output of:

"show crypto ipsec sa"

regards

Please see below:

We are looking into this and believe that it may actually be caused by a DNS issue.

Each remote site has a VPN to head office and to Azure (Domain)

interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 203.x.x.x.

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.203.0/255.255.255.0/0/0)
   current_peer 165.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12971, #pkts encrypt: 12971, #pkts digest: 12971
    #pkts decaps: 6438, #pkts decrypt: 6438, #pkts verify: 6438
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.x.x.x, remote crypto endpt.: 165.x.x.x
     plaintext mtu 1350, path mtu 1400, ip mtu 1400, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xCAF325F9(3404932601)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xF8693C17(4167646231)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2075, flow_id: Onboard VPN:75, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4334788/2978)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCAF325F9(3404932601)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2076, flow_id: Onboard VPN:76, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4334773/2978)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.204.0/255.255.255.0/0/0)
   current_peer 165.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6115, #pkts encrypt: 6115, #pkts digest: 6115
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.x.x.x, remote crypto endpt.: 165.x.x.x
     plaintext mtu 1350, path mtu 1400, ip mtu 1400, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xAA6CC721(2859255585)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x323493C(52644156)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2053, flow_id: Onboard VPN:53, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4281520/266)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAA6CC721(2859255585)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2054, flow_id: Onboard VPN:54, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4281105/266)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.205.0/255.255.255.0/0/0)
   current_peer 203.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 185, #pkts encrypt: 185, #pkts digest: 185
    #pkts decaps: 207, #pkts decrypt: 207, #pkts verify: 207
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.x.x.x, remote crypto endpt.: 203.x.x.x
     plaintext mtu 1350, path mtu 1400, ip mtu 1400, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xF123C732(4045653810)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x3665C73D(912639805)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2079, flow_id: Onboard VPN:79, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4277568/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF123C732(4045653810)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2080, flow_id: Onboard VPN:80, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4277569/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 203.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 191.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19998, #pkts encrypt: 19998, #pkts digest: 19998
    #pkts decaps: 21139, #pkts decrypt: 21139, #pkts verify: 21139
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.x.x.x, remote crypto endpt.: 191.x.x.x
     plaintext mtu 1342, path mtu 1400, ip mtu 1400, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xBC4C4268(3159114344)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x7E524854(2119321684)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2072, flow_id: Onboard VPN:72, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4370689/2750)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBC4C4268(3159114344)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2071, flow_id: Onboard VPN:71, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4370705/2750)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
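The counters in the output above are the quickest place to see the symptom the OP describes: an SA whose encaps count keeps climbing while decaps barely moves is sending traffic that is not coming back. The parser below is an added example, not code from the thread or from Cisco; it walks IOS "show crypto ipsec sa" text and flags such one-way SAs (the 25% ratio threshold is an assumption) and SAs still negotiating esp-3des. The excerpt it runs on is constructed from the counters posted above.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of IOS "show crypto ipsec sa";
# the counter values are the ones posted in the thread.
SAMPLE = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.204.0/255.255.255.0/0/0)
   current_peer 165.x.x.x port 500
    #pkts encaps: 6115, #pkts encrypt: 6115, #pkts digest: 6115
    #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39
        transform: esp-3des esp-sha-hmac ,
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 191.x.x.x port 500
    #pkts encaps: 19998, #pkts encrypt: 19998, #pkts digest: 19998
    #pkts decaps: 21139, #pkts decrypt: 21139, #pkts verify: 21139
        transform: esp-256-aes esp-sha-hmac ,
"""

IDENT = re.compile(r"\):\s*\(([\d.]+/[\d.]+)")  # "(addr/mask" after the colon


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Return one record per SA pair: idents, peer, counters, transforms."""
    sas: List[Dict] = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("local  ident"):          # two spaces, as IOS prints it
            sas.append({"local": IDENT.search(s).group(1), "transforms": set()})
        elif not sas:
            continue                              # header lines before first SA
        elif s.startswith("remote ident"):
            sas[-1]["remote"] = IDENT.search(s).group(1)
        elif s.startswith("current_peer"):
            sas[-1]["peer"] = s.split()[1]
        elif s.startswith("#pkts encaps:"):
            sas[-1]["encaps"] = int(re.search(r"encaps: (\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            sas[-1]["decaps"] = int(re.search(r"decaps: (\d+)", s).group(1))
        elif s.startswith("transform:"):
            sas[-1]["transforms"].add(s.split()[1])
    return sas


def diagnose(sa: Dict, ratio: float = 0.25) -> List[str]:
    """Flag one-way traffic (decaps far below encaps) and legacy 3DES."""
    findings = []
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and dec < enc * ratio:  # assumed threshold: under 25% returned
        findings.append(f"one-way: {enc} encaps vs {dec} decaps towards {sa['remote']}")
    if "esp-3des" in sa["transforms"]:
        findings.append("legacy cipher: esp-3des")
    return findings
```

Run `for sa in parse_ipsec_sa(SAMPLE): print(sa["peer"], diagnose(sa))` against a full capture to list the SAs worth chasing first; the Azure VTI SA in the sample comes back clean, the 192.168.204.0 SA does not.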