06-11-2007 04:47 AM - edited 02-21-2020 03:06 PM
Hi,
I have a problem with a VPN tunnel on a 1841 series
The router has four tunnels, all of which show as UP with sh crypto sessions.
I can ping down three of the tunnels but not the fourth. This router has an almost identical config to a number of other routers on our network, which all work.
I have attached a modified config. The network I can't ping is 192.168.0.0.
Show version output
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 18-Aug-06 17:42 by alnguyen
ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)
XXX uptime is 2 days, 21 hours, 2 minutes
System returned to ROM by reload at 15:36:59 UTC Fri Jun 8 2007
System image file is "flash:c1841-advipservicesk9-mz.124-3f.bin"
Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory.
Processor board ID FCZ104211TW
2 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
Show crypto session for the tunnel in question
Interface: FastEthernet0/1
Session status: UP-NO-IKE
Peer: 84.12.90.XXX port 500
IPSEC FLOW: permit ip 172.16.164.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Any help would be gratefully received
Nik
06-11-2007 11:11 AM
Nik,
Can you reconfigure the crypto map with different sequence numbers for each peer to something like this:
crypto map xxx 10 ipsec-isakmp
set peer 84.12.12.xxx
match address site_1
crypto map xxx 20 ipsec-isakmp
set peer 84.12.134.xxx
match address site_2
Let us know if you are still having problems.
HTH
Sundar
06-13-2007 02:04 AM
Sundar,
Thanks for the response.
I have tried this on my router and it now works, although in a strange way.
By accident we discovered that if we put the geographically furthest destination first in the crypto map, it comes up every time. If we put it as the last entry it does not work! I cannot think why this should be the case, any thoughts?
Also this router does not show its static routes when you do a sh ip route, it only shows the directly connected interfaces.
Thanks again for the help, much appreciated
Nik
06-14-2007 01:24 PM
Nik,
That's weird. I don't see why the geographically furthest destination needs to be entered in the sequence that you described. It should work as long as there is end-to-end IP connectivity between the VPN peers.
As for your static route not showing up in the routing table: if the next hop for the route is reachable, the route should be installed in the routing table. If you are still having problems, can you post the relevant portion of the config and the show ip route end.
HTH
Sundar
06-15-2007 04:00 AM
Sundar,
The geographic thing made no sense to us either but it seems to work.
The static IP routes in the config are
ip classless
ip route 0.0.0.0 0.0.0.0 80.255.249.xxx
ip route 10.0.0.0 255.255.255.0 84.12.12.xxx
ip route 10.10.10.0 255.255.255.0 84.12.134.xxx
ip route 172.16.0.0 255.255.0.0 84.12.134.xxx
ip route 192.168.0.0 255.255.255.0 84.12.90.xxx
ip route 192.168.8.0 255.255.255.0 81.193.248.xxx
SH IP ROUTE output is as below
Gateway of last resort is 80.255.249.xxx to network 0.0.0.0
80.0.0.0/30 is subnetted, 1 subnets
C 80.255.249.xxx is directly connected, FastEthernet0/1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.164.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 80.255.249.xxx
All the next hops are reachable; I have successfully pinged them all, but still the routes are not entered in the table. Any thoughts or insights are much appreciated.
Thanks
Nik
06-18-2007 04:39 PM
Nik,
With IPSEC you don't need those static routes; the router wouldn't know which peer it needs to use to route traffic to those remote networks based on your crypto ACL/peer info found in the IPSEC SA. You just need the default route to your ISP and can safely remove all the other routes.
HTH
Sundar
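Both points Sundar makes in this thread, that each peer needs its own crypto map sequence number and that the peer for a flow is chosen by the crypto ACL rather than by static routes, can be checked offline before touching the router. The Python below is an added example, not code from the thread or from Cisco: it parses a constructed, simplified crypto map (numbered ACLs and placeholder peer addresses, not the poster's config), reports which peer a given source/destination flow would be tunnelled to (lowest matching sequence wins), and flags duplicate sequence numbers as well as earlier entries whose ACL covers a later entry's flow so the later peer can never be selected.

```python
import ipaddress
import re
# Constructed sample in the thread's layout; peers and ACL bodies are placeholders, not the poster's config.
SAMPLE_CONFIG = """\
access-list 101 permit ip 172.16.164.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 permit ip 172.16.164.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto map xxx 10 ipsec-isakmp
 set peer 84.12.134.1
 match address 101
crypto map xxx 10 ipsec-isakmp
 set peer 84.12.90.1
 match address 102
"""

def _net(addr, wildcard):  # IOS 'addr wildcard' -> ip_network (a wildcard is the inverted netmask)
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def parse(config):
    """Return (acls, entries): acl id -> [(src, dst)], entries sorted by sequence (config order on ties)."""
    acls, entries = {}, []
    for line in config.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            entries.append({"seq": int(m[1]), "peer": None, "acl": None})
        elif m := re.match(r"\s+(set peer|match address) (\S+)", line):
            entries[-1]["peer" if m[1] == "set peer" else "acl"] = m[2]
    return acls, sorted(entries, key=lambda e: e["seq"])

def select_peer(config, src, dst):
    """Peer a src->dst flow is tunnelled to: the lowest-sequence entry whose crypto ACL permits it."""
    acls, entries = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if any(s in sn and d in dn for sn, dn in acls.get(e["acl"], [])):
            return e["peer"]
    return None  # no crypto ACL matched: the packet is forwarded in the clear via the routing table

def lint(config):
    """Flag duplicate sequence numbers and earlier entries whose crypto ACL covers a later entry's flow."""
    acls, entries = parse(config)
    seqs = [e["seq"] for e in entries]
    issues = [f"duplicate sequence {s}" for s in sorted({s for s in seqs if seqs.count(s) > 1})]
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if any(ls.subnet_of(es) and ld.subnet_of(ed) for ls, ld in acls.get(later["acl"], [])
                   for es, ed in acls.get(earlier["acl"], [])):
                issues.append(f"seq {later['seq']} shadowed by seq {earlier['seq']}")
    return issues
```

Running lint over the sample reports the duplicate sequence 10; giving the second entry sequence 20 clears it, and a flow to 192.168.0.0/24 is then matched to the second peer regardless of which static routes exist.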
06-28-2007 01:18 AM
Sundar,
Thanks for the help. I have removed the routes and re-ordered the crypto maps and it is now working OK. Thanks again.
Nik