2453 Views, 0 Helpful, 11 Replies

Easy VPN Server issue - VPN users cannot ping or access remote server

lazarmihail
Level 1

Hello,

These days I bought a Cisco 861W router in order to install it in a branch office. The router is working perfectly, I mean with NAT, firewall, wireless users, except for the VPN connection. All the users can connect to the router but they can't ping or access the remote server, which is in the subnet 192.168.2.0. The VPN clients are getting IP addresses in the subnet 192.168.10.0. Can someone tell me where the problem is? What I saw is that the virtual access interfaces are created, but after I disconnect the clients the interfaces are not removed.

I attached the current configuration of the router and also the status of the interfaces.

Thank you in advance for your support.

Mihail Lazar Sinevici

11 Replies

rahgovin
Level 4

Hi,

Check your routing table and check whether you have reverse routes pointing to the Virtual-Access interface when the VPN clients are connected. Also run "ip inspect log drop-pkt" to see if ZBF could be blocking by any chance.

Yudong Wu
Level 7

1. Not sure why you configured this:

crypto map VPN 1 ipsec-isakmp
description VPN CRYPTO MAP
set peer 10.10.10.10
set transform-set CSHIPPING_VPN
match address 104

interface FastEthernet4
crypto map VPN

It does not seem to be necessary here.

2. Not sure what version you are running; there was a bug about this:

CSCtf25508    Virtual-Access int not being released after ezvpn client disconnects

Hello,

The bug in the software was in the 12.4 version; I have version 15.0, so I hope they have fixed the problem by now. Regarding the crypto map, I erased it; it was left over from a previous configuration. I checked the routing table as well, but no reverse route appears. The client is getting the IP from the router, but in the router there is no reverse route. Can you please help me fix it?

Thank you and regards,

Lazar Sinevici MIhail

You might want to check out this bug, CSCth39861, to see if it is affecting your version.

Hi,

I couldn't find the bug on the Cisco website. Unfortunately I don't know how to fix the problem related to the reverse route, and I need some help from you guys because I'm stuck. The weird thing is that yesterday I created a VPN connection and it worked to access the resources from the LAN network, but after I disconnected and connected again it doesn't work anymore. Now I'm more confused. Please help me to fix this issue.

Hi Lazar,

Could you post the output of "show cry isa sa" and "show cry ips sa" from the router when connected to the VPN and trying to ping/access something on the internal network?

Also, try enabling "ip inspect log drop-pkt" to see if there are any packets dropped by the ZBF.

If possible, please do post the output of "show ip route" from the router as well while a client is connected. From the ZBF config, I noticed something interesting:

zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip

The source and destination zones are the same (ezvpn-zone), and it's not needed (not sure how this got into the config). Please remove the above and let me know how it goes!

Cheers,

Prapanch

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth39861

Symptom: RRI route may not be added to the routing table. This breaks connectivity with the remote peer.

Conditions: DVTI is configured on the router. In case of Cisco VPN Client connecting to the router everything works fine on first connect. RRI route isn't added for all subsequent connections.

Workaround: None. It is possible to trigger addition of the RRI route by configuring a static route to the assigned IP address once the IPSec tunnel is connected (and remove it once the session is over), but this needs to be done upon each connect. It is not possible to configure permanent static route through the virtual-template interface.

I guess this is similar to the symptom you are hitting?

CSHIPPING#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
81.196.74.225   194.187.120.219 QM_IDLE           2003 ACTIVE

IPv6 Crypto ISAKMP SA

CSHIPPING#show cry ips sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 81.196.74.225

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.3/255.255.255.255/0/0)
   current_peer 194.187.120.219 port 50961
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81.196.74.225, remote crypto endpt.: 194.187.120.219
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x4A8CC168(1250738536)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB18D8359(2978841433)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4531938/3462)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4A8CC168(1250738536)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4531942/3462)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

For Rahul,

Exactly the problem that is explained in the bug is my problem. The problem is that I can't download and upgrade to the 15.1(2)T version because I don't have access to the download section; the router was purchased through a reseller, and when I asked them to give me the product contract number they didn't know what that was, and because of that I can't even open a TAC service request.

Is there any way to get the new version or fix the problem another way?
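An added check, not part of the thread: the "show cry ips sa" output above already carries the evidence of the missing reverse route (13 packets decapsulated from the client, 0 encapsulated back), and the bug note's workaround is a per-session host route to the client's assigned address via its Virtual-Access interface. The script below parses the posted IPsec SA output together with a "show ip route" excerpt (the routing-table text is constructed here, since the poster never attached one), flags one-way SAs whose /32 is absent from the table, and prints the exact "ip route" workaround line. The "show ip route" line format and the healthy-counter variant are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Abridged from the "show cry ips sa" output posted in this thread.
IPSEC_SA = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 81.196.74.225

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.3/255.255.255.255/0/0)
   current_peer 194.187.120.219 port 50961
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
"""

# Assumed healthy variant: the router is also sending traffic back to the client.
IPSEC_SA_HEALTHY = IPSEC_SA.replace("#pkts encaps: 0,", "#pkts encaps: 13,")

# Constructed "show ip route" excerpt with NO host route for the client (the bug's symptom).
IP_ROUTE_MISSING = """\
Gateway of last resort is 81.196.74.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 81.196.74.1
C        81.196.74.0/24 is directly connected, FastEthernet4
L        81.196.74.225/32 is directly connected, FastEthernet4
C        192.168.2.0/24 is directly connected, Vlan1
L        192.168.2.1/32 is directly connected, Vlan1
"""

# Same table after the RRI (or the manual workaround) route is present.
IP_ROUTE_OK = IP_ROUTE_MISSING + "S        192.168.10.3/32 is directly connected, Virtual-Access2\n"

_IFACE = re.compile(r"\s*interface:\s*(\S+)")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Return one record per 'interface:' section: interface, remote /32 identity, packet counters."""
    sas: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            cur = {"interface": m.group(1), "remote": None, "mask": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if (m := _REMOTE.search(line)):
            cur["remote"], cur["mask"] = m.group(1), m.group(2)
        elif (m := _ENCAPS.search(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := _DECAPS.search(line)):
            cur["decaps"] = int(m.group(1))
    return sas


def has_host_route(route_text: str, ip: str, interface: str) -> bool:
    """True if the routing table holds a /32 for ip that points out the given interface."""
    pat = re.compile(rf"\b{re.escape(ip)}/32\b.*\b{re.escape(interface)}\b")
    return any(pat.search(line) for line in route_text.splitlines())


def diagnose(sa_text: str, route_text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Per client SA: (interface, client ip, reason, workaround) - workaround is None when healthy."""
    findings = []
    for sa in parse_ipsec_sa(sa_text):
        ip, iface = sa["remote"], sa["interface"]
        if ip is None or sa["mask"] != "255.255.255.255":
            continue  # only per-client /32 identities (EzVPN assigned addresses)
        one_way = sa["decaps"] > 0 and sa["encaps"] == 0
        route_ok = has_host_route(route_text, ip, iface)
        if route_ok and not one_way:
            findings.append((iface, ip, "ok", None))
            continue
        reasons = []
        if one_way:
            reasons.append("decaps>0 but encaps==0 (client traffic arrives, nothing is sent back)")
        if not route_ok:
            reasons.append(f"no {ip}/32 via {iface} in routing table")
        # The bug note's workaround: a static host route via the Virtual-Access interface,
        # added after the tunnel comes up and removed when the session ends.
        findings.append((iface, ip, "; ".join(reasons), f"ip route {ip} 255.255.255.255 {iface}"))
    return findings


if __name__ == "__main__":
    for iface, ip, reason, fix in diagnose(IPSEC_SA, IP_ROUTE_MISSING):
        print(f"{iface} {ip}: {reason}" + (f"\n  workaround: {fix}" if fix else ""))
```

The encaps/decaps asymmetry is the quickest tell: the router decrypts the client's pings but never builds a return packet, because without the reverse route the reply to 192.168.10.3 follows the default route out FastEthernet4 instead of the Virtual-Access interface. The emitted "ip route" line is the per-connect workaround from CSCth39861, not a permanent fix; the upgrade discussed below is.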

The best way would be to ask the reseller to provide the image to you. You can give them your serial number and ask them to enquire with Cisco. Or you could call the Cisco 800 number and ask them if they have a contract number for the serial number that you have, and then provide that to the reseller.

Thank you for your quick reply.

I will try to speak with them in order to solve the problem.

Regards,

Lazar Sinevici Mihail

Cool. Mark this thread as answered if the upgrade does fix the issue.

Thanks