
FlexVPN Cannot Ping From Spoke LAN only

John McNumara
Level 1

Topology:

Hub:

(hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP

Spoke:

(hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP

--

I have full reachability from both routers. 

Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0

Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1

Partial reachability from lan hosts

Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)

Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24

Any help would be appreciated

7 Replies

Tarik Admani
VIP Alumni

Are you sending ip any any in your route ACL? Also, do you have the route set interface keyword?

That should help bring your EIGRP process up if it wasn't working before.

Also are you using a fvrf or are you using the global routing table?


Sent from Cisco Technical Support Android App

Tarik,

Thanks for the response. 

I am using route set on both the hub and spoke

Not using any any in my ACLs

EIGRP was up with routes exchanged fine

I removed EIGRP and tried with just static routes without success

No FVRF

John McNumara
Level 1

If I remove EIGRP and use static routes, I get the same result. Traffic physically originating from the spoke LAN cannot ping past the negotiated IP on the spoke's Tunnel0 interface. However, an extended ping with source vlan1 (the spoke's LAN) is able to ping across the tunnel just fine.

I follow the problem you are running into now, I thought I was reading a different thread on my phone.

Anyway, are you using zone-based firewall? How does your NAT configuration look for both hub and spoke? Can you post those configs?

Thanks,

Tarik Admani
*Please rate helpful posts*

We've been working with these configs for a while, so they aren't as clean as they could be, but here they are:

-------------

---HUB---

-------------

version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HUB
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
!
aaa new-model
!
!
aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
 server-private 10.0.1.15 key xxxxx
!
aaa authentication login default local
aaa authentication login xxxxxVPN_VPN_XAUTH local
aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
aaa authorization exec default local
aaa authorization network default local
aaa authorization network xxxxxVPN_VPN_GROUP local
aaa authorization network FLEXVPN_AUTH-Z_LIST local
!
!
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
!
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name xxxxx.net
ip name-server 166.102.165.13
ip name-server 166.102.165.11
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN_GROUP
!
!
key chain EIGRP_KEY_CHAIN
 key 1
  key-string xxxxx
!
crypto pki trustpoint FLEXVPN_RA_TP
 enrollment terminal
 serial-number none
 fqdn vpn.xxxxx.net
 ip-address none
 subject-name cn=vpn.xxxxx.net
 revocation-check crl
 eckeypair FLEXVPN_RA_TP-Key
!
!
crypto pki certificate chain FLEXVPN_RA_TP
 certificate 460000.. nvram:xxxxx#2.cer
 certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
license udi pid CISCO1921/K9 sn xxxxx
!
!
archive
 path ftp://xxxxx
 write-memory
username xxxxx privilege 15 password xxxxx
!
redundancy
crypto ikev2 authorization policy default
 pool FLEX_SPOKES_POOL
 route set interface
!
crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
 pool FLEXVPN_RA_POOL
 dns 10.0.1.15
 netmask 255.255.255.0
 def-domain xxxxx.net
 route set access-list FLEXVPN_RA_ACL
!
crypto ikev2 proposal SHA1-only
 encryption aes-cbc-256
 integrity sha1
 group 5
!
crypto ikev2 policy SHA1-only
 match fvrf any
 proposal SHA1-only
!
crypto ikev2 keyring FLEX_KEY
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key local xxxxx
  pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile FLEX_IKEv2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX_KEY
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
 match identity remote key-id xxxxx.net
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint FLEXVPN_RA_TP
 dpd 60 2 on-demand
 aaa authentication eap FLEXVPN_AUTH-C_LIST
 aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
 virtual-template 10
!
crypto ikev2 dpd 30 5 on-demand
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto logging session
!
crypto isakmp client configuration group xxxxxVPN
 key xxxxx
 pool xxxxxVPN_POOL
 acl xxxxxVPN_ACL
 netmask 255.255.255.0
crypto isakmp profile xxxxxVPN_IKE_PROFILE
   match identity group xxxxxVPN
   client authentication list xxxxxVPN_VPN_XAUTH
   isakmp authorization list xxxxxVPN_VPN_GROUP
   client configuration address respond
   virtual-template 100
!
!
crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
 set transform-set xxxxxVPN_SET
 set isakmp-profile xxxxxVPN_IKE_PROFILE
!
crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
 set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
!
crypto ipsec profile default
 set transform-set IKEv2
 set ikev2-profile FLEX_IKEv2
!
!
!
!
!
!
interface Loopback100
 ip address 172.31.100.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type tunnel
 description FlexVPN hub-to-spokes
 ip unnumbered Loopback100
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface Virtual-Template10 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
!
interface Dialer0
 mtu 1492
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1450
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxx@windstream.net
 ppp chap password xxxxx
 ppp pap sent-username xxxxx@windstream.net password xxxxx
 no cdp enable
!
!
router eigrp 1
 distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
 network 10.0.1.0 0.0.0.255
 network 172.30.200.0 0.0.0.255
 network 172.31.100.1 0.0.0.0
 passive-interface GigabitEthernet0/0
!
ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.30.200.0 255.255.255.0 Null0
!
ip access-list standard FLEXVPN_RA_ACL
 permit 10.0.1.0 0.0.0.255
 permit 10.0.2.0 0.0.0.255
 permit 10.0.3.0 0.0.0.255
 permit 10.0.4.0 0.0.0.255
ip access-list standard MGMT_ACL
 permit 172.30.200.0 0.0.0.255
 permit 172.31.254.0 0.0.0.255
 permit 10.0.1.0 0.0.0.255
!
ip access-list extended xxxxxVPN_ACL
 permit ip 172.30.255.0 0.0.0.255 any
 permit ip 10.0.1.0 0.0.0.255 any
 permit ip 172.31.254.0 0.0.0.255 any
!
!
ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
access-list 1 permit 10.0.1.0 0.0.0.255
!
route-map EIGRP_SUMMARY_RMAP permit 10
 match ip address prefix-list EIGRP_SUMMARY_PFLIST
!
!
!
!
!
control-plane
!
!
banner motd  Cxxxxx
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class MGMT_ACL in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 transport input all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org prefer
!
end

-----------------

---SPOKE---

----------------

version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M5.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
no ip bootp server
ip domain name xxxxx.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
key chain EIGRP_KEY_CHAIN
 key 1
  key-string xxxxx
license udi pid CISCO881-SEC-K9 sn FTX1740854N
!
!
archive
 path ftp://xxxxx
 write-memory
username xxxxx privilege 15 password xxxxx
crypto ikev2 authorization policy default
 route set interface
!
!
!
crypto ikev2 keyring FLEX_KEY
 peer ALL
  address 0.0.0.0 0.0.0.0
  pre-shared-key local xxxxx
  pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile FLEX_IKEv2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX_KEY
 aaa authorization group psk list default default
 virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto ipsec transform-set IKEv2 esp-gcm
 mode transport
!
crypto ipsec profile default
 set transform-set IKEv2
 set ikev2-profile FLEX_IKEv2
!
!
!
!
!
!
interface Loopback101
 ip address 172.31.101.3 255.255.255.255
!
interface Tunnel0
 description FlexVPN tunnel
 ip address negotiated
 ip mtu 1400
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Vlan1
 tunnel destination x.x.x.x
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address dhcp
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 description FlexVPN spoke-to-spoke
 ip unnumbered Loopback101
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel protection ipsec profile default
!
interface Vlan1
 ip address 10.0.3.1 255.255.255.0
 ip helper-address 10.0.1.15
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list standard INTERNET_BOUND_ACL
 permit 10.0.3.0 0.0.0.255
ip access-list standard MGMT_ACL
 permit 172.30.255.0 0.0.0.255
 permit 172.31.100.0 0.0.0.255
 permit 10.0.1.0 0.0.0.255
 permit 10.0.3.0 0.0.0.255
 permit 172.30.200.0 0.0.0.255
!
access-list 99 permit 10.0.3.0
!
!
!
!
control-plane
!
!
banner motd  xxxxx
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class MGMT_ACL in
 privilege level 15
 transport input telnet ssh
!
ntp update-calendar
ntp server 0.pool.ntp.org prefer
ntp server 1.pool.ntp.org
!
end

John,

Let's give this NAT configuration a shot:

Hub

remove

ip nat inside source list 1 interface Dialer0 overload

add

ip access-list extended NAT-hub
 deny   ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
route-map NATMAP-h permit 10
 match ip address NAT-hub
ip nat inside source route-map NATMAP-h interface Dialer0 overload

On the spoke, let's shoot for this:

remove

ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload

ip access-list extended NAT-spoke
 deny   ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 10.0.3.0 0.0.0.255 any
route-map NATMAP-s permit 10
 match ip address NAT-spoke
ip nat inside source route-map NATMAP-s interface FastEthernet4 overload

Drop your tunnel on the remote end by shutting and no-shutting the interface and see how things turn out.

Tarik Admani
*Please rate helpful posts*
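As an added example that is not part of the thread, the following Python script is a first-match evaluator for the IOS NAT access lists posted above. It models why the spoke's original `permit 10.0.3.0 0.0.0.255` list translates spoke-LAN-to-hub-LAN traffic while the proposed deny-before-permit list exempts it; the host addresses and the 203.0.113.9 internet destination used for testing are constructed.

```python
import ipaddress

# Added example (not from the thread): a first-match evaluator for the IOS NAT
# ACLs quoted above. Sample flow addresses used in the assertions are constructed.

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (e.g. 10.0.3.0 0.0.0.255) into a network (contiguous wildcards only)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _take_address(fields):
    """Consume one address term ('any', 'host A.B.C.D' or 'addr wildcard')."""
    if fields[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), fields[1:]
    if fields[0] == "host":
        return ipaddress.IPv4Network(fields[1] + "/32"), fields[2:]
    return wildcard_to_network(fields[0], fields[1]), fields[2:]

def parse_acl(text):
    """Parse standard ('permit src wc') and extended ('permit ip src wc dst wc') ACEs
    into (action, src_net, dst_net) tuples, in configured order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip 'ip access-list ...' headers, remarks and blank lines
        # A standard ACE names only the source; treat its destination as 'any'.
        fields = tokens[2:] if tokens[1] == "ip" else tokens[1:] + ["any"]
        src, fields = _take_address(fields)
        dst, _ = _take_address(fields)
        entries.append((tokens[0], src, dst))
    return entries

def nat_applies(entries, src, dst):
    """First matching ACE decides: permit -> packet is translated,
    deny or no match (implicit deny) -> packet is left untouched."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

# Spoke NAT ACLs as posted: the original standard list and the proposed
# route-map list that exempts spoke-LAN-to-hub-LAN traffic before the permit.
SPOKE_BEFORE = "permit 10.0.3.0 0.0.0.255"
SPOKE_AFTER = """
deny   ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.3.0 0.0.0.255 any
"""
```

Feed it the hub's `access-list 1` and `NAT-hub` lines the same way to confirm the hub side exempts 10.0.1.0/24 to 10.0.3.0/24 before translating internet-bound traffic.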

I have been on vacation and my team just rolled back to DMVPN.  I am going to have a similar project within a month or so, and will try the exact same settings to see if this fixes it and let you know.

Thanks again!