01-05-2014 08:06 PM - edited 02-21-2020 07:25 PM
Topology:
Hub:
(hub lan: 10.0.1.0/24) > (lan int [ip nat inside], g0/0: 10.0.1.1) > (flex interface, loopback100: 172.31.100.1) > (flex virtual interface, Virtual-Template1: ip unnumbered loopback100) > (wan int [ip nat outside], dialer0 - g0/1) > ISP
Spoke:
(hub lan: 10.0.3.0/24) > (lan int [ip nat inside], vlan1: 10.0.3.1) > (flex interface, Tunnel0 ip address negotiated, tunnel source vlan 1) > (wan int, dialer0 [ip nat inside] - f0/4) > ISP
--
I have full reachability from both routers.
Hub router can ping 172.31.100.x, 10.0.3.1 and hosts on 10.0.3.0/24 via standard ping, or extended and sourced from 10.0.1.1 or g0/0
Spoke router can ping 172.31.100.1, 10.0.1.1 and hosts on 10.0.1.0/24 via standard ping, or extended and sourced from 10.0.3.1 or vlan1
Partial reachability from lan hosts
Hub hosts can ping 172.31.100.x and 10.0.3.1, but not hosts on 10.0.3.0/24 (Possibly because host cannot reply to echo request?)
Spoke hosts cannot ping 172.31.100.1, 10.0.1.1 or hosts on 10.0.1.0/24
Any help would be appreciated
01-05-2014 10:41 PM
Are you sending ip any any in your route acl? Also, do you have the route set interface keyword?
That should help bring your eigrp process up if it wasn't working before.
Also are you using a fvrf or are you using the global routing table?
Sent from Cisco Technical Support Android App
01-05-2014 10:49 PM
Tarik,
Thanks for the response.
I am using route set on both the hub and spoke
Not using any any in my ACLs
EIGRP was up with routes exchanged fine
I removed EIGRP and tried with just static routes without success
No FVRF
01-05-2014 10:45 PM
If I remove EIGRP and use static routes, I get the same result. Traffic physically originating from the spoke LAN cannot ping past the negotiated IP on the spoke's Tunnel0 interface. However, an extended ping sourced from vlan1 (the spoke's LAN) is able to ping across the tunnel just fine.
01-05-2014 11:10 PM
I follow the problem you are running into now; I thought I was reading a different thread on my phone.
Anyways, are you using zone based firewall? How does your NAT configuration look for both hub and spoke? Can you post those configs?
Thanks,
Tarik Admani
*Please rate helpful posts*
01-06-2014 06:33 AM
We've been working with these confs for a while, so they aren't as clean as they could be, but here they are
-------------
---HUB---
-------------
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HUB
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.152-4.M5.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
!
aaa new-model
!
!
aaa group server radius FLEXVPN_AUTH-C_SERVER_GROUP
server-private 10.0.1.15 key xxxxx
!
aaa authentication login default local
aaa authentication login xxxxxVPN_VPN_XAUTH local
aaa authentication login FLEXVPN_AUTH-C_LIST group FLEXVPN_AUTH-C_SERVER_GROUP
aaa authorization exec default local
aaa authorization network default local
aaa authorization network xxxxxVPN_VPN_GROUP local
aaa authorization network FLEXVPN_AUTH-Z_LIST local
!
!
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
!
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name xxxxx.net
ip name-server 166.102.165.13
ip name-server 166.102.165.11
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group VPN_GROUP
!
!
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
!
crypto pki trustpoint FLEXVPN_RA_TP
enrollment terminal
serial-number none
fqdn vpn.xxxxx.net
ip-address none
subject-name cn=vpn.xxxxx.net
revocation-check crl
eckeypair FLEXVPN_RA_TP-Key
!
!
crypto pki certificate chain FLEXVPN_RA_TP
certificate 460000.. nvram:xxxxx#2.cer
certificate ca 59A43A15.. nvram:xxxxx#BC60CA.cer
license udi pid CISCO1921/K9 sn xxxxx
!
!
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
!
redundancy
crypto ikev2 authorization policy default
pool FLEX_SPOKES_POOL
route set interface
!
crypto ikev2 authorization policy FLEXVPN_RA_LOCAL_POLICY
pool FLEXVPN_RA_POOL
dns 10.0.1.15
netmask 255.255.255.0
def-domain xxxxx.net
route set access-list FLEXVPN_RA_ACL
!
crypto ikev2 proposal SHA1-only
encryption aes-cbc-256
integrity sha1
group 5
!
crypto ikev2 policy SHA1-only
match fvrf any
proposal SHA1-only
!
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
!
crypto ikev2 profile FLEXVPN_RA_IKEv2_PROFILE
match identity remote key-id xxxxx.net
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint FLEXVPN_RA_TP
dpd 60 2 on-demand
aaa authentication eap FLEXVPN_AUTH-C_LIST
aaa authorization group eap list FLEXVPN_AUTH-Z_LIST FLEXVPN_RA_LOCAL_POLICY
virtual-template 10
!
crypto ikev2 dpd 30 5 on-demand
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto logging session
!
crypto isakmp client configuration group xxxxxVPN
key xxxxx
pool xxxxxVPN_POOL
acl xxxxxVPN_ACL
netmask 255.255.255.0
crypto isakmp profile xxxxxVPN_IKE_PROFILE
match identity group xxxxxVPN
client authentication list xxxxxVPN_VPN_XAUTH
isakmp authorization list xxxxxVPN_VPN_GROUP
client configuration address respond
virtual-template 100
!
!
crypto ipsec transform-set xxxxxVPN_SET esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
!
crypto ipsec profile xxxxxVPN_IPSEC_PROFILE
set transform-set xxxxxVPN_SET
set isakmp-profile xxxxxVPN_IKE_PROFILE
!
crypto ipsec profile FLEXVPN_RA_IPSEC_PROFILE
set ikev2-profile FLEXVPN_RA_IKEv2_PROFILE
!
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
!
!
!
!
!
!
interface Loopback100
ip address 172.31.100.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type tunnel
description FlexVPN hub-to-spokes
ip unnumbered Loopback100
ip mtu 1400
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
tunnel path-mtu-discovery
tunnel protection ipsec profile default
!
interface Virtual-Template10 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile FLEXVPN_RA_IPSEC_PROFILE
!
interface Dialer0
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx@windstream.net
ppp chap password xxxxx
ppp pap sent-username xxxxx@windstream.net password xxxxx
no cdp enable
!
!
router eigrp 1
distribute-list EIGRP_SUMMARY_PFLIST out Virtual-Template1
network 10.0.1.0 0.0.0.255
network 172.30.200.0 0.0.0.255
network 172.31.100.1 0.0.0.0
passive-interface GigabitEthernet0/0
!
ip local pool xxxxxVPN_POOL 172.30.255.1 172.30.255.254
ip local pool FLEX_SPOKES_POOL 172.31.100.10 172.31.100.254
ip local pool FLEXVPN_RA_POOL 172.30.200.1 172.30.200.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.30.200.0 255.255.255.0 Null0
!
ip access-list standard FLEXVPN_RA_ACL
permit 10.0.1.0 0.0.0.255
permit 10.0.2.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 10.0.4.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.200.0 0.0.0.255
permit 172.31.254.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
!
ip access-list extended xxxxxVPN_ACL
permit ip 172.30.255.0 0.0.0.255 any
permit ip 10.0.1.0 0.0.0.255 any
permit ip 172.31.254.0 0.0.0.255 any
!
!
ip prefix-list EIGRP_SUMMARY_PFLIST seq 10 permit 10.0.1.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 20 permit 172.30.200.0/24
ip prefix-list EIGRP_SUMMARY_PFLIST seq 30 permit 172.31.100.1/32
access-list 1 permit 10.0.1.0 0.0.0.255
!
route-map EIGRP_SUMMARY_RMAP permit 10
match ip address prefix-list EIGRP_SUMMARY_PFLIST
!
!
!
!
!
control-plane
!
!
banner motd Cxxxxx
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
line vty 5 15
transport input all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.pool.ntp.org
ntp server 0.pool.ntp.org prefer
!
end
-----------------
---SPOKE---
----------------
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M5.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
clock calendar-valid
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
no ip bootp server
ip domain name xxxxx.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 4.2.2.1
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
key chain EIGRP_KEY_CHAIN
key 1
key-string xxxxx
license udi pid CISCO881-SEC-K9 sn FTX1740854N
!
!
archive
path ftp://xxxxx
write-memory
username xxxxx privilege 15 password xxxxx
crypto ikev2 authorization policy default
route set interface
!
!
!
crypto ikev2 keyring FLEX_KEY
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile FLEX_IKEv2
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local FLEX_KEY
aaa authorization group psk list default default
virtual-template 1
!
crypto ikev2 dpd 30 5 on-demand
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
!
crypto ipsec profile default
set transform-set IKEv2
set ikev2-profile FLEX_IKEv2
!
!
!
!
!
!
interface Loopback101
ip address 172.31.101.3 255.255.255.255
!
interface Tunnel0
description FlexVPN tunnel
ip address negotiated
ip mtu 1400
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
ip tcp adjust-mss 1360
delay 1000
tunnel source Vlan1
tunnel destination x.x.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile default
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
no ip unreachables
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
description FlexVPN spoke-to-spoke
ip unnumbered Loopback101
ip nhrp network-id 1
ip nhrp shortcut virtual-template 1
ip nhrp redirect
tunnel protection ipsec profile default
!
interface Vlan1
ip address 10.0.3.1 255.255.255.0
ip helper-address 10.0.1.15
no ip unreachables
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list standard INTERNET_BOUND_ACL
permit 10.0.3.0 0.0.0.255
ip access-list standard MGMT_ACL
permit 172.30.255.0 0.0.0.255
permit 172.31.100.0 0.0.0.255
permit 10.0.1.0 0.0.0.255
permit 10.0.3.0 0.0.0.255
permit 172.30.200.0 0.0.0.255
!
access-list 99 permit 10.0.3.0
!
!
!
!
control-plane
!
!
banner motd xxxxx
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class MGMT_ACL in
privilege level 15
transport input telnet ssh
!
ntp update-calendar
ntp server 0.pool.ntp.org prefer
ntp server 1.pool.ntp.org
!
end
01-06-2014 11:45 PM
John,
Let's give this NAT configuration a shot:
Hub
remove
ip nat inside source list 1 interface Dialer0 overload
add
ip access-list extended NAT-hub
deny ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
permit ip 10.0.1.0 0.0.0.255 any
route-map NATMAP-h permit 10
match ip address NAT-hub
ip nat inside source route-map NATMAP-h interface Dialer0 overload
On the spoke let's shoot for this -
remove
ip nat inside source list INTERNET_BOUND_ACL interface FastEthernet4 overload
ip access-list extended NAT-spoke
deny ip 10.0.3.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.3.0 0.0.0.255 any
route-map NATMAP-s permit 10
match ip address NAT-spoke
ip nat inside source route-map NATMAP-s interface FastEthernet4 overload
Drop your tunnel on the remote end by shutting and no shutting the interface and see how things turn out.
Tarik Admani
*Please rate helpful posts*
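An added example (not part of the thread, and Python rather than IOS) that models how the NAT access-lists above classify a flow: first-match evaluation with IOS wildcard masks, comparing the hub's original standard list (access-list 1, source-only) with the suggested extended NAT-hub list, whose deny entry acts as a NAT exemption so hub-LAN to spoke-LAN traffic enters the tunnel untranslated. The host addresses are constructed sample values.

```python
"""Simulate IOS NAT access-list evaluation for the hub configuration in this thread.

Added example, not from the thread: models first-match ACL evaluation with
IOS wildcard masks and compares the posted 'access-list 1 permit 10.0.1.0
0.0.0.255' with the suggested extended list NAT-hub.
"""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny.

    Entries are (action, src_net, src_wc, dst_net, dst_wc). A standard ACL
    checks only the source, so its destination is modelled as 'any'.
    """
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")

# Posted hub config: access-list 1 permit 10.0.1.0 0.0.0.255 (standard, source only)
HUB_ACL_1 = [("permit", "10.0.1.0", "0.0.0.255", *ANY)]

# Suggested replacement: ip access-list extended NAT-hub
NAT_HUB = [
    ("deny", "10.0.1.0", "0.0.0.255", "10.0.3.0", "0.0.0.255"),  # NAT exemption
    ("permit", "10.0.1.0", "0.0.0.255", *ANY),                   # Internet-bound
]


def will_nat(acl, src: str, dst: str) -> bool:
    """'ip nat inside source' translates a flow only when its list/route-map permits it."""
    return acl_permits(acl, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: a hub LAN host to a spoke LAN host, and to the Internet.
    for src, dst in [("10.0.1.50", "10.0.3.50"), ("10.0.1.50", "8.8.8.8")]:
        print(f"{src} -> {dst}: access-list 1 NAT={will_nat(HUB_ACL_1, src, dst)}"
              f", NAT-hub NAT={will_nat(NAT_HUB, src, dst)}")
```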
01-10-2014 01:37 PM
I have been on vacation and my team just rolled back to DMVPN. I am going to have a similar project within a month or so, and will try the exact same settings to see if this fixes it and let you know.
Thanks again!