08-04-2011 10:17 PM
Hi mate,
How are you feeling today?
Could someone assist me?
I have a 2811 router which has a site-to-site VPN via the internet.
When I check "sh cry sess" it shows me a tunnel which I didn't recognise.
It's the third time that I have seen such a tunnel; it appears like a ghost and disappears.
During troubleshooting there is no sign of that tunnel.
Could someone explain what causes such a tunnel to appear in my router and how to prevent such problems?
Interface: FastEthernet0/0.2 (site-to-site via internet)
Session status: UP-ACTIVE
Peer: ********** port 500
IKEv1 SA: local ***********/500 remote ***********/500 Active
IPSEC FLOW: permit ip *****************/255.255.255.248 host **********
Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0.3 (site-to-site via leased line)
Session status: UP-IDLE
Peer: ********** port 500
IKEv1 SA: local ********/500 remote **********/500 Active
IPSEC FLOW: permit ip host ************ host ************
Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0.2 (ghost tunnel)
Session status: DOWN-NEGOTIATING
Peer: *********** port 500
IKEv1 SA: local *********/500 remote **********/500 Inactive
Thanks
08-07-2011 01:31 AM
G'day mate
Well, without having a look at the config and "debug crypto isakmp" output I can only guess, but it seems like a reasonable explanation that someone is attempting to build a tunnel to you (but failing - note the session status).
This could be a misconfiguration (e.g. someone punched in your IP address on his router/VPN client by mistake) or it could be caused by someone with malicious intent (e.g. either probing your IP address for open ports, or probing a large address space to find systems with UDP 500 open, or possibly someone is trying to DoS you).
You could:
- try to find out who owns the IP address mentioned in the "Peer:***********" field and contact them to see what's going on.
- apply an ACL on your outside interface that drops all UDP 500 except when coming from the legitimate L2L peer (assuming you only have this L2L tunnel, no legitimate clients connecting to you). Or for more fancy options, have a look here:
http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html (specifically the section "Device-Specific Mitigation and Identification").
hth
Herbert
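The ACL Herbert suggests, written out in IOS syntax as an added example (it is not from the original thread). The addresses are placeholders, since the post masks the real ones: 198.51.100.1 stands for this router's outside address on FastEthernet0/0.2 and 203.0.113.10 for the legitimate L2L peer; the ACL name OUTSIDE-IN is likewise an assumption.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   198.51.100.1 = this router's outside address (FastEthernet0/0.2)
!   203.0.113.10 = the legitimate site-to-site (L2L) peer
ip access-list extended OUTSIDE-IN
 remark IKE (UDP/500) is accepted only from the legitimate L2L peer
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 remark Drop and log every other IKE attempt so the "ghost" peer shows up in syslog
 deny   udp any host 198.51.100.1 eq isakmp log
 remark Everything else is left as it was (ESP, IP protocol 50, is not touched)
 permit ip any any
!
interface FastEthernet0/0.2
 ip access-group OUTSIDE-IN in
```

Once applied, the deny line's hit counter in "show ip access-lists OUTSIDE-IN" and the %SEC-6-IPACCESSLOGP syslog messages tell you the source address and how often it retries, which also answers the "who is it" question without needing "debug crypto isakmp" running. Only one inbound ACL can be applied per interface, so merge these entries into whatever inbound ACL FastEthernet0/0.2 already carries rather than replacing it. If the real peer sits behind NAT and negotiates with NAT-T (an assumption; the post does not say), UDP/4500 needs the same permit/deny pair.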
08-15-2011 02:04 AM
Thanks bro