ghost vpn tunnel

dreams_as_money
Level 1

Hi mate

How are you feeling today?

Could someone assist me?

I have a 2811 router which has a site-to-site VPN via the internet.

When I check sh cry sess it shows me a tunnel which I didn't recognise.

It's the third time that I see such a tunnel; it appears like a ghost and disappears.

During troubleshooting there is no sign of that tunnel.

Could someone explain what causes such a tunnel to appear on my router and how to prevent such problems?

Interface: FastEthernet0/0.2       (site-to-site via internet)
Session status: UP-ACTIVE
Peer: ********** port 500
  IKEv1 SA: local ***********/500 remote ***********/500 Active
  IPSEC FLOW: permit ip *****************/255.255.255.248 host **********
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0.3       (site-to-site via leased line)
Session status: UP-IDLE
Peer: ********** port 500
  IKEv1 SA: local ********/500 remote **********/500 Active
  IPSEC FLOW: permit ip host ************ host ************
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0.2       Ghost tunnel
Session status: DOWN-NEGOTIATING
Peer:*********** port 500
  IKEv1 SA: local*********/500 remote **********/500 Inactive

Thanks

Accepted Solution

Herbert Baerten
Cisco Employee

G'day mate

Well, without having a look at the config and "debug crypto isakmp" output I can only guess, but it seems like a reasonable explanation that someone is attempting to build a tunnel to you (but failing - note the session status).

This could be a misconfiguration (i.e. someone punched in your IP address on his router/VPN client by mistake) or it could be caused by someone with malicious intent (i.e. either probing your IP address for open ports, or probing a large address space to find systems with UDP500 open, or possibly someone is trying to DoS you).

You could:

- try to find out who owns the IP address mentioned in the "Peer:***********" field and contact them to see what's going on.

- apply an ACL on your outside interface that drops all UDP500 except when coming from the legitimate L2L peer (assuming you only have this L2L tunnel, no legitimate clients connecting to you). Or for more fancy options, have a look here:

http://www.cisco.com/en/US/products/products_security_response09186a00806f33d4.html (specifically the section "Device-Specific Mitigation and Identification").

hth

Herbert

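As an added example (not from the thread, and not Cisco's code), the script below parses output in the same layout as the `sh cry sess` listing in the question, flags any session whose peer is not on an allowlist of configured peers (the half-open DOWN-NEGOTIATING entry from an unknown address is exactly the "ghost tunnel" above), and emits a sketch of the UDP/500 filter Herbert suggests. The sample output, the addresses and the KNOWN_PEERS allowlist are constructed; the ACL name OUTSIDE-IN is hypothetical, and the generated lines would have to be merged with whatever policy already sits on the outside interface rather than applied as-is.

```python
"""Flag unexpected IKE peers in `show crypto session` output and sketch the
UDP/500 filter suggested in the thread.

Added example, not from the thread. The sample output is constructed to
match the layout in the question, using documentation addresses in place
of the redacted ones; KNOWN_PEERS is an assumed allowlist.
"""
from dataclasses import dataclass

# Constructed sample in the same layout as the question's `sh cry sess` output.
SAMPLE_OUTPUT = """\
Interface: FastEthernet0/0.2
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 500
  IKEv1 SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.248 host 10.2.2.2
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0.3
Session status: UP-IDLE
Peer: 192.0.2.20 port 500
  IKEv1 SA: local 198.51.100.2/500 remote 192.0.2.20/500 Active
  IPSEC FLOW: permit ip host 10.1.1.1 host 10.3.3.3
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0.2
Session status: DOWN-NEGOTIATING
Peer:203.0.113.99 port 500
  IKEv1 SA: local198.51.100.1/500 remote 203.0.113.99/500 Inactive
"""

# Assumed allowlist: the two configured crypto-map peers (constructed values).
KNOWN_PEERS = {"203.0.113.10", "192.0.2.20"}


@dataclass
class Session:
    interface: str
    status: str = ""
    peer: str = ""
    ike_state: str = ""


def parse_sessions(text: str) -> list[Session]:
    """Line-oriented parser: each 'Interface:' line starts a new session block.
    Tolerates the missing space after 'Peer:' / 'local' seen in the ghost entry."""
    sessions: list[Session] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            current = Session(interface=line.split(":", 1)[1].split()[0])
            sessions.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("Session status:"):
            current.status = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            current.peer = line.split(":", 1)[1].split()[0]
        elif line.startswith("IKEv1 SA:"):
            current.ike_state = line.split()[-1]  # Active / Inactive
    return sessions


def unexpected_peers(sessions, known_peers) -> list[Session]:
    """Sessions whose peer is not a configured one: a DOWN-NEGOTIATING entry
    from an unknown address is the 'ghost tunnel' pattern from the question."""
    return [s for s in sessions if s.peer and s.peer not in known_peers]


def build_ike_acl(name: str, known_peers) -> list[str]:
    """Sketch of the reply's mitigation: allow IKE (UDP/500) only from the known
    L2L peers, drop it from everyone else, leave other traffic untouched.
    Hypothetical ACL name; adapt to the existing outside-interface policy
    (e.g. NAT-T on UDP/4500 if it is in use) before applying."""
    lines = [f"ip access-list extended {name}"]
    for peer in sorted(known_peers):
        lines.append(f" permit udp host {peer} any eq isakmp")
    lines.append(" deny udp any any eq isakmp")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    for s in unexpected_peers(found, KNOWN_PEERS):
        print(f"unexpected IKE peer {s.peer} on {s.interface}: {s.status} ({s.ike_state})")
    print("\n".join(build_ike_acl("OUTSIDE-IN", KNOWN_PEERS)))
```

Running it against the constructed sample reports only the third session (peer 203.0.113.99, DOWN-NEGOTIATING, Inactive); the two configured peers are silent. The same parser can be run periodically against live output to catch the entry while it is still present, which is the piece the original troubleshooting missed because the session had already disappeared.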

2 Replies


Thanks bro