1190 Views, 0 Helpful, 6 Replies

GRE Over IPSec ICMP works but TCP does not

shivani.sharma
Level 1

Hello,

 

I have a GRE over IPsec (VTI) tunnel between two routers. The tunnel comes up and I am able to pass ICMP traffic, but no TCP session works. I try to initiate an SSH session to the router over the tunnel and I don't see it making it to the other end. One thing to note is that the interface on one end of the tunnel is configured with MTU 1504. I have also tried setting the MTU to 1504 on both ends, but it does not help. Can you please help me figure this out?

 

Configurations

Router 1 

 

interface GigabitEthernet0/0/0
mtu 1504
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.14
description Interface - OUTSIDE -
encapsulation dot1Q 14
ip address 10.218.146.154 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp

 

crypto isakmp policy 1
authentication pre-share
crypto isakmp key testkey address 172.31.31.18
!
!
crypto ipsec transform-set VA-VPN-TRANSFORM esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile VPN-PROFILE
! the profile must reference the transform-set by its exact name
set transform-set VA-VPN-TRANSFORM
!
interface Tunnel1
ip address 172.31.80.2 255.255.255.252
tunnel source gi0/0/0.14
tunnel destination 172.31.31.18
tunnel protection ipsec profile VPN-PROFILE

 

ip prefix-list ROUTES-TO-HUB seq 5 deny 10.218.146.152/29
ip prefix-list ROUTES-TO-HUB seq 10 permit 10.0.0.0/8 le 32
ip prefix-list ROUTES-TO-HUB seq 15 permit 172.31.0.0/16 le 32

route-map ROUTES-TO-HUB_RM permit 10
match ip address prefix-list ROUTES-TO-HUB

 

router eigrp 10
distribute-list route-map ROUTES-TO-HUB_RM out
network 10.0.0.0
network 172.31.0.0

 

ip route 0.0.0.0 0.0.0.0 10.218.146.153

 

Router 2

 

interface GigabitEthernet0/0/0
mtu 1504
no ip address
media-type rj45
negotiation auto

 

interface GigabitEthernet0/0/0.14
encapsulation dot1Q 14
ip address 172.31.31.18 255.255.255.248

 

crypto isakmp policy 1
authentication pre-share
crypto isakmp key testkey address 0.0.0.0


crypto ipsec transform-set REM-VPN-TRANFORM esp-aes esp-sha256-hmac
mode tunnel

crypto ipsec profile REM-VPN-PROFILE
set transform-set REM-VPN-TRANFORM

 

interface Tunnel1
ip address 172.31.80.1 255.255.255.252
tunnel source gi0/0/0.14
tunnel destination 10.218.146.154
tunnel protection ipsec profile REM-VPN-PROFILE

 

ip prefix-list DENY-ALL seq 5 permit 0.0.0.0/0 le 32

 

route-map ROUTES-TO-REM deny 10
match ip address prefix-list DENY-ALL

 

router eigrp 10
distribute-list route-map ROUTES-TO-REM out
network 172.31.0.0

 

 

Outputs

 

Router 1

 

sh crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.218.146.154

protected vrf: (none)
local ident (addr/mask/prot/port): (10.218.146.154/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.31.31.18/255.255.255.255/47/0)
current_peer 172.31.31.18 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
#pkts decaps: 111, #pkts decrypt: 111, #pkts verify: 111
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.218.146.154, remote crypto endpt.: 172.31.31.18
plaintext mtu 1438, path mtu 1504, ip mtu 1504, ip mtu idb GigabitEthernet0/0/0.14
current outbound spi: 0x6D97ECA1(1838673057)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xC3071437(3272021047)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2021, flow_id: ESG:21, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3516)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x582909FB(1479084539)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2023, flow_id: ESG:23, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607986/3522)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD6E7CE15(3605515797)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2022, flow_id: ESG:22, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3516)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x6D97ECA1(1838673057)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2024, flow_id: ESG:24, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607998/3522)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

 

Router2

 

sh crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 172.31.31.18

protected vrf: (none)
local ident (addr/mask/prot/port): (172.31.31.18/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.218.146.154/255.255.255.255/47/0)
current_peer 10.218.146.154 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.31.31.18, remote crypto endpt.: 10.218.146.154
plaintext mtu 1438, path mtu 1504, ip mtu 1504, ip mtu idb GigabitEthernet0/0/0.14
current outbound spi: 0x582909FB(1479084539)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD6E7CE15(3605515797)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2035, flow_id: ESG:35, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3580)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x6D97ECA1(1838673057)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2037, flow_id: ESG:37, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607999/3585)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC3071437(3272021047)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2036, flow_id: ESG:36, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/3580)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
spi: 0x582909FB(1479084539)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2038, flow_id: ESG:38, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607998/3585)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

 

 

 

Thank you.
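As an added worked example (not from the post or its replies), the arithmetic behind the "plaintext mtu 1438, path mtu 1504, ip mtu 1504" line in the output above: ESP tunnel-mode overhead for esp-aes esp-sha256-hmac reproduces 1438 from 1504 and shows how much TCP payload an inner segment can carry before the GRE packet no longer fits unfragmented. The 128-bit truncated ICV for esp-sha256-hmac and the plain 4-byte GRE header (no key or sequence options) are assumptions; the field sizes otherwise follow RFC 4303.

```python
# ESP tunnel-mode size arithmetic for the thread's GRE over IPsec tunnel.
# Field sizes are the standard RFC 4303 layout for esp-aes (AES-CBC) with
# esp-sha256-hmac; the 128-bit truncated ICV and the plain 4-byte GRE header
# (no key/sequence options in the posted config) are assumptions.
OUTER_IP_HDR = 20     # IPv4 header added by tunnel mode
ESP_HDR = 8           # SPI (4) + sequence number (4)
AES_CBC_IV = 16       # explicit IV carried in front of the ciphertext
AES_BLOCK = 16        # payload + trailer is padded to a block multiple
ESP_TRAILER = 2       # pad length (1) + next header (1)
SHA256_ICV = 16       # esp-sha256-hmac ICV, assumed truncated to 128 bits
GRE_DELIVERY_IP = 20  # IPv4 header of the GRE packet that IPsec protects
GRE_HDR = 4           # GRE header without optional fields
INNER_IP_TCP = 40     # inner IPv4 (20) + TCP (20), no options


def esp_packet_size(plaintext_len: int) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying plaintext_len bytes."""
    padded = -(-(plaintext_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return OUTER_IP_HDR + ESP_HDR + AES_CBC_IV + padded + SHA256_ICV


def plaintext_mtu(ip_mtu: int) -> int:
    """Largest GRE packet that still fits in ip_mtu after ESP encapsulation.

    For ip_mtu 1504 this matches the 'plaintext mtu 1438' figure in the
    show crypto ipsec sa output quoted in the thread.
    """
    size = ip_mtu
    while esp_packet_size(size) > ip_mtu:
        size -= 1
    return size


def max_inner_tcp_payload(ip_mtu: int) -> int:
    """Largest TCP payload an inner IPv4/TCP segment can carry without fragmentation."""
    return plaintext_mtu(ip_mtu) - GRE_DELIVERY_IP - GRE_HDR - INNER_IP_TCP


def fits_without_fragmentation(tcp_payload: int, ip_mtu: int) -> bool:
    """True if a segment with this payload fits the tunnel at ip_mtu unfragmented."""
    return tcp_payload <= max_inner_tcp_payload(ip_mtu)


if __name__ == "__main__":
    for mtu in (1500, 1504):
        print(f"ip mtu {mtu}: plaintext mtu {plaintext_mtu(mtu)}, "
              f"max inner TCP payload {max_inner_tcp_payload(mtu)}")
    # A small echo request fits; a full 1460-byte segment from a 1500-MTU host does not.
    print(fits_without_fragmentation(100, 1504), fits_without_fragmentation(1460, 1504))
```

The same 1438 falls out for an ip mtu of 1500, because the AES block padding absorbs the extra 4 bytes, so raising the physical MTU from 1500 to 1504 does not change how much plaintext fits. A 100-byte echo request fits comfortably, while a full 1460-byte TCP segment from a host with a 1500-byte MTU exceeds the 1374-byte payload budget.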

6 Replies

@shivani.sharma 

Is the tunnel up? Please provide the output of "show crypto ipsec sa"

How are you testing?

Do you have static routes defined on both ends?

Do you have an ACL configured?

Hello Rob,

 

I have updated the original post and added the interface configurations and routing. I am running EIGRP over the tunnel, so Router 2 gets the routes using EIGRP and Router 1 has a static default route. There is no ACL configured. I am testing using a computer behind Router 2. I am able to ping Router 1, 172.31.65.129, from the computer, but I cannot establish an SSH session to Router 1. I am able to SSH to Router 1 from the computer when I shut down the tunnel.

 

Thanks.

The tunnel looks OK. Ideally you test a VPN by sending traffic through the VPN (between devices behind the VPN devices), not to the VPN headend device.

 

Do you have any NAT configuration?

 

Is there an ACL configured on the VTY lines on Router 1?

Rob,

 

There is no NAT configuration on either end. Yes, there is an ACL on the Router 1 VTY lines, but it allows the host the SSH is coming from. I had also tested from behind the router. I had a laptop connected behind Router 1 which was trying to browse some web pages, and that did not work either; it worked when the tunnel was shut down.

 

Any ideas how can I further troubleshoot this?

 

Thanks.

Provide your full configuration and "show ip route" from both routers, because nothing is obvious from just your VPN and routing configuration.

 

Run a packet capture, generate traffic, provide output.

I will try to get some packet captures. But I also have a switch behind Router 1. Its IP address is 172.31.65.130. I can ping and SSH to this switch when the tunnel is down. When I bring the tunnel up I can ping the switch but cannot SSH. I also have console sessions to Router 1 and the switch behind it. When the tunnel is up I run debug ip ssh on Router 1 and the switch, but I don't see any SSH requests making it.

 

Thanks