01-13-2006 09:04 AM - edited 02-21-2020 02:11 PM
Hi!
I have a 3 hub-and-spoke network having all 3 CS2801 a L2L IPSec tunnel to the other 2 routers. I have also VPN Client connections to all 3 routers and here is where the problem begins:
- SITE A (main site) has 3 different internet links: 1 for IPSec L2L to site B, 1 for IPSec L2L to site C and the other gives regular local Internet access and is the link we use to connect the VPN Clients and we have some problems with some kind of remote connections where the local modem/router has no capability to do VPN-Relay or IPSec port forwarding.
- SITE B and C: both use just one Internet link for the 2 L2L IPSec tunnels plus the VPN Client connections and all is working fine.
After several hours of troubleshooting I have no more suggestions.
Thanks for your help.
01-19-2006 09:29 AM
Use debug commands to find the symptoms causing this problem:
debug crypto ipsec: Displays information about IPsec events.
debug crypto isakmp: Displays messages about Internet Key Exchange (IKE) events.
debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]] [rx | tx | both]: Displays the packets that hit the specified interface. This command is useful when you determine the type of traffic on the inside interface of PIX first. This command is also used to verify that the translation intended does occur.
logging buffered level: Sends syslog messages to an internal buffer that is viewed with the show logging command. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer. This command is used to view the translation that is built. Logging to the buffer must be turned on when required. Turn off logging to buffer with no logging buffer level and/or no logging on.
debug icmp trace: Shows Internet Control Message Protocol (ICMP) packet information, the source IP address, and the destination address of the packets that arrive at, depart from, and traverse the PIX Firewall. This includes pings to the PIX Firewall unit's own interfaces. Use no debug icmp trace to turn off debug icmp trace.
01-19-2006 08:11 PM
" we use to connect the VPN Clients and we have some problems with some kind of remote connections where the local modem/router has no capability to do VPN-Relay or IPSec port forwarding. "
Don't get this. Did you do a debug on the router for these VPN connections? Can you show the relevant config, please?