INTERNET is not working while VPN ON

CSCO11638397
Beginner

Hi,

I have been working to resolve an issue on a Cisco Easy VPN network extension for a week. While the VPN is connected, the Internet is not working. I thought it was from the remote side; now I believe it might be a server-side configuration issue, because I have tried the same config for the remote side in several places and the Internet is lost for the user. I can still ping 4.2.2.2 from the router itself. Please help me to solve this issue.

HO Router config


!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 15
ip cef
!
!
!
!

!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Head-office
key pass123
pool ippool
acl 101
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address xx.xx.xx.xy 255.255.255.248
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.0.166 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 10.10.10.10 10.10.10.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.yx
!

ip http server
ip http secure-server
ip dns server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any log
access-list 111 deny ip host 192.168.0.16 any
access-list 111 deny ip host 192.168.0.16 any log
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
access-list 133 deny ip host 192.168.0.16 10.10.10.0 0.0.0.255
!

Remote office

Router#show run
Building configuration...

Current configuration : 2243 bytes
!
! Last configuration change at 08:34:12 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 6Uhgk1ATmwo4j3eoSZScCqsB/Q1llvengtFuqfN8mh6
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip name-server m
ip name-server m
no ipv6 cef
!
!
!
username user password 0 cisco
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
connect auto
group Head-office key pass123
mode network-extension
peer xx.xx.xx.xy
username user password cisco
xauth userid mode local
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.200.192.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn REMOTE-OFFICE-VPN inside
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname xxxxxxx
ppp chap password 0 yyyyy
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 120 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 120 deny ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.200.192.0 0.0.0.255 any

Note: no issue when using the VPN client software.
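The head-office configuration above relies on two access-lists agreeing with each other: ACL 101 (the split-tunnel list pushed to the client) decides which destinations go through the tunnel, and ACL 111 (the `ip nat inside source list`) must deny those same pairs so that replies to the remote site are not PAT'd out FastEthernet0/0 in the clear. The following script is an added example, not code from the original post or from Cisco; it embeds the posted access-lists as constructed input, parses the IOS `access-list` syntax (including wildcard masks and the duplicate `log` entries), and reports any split-tunnel pair that the NAT ACL would still translate. The ACL numbers 101 and 111 are taken from the posted config and can be overridden for another router.

```python
"""Cross-check an Easy VPN split-tunnel ACL against the NAT-exemption ACL.

Added example, not code from the original post. The invariant checked: every
(source, destination) pair the split-tunnel ACL (101) sends into the tunnel
must hit a 'deny' in the NAT ACL (111) before the trailing 'permit ip any any',
otherwise that traffic is translated and leaves the outside interface
un-encrypted. Implicit deny (no match at all) is fine: un-matched traffic is
simply not translated.
"""
import ipaddress
import re

# Constructed input: the head-office access-lists exactly as posted above.
HO_ACLS = """
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip host 192.168.0.16 any
access-list 111 deny ip host 192.168.0.16 any log
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
"""

# Numbered extended ACE for protocol 'ip'; the optional trailing 'log' is dropped.
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+?)(?:\s+log)?$")
ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))


def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return
    (network, remaining tokens). IOS wildcard masks are inverted netmasks."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.IPv4Address(ALL_ONES - int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order.
    A 'log' twin of an existing entry is collapsed onto it."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        number, action, rest = m.groups()
        src, rest = _parse_addr(rest.split())
        dst, _ = _parse_addr(rest)
        entry = (action, src, dst)
        if entry not in acls.setdefault(number, []):
            acls[number].append(entry)
    return acls


def first_match(acl, src, dst):
    """Action of the first ACE that covers (src, dst); None means implicit deny."""
    for action, nsrc, ndst in acl:
        if src.subnet_of(nsrc) and dst.subnet_of(ndst):
            return action
    return None


def nat_leaks(acls, split_acl="101", nat_acl="111"):
    """Split-tunnel pairs that the NAT ACL would translate instead of exempting."""
    return [(str(s), str(d)) for _, s, d in acls.get(split_acl, [])
            if first_match(acls.get(nat_acl, []), s, d) == "permit"]


def exempt_but_not_tunnelled(acls, split_acl="101", nat_acl="111"):
    """NAT 'deny' entries that no split-tunnel entry covers. Not a leak, but such
    traffic is neither translated nor encrypted, so it leaves with its private
    source address unless another NAT rule (not in the posted config) handles it."""
    tunnelled = [(s, d) for a, s, d in acls.get(split_acl, []) if a == "permit"]
    out = []
    for action, nsrc, ndst in acls.get(nat_acl, []):
        if action == "deny" and not any(
                nsrc.subnet_of(s) and ndst.subnet_of(d) for s, d in tunnelled):
            out.append((str(nsrc), str(ndst)))
    return out


if __name__ == "__main__":
    acls = parse_acls(HO_ACLS)
    print("split-tunnel traffic that would still be NATed:", nat_leaks(acls))
    print("NAT-exempt but not tunnelled:", exempt_but_not_tunnelled(acls))
```

Run against the posted lists, `nat_leaks` comes back empty, so the head-office NAT exemption does cover every split-tunnel destination including the remote office's 10.200.192.0/24; the only oddities it surfaces are the blanket `deny` for host 192.168.0.16 and the 10.1.1.0/24 exemption that no split-tunnel entry refers to. Deleting the 10.200.192.0 line from ACL 111 is enough to make the check report a leak, which is the failure mode this kind of cross-check is meant to catch before it is debugged on a live router.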

Accepted Solution

Looks like you are hitting this bug, CSCtj63428:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj63428

You can either change the configuration from Easy VPN NEM mode to just LAN-to-LAN VPN tunnel, or downgrade as per the workaround listed in the bug to resolve the issue.


Hi Mohamed,

You have an ACL on the server which seems to allow split-tunneling.

The remote office has NAT configured so it should work.

Could you please share the "show crypto ipsec sa" from the Remote office while connected?

Thanks.

Portu.

Hi Javier,

Please find the below config,

Router#show cryp ipse sa

interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr yx.yx.xy.xy

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xx.xx.yy.yy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: yx.yx.xy.xy, remote crypto endpt.: xx.xx.yy.yy
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xCCBB2B8C(3434818444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x82289776(2183698294)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCCBB2B8C(3434818444)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Dialer0-head-0, local addr yx.yx.xy.xy

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xx.xx.yy.yy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: yx.yx.xy.xy, remote crypto endpt.: xx.xx.yy.yy

     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xCCBB2B8C(3434818444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x82289776(2183698294)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCCBB2B8C(3434818444)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Router#
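The output above shows what a responder should read off `show crypto ipsec sa` before anything else: the protected subnets (local ident / remote ident), whether the SAs are ACTIVE, and the encaps/decaps counters, which here are all zero even though both SAs are up. The following parser is an added example, not code from the thread or from Cisco; it takes the Dialer0 block of the posted output as constructed input (with the redacted addresses left as they appear), extracts those fields, and turns the counters into a one-line verdict. The set of transforms it flags as legacy (DES, 3DES, MD5, null) is the author's own judgement, not something the thread states.

```python
"""Triage 'show crypto ipsec sa': are the SAs up, and are they moving traffic?

Added example, not part of the original thread. Phase 2 showing ACTIVE only
proves the SA was negotiated; the #pkts encaps/decaps counters show whether
anything is actually being encrypted and decrypted over it.
"""
import re

# Constructed sample: the Dialer0 block from the remote router's output above,
# trimmed to the lines this parser cares about.
SAMPLE = """\
interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr yx.yx.xy.xy

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xx.xx.yy.yy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x82289776(2183698294)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE

     outbound esp sas:
      spi: 0xCCBB2B8C(3434818444)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""

IFACE_RE = re.compile(r"^interface:\s*(\S+)")
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
TRANSFORM_RE = re.compile(r"^\s*transform:\s*(.+?)\s*,?\s*$")
STATUS_RE = re.compile(r"^\s*Status:\s*(\w+)")

# Author's assumption: transforms that should not be in a new deployment.
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """One record per 'interface:' block: protected subnets, packet and error
    counters, the transforms seen and the Status of every SA under it."""
    records, cur = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"interface": m.group(1), "local": None, "remote": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0,
                   "recv_errors": 0, "transforms": set(), "statuses": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            cur[side] = f"{addr}/{mask}"
        for which, n in COUNT_RE.findall(line):
            cur[which] = int(n)
        m = ERR_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = (int(x) for x in m.groups())
        m = TRANSFORM_RE.match(line)
        if m:
            cur["transforms"].update(m.group(1).split())
        m = STATUS_RE.match(line)
        if m:
            cur["statuses"].append(m.group(1))
    return records


def assess(sa):
    """Turn status and counters into the verdict a responder wants first."""
    if not sa["statuses"]:
        return "no IPsec SA: Phase 2 never completed"
    if any(s != "ACTIVE" for s in sa["statuses"]):
        return "SA present but not ACTIVE: " + ",".join(sa["statuses"])
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "SA ACTIVE but idle: nothing encrypted or decrypted yet"
    if sa["decaps"] == 0:
        return "one-way: encrypting but nothing comes back (check far-end routing / NAT exemption)"
    if sa["encaps"] == 0:
        return "one-way: decrypting but sending nothing (check local routing / NAT exemption)"
    return "healthy: traffic in both directions"


def weak_transforms(sa):
    """Legacy algorithms negotiated for this SA, sorted for stable output."""
    return sorted(sa["transforms"] & LEGACY_TRANSFORMS)


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(f"{sa['interface']}: {sa['local']} <-> {sa['remote']}")
        print("  ", assess(sa))
        print("   legacy transforms:", weak_transforms(sa))
```

On the posted output the verdict is "SA ACTIVE but idle": the tunnel between 10.200.192.0/24 and 192.168.0.0/24 is up but has carried no packets, which matches a site whose LAN traffic is not reaching the crypto engine at all rather than a Phase 1 or Phase 2 problem. The same parser, fed a block where only the encaps counter is non-zero, reports the one-way case, which is the signature of a NAT-exemption or routing mistake on the far end. It also flags esp-3des and esp-md5-hmac, the transform set both routers in this thread negotiate.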

Dear Mohamed,

The SAs look fine.

You should not lose your Internet connection while connected to the VPN.

When you try to access the Internet, if you do a "show ip nat translation", do you see any NAT entry?

Thanks.

Portu.