09-19-2012 04:36 AM
Hi,
I have been working for a week to resolve an issue with Cisco Easy VPN in network extension mode. While the VPN is connected, the Internet is not working. I thought it was on the remote side, but now I believe it might be a server-side configuration issue, because I have tried the same remote-side config in several places and the users lose Internet access each time. I can still ping 4.2.2.2 from the router itself. Please help me solve this issue.
HO Router config
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 15
ip cef
!
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Head-office
key pass123
pool ippool
acl 101
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address xx.xx.xx.xy 255.255.255.248
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.0.166 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 10.10.10.10 10.10.10.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.yx
!
ip http server
ip http secure-server
ip dns server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any log
access-list 111 deny ip host 192.168.0.16 any
access-list 111 deny ip host 192.168.0.16 any log
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
access-list 133 deny ip host 192.168.0.16 10.10.10.0 0.0.0.255
!
Remote office
Router#show run
Building configuration...
Current configuration : 2243 bytes
!
! Last configuration change at 08:34:12 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 6Uhgk1ATmwo4j3eoSZScCqsB/Q1llvengtFuqfN8mh6
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip name-server m
ip name-server m
no ipv6 cef
!
!
!
username user password 0 cisco
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
connect auto
group Head-office key pass123
mode network-extension
peer xx.xx.xx.xy
username user password cisco
xauth userid mode local
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.200.192.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn REMOTE-OFFICE-VPN inside
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname xxxxxxx
ppp chap password 0 yyyyy
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 120 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 120 deny ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.200.192.0 0.0.0.255 any
Note: there is no issue when using the VPN client software.
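The server-side split-tunnel ACL (101) and the two NAT ACLs (111 at the head office, 120 at the remote office) have to agree: every destination the server pushes as interesting traffic must be exempted from NAT, because IOS translates an inside-to-outside packet before it checks the crypto map, and a packet whose source has been rewritten to the outside address no longer matches the tunnel's private identity. The following Python is an added example, not code from this thread or from Cisco: it parses the ACL lines posted above, confirms that with this config nothing the tunnel should carry is NATed by mistake, and classifies two constructed flows from a remote LAN host (10.200.192.2, an assumed address) the way the remote router would.

```python
"""Cross-check an Easy VPN split-tunnel ACL against the NAT ACLs (IOS syntax).

Added example, not code from the thread. The ACL lines below are copied from
the head-office (101, 111) and remote-office (120) configs posted above; the
10.200.192.2 flows at the bottom are constructed inputs.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One entry of 'access-list N permit|deny ip SRC DST'."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' (10.200.192.0 0.0.0.255) -> IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # not a contiguous run of low-order ones: no single prefix
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return ipaddress.IPv4Network("%s/%d" % (addr, 32 - wc.bit_length()), strict=False)


def _endpoint(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def parse_acls(config):
    """Return {acl_number: [Ace, ...]} for numbered 'ip' entries; a trailing 'log' is ignored."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            tokens = m.group(3).split()
            src, i = _endpoint(tokens, 0)
            dst, _ = _endpoint(tokens, i)
            acls.setdefault(int(m.group(1)), []).append(Ace(m.group(2), src, dst))
    return acls


def evaluate(acl, src, dst):
    """First-match lookup with the implicit deny IOS adds at the end of every ACL."""
    src, dst = ipaddress.IPv4Address(str(src)), ipaddress.IPv4Address(str(dst))
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def mirror(acl):
    """Swap src/dst: the server's split-tunnel ACL as seen from the client side."""
    return [Ace(a.action, a.dst, a.src) for a in acl]


def check_exemption(split_acl, nat_acl):
    """Split-tunnel (src, dst) pairs the NAT ACL would still translate.
    Tests each pair's network address only, so a partial overlap inside a
    broader NAT entry is not detected."""
    return [(str(a.src), str(a.dst)) for a in split_acl
            if a.action == "permit"
            and evaluate(nat_acl, a.src.network_address, a.dst.network_address) == "permit"]


def classify(nat_acl, crypto_acl, src, dst):
    """Fate of an inside->outside packet: IOS checks NAT before the crypto map."""
    if evaluate(nat_acl, src, dst) == "permit":
        return "nat"      # source rewritten to the outside address, sent in the clear
    if evaluate(crypto_acl, src, dst) == "permit":
        return "tunnel"   # private source kept, encrypted towards the peer
    return "clear"        # neither: leaves unencrypted with a private source


HO_CONFIG = """
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip host 192.168.0.16 any
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
"""
REMOTE_CONFIG = """
access-list 120 deny ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.200.192.0 0.0.0.255 any
"""

if __name__ == "__main__":
    ho, remote = parse_acls(HO_CONFIG), parse_acls(REMOTE_CONFIG)
    print("split-tunnel pairs the HO NAT ACL would translate:", check_exemption(ho[101], ho[111]))
    for dst in ("192.168.0.166", "4.2.2.2"):  # HO LAN host, then a public address
        print("10.200.192.2 -> %s: %s" % (dst, classify(remote[120], mirror(ho[101]), "10.200.192.2", dst)))
```

With the posted ACLs the check comes back empty and the two flows classify as "tunnel" and "nat" respectively, which is the behaviour the thread expects from the config. Dropping the deny line from ACL 120 flips the head-office flow to "nat": that is the classic split-tunnel failure, where the private packet is translated before the crypto map ever sees it.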
Solved!
Labels: VPN
09-19-2012 06:06 AM
Hi Mohamed,
You have an ACL on the server which seems to allow split-tunneling.
The remote office has NAT configured so it should work.
Could you please share the "show crypto ipsec sa" from the Remote office while connected?
Thanks.
Portu.
09-19-2012 07:41 AM
Hi Javier,
Please find the output below:
Router#show cryp ipse sa
interface: Dialer0
Crypto map tag: Dialer0-head-0, local addr yx.yx.xy.xy
protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer xx.xx.yy.yy port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: yx.yx.xy.xy, remote crypto endpt.: xx.xx.yy.yy
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0xCCBB2B8C(3434818444)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x82289776(2183698294)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4466047/2703)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCCBB2B8C(3434818444)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4466047/2703)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: Dialer0-head-0, local addr yx.yx.xy.xy
protected vrf: (none)
local ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer xx.xx.yy.yy port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: yx.yx.xy.xy, remote crypto endpt.: xx.xx.yy.yy
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0xCCBB2B8C(3434818444)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x82289776(2183698294)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4466047/2703)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCCBB2B8C(3434818444)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4466047/2703)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router#
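The output above lists one SA twice (the same inbound SPI 0x82289776 and outbound SPI 0xCCBB2B8C appear under Dialer0 and again under Easy VPN's Virtual-Access2), and both the encaps and decaps counters are zero: the tunnel is negotiated and ACTIVE, but nothing has been classified into it. The following Python is an added example, not code from the thread or from Cisco: a parser for this command that dedupes the SA by SPI and turns the counters into a troubleshooting verdict. SAMPLE is a trimmed copy of the posted output (the masked addresses are kept as posted); the verdict names are the script's own.

```python
"""Parse 'show crypto ipsec sa' and turn the counters into a verdict.

Added example, not code from the thread. SAMPLE is a trimmed copy of the
output posted above; the verdict names are this script's own.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class SaEntry:
    interface: str
    local: str        # local identity, as CIDR
    remote: str       # remote identity, as CIDR
    peer: str
    encaps: int       # packets encrypted and sent into the tunnel
    decaps: int       # packets received from the tunnel and decrypted
    send_errors: int
    recv_errors: int
    outbound_spi: str
    statuses: list    # every 'Status:' line in the section


def ident_to_cidr(ident):
    """'10.200.192.0/255.255.255.0/0/0' -> '10.200.192.0/24' (prot/port dropped)."""
    if not ident:
        return ""
    addr, mask = ident.split("/")[:2]
    return str(ipaddress.IPv4Network(addr + "/" + mask, strict=False))


def _find(pattern, text, default="", cast=str):
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else default


def parse_show_crypto_ipsec_sa(text):
    """One SaEntry per 'interface:' section of the command output."""
    starts = [m.start() for m in re.finditer(r"^[ \t]*interface: ", text, re.M)]
    entries = []
    for n, start in enumerate(starts):
        s = text[start:starts[n + 1] if n + 1 < len(starts) else len(text)]
        entries.append(SaEntry(
            interface=_find(r"interface: (\S+)", s),
            local=ident_to_cidr(_find(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", s)),
            remote=ident_to_cidr(_find(r"remote\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", s)),
            peer=_find(r"current_peer (\S+)", s),
            encaps=_find(r"#pkts encaps: (\d+)", s, 0, int),
            decaps=_find(r"#pkts decaps: (\d+)", s, 0, int),
            send_errors=_find(r"#send errors (\d+)", s, 0, int),
            recv_errors=_find(r"#recv errors (\d+)", s, 0, int),
            outbound_spi=_find(r"current outbound spi: (0x[0-9A-Fa-f]+)", s),
            statuses=re.findall(r"Status: (\w+)", s),
        ))
    return entries


def unique_sas(entries):
    """Key by outbound SPI: Easy VPN prints the same SA under Dialer0 and Virtual-Access."""
    return {e.outbound_spi: e for e in entries}


def diagnose(e):
    """Counters -> verdict. 'idle' is the thread's case: SA up, nothing classified into it."""
    if "ACTIVE" not in e.statuses:
        return "no-active-sa"
    if e.send_errors or e.recv_errors:
        return "errors"
    if e.encaps == 0 and e.decaps == 0:
        return "idle"
    if e.decaps == 0:
        return "one-way-out"   # we encrypt, nothing comes back through the tunnel
    if e.encaps == 0:
        return "one-way-in"    # peer sends, our replies never enter the tunnel
    return "passing"


SAMPLE = """\
interface: Dialer0
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xx.xx.yy.yy port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0xCCBB2B8C(3434818444)
     inbound esp sas:
      spi: 0x82289776(2183698294)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xCCBB2B8C(3434818444)
        Status: ACTIVE
interface: Virtual-Access2
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xx.xx.yy.yy port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0xCCBB2B8C(3434818444)
     outbound esp sas:
      spi: 0xCCBB2B8C(3434818444)
        Status: ACTIVE
"""

if __name__ == "__main__":
    for spi, sa in unique_sas(parse_show_crypto_ipsec_sa(SAMPLE)).items():
        print(spi, sa.local, "<->", sa.remote, "peer", sa.peer, "=>", diagnose(sa))
```

Run it twice with a continuous ping going: counters that stay at zero under load mean the traffic never reaches the crypto map (NAT or routing on the LAN side), while encaps climbing with decaps stuck at zero points at the far end.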
09-19-2012 07:51 AM
Dear Mohamed,
The SAs look fine.
You should not lose your Internet connection while connected to the VPN.
When you try to access the Internet, if you do a "show ip nat translation", do you see any NAT entry?
Thanks.
Portu.
09-19-2012 08:45 AM
Dear Javier,
No, I don't see any records in show ip nat translations.
Router#show ip nat translations
Router#
09-19-2012 10:12 AM
This does not sound like a VPN problem.
Please include "show ip route" while connected and disconnected.
Thanks.
09-19-2012 12:20 PM
Dear Javier,
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Vlan2
L 172.16.1.1/32 is directly connected, Vlan2
178.152.0.0/32 is subnetted, 2 subnets
C 178.152.0.1 is directly connected, Dialer0
C 178.152.14.249 is directly connected, Dialer0
Ping from the router:
Router#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/220/228 ms
Router#ping 4.2.2.2 sou
Router#ping 4.2.2.2 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.....
Success rate is 0 percent (0/5)
Router#
Router#ping 192.168.0.166
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 192.168.0.166 sour 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1 --- HO
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/60/76 ms
Router#
09-19-2012 12:50 PM
Dear Javier,
Please find the output below; the output above is from another remote router.
Router#show ip int bri
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
ATM0.1 unassigned YES unset deleted down
Dialer0 178.152.27.149 YES IPCP up up
Ethernet0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Vlan1 10.200.192.1 YES NVRAM up up
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.200.192.0/24 is directly connected, Vlan1
L 10.200.192.1/32 is directly connected, Vlan1
178.152.0.0/32 is subnetted, 2 subnets
C 178.152.16.1 is directly connected, Dialer0
C 178.152.27.149 is directly connected, Dialer0
Router#
Router#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/180/184 ms
Router#ping 4.2.2.2 10.200.192.1
^
% Invalid input detected at '^' marker.
Router#ping 4.2.2.2 source 10.200.192.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.200.192.1
.....
Success rate is 0 percent (0/5)
Router#ping 192.168.0.166
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 192.168.0.166 source 10.200.192.1 ------------------- HO Private IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
Packet sent with a source address of 10.200.192.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.200.192.0/24 is directly connected, Vlan1
L 10.200.192.1/32 is directly connected, Vlan1
178.152.0.0/32 is subnetted, 2 subnets
C 178.152.16.1 is directly connected, Dialer0
C 178.152.27.149 is directly connected, Dialer0
Router#
No difference in the IP routing table even when the VPN is off.
09-19-2012 05:25 PM
Hi Mohamed,
The routing portion seems to be OK. Please do this while connected:
1- Run a continuous ping from a machine behind the router (ping something like 4.2.2.2).
2- Run the following command on the router: "debug ip icmp".
What do you see?
Thanks.
Portu.
09-19-2012 11:32 PM
No records:
Router#debug ip icmp
ICMP packet debugging is on
Router#
09-20-2012 05:47 AM
Hi,
Is "terminal monitor" enabled?
Do you notice any difference without the Easy VPN connection (does the output display any packets)?
Thanks.
09-20-2012 06:06 AM
Hi,
Router#
Sep 20 06:13:29.827: ICMP: dst (10.200.192.1) port unreachable sent to 10.200.192.2
Sep 20 06:13:30.575: ICMP: dst (10.200.192.1) port unreachable sent to 10.200.192.2
Sep 20 06:13:31.587: ICMP: dst (10.200.192.1) port unreachable sent to 10.200.192.2
Is there any issue with this new router IOS?
Router#show version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 21-Mar-12 00:27 by prod_rel_team
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Router uptime is 6 hours, 45 minutes
System returned to ROM by power-on
System restarted at 06:08:20 UTC Thu Sep 20 2012
System image file is "flash:c880data-universalk9-mz.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 887VA (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ1633C3JL
1 DSL controller
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125496K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO887VA-SEC-K9 FCZ1633C3JL
License Information for 'c880-data'
License Level: advipservices Type: Permanent
Next reboot license Level: advipservices
Configuration register is 0x2102
Router#

09-20-2012 06:10 AM
Looks like you are hitting this bug: CSCtj63428.
You can either change the configuration from Easy VPN NEM mode to just a LAN-to-LAN VPN tunnel, or downgrade as per the workaround listed in the bug to resolve the issue.
09-20-2012 06:47 AM
Hi Jennifer,
As you mentioned, how can I change the config into a LAN-to-LAN VPN tunnel? I have seen this reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/site2sit.html, but it is for the ASA 5500, not for the 3700 series.
Does this work the same as NEM? And please tell me how I can downgrade the IOS (we have 3 new routers). Thanks for the prompt reply.
09-20-2012 06:50 AM
Please check this out:
ASA/PIX : Security Appliance to an IOS Router LAN-to-LAN IPsec Tunnel Configuration Example
Let us know if you have any questions.
Thanks.
