INTERNET is not working while VPN ON

CSCO11638397, Level 1

Hi,

I have been working for a week to resolve an issue on a Cisco Easy VPN network extension. While the VPN is connected, the Internet is not working. I thought it was from the remote side, but now I believe it might be a server-side configuration issue, because I have tried the same remote-side config in several places and the Internet is lost for the users. I can still ping 4.2.2.2 from the router itself. Please help me to solve this issue.


HO Router config


!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 15
ip cef
!
!
!
!

!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Head-office
key pass123
pool ippool
acl 101
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address xx.xx.xx.xy 255.255.255.248
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 192.168.0.166 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 10.10.10.10 10.10.10.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.yx
!

ip http server
ip http secure-server
ip dns server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any log
access-list 111 deny ip host 192.168.0.16 any
access-list 111 deny ip host 192.168.0.16 any log
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 111 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
access-list 133 deny ip host 192.168.0.16 10.10.10.0 0.0.0.255
!

Remote office

Router#show run
Building configuration...

Current configuration : 2243 bytes
!
! Last configuration change at 08:34:12 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
! NVRAM config last updated at 08:34:14 UTC Tue Sep 18 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 6Uhgk1ATmwo4j3eoSZScCqsB/Q1llvengtFuqfN8mh6
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip name-server m
ip name-server m
no ipv6 cef
!
!
!
username user password 0 cisco
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
connect auto
group Head-office key pass123
mode network-extension
peer xx.xx.xx.xy
username user password cisco
xauth userid mode local
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.200.192.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn REMOTE-OFFICE-VPN inside
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname xxxxxxx
ppp chap password 0 yyyyy
crypto ipsec client ezvpn REMOTE-OFFICE-VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 120 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 120 deny ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.200.192.0 0.0.0.255 any

Note: no issue when using the VPN client software.


Hi Mohamed,

You have an ACL on the server which seems to allow split-tunneling.

The remote office has NAT configured so it should work.

Could you please share the "show crypto ipsec sa" from the Remote office while connected?

Thanks.

Portu.
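As an added example (not code from the thread, and not a Cisco tool), the two checks Portu's reply refers to can be run offline over the ACLs from the posted configs: a small evaluator for Cisco numbered IP ACLs that classifies a remote-LAN flow as NAT'd to the Internet or sent into the tunnel, and a comparison of the HO NAT-exempt list (ACL 111) with the split-tunnel list (ACL 101). The function names and the assumed order of the forwarding decision (NAT ACL first, then the pushed split ACL) are my own; the ACL entries are copied from the posts above, minus the duplicate `log` lines.

```python
import ipaddress
# ACLs copied from the posted configs: HO split-tunnel ACL 101, HO NAT ACL 111 (its duplicate "log" lines dropped), remote NAT ACL 120.
HO_ACLS = """
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip host 192.168.0.16 any
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 10.172.16.0 0.0.0.255
access-list 111 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
"""
REMOTE_ACLS = """
access-list 120 deny ip 10.200.192.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.200.192.0 0.0.0.255 any
"""

def _target(tokens):
    """Consume one endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' (wildcard inverted to a netmask)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_acls(text):
    """{acl_number: [(action, src_net, dst_net), ...]} in configured order; a trailing 'log' is ignored."""
    acls = {}
    for p in (line.split() for line in text.splitlines()):
        if len(p) >= 6 and p[0] == "access-list" and p[3] == "ip":
            rest = p[4:]
            acls.setdefault(p[1], []).append((p[2], _target(rest), _target(rest)))
    return acls

def acl_action(entries, src_ip, dst_ip):
    """First-match lookup; None is the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((a for a, src, dst in entries if s in src and d in dst), None)

def classify_remote_flow(ho, remote, src_ip, dst_ip):
    """Remote NEM router's decision (assumed order): NAT ACL 120 first, then HO split ACL 101 with src/dst swapped."""
    if acl_action(remote["120"], src_ip, dst_ip) == "permit":
        return "nat-to-internet"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(a == "permit" and s in dst and d in src for a, src, dst in ho["101"]):
        return "tunnel"
    return "untranslated-clear"

def nat_exempt_vs_split(ho):
    """Subnets NAT-exempt in ACL 111 but missing from split ACL 101, and the reverse."""
    split = {dst for a, _, dst in ho["101"] if a == "permit"}
    exempt = {dst for a, src, dst in ho["111"] if a == "deny" and src.prefixlen < 32}
    return sorted(map(str, exempt - split)), sorted(map(str, split - exempt))
```

On the posted ACLs the classifier confirms what Portu says (a remote host going to 4.2.2.2 is NAT'd, traffic to 192.168.0.0/24 goes into the tunnel), and the comparison reports 10.1.1.0/24 as NAT-exempt on the HO without being in the split-tunnel list, and host 192.168.0.16 as excluded from PAT entirely.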

Hi Javier,

Please find the output below.

Router#show cryp ipse sa

interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr yx.yx.xy.xy

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xx.xx.yy.yy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: yx.yx.xy.xy, remote crypto endpt.: xx.xx.yy.yy
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xCCBB2B8C(3434818444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x82289776(2183698294)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCCBB2B8C(3434818444)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Dialer0-head-0, local addr yx.yx.xy.xy

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xx.xx.yy.yy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: yx.yx.xy.xy, remote crypto endpt.: xx.xx.yy.yy

     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xCCBB2B8C(3434818444)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x82289776(2183698294)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCCBB2B8C(3434818444)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4466047/2703)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Router#

Dear Mohamed,

The SAs look fine.

You should not lose your Internet connection while connected to the VPN.

When you try to access the Internet, if you do a "show ip nat translation", do you see any NAT entry?

Thanks.

Portu.

Dear Javier,

No, I don't see any records in show ip nat translations.

Router#show ip nat translations

Router#

This does not sound like a VPN problem.

Please include "show ip route" while connected and disconnected.

Thanks.

Dear Javier,

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, Vlan2
L        172.16.1.1/32 is directly connected, Vlan2
      178.152.0.0/32 is subnetted, 2 subnets
C        178.152.0.1 is directly connected, Dialer0
C        178.152.14.249 is directly connected, Dialer0

Ping from router

Router#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 216/220/228 ms
Router#ping 4.2.2.2 sou
Router#ping 4.2.2.2 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
.....
Success rate is 0 percent (0/5)
Router#
Router#ping 192.168.0.166
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 192.168.0.166 sour 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1     --- HO
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/60/76 ms
Router#

Dear Javier,

Please find the output below; the output above is from another remote router.

Router#show ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  deleted               down
Dialer0                    178.152.27.149  YES IPCP   up                    up
Ethernet0                  unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
NVI0                       unassigned      YES unset  administratively down down
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Vlan1                      10.200.192.1    YES NVRAM  up                    up

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.200.192.0/24 is directly connected, Vlan1
L        10.200.192.1/32 is directly connected, Vlan1
      178.152.0.0/32 is subnetted, 2 subnets
C        178.152.16.1 is directly connected, Dialer0
C        178.152.27.149 is directly connected, Dialer0
Router#

Router#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/180/184 ms
Router#ping 4.2.2.2 10.200.192.1
                    ^
% Invalid input detected at '^' marker.

Router#ping 4.2.2.2 source 10.200.192.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.200.192.1
.....
Success rate is 0 percent (0/5)
Router#ping 192.168.0.166
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 192.168.0.166 source 10.200.192.1    ------------------- HO Private IP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.166, timeout is 2 seconds:
Packet sent with a source address of 10.200.192.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.200.192.0/24 is directly connected, Vlan1
L        10.200.192.1/32 is directly connected, Vlan1
      178.152.0.0/32 is subnetted, 2 subnets
C        178.152.16.1 is directly connected, Dialer0
C        178.152.27.149 is directly connected, Dialer0
Router#

There is no difference in the IP routing table even when the VPN is off.

Hi Mohamed,

The routing portion seems to be ok, please do this while connected:

1- Run a continuous ping from a machine behind the Router (ping something like 4.2.2.2).

2- Run the following command on the Router: "debug ip icmp".

What do you see?

Thanks.

Portu.

No records

Router#debug ip icmp
ICMP packet debugging is on
Router#

Hi,

Is "terminal monitor" enabled?

Do you notice any difference without the Easy VPN connection (does the output display any packets)?

Thanks.

Hi

Router#
Sep 20 06:13:29.827: ICMP: dst (10.200.192.1) port unreachable sent to 10.200.192.2
Sep 20 06:13:30.575: ICMP: dst (10.200.192.1) port unreachable sent to 10.200.192.2
Sep 20 06:13:31.587: ICMP: dst (10.200.192.1) port unreachable sent to 10.200.192.2

Is there any issue with this new router IOS?

Router#show version
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 21-Mar-12 00:27 by prod_rel_team

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

Router uptime is 6 hours, 45 minutes
System returned to ROM by power-on
System restarted at 06:08:20 UTC Thu Sep 20 2012
System image file is "flash:c880data-universalk9-mz.151-4.M4.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 887VA (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ1633C3JL
1 DSL controller
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125496K bytes of ATA CompactFlash (Read/Write)

License Info:
License UDI:
-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO887VA-SEC-K9     FCZ1633C3JL

License Information for 'c880-data'
    License Level: advipservices   Type: Permanent
    Next reboot license Level: advipservices

Configuration register is 0x2102
Router#

Looks like you are hitting this bug: CSCtj63428:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj63428

You can either change the configuration from Easy VPN NEM mode to just LAN-to-LAN VPN tunnel, or downgrade as per the workaround listed in the bug to resolve the issue.

Hi Jennifer,

As you mentioned, how can I change the config into a LAN-to-LAN VPN tunnel? I have seen this reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/site2sit.html, but that is for the ASA 5500, not for the 3700 series.

Does this work the same as NEM? And please tell me how I can downgrade the IOS (we have 3 new routers). Thanks for the prompt reply.
