02-04-2014 03:17 PM - edited 02-21-2020 07:28 PM
Hi,
I have a hub and spoke setup with IPsec.
If interesting traffic comes from the spoke, the IPsec SA starts and works perfectly. However, once the link idles out and there is no more traffic, the hub shows this with the sh crypto isa sa command:
196.47.133.38 185.20.242.61 QM_IDLE 1017 ACTIVE
sh cryp ips sa peer 196.47.133.38 shows nothing at all.
I have checked my routing and NAT denies to make sure that is not the issue.
I then checked the crypto ACLs: when I send traffic, I see the crypto ACLs are incrementing correctly, but still the SA won't activate. If I look at the ipsec debug I also see nothing.
I am using a dynamic map with each spoke end on its own ACL, as follows:
crypto dynamic-map dynmap 5
set peer 111.116.206.92
set transform-set des-transform
match address 171
crypto dynamic-map dynmap 10
set peer 111.47.132.38
set transform-set des-transform
match address 172
crypto dynamic-map dynmap 15
set peer 111.174.150.47
set transform-set des-transform
match address 173
crypto dynamic-map dynmap 20
set peer 111.166.108.250
set transform-set des-transform
match address 174
crypto dynamic-map dynmap 100
set transform-set des-transform
match address 170
c2800nm-adventerprisek9_ivs_li-mz.151-4.m6.bin on a 2811
Any ideas?
Thanks
Alan
02-05-2014 09:33 AM
Hi Alan,
1. Please always remember that when you use dynamic crypto maps they are most of the time used for site-to-client, or say remote access VPN, but they can also be used in site-to-site VPN when you want to restrict it so that only one party can initiate the tunnel and the other party, the one with the dynamic map, can never initiate a tunnel. In that condition your gateway never knows the IP of the other side client and hence will never initiate a connection to home or Internet users so as to build a tunnel. Only the home user has to initiate a connection to establish a tunnel as and when needed, as their IP could be dynamic and your hub never knows which IP they will come from, since the IP could change based on the location or vendor Internet you connect from.
2. Once you put a dynamic crypto map on your ASA, you mean to say you don't know the other side peer IP, as told above, and only the other side peer (in this case the client) will initiate a tunnel; hence set peer IP has no meaning within a dynamic crypto map.
3. Once you define a dynamic crypto map, you always have to associate it to the static crypto map, as you cannot associate a dynamic crypto map directly to a device's outside interface.
example
step 1
define the dynamic crypto map as follows:
crypto dynamic-map mymap 1 set transform-set myset
crypto dynamic-map mymap 1 set reverse-route
(in line 2 you are instructing your ASA or hub device that the other client, after establishing a client-to-site tunnel with this machine, can insert a static route dynamically at the top of the routing table, so that the traffic for the client can use the static route instead of using the default route and could save time; otherwise it has to traverse through all the routes to reach the default route every time communication happens between the new IP of the client machine on home Internet and the office firewall/ASA.)
step 2
Now call this above dynamic map named mymap into a static crypto map (named dyn-map) as follows:
crypto map dyn-map 10 ipsec-isakmp dynamic mymap
step 3
Assign this static crypto map to an interface so as to actually apply the dynamic crypto map; as told before, it can't be applied directly:
crypto map dyn-map interface outside
Please share the configuration of hub and spoke in separate files and state who is the hub and who are spoke 1, spoke 2, spoke 3 and so on.
Hope I can offer you clearer help after that.
best regards
sachin garg
sachin.koenig@gmail.com
02-06-2014 05:30 AM
Thanks Sachin,
I suspected this was the case with dynamic maps, but your help has guided me to a better approach.
I have now gone for a bunch of static map entries for my known endpoints and a dynamic one at the bottom for the unknown endpoints.
Now I just need to find out why my spoke-to-spoke isn't very robust: lots of packet loss. I am suspecting the 2811 though.
Config really looks fine
02-06-2014 05:48 AM
Hi Alan,
Please share the configuration of the 2811 router so that I can offer you more details in detecting why there is packet loss, and whether it is reaching the limit of traffic that it can handle.
Best Regards
Sachin Garg
02-06-2014 07:48 AM
Here you go Sachin
Edge routers are 1801s
Hub is a 2811
Edge ACLs are a mirror of what is in the ACLs associated to each map line
As far as I can see the default route is correct, and all the crypto traffic should not be NAT'd or go elsewhere but hit po1.100 on the way out.
Symptoms are that a person pinging from say 10.192.112.5 (spoke) to the dest 10.192.40.10 (hub) will work perfectly, but the same user 10.192.112.5 won't be able to ping 10.192.73.10 (spoke) or 10.192.113.5 (spoke)
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c2811-test
!
boot-start-marker
boot system flash:/c2800nm-adventerprisek9_ivs_li-mz.151-4.m6.bin
boot-end-marker
!
!
no logging console
!
aaa session-id common
!
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1226746475
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1226746475
revocation-check none
rsakeypair TP-self-signed-1226746475
!
!
crypto pki certificate chain TP-self-signed-1226746475
certificate self-signed 01
quit
!
!
license udi pid CISCO2811 sn FCZ1047729M
archive
log config
hidekeys
!
redundancy
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key
crypto isakmp key
crypto isakmp keepalive 10 10
crypto isakmp nat keepalive 360
!
!
crypto ipsec transform-set des-transform esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 100
set transform-set des-transform
match address 170
!
!
crypto map dyntrans 10 ipsec-isakmp
set peer 81.174.150.47
set transform-set des-transform
match address 173
crypto map dyntrans 20 ipsec-isakmp
set peer 196.47.132.38
set transform-set des-transform
set reverse-route tag 1
match address 172
crypto map dyntrans 30 ipsec-isakmp
set peer 62.116.206.92
set transform-set des-transform
match address 171
crypto map dyntrans 40 ipsec-isakmp
set peer 95.166.108.250
set transform-set des-transform
match address 174
crypto map dyntrans 50 ipsec-isakmp
set peer 78.193.137.76
set transform-set des-transform
match address 175
crypto map dyntrans 100 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
interface Port-channel1
no ip address
hold-queue 150 in
!
interface Port-channel1.8
encapsulation dot1Q 8
ip address 10.192.8.1 255.255.255.0
!
interface Port-channel1.16
encapsulation dot1Q 16
ip address 10.192.16.1 255.255.255.0
ip information-reply
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.32
encapsulation dot1Q 32
ip address 10.192.32.1 255.255.255.0
ip information-reply
!
interface Port-channel1.40
encapsulation dot1Q 40
ip address 10.192.40.1 255.255.255.0
ip information-reply
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.100
encapsulation dot1Q 100
ip address 185.20.242.61 255.255.255.248
ip access-group WORLD-IN in
ip nat outside
ip virtual-reassembly in
crypto map dyntrans
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
channel-group 1
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
channel-group 1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 115 interface Loopback2 overload
ip nat inside source list 116 interface Loopback0 overload
ip nat inside source list 161 interface Port-channel1.100 overload
ip nat inside source static tcp 10.192.16.11 25 185.20.242.50 25 extendable
ip nat inside source static tcp 10.192.16.11 143 185.20.242.50 143 extendable
ip nat inside source static tcp 10.192.16.11 993 185.20.242.50 993 extendable
ip nat inside source static tcp 10.192.16.11 25 185.20.242.50 1025 extendable
ip nat inside source static tcp 10.192.16.11 80 185.20.242.51 80 extendable
ip nat inside source static tcp 10.192.16.11 443 185.20.242.51 443 extendable
ip nat inside source static udp 10.192.16.2 5060 185.20.242.52 5060 extendable
ip nat inside source static tcp 10.192.16.32 80 185.20.242.53 80 extendable
ip nat inside source static tcp 10.192.16.31 8081 185.20.242.54 8081 extendable
ip route 0.0.0.0 0.0.0.0 185.20.242.57
ip route 185.20.242.32 255.255.255.240 185.20.242.58
!
ip access-list standard OAM-IN
permit 10.209.2.0 0.0.0.255 log
permit 10.29.32.0 0.0.3.255
permit 10.192.0.0 0.0.255.255 log
!
ip access-list extended WORLD-IN
remark General Stuff
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any administratively-prohibited
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark Drop SMB/Netbios noise
deny tcp any any eq 445
deny tcp any any eq 137
permit tcp any any established
remark Nianet/TDC NTP servers
permit udp host 83.136.89.6 any eq ntp
permit udp host 83.136.89.4 any eq ntp
permit udp host 193.162.159.194 any eq ntp
remark Nianet DNS
permit udp host 83.136.89.6 eq domain any
permit udp host 83.136.89.4 eq domain any
remark Any DNS to infon
permit udp any eq domain host 185.20.242.61
remark Services
permit tcp any host 185.20.242.50 eq smtp
permit tcp any host 185.20.242.50 eq 143
permit tcp any host 185.20.242.50 eq 993
permit tcp any host 185.20.242.51 eq www
permit tcp any host 185.20.242.51 eq 443
permit tcp any host 185.20.242.54 eq 8081
permit esp host 62.116.206.92 host 185.20.242.61
permit ip host 62.116.206.92 host 185.20.242.61
permit esp host 81.174.150.47 host 185.20.242.61
permit ip host 81.174.150.47 host 185.20.242.61
permit ip host 92.26.172.37 host 185.20.242.61
permit esp host 92.26.172.37 host 185.20.242.61
permit ip 78.147.0.0 0.0.255.255 host 185.20.242.61
permit ip host 78.193.137.76 host 185.20.242.61
permit esp 78.147.0.0 0.0.255.255 host 185.20.242.61
permit ip host 95.166.108.250 host 185.20.242.61
permit esp host 95.166.108.250 host 185.20.242.61
permit ip host 78.147.99.41 host 185.20.242.61
permit tcp any host 185.20.242.61 eq 443
permit udp any host 185.20.242.61 eq netbios-ns
permit ip host 79.170.187.234 host 185.20.242.55
permit tcp any host 185.20.242.61 eq 1723
permit gre any host 185.20.242.61
permit udp host 194.247.61.32 host 185.20.242.52
permit udp host 194.247.61.31 host 185.20.242.52
permit udp 62.41.83.0 0.0.0.255 host 185.20.242.52
permit udp 77.72.168.0 0.0.0.255 host 185.20.242.52
permit udp 77.192.32.0 0.0.0.255 host 185.20.242.52
permit udp 80.239.235.0 0.0.0.255 host 185.20.242.52
permit udp 194.120.0.0 0.0.0.255 host 185.20.242.52
permit udp 195.219.64.0 0.0.0.255 host 185.20.242.52
permit udp 203.192.180.224 0.0.0.15 host 185.20.242.52
permit udp 208.176.230.112 0.0.0.15 host 185.20.242.52
permit tcp any host 185.20.242.50 eq 1025
permit tcp any host 185.20.242.53 eq www
permit udp any eq non500-isakmp host 185.20.242.61 eq non500-isakmp
permit udp any eq isakmp host 185.20.242.61 eq isakmp
permit esp any host 185.20.242.61
deny ip any any log
!
access-list 1 permit 196.47.132.38
access-list 15 permit 10.192.16.2
access-list 80 permit 10.192.69.0 0.0.0.255
access-list 115 deny ip host 10.192.16.2 10.192.0.0 0.0.255.255
access-list 115 permit ip host 10.192.16.2 any
access-list 116 permit tcp 10.192.0.0 0.0.255.255 any eq smtp
access-list 161 deny ip any 10.0.0.0 0.255.255.255
access-list 161 permit ip 10.192.40.0 0.0.0.255 any
access-list 161 permit ip 10.192.16.0 0.0.0.255 any
access-list 170 permit ip 10.209.0.0 0.0.255.255 10.192.72.0 0.0.3.255
access-list 170 permit ip 10.209.0.0 0.0.255.255 10.192.112.0 0.0.15.255
access-list 170 permit ip 10.192.0.0 0.0.63.255 10.192.72.0 0.0.3.255
access-list 170 permit ip 10.192.0.0 0.0.63.255 10.192.112.0 0.0.15.255
access-list 170 permit ip 10.192.72.0 0.0.7.255 10.192.112.0 0.0.15.255
access-list 170 permit ip 10.192.112.0 0.0.15.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.209.0.0 0.0.255.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.0.0 0.0.63.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.64.0 0.0.31.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.112.0 0.0.15.255 10.192.72.0 0.0.3.255
access-list 171 permit ip 10.192.128.0 0.0.15.255 10.192.72.0 0.0.3.255
access-list 172 permit ip 10.192.0.0 0.0.63.255 10.192.128.0 0.0.0.63
access-list 172 permit ip 10.192.112.0 0.0.15.255 10.192.128.0 0.0.0.63
access-list 172 permit ip 10.192.72.0 0.0.7.255 10.192.128.0 0.0.0.63
access-list 172 permit ip 10.209.2.0 0.0.0.255 10.192.128.0 0.0.0.63
access-list 173 permit ip 10.192.0.0 0.0.63.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.192.64.0 0.0.31.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.192.112.0 0.0.15.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.192.128.0 0.0.15.255 10.192.112.64 0.0.0.63
access-list 173 permit ip 10.209.0.0 0.0.255.255 10.192.112.64 0.0.0.63
access-list 174 permit ip 10.192.0.0 0.0.63.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.192.64.0 0.0.31.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.192.112.0 0.0.15.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.192.128.0 0.0.15.255 10.192.112.0 0.0.0.63
access-list 174 permit ip 10.209.0.0 0.0.255.255 10.192.112.0 0.0.0.63
access-list 175 permit ip 10.192.0.0 0.0.63.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.192.64.0 0.0.31.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.192.112.0 0.0.15.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.192.128.0 0.0.15.255 10.192.113.64 0.0.0.63
access-list 175 permit ip 10.209.0.0 0.0.255.255 10.192.113.64 0.0.0.63
access-list 185 permit udp any any eq 1813
access-list 185 permit udp any any eq 1646
nls resp-timeout 1
cpd cr-id 1
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
line aux 0
line vty 0 4
access-class OAM-IN in
password hasldfhohdsah
transport input all
!
scheduler allocate 20000 1000
ntp master
ntp server 193.162.159.194
!
c2811-test#
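The two problems in this thread both come down to how IOS evaluates a crypto map: entries are walked in sequence-number order, the first entry whose crypto ACL permits the packet decides the peer, a `dynamic` entry is only expanded to the dynamic map's own entries (which have no usable peer, so the hub can only respond, never initiate), and a packet matching no crypto ACL is routed in the clear. The following Python checker is an added example, not code from the thread or from Cisco; it reproduces that first-match logic over a trimmed excerpt of the hub configuration posted above (the excerpt keeps only the crypto map entries and ACL lines it needs, and the `select_crypto_entry`, `spoke_to_spoke_path` and `weak_transform_sets` names are the example's own). It answers, for a spoke-to-spoke pair such as 10.192.112.5 and 10.192.73.10, which entry and peer the hub picks in each direction, shows the fall-through to the dynamic map for traffic only listed in ACL 170, and flags the transform set because single DES and MD5 are deprecated for IPsec.

```python
import ipaddress
import re

# Constructed excerpt of the hub config posted in this thread: the static crypto map,
# the dynamic map it falls through to, the transform set, and only the ACL lines needed.
HUB_CONFIG = """\
crypto ipsec transform-set des-transform esp-des esp-md5-hmac
crypto dynamic-map dynmap 100
 set transform-set des-transform
 match address 170
crypto map dyntrans 10 ipsec-isakmp
 set peer 81.174.150.47
 match address 173
crypto map dyntrans 30 ipsec-isakmp
 set peer 62.116.206.92
 match address 171
crypto map dyntrans 40 ipsec-isakmp
 set peer 95.166.108.250
 match address 174
crypto map dyntrans 100 ipsec-isakmp dynamic dynmap
access-list 170 permit ip 10.209.0.0 0.0.255.255 10.192.112.0 0.0.15.255
access-list 171 permit ip 10.192.112.0 0.0.15.255 10.192.72.0 0.0.3.255
access-list 173 permit ip 10.192.64.0 0.0.31.255 10.192.112.64 0.0.0.63
access-list 174 permit ip 10.192.64.0 0.0.31.255 10.192.112.0 0.0.0.63
"""

def acl_network(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_hub_config(text):
    """Return (static_entries, dynamic_maps, acls, transform_sets) from IOS config text."""
    static, dynamic, acls, transforms, current = [], {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto map \S+ (\d+) ipsec-isakmp(?: dynamic (\S+))?", line):
            current = {"seq": int(m[1]), "dynamic": m[2], "peer": None, "acl": None}
            static.append(current)
        elif m := re.fullmatch(r"crypto dynamic-map (\S+) (\d+)", line):
            current = {"seq": int(m[2]), "dynamic": None, "peer": None, "acl": None}
            dynamic.setdefault(m[1], []).append(current)
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            transforms[m[1]] = m[2].split()
        elif m := re.fullmatch(r"access-list (\d+) (permit|deny) ip (.+)", line):
            src, rest = acl_network(m[3].split())
            dst, _ = acl_network(rest)
            acls.setdefault(m[1], []).append((m[2] == "permit", src, dst))
        elif current and line.startswith("set peer "):
            current["peer"] = line.split()[2]
        elif current and line.startswith("match address "):
            current["acl"] = line.split()[2]
        elif line and not line.startswith("set "):
            current = None  # any other top-level line ends the crypto map entry
    return static, dynamic, acls, transforms

def acl_permits(acl_lines, src, dst):
    """Crypto ACLs are first-match: a deny or no match means 'not interesting traffic'."""
    for permit, snet, dnet in acl_lines:
        if src in snet and dst in dnet:
            return permit
    return False

def select_crypto_entry(config, src, dst):
    """Walk the static map in sequence order, expanding a 'dynamic' entry into the dynamic
    map's own entries, and return the first entry whose ACL permits src->dst (or None).
    Entries reached through a dynamic map carry no usable peer: the hub can only respond."""
    static, dynamic, acls, _ = config
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(static, key=lambda e: e["seq"]):
        candidates = [entry] if not entry["dynamic"] else sorted(
            dynamic.get(entry["dynamic"], []), key=lambda e: e["seq"])
        for cand in candidates:
            if acl_permits(acls.get(cand["acl"], []), src, dst):
                return {"seq": entry["seq"], "acl": cand["acl"], "peer": cand["peer"],
                        "hub_can_initiate": entry["dynamic"] is None}
    return None  # no crypto ACL matched: the hub would forward this traffic in the clear

def spoke_to_spoke_path(config, host_a, host_b):
    """Spoke-to-spoke via the hub needs both directions selected, each towards the other
    spoke's static entry; a None or a dynamic-only entry in either direction breaks it."""
    return {"forward": select_crypto_entry(config, host_a, host_b),
            "reverse": select_crypto_entry(config, host_b, host_a)}

def weak_transform_sets(config):
    """Transform sets still built on single DES or MD5, both deprecated for IPsec."""
    weak = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}
    return sorted(name for name, algs in config[3].items() if weak & set(algs))

if __name__ == "__main__":
    cfg = parse_hub_config(HUB_CONFIG)
    print(spoke_to_spoke_path(cfg, "10.192.112.5", "10.192.73.10"))  # seq 30 out, seq 40 back
    print(select_crypto_entry(cfg, "10.209.2.10", "10.192.112.200"))  # falls through to dynmap
    print(weak_transform_sets(cfg))
```

Run against the excerpt, the forward lookup lands on sequence 30 (ACL 171, peer 62.116.206.92) and the reverse on sequence 40 (ACL 174, peer 95.166.108.250), so the hub's crypto ACLs do cover that spoke pair in both directions; if either direction had returned None, or an entry reached only through dynmap, that would explain a one-way or non-starting spoke-to-spoke tunnel, which is worth ruling out before blaming the 2811 for the packet loss. The checker only reads numbered `ip` ACL lines, which is all a crypto ACL normally needs, and it deliberately treats `set peer` inside a dynamic map as irrelevant, mirroring the point made in the accepted answer.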