LAN-to-LAN one-way traffic 837 to 3000 series

mikesurtees
Level 1

Hi,

Not even sure that there is even one-way traffic. The 837 is encrypting and the 3000 series is getting Rx increments but zero on the decrypt and Tx respectively.

Followed Cisco config guides for IOS and Concentrator religiously.

The 837 crypto ipsec debugs seem to show SAs created, when they actually decide to show themselves on the console.

Routing is not an issue, unless you consider static routes on the 3000. Am I supposed to create a static route sending traffic to the remote (837) LAN out the public interface? Or is it not necessary to have a route, as the SA definition will determine the tunnel to go down?

Unfortunately no other LAN-to-LAN tunnels on the 3000 to compare these issues to, and I have no lab.

Any help would be very welcome. I can of course provide more info, whatever is needed. I am at my wits' end with this one. So simple yet not working; bound to be doing something stupid.

Thanks

Accepted Solution

gfullage
Cisco Employee

If the tunnel is being built and you're getting traffic in one direction and not the other, it's usually routing.

The 831 is sending traffic to the 3000 and the 3000 is receiving it, going by your counters. The issue is probably that the hosts behind the 3000 don't know how to get back to the LAN behind the 831. Your internal network behind the 3000 will need a route to the 831 LAN that points to the private interface of the 3000. The 3000 just needs a default gateway pointing out the Public interface.

On the 3000 LAN, if you don't have any internal routers, and your inside hosts are directly connected to the same switch/hub as the 3000 private interface, then each host will need a static route for the 831 LAN that points to the 3000's private interface (that's assuming, of course, that the 3000 is not the hosts' default gateway, which it usually isn't).

Keep in mind that if you're not seeing any TX packets on the 3000, then the 3000 is not even seeing the packets from its inside hosts that are destined to the 831 LAN, so you need to check the local routing behind the 3000 to see what's going on.

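The return-path problem described in the accepted answer, as an added example that is not part of the original thread and not Cisco code: a small Python trace of a reply packet from a host behind the 3000 toward the remote LAN, with and without the per-host static route the answer recommends. The addressing (10.1.1.0/24 inside the 3000, 192.168.222.0/24 behind the 837, 10.1.1.1 as the PIX default gateway, 10.1.1.2 as the 3000 private interface) is constructed for the demonstration, and the concentrator's LAN-to-LAN SA selector is modelled as a plain source/destination network check rather than any real 3000 behaviour.

```python
"""Trace the return path from a host behind a VPN 3000 to the LAN behind the 837.

Added illustration; the addresses and device names are constructed, not taken
from the thread. The concentrator's LAN-to-LAN SA selector is modelled as a
plain source/destination network check.
"""
import ipaddress

# Constructed addressing (assumption for the example, not from the thread)
HOST_LAN = ipaddress.ip_network("10.1.1.0/24")         # private side of the 3000
REMOTE_LAN = ipaddress.ip_network("192.168.222.0/24")  # LAN behind the 837
ANY = ipaddress.ip_network("0.0.0.0/0")
PIX_DMZ = ipaddress.ip_address("10.1.1.1")             # the hosts' default gateway
VPN3000_PRIVATE = ipaddress.ip_address("10.1.1.2")     # 3000 private interface
INSIDE_HOST = ipaddress.ip_address("10.1.1.50")
REMOTE_HOST = ipaddress.ip_address("192.168.222.10")

# Which device owns each next-hop address, so the trace can walk hop by hop.
DEVICES = {PIX_DMZ: "pix", VPN3000_PRIVATE: "vpn3000"}

# Labels at which forwarding stops.
TERMINAL = {"tunnel", "internet", "public", "delivered-locally",
            "no-route", "unknown-nexthop"}


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) entries; None if nothing matches."""
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def build_tables(host_has_static):
    """Routing tables for the three devices on the inside LAN."""
    host = [(HOST_LAN, "connected"), (ANY, PIX_DMZ)]
    if host_has_static:
        # The per-host static route the answer recommends: remote LAN via the 3000.
        host.insert(0, (REMOTE_LAN, VPN3000_PRIVATE))
    # The PIX knows nothing about the tunnel; its default route leads to the internet.
    pix = [(HOST_LAN, "connected"), (ANY, "internet")]
    # The 3000 only needs a default route out its public interface; the SA
    # selector (see forward) decides what gets encrypted.
    vpn3000 = [(HOST_LAN, "connected"), (ANY, "public")]
    return {"host": host, "pix": pix, "vpn3000": vpn3000}


def forward(device, tables, src, dst):
    """One forwarding decision: the next device name or a terminal label."""
    # Crypto selector check on the concentrator, before ordinary routing.
    if device == "vpn3000" and src in HOST_LAN and dst in REMOTE_LAN:
        return "tunnel"
    match = lookup(tables[device], dst)
    if match is None:
        return "no-route"
    next_hop = match[1]
    if isinstance(next_hop, str):
        return "delivered-locally" if next_hop == "connected" else next_hop
    return DEVICES.get(next_hop, "unknown-nexthop")


def return_path(host_has_static, src=INSIDE_HOST, dst=REMOTE_HOST, max_hops=8):
    """Walk a packet from the inside host until it is encrypted, dropped or leaves in the clear."""
    tables = build_tables(host_has_static)
    path = ["host"]
    device = "host"
    for _ in range(max_hops):
        nxt = forward(device, tables, src, dst)
        path.append(nxt)
        if nxt in TERMINAL:
            break
        device = nxt
    return path


if __name__ == "__main__":
    for flag in (False, True):
        print(f"static route on host: {flag}: {' -> '.join(return_path(flag))}")
```

Without the static, the reply follows the host's default route to the PIX and leaves toward the internet unencrypted (or is dropped by whatever policy the PIX applies); the 3000 never sees it, which is exactly the zero Tx counter the answer describes. With the static, longest-prefix match prefers the /24 over the default route, the packet reaches the 3000 private interface, and the SA selector claims it for the tunnel.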

mikesurtees
Level 1

Thanks for your response... Last night I did confirm it was a routing issue, but I still find it strange. The PIX DMZ on the same subnet as the 3000 private interface had the correct route on it and packet debugs showed the traffic leaving the DMZ interface. There is also a static route on the 3000 sending the 10.x.x.x to the PIX DMZ.

The allocated address space for the remote (837) network was a subnet of the 10.x.x.x. I had tried using a static sending this 10.150.0.x subnet traffic out the public interface.

I realise the basic config guides do not create a static, but I was making a comparison to 3 instances of client pools on two 3000s and also a LAN-to-LAN on another 3000 terminating on a VPN-1 device. All these were configured by someone else and all had statics to the remote LAN pointing out the public interface.

I imagined the smaller subnet would take precedence over the larger, as in all Cisco routing, but it seems not... unless it is wrong to create a static for a network at the other end of a tunnel.

I eventually stumbled on 2-way traffic when I changed the remote (837) network to an unused 192.168.222.x network. In this instance it would only work if there was NOT an explicit static route. This begs the question of why the client pools and other LAN-to-LAN work?

Experience with IOS VPNs tells me that routing is not necessary with IPSec, as the SA definitions encrypt the appropriate traffic and send it down the desired tunnel.

In short: thanks again for the routing tip - you are right. But there still seem to be some quirks with the 3000 series routing which don't seem to leave a clear situation.

Regards,

Mike