Alcides Miguel
Beginner

Remote VPN on 2801 up but no traffic

I decided to set up a remote VPN on a 2801 router. After some time I got my VPN tunnel up, and the state is QM_IDLE, but all traffic from the VPN client is being bypassed or discarded, so I cannot access my internal network through the VPN tunnel.
Can someone please help?
13 Replies
Jitendriya Athavale
Cisco Employee

From what you have written, I understand that you are able to connect the VPN but nothing flows.

Please try using a standard access-list instead of an extended one:

acl IT-VPN-ACL

Use the standard access-list and just match the internal network in it.

Alcides Miguel

Thanks for your reply, jathaval.

Yes, right, I can connect successfully, but no traffic...

As you said, I removed the extended ACL and put in a standard ACL matching only the internal network, if I understand correctly:

ip access-list standard IT-VPN-ACL
permit 10.10.0.0 0.0.1.255

but there is no traffic at all (traffic is being discarded).

Thanks!

Jitendriya Athavale

Can you please post the output of "show crypto ipsec sa" on the router when you are connected...

Also, please mention the values in the routing table on the client; you will find this in the client under Statistics and Routing.

Also, if this is a new setup, you can try configuring it without using profiles; please see if you can configure it using this link:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml#enablingsplittunneling

I think you must have configured this using CCP or SDM.

Alcides Miguel

Hi, Jathaval! Thanks for your attention.

I don't have access to the link you provided me. After changing the ACL, the routing table on my client became 0.0.0.0 0.0.0.0 and all traffic is being discarded.

Here is the output of show crypto ipsec sa:

#sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 64.30.154.85

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.11/255.255.255.255/0/0)
   current_peer 41.78.17.174 port 54858
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.30.154.85, remote crypto endpt.: 41.78.17.174
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.10
     current outbound spi: 0x2A77D608(712496648)

     inbound esp sas:
      spi: 0x2903FFDA(688127962)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2033, flow_id: FPGA:33, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4460451/3571)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2A77D608(712496648)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2034, flow_id: FPGA:34, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4460451/3549)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

See the attachment for the route table on the client.

Jitendriya Athavale

1> What if you use the ACL that you used before, that is, the extended one?

What do you see in the routing table on the client?

2> See if you can remove split tunneling by removing the ACL from the group, and check the routing table.

Regards,

Jitendriya

Alcides Miguel

1> What if you use the ACL that you used before, that is, the extended one?

   What do you see in the routing table on the client?

If I re-use the ACL that I used before, the routing table on the VPN client is: see attached file.

2> See if you can remove split tunneling by removing the ACL from the group, and check the routing table.

Sorry! But I don't understand what you mean by remove split... and ACL...

Best regards

Jitendriya Athavale

Now, with the old ACL, that is, the extended one, can you ping something on the inside and paste the output of show crypto ipsec sa from the router? Also, can you show the statistics on the client (encaps, decaps)?

Regards,

Jitendriya

Alcides Miguel

Thanks for your attention!

Sorry, but I don't know where I'm going wrong; I tried the exact same config before and it worked perfectly.

With the primary ACL the route table seems OK, but there is no traffic as well.

sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 64.30.154.85

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.13/255.255.255.255/0/0)
   current_peer 41.78.17.170 port 45422
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.30.154.85, remote crypto endpt.: 41.78.17.170
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.10
     current outbound spi: 0xD6DAB211(3604656657)

     inbound esp sas:
      spi: 0xFECA5FF6(4274675702)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2037, flow_id: FPGA:37, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4408813/3227)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD6DAB211(3604656657)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2038, flow_id: FPGA:38, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4408813/3226)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Jitendriya Athavale

I do not see anything encrypted by the client. Are you using Win 7 with a 3G connection, by any chance?

Regards,

Jitendriya
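Jitendriya's reading of the counters above (zero encaps and zero decaps on the head end means the client never put a single packet into the tunnel, so the fault is on the client side rather than in the router's routing or ACLs) can be turned into a small triage script. The following is an added example, not code from the thread or from Cisco: it parses show crypto ipsec sa output, classifies each flow by its counters, and checks whether the networks of a standard split-tunnel ACL such as IT-VPN-ACL match the secured routes the VPN client reports (the 0.0.0.0 0.0.0.0 entry Alcides saw would fail that check). The sample output is abridged from the thread's second paste; the function names and the classification labels are my own, and the "no-return-traffic" case generalises beyond what the thread shows.

```python
import ipaddress
import re

# Abridged from the second "show crypto ipsec sa" posted in the thread.
SAMPLE_SA = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 64.30.154.85

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.13/255.255.255.255/0/0)
   current_peer 41.78.17.170 port 45422
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.30.154.85, remote crypto endpt.: 41.78.17.170
"""

# One match per IPsec flow: both identities, the peer, and the counters that
# matter for "tunnel up but no traffic" triage.
FLOW_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\)\s*"
    r"current_peer (?P<peer>\S+) port (?P<port>\d+).*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+).*?"
    r"#send errors (?P<send_err>\d+), #recv errors (?P<recv_err>\d+)",
    re.DOTALL,
)


def parse_ipsec_sa(text):
    """Return one dict per flow found in 'show crypto ipsec sa' output."""
    flows = []
    for m in FLOW_RE.finditer(text):
        flow = m.groupdict()
        for key in ("port", "encaps", "decaps", "send_err", "recv_err"):
            flow[key] = int(flow[key])
        flows.append(flow)
    return flows


def diagnose(flow):
    """Classify a flow from the head end's point of view.

    decaps counts packets received from the client and decrypted here;
    encaps counts packets encrypted here and sent back to the client.
    Labels are this example's own, not IOS terminology.
    """
    if flow["send_err"] or flow["recv_err"]:
        return "sa-errors"           # the SA itself is unhappy (replay, MTU, transform)
    if flow["decaps"] == 0 and flow["encaps"] == 0:
        return "client-not-sending"  # nothing ever arrived: client routes or adapter
    if flow["decaps"] > 0 and flow["encaps"] == 0:
        return "no-return-traffic"   # router decrypted packets; inside routing/NAT drops replies
    return "ok"


def split_tunnel_networks(acl_lines):
    """Networks a standard split-tunnel ACL pushes to the client.

    IOS wildcard masks are inverted to subnet masks; 'host' and 'any' are
    handled. ipaddress rejects non-contiguous wildcards, which is intended.
    """
    nets = []
    for line in acl_lines:
        m = re.match(r"\s*permit\s+(?:host\s+)?(\S+)(?:\s+(\S+))?", line)
        if not m:
            continue                 # 'ip access-list ...' header, deny lines, remarks
        addr, wildcard = m.groups()
        if wildcard and not wildcard[0].isdigit():
            wildcard = None          # trailing keyword such as 'log', not a mask
        if addr == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
        mask = ipaddress.IPv4Address(wc ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def client_routes_match(acl_lines, client_routes):
    """True when the client's secured routes (network, mask pairs as the VPN
    Client's Statistics window lists them) are exactly the ACL's networks."""
    expected = {str(n) for n in split_tunnel_networks(acl_lines)}
    got = {str(ipaddress.ip_network(f"{n}/{m}", strict=False)) for n, m in client_routes}
    return expected == got


if __name__ == "__main__":
    for flow in parse_ipsec_sa(SAMPLE_SA):
        print(flow["peer"], flow["remote"], diagnose(flow))
    acl = ["ip access-list standard IT-VPN-ACL", " permit 10.10.0.0 0.0.1.255"]
    print(split_tunnel_networks(acl))
    print(client_routes_match(acl, [("0.0.0.0", "0.0.0.0")]))
```

Run against the thread's paste this reports client-not-sending for peer 41.78.17.170, which is exactly the conclusion that led to the 3G/WWAN question; the split-tunnel check reports that a client showing only 0.0.0.0 0.0.0.0 did not receive the 10.10.0.0/23 route the standard ACL should have pushed.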

Alcides Miguel

Yes, I do...

I'm using Win 7 x64 with a 3G connection.

Jitendriya Athavale

Ahhhh, now I know. OK, firstly, if it is a WWAN card, it is not supported by the VPN client.

Now we have one workaround: set up your 3G as a dial-up connection and boom, it should start working.

Regards,

Jitendriya

(Accepted solution)

Alcides Miguel

Thanks a lot! It's working now!!!

Nice job...

Best regards

Jitendriya Athavale

Awesome, I am glad it worked.

Regards,

Jitendriya
