S2S VPN is UP but couldn't reach either side (to and from) of interesting traffic

srikanth ath
Level 4

Hello Friends,

 

I have this weird scenario where I couldn't reach either side (to and from) over an S2S VPN (the VPN is established successfully). When I initiate traffic towards the other side (let's say SiteB), the IPsec SA gets a hit count but I couldn't get the response back. The issue persists even when SiteB initiates traffic towards SiteA.

Below is the output from SiteA; I don't have access to show you the details of SiteB.

 

Thanks in advance; I really need your expertise here.

Attached is the document with the VPN config at SiteA, and below is the output from the router.

Let me know if you require any other details.

 

Router2#ping 10.254.168.10 source gi 0/0/0.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.168.10, timeout is 2 seconds:
Packet sent with a source address of 172.30.3.252
.....
Success rate is 0 percent (0/5)
Router2#

!
!
!
Router2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.5.5.5 1.1.1.1 QM_IDLE 1097 ACTIVE

IPv6 Crypto ISAKMP SA

Router2#sh crypto isakmp sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1097 1.1.1.1 5.5.5.5 ACTIVE 3des sha psk 2 06:04:14 D
Engine-id:Conn-id = SW:97

IPv6 Crypto ISAKMP SA

Router2#


Router2#sh crypto ipsec sa peer 5.5.5.5

interface: GigabitEthernet0/0/1
Crypto map tag: CDKVPN, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19906, #pkts decrypt: 19906, #pkts verify: 19906
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xE18075A(236455770)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xDFA0D58E(3751859598)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5549, flow_id: ESG:3549, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1098)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xE18075A(236455770)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5550, flow_id: ESG:3550, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1098)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (206.92.10.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xA8583F9D(2824355741)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xBF129BAC(3205667756)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5551, flow_id: ESG:3551, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA8583F9D(2824355741)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5552, flow_id: ESG:3552, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xABD84CCF(2883079375)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x544F2FD5(1414475733)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5547, flow_id: ESG:3547, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/924)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xABD84CCF(2883079375)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5548, flow_id: ESG:3548, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/924)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
Router2#

6 Replies

Hi @srikanth ath 

The IPsec SA related to the issue above confirms that traffic is encrypted but not decrypted. This indicates a probable issue on the other device; it possibly requires a NAT exemption rule to be configured. Check the other devices and send outputs if required.

 

local ident (addr/mask/prot/port): (172.30.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Yes, I cross-checked this before and I did have a deep look at the routes and the NAT exemption. It looks good to me, but I couldn't fix the issue. However, I attached the complete VPN config in the original post above and here; in those, below is what you can refer to.

 

Thanks for your time; let me know if you need something else to cross-check.
ip nat inside source route-map NAT-TO-INTERNET interface GigabitEthernet0/0/1 overload
ip access-list extended NAT-TO-INTERNET
permit ip 206.92.10.32 0.0.0.31 any
permit ip 204.125.74.0 0.0.0.255 any
permit ip 172.30.3.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.30.4.0 0.0.0.255 any
permit ip 10.93.119.0 0.0.0.255 any

!

interface GigabitEthernet0/0/1
crypto map PANVPN
ip address 1.1.1.1 255.255.255.0
ip access-list extended INTERNET_IN
!
route-map PAN-IT-VPN permit 10
match ip address prefix-list REDISTRIBUTE-PAN-IT-VPN
route-map NAT-TO-INTERNET deny 5
match ip address PAN-IT-VPN
route-map NAT-TO-INTERNET permit 10
match ip address NAT-TO-INTERNET
match interface GigabitEthernet0/0/1
!
ip nat inside source route-map NAT-TO-INTERNET interface GigabitEthernet0/0/1 overload
!

Modify your ACL "NAT-TO-INTERNET": the first few lines should deny traffic from the local network to the destination VPN network; this ensures traffic is not unintentionally NATed. These deny entries in the ACL should be above the permit entries, otherwise they will not work as expected.

 

HTH
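The ordering change described above, written out as an added example (not config from the thread or from either router); the local prefixes and the remote VPN subnet 10.254.168.0/24 are taken from the IPsec SA output in the original post, and the low sequence numbers are what place the deny entries above the existing permits (which start at 10 by default) without re-creating the ACL:

```cisco
! Constructed example: NAT exemption for VPN-bound traffic at SiteA.
! Existing translations are not affected by an ACL edit, so they are
! cleared afterwards; otherwise stale PAT entries keep breaking the tunnel.
configure terminal
 ip access-list extended NAT-TO-INTERNET
  ! deny entries first: inside VPN subnets -> remote VPN subnet must NOT be NATed
  1 deny   ip 204.125.74.0 0.0.0.255 10.254.168.0 0.0.0.255
  2 deny   ip 206.92.10.32 0.0.0.31  10.254.168.0 0.0.0.255
  3 deny   ip 172.30.3.0   0.0.0.255 10.254.168.0 0.0.0.255
  ! the original permits (sequence 10 and up) stay as they are:
  ! permit ip 206.92.10.32 0.0.0.31 any
  ! permit ip 204.125.74.0 0.0.0.255 any
  ! permit ip 172.30.3.0 0.0.0.255 any
  ! ...
 exit
end
! flush translations that were built before the deny entries existed
clear ip nat translation *
! verify: the deny lines must sit above the permits, and no translation
! may exist towards the remote VPN subnet after a fresh ping
show ip access-lists NAT-TO-INTERNET
show ip nat translations | include 10.254.168
```

If the route-map NAT-TO-INTERNET keeps its deny 5 entry, that entry and the ACL denies are redundant but harmless; the ACL ordering alone is enough for the exemption to work.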

srikanth ath
Level 4

Yes, I agree traffic is getting encrypted, but if you look at the IPsec SA below, the traffic from the other side (SiteB) towards SiteA over the VPN is decrypted but fails to reach the end host. I mean SiteB is trying to reach 204.125.74.252 from 10.254.168.11.

 

local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19906, #pkts decrypt: 19906, #pkts verify: 19906

 

Also, please find the NAT exemption below; the same is shown in the attachment, where you can find the complete VPN config.

 


ip nat inside source route-map NAT-TO-INTERNET interface GigabitEthernet0/0/1 overload
ip access-list extended NAT-TO-INTERNET
permit ip 206.92.10.32 0.0.0.31 any
permit ip 204.125.74.0 0.0.0.255 any
permit ip 172.30.3.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.30.4.0 0.0.0.255 any
permit ip 10.93.119.0 0.0.0.255 any

!
route-map NAT-TO-INTERNET deny 5
match ip address PAN-IT-VPN
route-map NAT-TO-INTERNET permit 10
match ip address NAT-TO-INTERNET
match interface GigabitEthernet0/0/1
!

 

Let me know if you need more outputs from the router side, i.e. SiteA.

Yes, I noticed you have multiple IPsec SAs, all of which seem to have some issue (probably all related). However, your configuration is of only the one router; the pertinent information that would speed up resolution of this issue for you is not included.

 

From what I see so far, amend your NAT rules to deny the traffic on both routers.

srikanth ath
Level 4

Hello Rob,

 

I don't have access to the devices on the other side, as they seem to belong to the client. The output below now looks good, which implies both encryption and decryption are applied, but from either side we were not able to reach the end hosts. Now, with the output below, I would like to see the live traffic from the tunnel and dig into the issue. Can you help with how I can run the following, with instructions to capture only ICMP traffic, as I don't want my router going dead while running debug?

1. debug commands

2. pcap

 

r2#sh version
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)

r2#sh crypto ipsec sa

local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 66.216.21.132 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 82930, #pkts encrypt: 82930, #pkts digest: 82930
#pkts decaps: 82916, #pkts decrypt: 82916, #pkts verify: 82916
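An added example of the second item in the request above (an ICMP-only capture on IOS XE 16.6 with Embedded Packet Capture), not an answer from the thread; the interface name GigabitEthernet0/0/0 is assumed to be the LAN-facing parent of the gi 0/0/0.150 subinterface used as the ping source, and the subnets are those from the IPsec SA output:

```cisco
! Constructed example: EPC restricted to ICMP between the two VPN subnets,
! with a size and time limit so the buffer cannot grow unbounded.
configure terminal
 ip access-list extended ICMP_VPN_ONLY
  permit icmp 204.125.74.0 0.0.0.255 10.254.168.0 0.0.0.255
  permit icmp 10.254.168.0 0.0.0.255 204.125.74.0 0.0.0.255
end
! capture on the LAN side, where the ICMP is still cleartext (on the WAN
! interface the same packets appear only as ESP and the ACL cannot match them)
monitor capture CAP interface GigabitEthernet0/0/0 both
monitor capture CAP access-list ICMP_VPN_ONLY
monitor capture CAP buffer size 10
monitor capture CAP limit duration 60
show monitor capture CAP parameter
monitor capture CAP start
! ... run the ping from the earlier post while the capture is active ...
monitor capture CAP stop
! a quick look on-box, then export for Wireshark
show monitor capture CAP buffer brief
monitor capture CAP export bootflash:CAP.pcap
! remove the capture point when finished
no monitor capture CAP
```

The debug route (debug ip packet with an ACL) only shows process-switched packets, so it would need matching traffic forced out of the fast path, which is exactly what makes a busy router unresponsive; the capture above does not change the forwarding path.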