10-05-2020 02:14 AM
Hello Friends,
I have this weird scenario where I couldn't reach either side (to and from) over S2S VPN (the VPN is established successfully). When I initiate traffic towards the other side (let's say SiteB), the IPsec SA gets a hit count but I couldn't get the response back. The issue persists even when SiteB initiates traffic towards SiteA.
Below is the output from SiteA; I don't have access to show you the details of SiteB.
Thanks in advance, I need your expertise here.
Attached is the document for the VPN config at SiteA and below is the output from the router.
Let me know if you require any other details.
Router2#ping 10.254.168.10 source gi 0/0/0.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.168.10, timeout is 2 seconds:
Packet sent with a source address of 172.30.3.252
.....
Success rate is 0 percent (0/5)
Router2#
!
!
!
Router2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.5.5.5 1.1.1.1 QM_IDLE 1097 ACTIVE
IPv6 Crypto ISAKMP SA
Router2#sh crypto isakmp sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1097 1.1.1.1 5.5.5.5 ACTIVE 3des sha psk 2 06:04:14 D
Engine-id:Conn-id = SW:97
IPv6 Crypto ISAKMP SA
Router2#
Router2#sh crypto ipsec sa peer 5.5.5.5
interface: GigabitEthernet0/0/1
Crypto map tag: CDKVPN, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19906, #pkts decrypt: 19906, #pkts verify: 19906
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xE18075A(236455770)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xDFA0D58E(3751859598)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5549, flow_id: ESG:3549, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1098)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE18075A(236455770)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5550, flow_id: ESG:3550, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1098)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (206.92.10.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xA8583F9D(2824355741)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBF129BAC(3205667756)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5551, flow_id: ESG:3551, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA8583F9D(2824355741)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5552, flow_id: ESG:3552, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xABD84CCF(2883079375)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x544F2FD5(1414475733)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5547, flow_id: ESG:3547, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/924)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xABD84CCF(2883079375)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5548, flow_id: ESG:3548, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/924)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Router2#
10-05-2020 02:29 AM
The IPSec SA related to the issue above confirms that traffic is encrypted, but not decrypted. This indicates a probable issue on the other device, it possibly requires a NAT exemption rule configured. Check the other devices, send outputs if required.
local ident (addr/mask/prot/port): (172.30.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
10-05-2020 02:38 AM - edited 10-05-2020 02:39 AM
Yes, I cross-checked this before and I did have a deep look at the routes and NAT exemption; it looks good to me but I couldn't fix the issue. However, I attached the complete VPN config in the original post above and here; in those, below is what you can refer to.
Thanks for your time, let me know if you need something else to cross check.
ip nat inside source route-map NAT-TO-INTERNET interface GigabitEthernet0/0/1 overload
ip access-list extended NAT-TO-INTERNET
permit ip 206.92.10.32 0.0.0.31 any
permit ip 204.125.74.0 0.0.0.255 any
permit ip 172.30.3.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.30.4.0 0.0.0.255 any
permit ip 10.93.119.0 0.0.0.255 any
!
interface GigabitEthernet0/0/1
crypto map PANVPN
ip address 1.1.1.1 255.255.255.0
ip access-list extended INTERNET_IN
!
route-map PAN-IT-VPN permit 10
match ip address prefix-list REDISTRIBUTE-PAN-IT-VPN
route-map NAT-TO-INTERNET deny 5
match ip address PAN-IT-VPN
route-map NAT-TO-INTERNET permit 10
match ip address NAT-TO-INTERNET
match interface GigabitEthernet0/0/1
!
ip nat inside source route-map NAT-TO-INTERNET interface GigabitEthernet0/0/1 overload
!
10-05-2020 02:45 AM
Modify your ACL "NAT-TO-INTERNET": the first few lines should deny traffic from the local network to the destination VPN network; this ensures traffic is not unintentionally NATed. These deny entries in the ACL should be above the permit entries, otherwise they will not work as expected.
HTH
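As an added illustration of the ordering rule in this reply (example code, not from the thread or any Cisco tool), the following Python models IOS first-match evaluation of the NAT-TO-INTERNET ACL posted above. The three deny entries, the ACL orderings and the test flows are constructed assumptions; the posted ACL lines are copied as-is.

```python
import ipaddress
# Added example: model the first-match semantics of the IOS extended ACL behind
# "ip nat inside source route-map ... overload" and see which flows it translates.

def wildcard_to_network(addr, wildcard):
    # IOS wildcard masks are the inverse of a netmask: 0.0.0.255 -> /24
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_ace(line):
    # 'permit|deny ip <src> <dst>', each side either 'any' or 'addr wildcard'
    tok = line.replace("any", "0.0.0.0 255.255.255.255").split()
    return tok[0], wildcard_to_network(tok[2], tok[3]), wildcard_to_network(tok[4], tok[5])

def first_match(acl, src_ip, dst_ip):
    """Top-to-bottom scan: (line_number, action) of the first hit, else the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, line in enumerate(acl, 1):
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return n, action
    return None, "deny"

def would_be_natted(acl, src_ip, dst_ip):
    # A permit here means the source is rewritten to the WAN address before the
    # crypto map is checked, so the packet no longer matches the crypto ACL.
    return first_match(acl, src_ip, dst_ip)[1] == "permit"

# NAT-TO-INTERNET exactly as posted in the thread: permits only.
ACL_AS_POSTED = [
    "permit ip 206.92.10.32 0.0.0.31 any",
    "permit ip 204.125.74.0 0.0.0.255 any",
    "permit ip 172.30.3.0 0.0.0.255 any",
    "permit ip 192.168.1.0 0.0.0.255 any",
    "permit ip 172.30.4.0 0.0.0.255 any",
    "permit ip 10.93.119.0 0.0.0.255 any",
]
# Constructed deny entries for the three local subnets that appear as local
# idents in the IPsec SA output; they only take effect when placed first.
VPN_DENIES = [
    "deny ip 204.125.74.0 0.0.0.255 10.254.168.0 0.0.0.255",
    "deny ip 206.92.10.32 0.0.0.31 10.254.168.0 0.0.0.255",
    "deny ip 172.30.3.0 0.0.0.255 10.254.168.0 0.0.0.255",
]
ACL_FIXED = VPN_DENIES + ACL_AS_POSTED
ACL_DENIES_LAST = ACL_AS_POSTED + VPN_DENIES   # same entries, wrong order

if __name__ == "__main__":  # the ping from the thread: 172.30.3.252 -> 10.254.168.10
    for n, a in ("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED), ("denies last", ACL_DENIES_LAST):
        print(n, "-> natted:", would_be_natted(a, "172.30.3.252", "10.254.168.10"))
```

Internet-bound traffic from the same subnets still matches a permit in the fixed ACL, so overload NAT keeps working for it.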
10-05-2020 03:00 AM
Yes, I agree traffic is getting encrypted, but if you look at the IPsec SA below, the traffic from the other side, SiteB, towards SiteA over the VPN is decrypted but fails to reach the end host. I mean SiteB trying to reach 204.125.74.252 from 10.254.168.11.
local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19906, #pkts decrypt: 19906, #pkts verify: 19906
Also, please find the NAT exemption below and the same is shown in the attachment where you can find the complete config of VPN.
ip nat inside source route-map NAT-TO-INTERNET interface GigabitEthernet0/0/1 overload
ip access-list extended NAT-TO-INTERNET
permit ip 206.92.10.32 0.0.0.31 any
permit ip 204.125.74.0 0.0.0.255 any
permit ip 172.30.3.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.30.4.0 0.0.0.255 any
permit ip 10.93.119.0 0.0.0.255 any
!
route-map NAT-TO-INTERNET deny 5
match ip address PAN-IT-VPN
route-map NAT-TO-INTERNET permit 10
match ip address NAT-TO-INTERNET
match interface GigabitEthernet0/0/1
!
Let me know if you need more outputs from the router side, i.e. SiteA.
10-05-2020 03:10 AM
Yes, I noticed you have multiple IPsec SAs which all seem to have some issue (probably all related). However, your configuration is of only the one router; the pertinent information that would speed up resolution of this issue for you is not included.
From what I see so far amend your NAT rules to deny the traffic on both routers.
10-06-2020 11:03 PM - edited 10-06-2020 11:05 PM
Hello Rob,
I don't have access to the other side of the devices as they seem to belong to clients. The output below now looks to be good, which implies both encryption and decryption are applied, but from either side we were not able to reach the end hosts. Now, with the output below I would like to see the live traffic from the tunnel and dig down into the issue. Can you help with how I can run the below, with instructions to capture only ICMP traffic, as I don't want my router going dead while running debug?
1. debug commands
2. pcap
r2#sh version
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
r2#sh crypto ipsec sa
local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 66.216.21.132 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 82930, #pkts encrypt: 82930, #pkts digest: 82930
#pkts decaps: 82916, #pkts decrypt: 82916, #pkts verify: 82916