
VPN client gets connected but Request Timed Out when pinging

michaelchandra

Hi, I'm using the Cisco 837 router as my VPN server. I get connected using Cisco VPN Client Version 5. But when I ping the router IP, I get request timed out. Here is my configuration:

Building configuration...

Current configuration : 3704 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname michael
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging console
enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool michael
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 202.134.0.155 
!
ip dhcp pool excluded-address
   host 192.168.1.4 255.255.255.0
   hardware-address 01c8.d719.957a.b9
!
!
ip cef
ip name-server 202.134.0.155
ip name-server 203.130.193.74
vpdn enable
!
!
!
!
username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f.
username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group michaelvpn
 key vpnpassword
 pool SDM_POOL_1
 acl 199
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA 
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Virtual-PPP1
 no ip address
!
interface Dialer1
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname ispusername
 ppp chap password 0 isppassword
 ppp pap sent-username ispusername password 0 isppassword
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner motd ^C
Authorized Access Only
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit permission to access this device.
All activities performed on this device are logged.
Any violations of access policy will result in disciplinary action.
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Thank you, any help will be appreciated.


Ranil Herath

Hi Michael,

Is your VPN client behind another device (router, firewall) that performs NAT? If so you'll need to enable NAT traversal:

crypto isakmp nat-traversal

Regards

Ranil

amanshar

Hi Michael/Ranil,

Configuring NAT Traversal

NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

Disabling NAT Traversal

You may wish to disable NAT traversal if you already know that your network uses IPSec-awareness NAT (spi-matching scheme). To disable NAT traversal, use the following commands:

SUMMARY STEPS:

1. enable

2. configure terminal

3. no crypto ipsec nat-transparency udp-encapsulation

However, in our case it doesn't seem to be an issue with NAT-T. Take some debugs at the time of connection.

Debug cry isa

Debug cry Ipsec

Term mon

To stop the debugs you can do UN ALL and Term no Mon. If you can, then please attach the debugs or logs here and I will have a look at them.

Regards,

Aman

Thank you for the fast response. Here are my logs:

Syslog logging: enabled (1 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 965 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level informational, 579 message lines logged

Log Buffer (4096 bytes):
23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:52.803: ISAKMP (0:134217729): received packet from 120.168.1.24 dport 4500 sport 37662 Global (R) QM_IDLE
*Feb 17 15:19:52.803: ISAKMP: set new node -423687995 to QM_IDLE
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -423687995
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
     spi 0, message ID = -423687995, sa = 81A5AE2C
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1):deleting node -423687995 error FALSE reason "Informational (in) state 1"
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):DPD/R_U_THERE received from peer 120.168.1.24, sequence 0xCF41275D
*Feb 17 15:19:52.811: ISAKMP: set new node -910486326 to QM_IDLE
*Feb 17 15:19:52.815: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
     spi 2182802952, message ID = -910486326
*Feb 17 15:19:52.815: ISAKMP:(0:1:SW:1): seq. no 0xCF41275D
*Feb 17 15:19:52.815: ISAKMP:(0:1:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 37662 (R) QM_IDLE
*Feb 17 15:19:52.819: ISAKMP:(0:1:SW:1):purging node -910486326
*Feb 17 15:19:52.819: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 15:19:52.819: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:59.327: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:59.327: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:20:04.307: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:20:04.307: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:20:04.363: ISAKMP (0:134217729): received packet from 120.168.1.24 dport 4500 sport 37662 Global (R) QM_IDLE
*Feb 17 15:20:04.363: ISAKMP: set new node -874301582 to QM_IDLE
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -874301582
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
     spi 0, message ID = -874301582, sa = 81A5AE2C
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1):deleting node -874301582 error FALSE reason "Informational (in) state 1"
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 15:20:04.379: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 15:20:04.379: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 17 15:20:29.659: ISAKMP:(0:1:SW:1):purging node 377453653
*Feb 17 15:20:33.367: ISAKMP:(0:1:SW:1):purging node -2142077949
*Feb 17 15:20:42.807: ISAKMP:(0:1:SW:1):purging node -423687995
*Feb 17 15:20:54.367: ISAKMP:(0:1:SW:1):purging node -874301582

Hi Michael,

I have been through the logs; they are inconclusive and only determine that Phase 1 is coming up. However, according to this error message, %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0, we are hitting a bug on the IOS. The bug ID is CSCsl24693 and the fix is to upgrade to 12.4(11)XJ.

Can you run the debugs again and send me the detailed outputs?

Regards,

Aman
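The reading of the log described in the reply above (Phase 1 up, refcount tracebacks present), as an added triage sketch that is not part of any post in this thread. The sample lines are copied from the log posted above with tracebacks omitted; the function names and verdict strings are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample lines copied from the log posted in this thread (tracebacks omitted).
SAMPLE_LOG = """\
*Feb 17 15:19:52.803: ISAKMP (0:134217729): received packet from 120.168.1.24 dport 4500 sport 37662 Global (R) QM_IDLE
*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):DPD/R_U_THERE received from peer 120.168.1.24, sequence 0xCF41275D
*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0
*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B50AD8, count=0
*Feb 17 15:20:04.307: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81F84148, count=0
"""

BADSHARE = re.compile(r"%SYS-2-BADSHARE: Bad refcount in (\w+), ptr=([0-9A-F]+), count=\d+")
P1_DONE = re.compile(r"New State = IKE_P1_COMPLETE")
NAT_T = re.compile(r"ISAKMP.*\b(?:dport|my_port) 4500\b")  # IKE on UDP/4500 means NAT-T is in use
DPD = re.compile(r"DPD/R_U_THERE received from peer ([\d.]+)")
IPSEC = re.compile(r": IPSEC\(")  # lines emitted by "debug crypto ipsec"


def triage(log_text):
    """Summarise what an IOS crypto debug capture does and does not show."""
    s = {"phase1_complete": False, "nat_t": False, "dpd_peers": set(),
         "ipsec_lines": 0, "badshare": Counter(), "badshare_ptrs": set()}
    for line in log_text.splitlines():
        m = BADSHARE.search(line)
        if m:
            s["badshare"][m.group(1)] += 1      # which routine reported the bad refcount
            s["badshare_ptrs"].add(m.group(2))  # distinct packet buffers affected
            continue
        s["phase1_complete"] |= bool(P1_DONE.search(line))
        s["nat_t"] |= bool(NAT_T.search(line))
        s["ipsec_lines"] += bool(IPSEC.search(line))
        m = DPD.search(line)
        if m:
            s["dpd_peers"].add(m.group(1))
    return s


def verdict(s):
    """Map the summary to the next step a responder would take (hypothetical labels)."""
    if s["badshare"]:
        return "platform-errors: buffer refcount tracebacks logged, check IOS release"
    if s["phase1_complete"] and not s["ipsec_lines"]:
        return "phase1-only: capture debug crypto ipsec and show crypto ipsec sa"
    return "no-finding"


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

On this sample the summary also shows IKE running on UDP 4500, so NAT-T was already negotiated for this peer.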

Thank you for your response, here is the debug:

Log Buffer (4096 bytes):
  1 15:19:47.011: ISAKMP: set new node 856647599 to QM_IDLE      
May  1 15:19:47.015: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
     spi 2182802952, message ID = 856647599
May  1 15:19:47.015: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8A
May  1 15:19:47.015: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE      
May  1 15:19:47.019: ISAKMP:(0:8:SW:1):purging node 856647599
May  1 15:19:47.019: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
May  1 15:19:47.019: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

May  1 15:19:49.979: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B4F274, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May  1 15:19:49.983: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B4F274, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May  1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May  1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May  1 15:19:58.383: ISAKMP (0:134217736): received packet from 120.168.1.24 dport 4500 sport 52667 Global (R) QM_IDLE      
May  1 15:19:58.383: ISAKMP: set new node -1340288848 to QM_IDLE      
May  1 15:19:58.387: ISAKMP:(0:8:SW:1): processing HASH payload. message ID = -1340288848
May  1 15:19:58.387: ISAKMP:(0:8:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
     spi 0, message ID = -1340288848, sa = 81A7DCEC
May  1 15:19:58.387: ISAKMP:(0:8:SW:1):deleting node -1340288848 error FALSE reason "Informational (in) state 1"
May  1 15:19:58.387: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
May  1 15:19:58.387: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

May  1 15:19:58.391: ISAKMP:(0:8:SW:1):DPD/R_U_THERE received from peer 120.168.1.24, sequence 0xA3285B8B
May  1 15:19:58.391: ISAKMP: set new node -752454119 to QM_IDLE      
May  1 15:19:58.395: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
     spi 2182802952, message ID = -752454119
May  1 15:19:58.395: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8B
May  1 15:19:58.395: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE      
May  1 15:19:58.399: ISAKMP:(0:8:SW:1):purging node -752454119
May  1 15:19:58.399: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
May  1 15:19:58.399: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

May  1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May  1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May  1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May  1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0

After searching through the internet, I've found:

CSCsb46264

Symptoms: When a dialer interface is configured as an endpoint for a IPSec+GRE tunnel, tracebacks with bad refcount may be generated.

Conditions: This symptom is observed on a Cisco 837 when router-generated packets such as routing updates are being switched.

Is it possible that this was the root of the problem? Thank you.

rkumar5

Hi Mike,

As per your problem details, what I understand is that the VPN client gets connected but is not able to pass the traffic.

Is this correct?

Please send me the output of

show cry is sa

show cry ipsec sa peer

What's the traffic that you are trying to reach?

Thank you for the reply. I managed to solve it by upgrading the IOS to 12.4(25d). Thank you.
