05-01-2013 04:39 AM
Hi, I'm using the Cisco 837 router as my VPN server. I get connected using Cisco VPN Client Version 5. But when I ping the router IP, I get request timed out. Here is my configuration:
Building configuration...

Current configuration : 3704 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname michael
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging console
enable secret 5 $1$pZLW$9RZ8afI8QdGRq0ssaEJVu0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool michael
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 202.134.0.155
!
ip dhcp pool excluded-address
 host 192.168.1.4 255.255.255.0
 hardware-address 01c8.d719.957a.b9
!
!
ip cef
ip name-server 202.134.0.155
ip name-server 203.130.193.74
vpdn enable
!
!
!
!
username michael privilege 15 secret 5 $1$ZJQu$KDigCvYWKkzuzdYHBEY7f.
username danny privilege 10 secret 5 $1$BDs.$Ez0u9wY7ywiBzVd1ECX0N/
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group michaelvpn
 key vpnpassword
 pool SDM_POOL_1
 acl 199
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Virtual-PPP1
 no ip address
!
interface Dialer1
 description $FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname ispusername
 ppp chap password 0 isppassword
 ppp pap sent-username ispusername password 0 isppassword
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
ip nat inside source static udp 192.168.1.0 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner motd ^C
Authorized Access Only
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit permission to access this device.
All activities performed on this device are logged.
Any violations of access policy will result in disciplinary action.
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end
Thank you, any help will be appreciated.
05-01-2013 05:25 AM
Hi Michael,
Is your VPN client behind another device (router, firewall) that performs NAT? If so, you'll need to enable NAT traversal:
crypto isakmp nat-traversal
Regards
Ranil
05-01-2013 05:42 AM
Hi Michael/Ranil,
Configuring NAT Traversal
NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.
Disabling NAT Traversal
You may wish to disable NAT traversal if you already know that your network uses IPSec-awareness NAT (spi-matching scheme). To disable NAT traversal, use the following commands:
SUMMARY STEPS:
1. enable
2. configure terminal
3. no crypto ipsec nat-transparency udp-encapsulation
However, in our case it doesn't seem to be an issue with NAT-T. Take some debugs at the time of connection.
debug cry isa
debug cry ipsec
term mon
To stop the debugs you can do un all and term no mon. If you can, then please attach the debugs or logs here and I will have a look at them.
Regards,
Aman
05-01-2013 06:07 AM
Thank you for the fast response. Here are my logs:
Syslog logging: enabled (1 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
Buffer logging: level debugging, 965 messages logged, xml disabled, filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
No active filter modules.
Trap logging: level informational, 579 message lines logged

Log Buffer (4096 bytes):
23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:52.803: ISAKMP (0:134217729): received packet from 120.168.1.24 dport 4500 sport 37662 Global (R) QM_IDLE
*Feb 17 15:19:52.803: ISAKMP: set new node -423687995 to QM_IDLE
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -423687995
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = -423687995, sa = 81A5AE2C
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1):deleting node -423687995 error FALSE reason "Informational (in) state 1"
*Feb 17 15:19:52.807: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):DPD/R_U_THERE received from peer 120.168.1.24, sequence 0xCF41275D
*Feb 17 15:19:52.811: ISAKMP: set new node -910486326 to QM_IDLE
*Feb 17 15:19:52.815: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 2182802952, message ID = -910486326
*Feb 17 15:19:52.815: ISAKMP:(0:1:SW:1): seq. no 0xCF41275D
*Feb 17 15:19:52.815: ISAKMP:(0:1:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 37662 (R) QM_IDLE
*Feb 17 15:19:52.819: ISAKMP:(0:1:SW:1):purging node -910486326
*Feb 17 15:19:52.819: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 15:19:52.819: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:59.327: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:19:59.327: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B50AD8, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:20:04.307: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:20:04.307: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
*Feb 17 15:20:04.363: ISAKMP (0:134217729): received packet from 120.168.1.24 dport 4500 sport 37662 Global (R) QM_IDLE
*Feb 17 15:20:04.363: ISAKMP: set new node -874301582 to QM_IDLE
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -874301582
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = -874301582, sa = 81A5AE2C
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1):deleting node -874301582 error FALSE reason "Informational (in) state 1"
*Feb 17 15:20:04.367: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 15:20:04.379: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 15:20:04.379: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Feb 17 15:20:29.659: ISAKMP:(0:1:SW:1):purging node 377453653
*Feb 17 15:20:33.367: ISAKMP:(0:1:SW:1):purging node -2142077949
*Feb 17 15:20:42.807: ISAKMP:(0:1:SW:1):purging node -423687995
*Feb 17 15:20:54.367: ISAKMP:(0:1:SW:1):purging node -874301582
05-01-2013 08:08 AM
Hi Michael,
I have been through the logs; they are inconclusive and only determine that Phase 1 is coming up. However, according to this error message, %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B50AD8, count=0, we are hitting a bug in the IOS. The bug ID is CSCsl24693 and the fix is to upgrade to 12.4(11)XJ.
Can you run the debugs again and send me the detailed outputs?
Regards,
Aman
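The triage in the reply above (Phase 1 up, DPD keepalives answered, repeated %SYS-2-BADSHARE tracebacks) can be pulled out of a flattened log buffer mechanically. This Python script is an added example, not part of the thread or of any Cisco tooling; the function names and the shortened sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the log buffer posted in this thread
# (entries run together on one line, tracebacks shortened).
SAMPLE = (
    "*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE "
    "New State = IKE_P1_COMPLETE "
    "*Feb 17 15:19:52.811: ISAKMP:(0:1:SW:1):DPD/R_U_THERE received from peer "
    "120.168.1.24, sequence 0xCF41275D "
    "*Feb 17 15:19:52.815: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK "
    "protocol 1 spi 2182802952, message ID = -910486326 "
    "*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, "
    "ptr=81B50AD8, count=0 -Traceback= 0x80137488 0x801DC350 "
    "*Feb 17 15:19:54.047: %SYS-2-BADSHARE: Bad refcount in datagram_done, "
    "ptr=81B50AD8, count=0 -Traceback= 0x80137488 0x801D8830 "
    "*Feb 17 15:20:04.307: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, "
    "ptr=81F84148, count=0 -Traceback= 0x80137488 0x801DC350 "
)

# An entry starts at an IOS timestamp: "*Feb 17 15:19:52.803: " or "May 1 15:19:47.015: ".
STAMP = re.compile(r"\*?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}: ")
BADSHARE = re.compile(r"%SYS-2-BADSHARE: Bad refcount in (\w+), ptr=([0-9A-F]+), count=(\d+)")
STATE = re.compile(r"Old State = (\w+)\s+New State = (\w+)")

def split_entries(text):
    """Split a flattened log buffer into (timestamp, message) pairs."""
    marks = list(STAMP.finditer(text))
    ends = [m.start() for m in marks[1:]] + [len(text)]
    return [(m.group().strip(" :*"), text[m.end():e].strip()) for m, e in zip(marks, ends)]

def summarize(text):
    """Count BADSHARE events and track the IKE state and DPD exchange."""
    out = {"badshare": Counter(), "ptrs": set(), "ike_state": None,
           "dpd_received": 0, "dpd_acked": 0}
    for _, msg in split_entries(text):
        if (m := BADSHARE.search(msg)):
            out["badshare"][m.group(1)] += 1   # function that reported the bad refcount
            out["ptrs"].add(m.group(2))        # packet buffer pointer involved
        elif (m := STATE.search(msg)):
            out["ike_state"] = m.group(2)      # last reported IKE state
        elif "DPD/R_U_THERE received" in msg:
            out["dpd_received"] += 1
        elif "Sending NOTIFY DPD/R_U_THERE_ACK" in msg:
            out["dpd_acked"] += 1
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A summary that shows IKE_P1_COMPLETE with DPD answered alongside BADSHARE counts is the pattern the reply above reads as a software defect rather than a negotiation failure.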
05-01-2013 08:27 AM
Thank you for your response, here is the debug:
Log Buffer (4096 bytes):
1 15:19:47.011: ISAKMP: set new node 856647599 to QM_IDLE
May 1 15:19:47.015: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 2182802952, message ID = 856647599
May 1 15:19:47.015: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8A
May 1 15:19:47.015: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE
May 1 15:19:47.019: ISAKMP:(0:8:SW:1):purging node 856647599
May 1 15:19:47.019: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
May 1 15:19:47.019: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 1 15:19:49.979: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B4F274, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May 1 15:19:49.983: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B4F274, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May 1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May 1 15:19:55.127: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May 1 15:19:58.383: ISAKMP (0:134217736): received packet from 120.168.1.24 dport 4500 sport 52667 Global (R) QM_IDLE
May 1 15:19:58.383: ISAKMP: set new node -1340288848 to QM_IDLE
May 1 15:19:58.387: ISAKMP:(0:8:SW:1): processing HASH payload. message ID = -1340288848
May 1 15:19:58.387: ISAKMP:(0:8:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1 spi 0, message ID = -1340288848, sa = 81A7DCEC
May 1 15:19:58.387: ISAKMP:(0:8:SW:1):deleting node -1340288848 error FALSE reason "Informational (in) state 1"
May 1 15:19:58.387: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
May 1 15:19:58.387: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 1 15:19:58.391: ISAKMP:(0:8:SW:1):DPD/R_U_THERE received from peer 120.168.1.24, sequence 0xA3285B8B
May 1 15:19:58.391: ISAKMP: set new node -752454119 to QM_IDLE
May 1 15:19:58.395: ISAKMP:(0:8:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1 spi 2182802952, message ID = -752454119
May 1 15:19:58.395: ISAKMP:(0:8:SW:1): seq. no 0xA3285B8B
May 1 15:19:58.395: ISAKMP:(0:8:SW:1): sending packet to 120.168.1.24 my_port 4500 peer_port 52667 (R) QM_IDLE
May 1 15:19:58.399: ISAKMP:(0:8:SW:1):purging node -752454119
May 1 15:19:58.399: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
May 1 15:19:58.399: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May 1 15:19:59.887: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81B51C44, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May 1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801DC350 0x801DDDA8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
May 1 15:20:05.667: %SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=81F84148, count=0
-Traceback= 0x80137488 0x801D8830 0x801DDFD8 0x801E6860 0x807103F4 0x807F99F8 0x801E698C 0x8043FB10 0x8043FDC8 0x80D23CD0 0x80D24304 0x80D24400 0x8027B3C4 0x8027E9E0
After searching through the internet, I've found:
Symptoms: When a dialer interface is configured as an endpoint for a IPSec+GRE tunnel, tracebacks with bad refcount may be generated.
Conditions: This symptom is observed on a Cisco 837 when router-generated packets such as routing updates are being switched.
Is it possible that that was the root of the problem? Thank you.
05-04-2013 08:47 PM
Hi Mike,
As per your problem details, what I understand is that the VPN client gets connected but is not able to pass the traffic.
Is this correct?
Please send me the output of
show cry is sa
show cry ipsec sa peer
What's the traffic that you are trying to reach?
05-04-2013 11:04 PM
Thank you for the reply. I managed to solve it by upgrading the IOS to 12.4(25d). Thank you.