04-05-2007 11:53 PM - edited 03-09-2019 05:45 PM
Hi, sorry for my poor English.
I have a problem with VPN on Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3).
The VPN is working properly, but at some point the HTTP service from the peer network "dies".
I see that:
1) The ping to the web server is OK.
2) I don't think it is a DF-bit problem because:
a) ping -n -s 1490 192.168.202.29
PING 192.168.202.29 (192.168.202.29) 1490(1518) bytes of data.
1498 bytes from 192.168.202.29: icmp_seq=1 ttl=62 time=30.5 ms
1498 bytes from 192.168.202.29: icmp_seq=2 ttl=62 time=31.2 ms
1498 bytes from 192.168.202.29: icmp_seq=3 ttl=62 time=31.7 ms
tcpdump -n host 192.168.202.29
tcpdump: listening on eth0
09:59:53.966392 192.168.0.99 > 192.168.202.29: icmp: echo request (frag 30507:1480@0+)
09:59:53.966406 192.168.0.99 > 192.168.202.29: icmp (frag 30507:18@1480)
09:59:53.995124 192.168.202.29 > 192.168.0.99: icmp: echo reply (frag 37884:744@0+)
b) telnet 192.168.202.29 80 can't connect:
I see SYN packets, but no SYN-ACK.
3) show crypto ipsec sa details
shows many "#pkts no sa (send)" errors on the peer
and shows there is no active SA:
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/6/0)
remote ident (addr/mask/prot/port): (192.168.202.29/255.255.255.255/6/80)
current_peer 222.111.111.111 port 500
PERMIT, flags={}
#pkts encaps: 63507, #pkts encrypt: 63507, #pkts digest: 63507
#pkts decaps: 76488, #pkts decrypt: 76488, #pkts verify: 76488
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 75, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 111.111.111.111, remote crypto endpt.: 222.222.222.222
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
4) clear crypto sa (or reload) resolves the problem.
5) If there is any traffic within the isakmp lifetime (a bash telnet 192.168.202.29 90 from crontab every 15 min), there is no problem with the peer.
04-06-2007 06:50 AM
Can you configure the following command and see if it helps;
crypto isakmp keepalive 10 10
HTH
Sundar
04-06-2007 07:44 AM
--crypto isakmp keepalive 10 10
Thank you for the answer!
On both sides?
04-06-2007 09:45 AM
Yes.
04-07-2007 03:30 AM
This does not resolve the problem (the peer still "freezes"):
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key TOP_SECRET address 222.222.222.222 no-xauth
crypto isakmp keepalive 10 10
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Debugging shows that:
debug crypto isakmp
debug crypto ipsec
IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
04-09-2007 04:46 PM
I just noticed that you had indicated you can ping but http doesn't work. Hence, IPSEC connectivity isn't the issue here. I know you had mentioned in your earlier post that it mightn't be a DF bit problem.
Just to rule out it's not a MTU problem can you configure the command 'ip tcp adjust-mss 1400' on the LAN interface on ONE router. If that doesn't help you may have to run crypto debug(s) to troubleshoot the problem.
HTH
Sundar
04-09-2007 10:19 PM
Sundar, thank you for your answer.
>> had indicated you can ping but http doesn't work
Just look for a part of the crypto-map access list:
"...
permit icmp 192.168.0.0 0.0.0.255 host 192.168.202.29 log
permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www 443 log
..."
and see that I have 2 peers: 1 for ICMP packets and 1 for HTTP/HTTPS packets. So, when the "icmp peer" is working, the "http peer" is not.
show crypto ipsec sa details says
"no outbound esp sa" for the http peer.
>>If that doesn't help you may have to run crypto debug(s) to troubleshoot the problem.
Yes, I did it in my previous post:
debug crypto isakmp
debug crypto ipsec
term mon
and see many messages:
"IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820"
I think that is some kind of IOS bug: "we have SA but couldn't find current outbound SA. dropping pak." So the packets are dropped (SYN packets are not sent, no HTTP connection).
PS
I can't find this "we have SA but couldn't find current" on cisco.com.
04-10-2007 01:31 PM
Oleg,
''permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www 443 log''
How did you include both http & https in one access list entry?
Can you configure two separate statements in the crypto access list as below and test.
permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www log
permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq https log
Moreover, after updating your config and bringing up the tunnel, can you capture the 'show crypto ipsec sa' and post it here.
HTH
Sundar
04-10-2007 02:41 PM
In addition to the above post, can you make sure your crypto access lists mirror each other on both peers. The ACL on the far end peer would look like this.
permit tcp 192.168.0.0 0.0.0.255 eq www host 192.168.202.29 log
permit tcp 192.168.0.0 0.0.0.255 eq 443 host 192.168.202.29 log
HTH
Sundar
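The two suggestions above (one port per crypto ACL entry, and a far-end ACL that mirrors the local one) can be checked mechanically. The following is an added Python example, not code from the thread or from Cisco: it parses the ACL lines posted above, expands `eq www 443` into separate entries, and builds the far-end mirror by swapping source and destination together with their ports. It assumes only the entry shapes that appear in this thread (permit, address spec, optional `eq` ports, optional `log`).

```python
# Added example, not from the thread. Assumes IOS ACEs of the shape seen there:
# "permit <proto> <addr> [eq <ports>] <addr> [eq <ports>] [log]".
LOCAL_ACL = [  # the two crypto map entries posted in the thread
    "permit icmp 192.168.0.0 0.0.0.255 host 192.168.202.29 log",
    "permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www 443 log",
]

def _take_addr(tok, i):
    """Consume one address spec: 'host X', 'any', or 'NETWORK WILDCARD'."""
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    if tok[i] == "any":
        return ("any",), i + 1
    return (tok[i], tok[i + 1]), i + 2

def _take_ports(tok, i):
    """Consume an optional 'eq p1 p2 ...'; it ends at the next address (dotted) or 'log'."""
    ports = []
    if i < len(tok) and tok[i] == "eq":
        i += 1
        while i < len(tok) and tok[i] not in ("host", "any", "log") and "." not in tok[i]:
            ports.append(tok[i])
            i += 1
    return ports, i

def parse_ace(line):
    tok = line.split()
    src, i = _take_addr(tok, 2)
    sports, i = _take_ports(tok, i)
    dst, i = _take_addr(tok, i)
    dports, i = _take_ports(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": src, "sports": sports, "dst": dst, "dports": dports, "log": "log" in tok[i:]}

def render(ace):
    side = lambda addr, ports: " ".join(addr) + (" eq " + " ".join(ports) if ports else "")
    fields = [ace["action"], ace["proto"], side(ace["src"], ace["sports"]),
              side(ace["dst"], ace["dports"]), "log" if ace["log"] else ""]
    return " ".join(f for f in fields if f)

def split_ports(ace):
    """One ACE per port pair, so each entry names a single IPsec proxy identity."""
    return [{**ace, "sports": [sp] if sp else [], "dports": [dp] if dp else []}
            for sp in (ace["sports"] or [None]) for dp in (ace["dports"] or [None])]
def mirror(ace):
    """Far-end entry: source and destination (with their ports) swapped."""
    return {**ace, "src": ace["dst"], "sports": ace["dports"], "dst": ace["src"], "dports": ace["sports"]}
def normalise(lines, far_end=False):
    """Expand every entry to one port pair; with far_end=True return the mirrored ACL."""
    aces = [a for line in lines for a in split_ports(parse_ace(line))]
    return [render(mirror(a) if far_end else a) for a in aces]
```

Feeding the normalised local list and the far-end list back through `normalise` lets you confirm that the two sides are exact mirrors before committing them to the routers.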
04-16-2007 01:16 AM
I made some simplifications in the crypto map ACL and resolved this problem. Thanks Sundar for the idea.