Can't ping down VPN tunnel

Jun 11th, 2007
Hi,


I have a problem with a VPN tunnel on an 1841 series router.


The router has four tunnels, all of which show as UP with sh crypto sessions.

I can ping down three of the tunnels but not the fourth. This router has an almost identical config to a number of other routers on our network, which all work.


I have attached a modified config. The network I can't ping is 192.168.0.0.


Show version output:

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 18-Aug-06 17:42 by alnguyen

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

XXX uptime is 2 days, 21 hours, 2 minutes
System returned to ROM by reload at 15:36:59 UTC Fri Jun 8 2007
System image file is "flash:c1841-advipservicesk9-mz.124-3f.bin"

Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory.
Processor board ID FCZ104211TW
2 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


Show crypto session for the tunnel in question:

Interface: FastEthernet0/1
Session status: UP-NO-IKE
Peer: 84.12.90.XXX port 500
IPSEC FLOW: permit ip 172.16.164.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map


Any help would be gratefully received


Nik



sundar.palaniappan Mon, 06/11/2007 - 11:11

Nik,


Can you reconfigure the crypto map with different sequence numbers for each peer, to something like this:

crypto map xxx 10 ipsec-isakmp
 set peer 84.12.12.xxx
 match address site_1

crypto map xxx 20 ipsec-isakmp
 set peer 84.12.134.xxx
 match address site_2


Let us know if you are still having problems.


HTH


Sundar

nik.sharp Wed, 06/13/2007 - 02:04

Sundar,


Thanks for the response.


I have tried this on my router and it now works, although in a strange way.

By accident we discovered that if we put the geographically furthest destination first in the crypto map, it comes up every time. If we put it as the last entry it does not work! I cannot think why this should be the case; any thoughts?

Also, this router does not show its static routes when you do a sh ip route; it only shows the directly connected interfaces.


Thanks again for the help, much appreciated


Nik

sundar.palaniappan Thu, 06/14/2007 - 13:24

Nik,


That's weird. I don't see why the geographically furthest destination needs to be entered in the sequence that you described. It should work as long as there is end-to-end IP connectivity between the VPN peers.


As far as your static route not showing up in the routing table goes: if the next hop for the route is reachable, the route should be installed in the routing table. If you are still having problems, can you post the relevant portion of the config and the show ip route output?


HTH


Sundar

nik.sharp Fri, 06/15/2007 - 04:00

Sundar,


The geographic thing made no sense to us either but it seems to work.


The static IP routes in the config are:

ip classless
ip route 0.0.0.0 0.0.0.0 80.255.249.xxx
ip route 10.0.0.0 255.255.255.0 84.12.12.xxx
ip route 10.10.10.0 255.255.255.0 84.12.134.xxx
ip route 172.16.0.0 255.255.0.0 84.12.134.xxx
ip route 192.168.0.0 255.255.255.0 84.12.90.xxx
ip route 192.168.8.0 255.255.255.0 81.193.248.xxx



SH IP ROUTE output is as below:

Gateway of last resort is 80.255.249.xxx to network 0.0.0.0

     80.0.0.0/30 is subnetted, 1 subnets
C       80.255.249.xxx is directly connected, FastEthernet0/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.164.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 80.255.249.xxx


All the next hops are reachable; I have successfully pinged them all, but still the routes are not entered in the table. Any thoughts or insights are much appreciated.


Thanks

Nik

sundar.palaniappan Mon, 06/18/2007 - 16:39

Nik,


With IPSEC you don't need those static routes; the router wouldn't know which peer it needs to use to route traffic to those remote networks based on your crypto ACL/peer info found in the IPSEC SA. You just need the default route to your ISP and can safely remove all the other routes.


HTH


Sundar
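A config check for the two issues Sundar raises in this thread, reusing one crypto map sequence number for several peers and pointing static routes for the remote LANs at the VPN peers. This is an added Python example, not code from the original discussion or from Cisco; the sample config, the ACL names site_1/site_2 and the xxx-masked addresses are constructed to mirror the thread.

```python
import re
from ipaddress import ip_network
# Constructed sample modelled on the thread: sequence 10 reused for two peers, plus static routes to the remote LANs via the VPN peers.
SAMPLE_CONFIG = """
crypto map xxx 10 ipsec-isakmp
 set peer 84.12.12.xxx
 match address site_1
crypto map xxx 10 ipsec-isakmp
 set peer 84.12.134.xxx
 match address site_2
ip access-list extended site_1
 permit ip 172.16.164.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended site_2
 permit ip 172.16.164.0 0.0.0.255 192.168.0.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 80.255.249.xxx
ip route 10.0.0.0 255.255.255.0 84.12.12.xxx
ip route 192.168.0.0 255.255.255.0 84.12.90.xxx
"""
def parse_config(text):
    """Return (crypto map entries, crypto ACLs, static routes) from IOS config text."""
    entries, acls, routes, current = [], {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"crypto map (\S+) (\d+)", line):
            entries.append(current := {"map": m[1], "seq": int(m[2]), "peer": None, "acl": None})
        elif m := re.match(r"ip access-list extended (\S+)", line):
            current = acls.setdefault(m[1], [])
        elif (m := re.match(r"(set peer|match address) (\S+)", line)) and isinstance(current, dict):
            current["peer" if m[1] == "set peer" else "acl"] = m[2]
        elif (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)) and isinstance(current, list):
            # ipaddress treats a zero-led mask as a wildcard, so "x/0.0.0.255" parses as /24
            current.append((ip_network(f"{m[1]}/{m[2]}"), ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return entries, acls, routes

def duplicate_sequences(entries):
    """(map, seq, first peer, later peer) where a sequence number is reused with another peer:
    IOS treats the repeat as editing the same entry, so the later match address replaces the earlier one."""
    first, dupes = {}, []
    for e in entries:
        key = (e["map"], e["seq"])
        if key in first and first[key]["peer"] != e["peer"]:
            dupes.append((e["map"], e["seq"], first[key]["peer"], e["peer"]))
        first.setdefault(key, e)
    return dupes

def routes_into_tunnels(acls, routes):
    """Non-default static routes whose destination overlaps a crypto ACL's remote network; IPsec picks the peer from the crypto map, so only the default route is needed."""
    remote = [dst for acl in acls.values() for _, dst in acl]
    return [(net, nh) for net, nh in routes if net.prefixlen and any(net.overlaps(d) for d in remote)]
```

Running parse_config on the sample and then the two checks reports sequence 10 shared by 84.12.12.xxx and 84.12.134.xxx, and the 10.0.0.0/24 and 192.168.0.0/24 routes as already covered by crypto ACLs.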

nik.sharp Thu, 06/28/2007 - 01:18

Sundar,


Thanks for the help. I have removed the routes and re-ordered the crypto maps and it is now working OK. Thanks again.


Nik
