Can't ping down VPN tunnel

nik.sharp
Level 1

Hi,

I have a problem with a VPN tunnel on a 1841 series

The router has four tunnels, all of which show as UP with sh crypto sessions.

I can ping down three of the tunnels but not the fourth. This router has an almost identical config to a number of other routers on our network, which all work.

I have attached a modified config. The network I can't ping is 192.168.0.0.

Show version output

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Fri 18-Aug-06 17:42 by alnguyen

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

XXX uptime is 2 days, 21 hours, 2 minutes

System returned to ROM by reload at 15:36:59 UTC Fri Jun 8 2007

System image file is "flash:c1841-advipservicesk9-mz.124-3f.bin"

Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory.

Processor board ID FCZ104211TW

2 FastEthernet interfaces

2 Virtual Private Network (VPN) Modules

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Show crypto session for the tunnel in question

Interface: FastEthernet0/1

Session status: UP-NO-IKE

Peer: 84.12.90.XXX port 500

IPSEC FLOW: permit ip 172.16.164.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

Any help would be gratefully received

Nik

6 Replies

Nik,

Can you reconfigure the crypto map with different sequence numbers for each peer to something like this:

crypto map xxx 10 ipsec-isakmp
 set peer 84.12.12.xxx
 match address site_1
crypto map xxx 20 ipsec-isakmp
 set peer 84.12.134.xxx
 match address site_2

Let us know if you are still having problems.

HTH

Sundar

Sundar,

Thanks for the response.

I have tried this on my router and it now works although in a strange way.

By accident we discovered that if we put the geographically furthest destination first in the crypto map, it comes up every time. If we put it as the last entry, it does not work! I cannot think why this should be the case; any thoughts?

Also, this router does not show its static routes when you do a sh ip route; it only shows the directly connected interfaces.

Thanks again for the help, much appreciated

Nik

Nik,

That's weird. I don't see why the geographically furthest destination needs to be entered in the sequence that you described. It should work as long as there is end-to-end IP connectivity between the VPN peers.

As far as your static route not showing up in the routing table: if the next hop for the route is reachable, the route should be installed in the routing table. If you are still having problems, can you post the relevant portion of the config and the show ip route end.

HTH

Sundar
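The two points raised so far, one crypto map sequence number per peer and the first-match walk of the crypto map that makes entry order matter, can be checked offline with a small simulator. This is an added example written for this thread, not Nik's configuration or Cisco's code; the map name, ACL names and 203.0.113.x peer addresses are constructed, and it assumes the IOS behaviour stated in the docstring (entries walked in ascending sequence order, first permitting crypto ACL line wins; re-entering the same sequence number edits the same entry, an extra `set peer` appends a peer and `match address` replaces the ACL).

```python
"""Simulated crypto-map evaluation (constructed example, not from the thread).
Assumed IOS behaviour: entries are walked in ascending sequence-number order
and the first crypto ACL line that permits the flow picks the entry and its
peer; re-entering 'crypto map NAME SEQ' edits the existing entry, a further
'set peer' appends a peer, and 'match address' replaces the entry's ACL."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclLine:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def permits(self, src, dst):
        return src in self.src and dst in self.dst


@dataclass
class CryptoMapEntry:
    seq: int
    peers: list = field(default_factory=list)
    acl: list = field(default_factory=list)


def parse_acl(text):
    """Parse 'permit ip SRC WILDCARD DST WILDCARD' lines; ipaddress accepts a
    contiguous wildcard as a hostmask, e.g. 172.16.164.0/0.0.0.255."""
    lines = []
    for raw in text.splitlines():
        p = raw.split()
        if len(p) == 6 and p[:2] == ["permit", "ip"]:
            lines.append(AclLine(ipaddress.ip_network(f"{p[2]}/{p[3]}"),
                                 ipaddress.ip_network(f"{p[4]}/{p[5]}")))
    return lines


def parse_crypto_map(text, acls):
    """Build the ordered entry list from crypto map / set peer / match address lines."""
    entries, current = {}, None
    for raw in text.splitlines():
        p = raw.split()
        if p[:2] == ["crypto", "map"]:
            current = entries.setdefault(int(p[3]), CryptoMapEntry(int(p[3])))
        elif p[:2] == ["set", "peer"] and p[2] not in current.peers:
            current.peers.append(p[2])
        elif p[:2] == ["match", "address"]:
            current.acl = acls[p[2]]
    return [entries[s] for s in sorted(entries)]


def select_entry(entries, src_ip, dst_ip):
    """First entry whose crypto ACL permits src->dst, or None (traffic leaves in clear)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in entries:
        if any(line.permits(src, dst) for line in entry.acl):
            return entry
    return None


def shadowed_lines(entries):
    """Lint: ACL lines of a later entry that an earlier, broader entry always matches first."""
    findings = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            for l in later.acl:
                if any(l.src.subnet_of(e.src) and l.dst.subnet_of(e.dst) for e in earlier.acl):
                    findings.append((later.seq, earlier.seq, str(l.src), str(l.dst)))
    return findings


# Constructed crypto ACLs: LAN 172.16.164.0/24 to two remote networks, plus one broad line.
ACLS = {
    "site_1": parse_acl("permit ip 172.16.164.0 0.0.0.255 10.0.0.0 0.0.0.255"),
    "site_2": parse_acl("permit ip 172.16.164.0 0.0.0.255 192.168.0.0 0.0.0.255"),
    "site_any": parse_acl("permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255"),
}
# Both peers entered under sequence 10: one entry with two peers and only site_2's ACL.
DUPLICATE_SEQ = """crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.1
 match address site_1
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.2
 match address site_2"""
# One sequence number per peer, as recommended in the thread.
DISTINCT_SEQ = DUPLICATE_SEQ.replace("vpn 10 ipsec-isakmp\n set peer 203.0.113.2",
                                     "vpn 20 ipsec-isakmp\n set peer 203.0.113.2")
# A broad ACL in the earlier entry shadows the later specific one: order now picks the peer.
SHADOWING = DISTINCT_SEQ.replace("match address site_1", "match address site_any")

if __name__ == "__main__":
    for label, cfg in (("duplicate", DUPLICATE_SEQ), ("distinct", DISTINCT_SEQ), ("shadowing", SHADOWING)):
        entries = parse_crypto_map(cfg, ACLS)
        for dst in ("10.0.0.5", "192.168.0.9"):
            hit = select_entry(entries, "172.16.164.5", dst)
            print(label, dst, "->", f"seq {hit.seq} peers {hit.peers}" if hit else "no match (clear text)")
        for later, earlier, s, d in shadowed_lines(entries):
            print(f"  warning: seq {later} line {s}->{d} is shadowed by seq {earlier}")
```

Running it shows the duplicate-sequence map sending 10.0.0.0/24 traffic out in the clear (no entry matches once `match address site_2` has replaced `site_1`), the distinct-sequence map selecting the expected peer for each destination, and the shadowing map choosing the earlier entry's peer for 192.168.0.0/24 regardless of which peer that network really belongs to; a lint like `shadowed_lines` is a cheap way to catch the last case in a config review.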

Sundar,

The geographic thing made no sense to us either but it seems to work.

The static IP routes in the config are

ip classless

ip route 0.0.0.0 0.0.0.0 80.255.249.xxx

ip route 10.0.0.0 255.255.255.0 84.12.12.xxx

ip route 10.10.10.0 255.255.255.0 84.12.134.xxx

ip route 172.16.0.0 255.255.0.0 84.12.134.xxx

ip route 192.168.0.0 255.255.255.0 84.12.90.xxx

ip route 192.168.8.0 255.255.255.0 81.193.248.xxx

SH IP ROUTE output is as below

Gateway of last resort is 80.255.249.xxx to network 0.0.0.0

80.0.0.0/30 is subnetted, 1 subnets

C 80.255.249.xxx is directly connected, FastEthernet0/1

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.164.0 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 [1/0] via 80.255.249.xxx

All the next hops are reachable; I have successfully pinged them all, but still the routes are not entered in the table. Any thoughts or insights are much appreciated.

Thanks

Nik

Nik,

With IPSEC you don't need those static routes: the router knows which peer it needs to use to route traffic to those remote networks based on your crypto ACL/peer info found in the IPSEC SA. You just need the default route to your ISP and can safely remove all the other routes.

HTH

Sundar

Sundar,

Thanks for the help. I have removed the routes and re-ordered the crypto maps and it is now working OK. Thanks again.

Nik
