IOS router VPN Client issue

Unanswered Question
Sep 7th, 2007

Hi,

I do have an issue with VPN clients. The VPN client can connect, but no traffic is routed. I switched on debugging and noticed that a packet is decrypted successfully but dropped by CEF.

I got the following messages:

post_crypto_ip_decrypt: Data just decrypted, 52 bytes
PostDecrypt: Particle based pak cef switched 3
CEF-Drop: Stalled adjacency for 0.0.0.0 on Virtual-Access2 for destination ...

Does anybody have an idea?

C2811 IOS 12.4(15)T1

VPN Client WindowsXP 5.0, MacOS X, ...

Here is a part of the config

ip cef
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 ip virtual-reassembly
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
crypto isakmp client configuration group XXX
 key YYY
 dns 192.168.2.21 192.168.2.22
 wins 192.168.2.2 192.168.2.23
 domain mydomain.com
 pool Pool_VPN
 acl 100
 save-password
 split-dns mydomain.com
 max-users 4
!
crypto isakmp profile sdm-ike-profile-1
 match identity group XXX
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 2
!

This config was working with IOS 12.4(11)XJ2.

amritpatek Thu, 09/13/2007 - 05:49

When running CEF, a static arp can cause CEF to lose that mac address as an adjacency. On a static, the arp timeout is set to zero. When the adjacency is lost, packets get punted to process-level. Doing a shut/noshut of the affected interface may help you. Configuring a static route to the client also may help.
