Trouble getting 851 to keep easyvpn tunnel up, pass traffic

Unanswered Question
Dec 30th, 2007

Ok let me start off by saying that a couple of years ago I configured an EasyVPN server to operate with software clients, and those remain functional without issue. The easyvpn server is a 2811-advsecurity (12.4.4T I think). At this point I am attempting to add a 851 router as a EasyVPN remote client. I have made no changes to the server except to allow the clients to save passwords.

Here's the gist of the network:

company LAN --> 2811 ---> ((Internet)) <--residential DSL <-- Linksys WRT54G3GST (using DSL but with 3G backup) <-- Cisco 851 Router

I can use Cisco soft VPN clients either connected to the Linksys router or behind the 851, so it would seem that the proper ports are open in the path. When I set up the 851 as a easyvpn client and save the credentials on the router, it brings up the tunnel (as indicated in the log and by the LED on the device. I am able to ping hosts on the corporate network from the CLI but I cannot reach them from hosts behind the 851, or from the 851's internal Vlan IP. Occasionally the tunnel will drop and from the console I can see it attempting to reconnect. It eventually fails enough attempts and gives up, but then a couple minutes later it retries and brings the tunnel back up right away. **This does not happen to our software clients in general**

The 851 is configured to provide NAT for its devices behind it. Do I need to make some other provisions to get the 851 router to pass traffic from its clients through the tunnel? maybe some sort of route-map to avoid NAT? This is where I'm lost. I don't see any packets denied from the CLI. I'm using the basic SDM-LOW firewall rules.

Also, a side note: It seems that even fresh out of the box the 851 cannot ping hosts on its internal VLAN. It can ping its own Vlan IP, and the routes appear to be in place, but it cannot ping 10.10.10.2, for example. 10.10.10.2 can access the internet via the 851 without issue.

Thanks for your help, and let me know if you need me to post snippets of the configs or logs.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
johnd2310 Mon, 12/31/2007 - 00:20

hi,

Do you have NAT configure on the 851? There should be no NAT statements in the config. The easyvpn config automatically takes care of the NAT. make sure you have the "crypto ipsec client ezvpn" and "crypto ipsec client ezvpn inside " statements in the right places.

thanks

John

cclarkacs Mon, 12/31/2007 - 14:34

I did have NAT configured on the 851. At your suggestion I removed the NAT configuration line and the nat inside/outside statements from the relative interfaces. Then I removed all the easyvpn remote lines and recreated that configuration via SDM. It appears now that the tunnel is stable (its not cycling up/down every couple of minutes like it was before). However, the router is still not passing traffic from clients to the company LAN.

I can still ping hosts on the company LAN via the router's CLI but not from PC's attached to the 851. I'm running wireshark on the PC to see what kind of traffic is coming back and nothing is ever replied to except for SDM traffic. I see all kinds of windows networking traffic like my PC trying to get updates from its domain controller, but wireshark doesn't see anything coming back.

What else can we check?

johnd2310 Mon, 12/31/2007 - 14:49

Hi,

post your config. Make sure you remove any sensitive stuff like passwords and public ip addresses.

John

cclarkacs Mon, 12/31/2007 - 16:27

Here you go... as noted in the attached file, the loopback0 address is assigned by the easyvpn server. I did not configure that ip manually. Thanks!

johnd2310 Mon, 12/31/2007 - 18:53

Hi,

A few questions about your config:

- you are using network extension mode. This means you would like to route between your network and the office network. Is this correct? is your rip config working? are you seeing routes from the office end?

- is 192.168.30.1 the linksys router?

cclarkacs Tue, 01/01/2008 - 10:14

I would eventually like to route between the office network on multiple hosts (for example a remote user's PC and an IP phone) on the SOHO network. That's why I selected the Network extension mode vs. client mode. I did try it in client mode and the problem was the same.

I have not seen any RIP messages come over the tunnel. Everything in the route table is S or C.

192.168.30.1 is indeed the linksys router's inside IP -- the 851's gateway to the internet.

I actually took the router down yesterday and set it all up again this morning. Here's what I'm seeing: The tunnel is apparently stable, I don't see any messages regarding it coming across the CLI. However, ability to pass traffic is unreliable at best. I can now *occasionally* connect to some hosts on the company LAN, but it never lasts long enough to do something useful. For example, I can browse a few directories on a file server but if I try to download a large file (I tried a 4MB file and a 10MB file) it always fails somewhere in the middle. Viewing this in wireshark I see lots of TCP resend packets going out as it notices that its not receiving packets anymore.

I don't see any of this behaviour when I use the Cisco soft VPN client. It just works.

johnd2310 Tue, 01/01/2008 - 10:40

Make sure the routing is setup correctly. Remove the RIP stuff and just use static routes for the time being. Make sure the other end(company network) has a route for your home network. Make sure you do not have overlapping networks i.e. you do not have a 10.10.10.0 255.255.255.248 network on the company lan end

cclarkacs Wed, 01/02/2008 - 07:59

Ok I understand what you're requesting, however I don't know how to set a static route (on the 2811 side) to a easyvpn client. There is no apparent entry in the routing table for the ezvpn pool subnet, even when software clients are connected and successfully passing traffic. There doesn't appear to be an interface specific to the ezvpn server.

There are two key subnets on the company LAN (192.168.1.0/24 and 10.10.12.0/24). As of now, the 851 itself can ping hosts on both, but the hosts behind the 851 can only ping hosts on 10.10.12.0/24. I suspect this has something to do with the NAT setup on the 2811.

johnd2310 Wed, 01/02/2008 - 21:58

Hi,

You do not need a static route for the for the easyvpn remote access clients. You just need one for your network 10.10.10.0 255.255.255.0. The fact that your network cannot ping 192.168.1.0/24 may indicate that 192.168.1.0/24 has no route to your network.On the 2811 you should have something like "ip route 10.10.10.0 255.255.255.248 "internet interface/router""

thanks

John

Actions

This Discussion