WebVPN - no connectivity from outside interface

Answered Question
Feb 16th, 2008

Hello,

I have configured WebVPN on a 1811W router running IOS 12.4(11)XW5, and although the gateway is set directly on an outside interface, the 443 port appears filtered to clients connecting through that interface (inside interface traffic is allowed). What can I do to force the router to listen for incoming connections on the outside interface (as it is supposed to)? I have no firewall or ACLs that could potentially interfere with the VPN.

Thanks!

Jason Gervia Sun, 02/17/2008 - 09:09

do a

'show tcp brief all num'

And that will show you what ports the router is listening on. If you see an IPADDRESS:443 vs *:443, then it's listening on that IP address.

Please post your configuration for more assistance.

mateid1234 Sun, 02/17/2008 - 09:53

The command returned the ip address assigned by the ISP followed by ".443" and (state) as "LISTEN". I have attached my current config for reference.

mateid1234 Mon, 02/18/2008 - 19:10

Yes, the context is up (AS/up, OS/up) and I can access the portal from the inside interface by using the public ip address. It's only when I try to connect from the Internet that the router fails to respond.

It's like the router is blocking all connections to itself from the outside interfaces based on some default rule/policy/ACL/etc., but I have no idea what that may be or how it can be altered.

The only way I was able to open port 443 was by forwarding it to some computer behind the router, which obviously is of no help.

mateid1234 Sat, 06/21/2008 - 04:01

After analyzing the problem in more detail I came to the conclusion that the port is indeed open on the outside interface, but the tcp connections are dropped during the initial handshake. Here is what actually happens:

TCB84E12BD4 created
Reserved port 443 in Transport Port Agent for TCP IP type 1
TCP0: state was LISTEN -> SYNRCVD [443 -> y.y.y.y(4718)]
TCP: tcb 84E12BD4 connection to y.y.y.y:4718, peer MSS 1460, MSS is 516
TCP: sending SYN, seq 2578099390, ack 3152674293
TCP0: Connection to y.y.y.y:4718, advertising MSS 536
x.x.x.x:3 <---> y.y.y.y:4718 congestion window changes
cwnd from 536 to 536, ssthresh from 65535 to 1072
TCP0: timeout #1 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
TCP0: timeout #2 - timeout is 4000 ms, seq 2578099390
TCP: (443) -> y.y.y.y(4718)
connection attempt to port 36109
TCP: sending RST, seq 0, ack 2677520110
TCP: sent RST to 92.84.106.222:2777 from x.x.x.x:36109
TCP0: bad seg from y.y.y.y -- bad sequence number: port 443 seq 3152674292 ack 0 rcvnxt 3152674293 rcvwnd 4128 len 0
Released port 443 in Transport Port Agent for TCP IP type 1 delay 240000
TCP0: state was SYNRCVD -> CLOSED [443 -> y.y.y.y(4718)]
TCB 0x84E12BD4 destroyed

where x.x.x.x is the address of the router and y.y.y.y is the address of the remote client (a 2003 server machine).

I would very much appreciate any ideas on how to solve this problem!

mcornhill Tue, 07/15/2008 - 05:54

I am having the same issues. How was this condition resolved?

mateid1234 Wed, 07/16/2008 - 05:21

Unfortunately, I am still trying to find a solution for this problem. Maybe you could post your configuration, so we can try to at least rule out what is not causing this behavior.

a.alekseev Wed, 07/16/2008 - 05:29

Exclude ip address of the local interface from the NAT.

[Pls RATE if HELPS]

mateid1234 Wed, 07/16/2008 - 07:28

Please elaborate a bit more on your solution, because I'm not sure that I understand what I'm supposed to do. The ip address of the virtual interface (BVI1) is not being natted directly, but several computers behind the router (sharing the same IP class) are. Is this the problem?

a.alekseev Wed, 07/16/2008 - 10:22

ip access-list ext NAT
 deny ip host 172.16.0.100 any
 permit ip 172.16.0.0 0.0.0.255 any
!
route-map ISP1nat permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ASYNCnat permit 10
 match ip address NAT
 match interface Dialer2
!
route-map ISP2nat permit 10
 match ip address NAT
 match interface Dialer0
!

mateid1234 Wed, 07/16/2008 - 18:18

Yes, this works, but now I cannot use different ISPs for different computers. If I create two access lists like

ip access-list ext THRUISP1
 deny ip host 172.16.0.100 any
 permit ip host 172.16.0.1 any

or

 permit ip 172.16.0.0 0.0.0.7 any

and

ip access-list ext THRUISP2
 deny ip host 172.16.0.100 any
 permit ip host 172.16.0.9 any

or

 permit ip 172.16.0.8 0.0.0.7 any

the problem reappears! I think I'm missing the logic behind this.

Is there an alternative way of using concurrent NAT translations without having this problem?

My ultimate goal is to allow

access list 1 -> ISP1 -> ISP2 -> ASYNC
access list 2 -> ISP2 -> ISP1 -> ASYNC

while using ISP2 for incoming webvpn connections.

Is this possible? Thanks!

a.alekseev Wed, 07/16/2008 - 22:56

Use policy based routing and stay NAT as it is.

[Pls RATE if HELPS]

mateid1234 Wed, 07/16/2008 - 23:19

This is what I'm using right now (leaving the ASYNC interface aside):

interface BVI1
 ip policy route-map RMAP
!
ip access-list ext NAT
 deny ip host 172.16.0.100 any
 permit ip 172.16.0.0 0.0.0.255 any
!
ip access-list standard THRUISP1
 permit 172.16.0.1
 permit 172.16.0.2
!
ip access-list standard THRUISP2
 permit 172.16.0.3
 permit 172.16.0.4
!
route-map RMAP permit 10
 match ip address THRUISP1
 set ip next-hop verify-availability x.x.x.x 10 track 123
 set ip next-hop verify-availability y.y.y.y 20 track 124
!
route-map RMAP permit 20
 match ip address THRUISP2
 set ip next-hop verify-availability y.y.y.y 10 track 124
 set ip next-hop verify-availability x.x.x.x 20 track 123
!
route-map ISP1nat permit 10
 match ip address NAT
 match interface FastEthernet0
!
route-map ISP2nat permit 10
 match ip address NAT
 match interface Dialer0
!
ip nat inside source route-map ISP1nat interface FastEthernet0 overload
ip nat inside source route-map ISP2nat interface Dialer0 overload

In this configuration the problem remains the same. As soon as I try to add a specific host to either THRUISP1 or THRUISP2 the router stops responding to incoming connections! The only way it works is if I replace both access lists with the NAT list. Am I doing something wrong?

mateid1234 Wed, 07/16/2008 - 23:57

I've switched to extended ACLs, but without success. Any other suggestions? I feel like I'm getting close to finally solving this issue!

mateid1234 Thu, 07/17/2008 - 01:35

I've attached my current config.

The problem is that the router does not return packets for connections initiated from an untrusted interface to the router itself (like in the case of webvpn), as long as NAT is enabled only for specific computers behind the network (as opposed to the entire LAN).


a.alekseev Thu, 07/17/2008 - 04:31

Do you have static ip or dynamic ip for interfaces FastEthernet0 and Dialer0?

mateid1234 Thu, 07/17/2008 - 04:35

Both interfaces have dynamic IPs. Fa0 acquires the IP address through DHCP and Di0 through IPCP (PPPoE).

a.alekseev Thu, 07/17/2008 - 05:42

If you have dynamic IPs, how could you access them?

Or maybe you have static binding...

mateid1234 Thu, 07/17/2008 - 05:48

I use a free DDNS service for Di0, but I removed the relevant lines from the config file because the username and password were shown in clear.

Correct Answer
a.alekseev Thu, 07/17/2008 - 06:46

This is your main route:

ip route 0.0.0.0 0.0.0.0 FastEthernet0 10 track 123

This is your backup route:

ip route 0.0.0.0 0.0.0.0 Dialer0 20 track 124

If you try to access Dialer0 from outside, your return traffic goes through FastEthernet0.

You need to do "Local PBR" to correct this...
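As an added illustration, not code from this thread, from Cisco or from any IOS feature, here is a small Python model of the two things the accepted answer and the earlier "exclude the local interface from NAT" reply depend on: how a floating-default-route lookup picks the egress interface for the router's own SYN-ACK regardless of which interface the SYN arrived on, how a local policy route (the "Local PBR" above, a stand-in for 'ip local policy route-map') or the metric swap described later in the thread restores a symmetric path, and how the first-match 'deny ip host 172.16.0.100 any' line keeps that address out of the overload translation. The interface names, the two default-route distances and the NAT ACL come from the thread; the WAN addresses 198.51.100.10 and 203.0.113.20, the client address 192.0.2.50 and the assumption that 172.16.0.100 is the BVI1 address are constructed for the example.

```python
# Added example (not from the thread): a toy model of floating default routes,
# local policy routing for router-generated replies, and a NAT source ACL.
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

FA0, DI0 = "FastEthernet0", "Dialer0"
DEFAULT = Net("0.0.0.0/0")

# Constructed addresses (documentation ranges) standing in for the ISP-assigned
# addresses of the two WAN interfaces in the thread.
IFACE_ADDR = {FA0: IPv4("198.51.100.10"), DI0: IPv4("203.0.113.20")}


@dataclass
class Route:
    prefix: Net
    interface: str
    admin_distance: int   # the "10" / "20" in 'ip route ... 10 track 123'
    up: bool = True       # whether the route's track object is up


def select_route(routes, dst):
    """Ordinary table lookup: longest prefix first, then lowest administrative distance."""
    usable = [r for r in routes if r.up and dst in r.prefix]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))


def default_routes(fa0_ad=10, di0_ad=20):
    """The two floating default routes from the thread, distances configurable."""
    return [Route(DEFAULT, FA0, fa0_ad), Route(DEFAULT, DI0, di0_ad)]


def reply_egress(routes, local_policy, ingress_iface, client):
    """Interface the router's own SYN-ACK leaves on.

    The reply is sourced from the address of the interface the SYN arrived on.
    Router-generated packets consult the local policy first (a dict mapping a
    source address to an egress interface, modelling a local PBR route-map);
    only when nothing matches does the routing table decide.
    """
    reply_src = IFACE_ADDR[ingress_iface]
    if reply_src in local_policy:
        return local_policy[reply_src]
    route = select_route(routes, client)
    return route.interface if route else None


def is_symmetric(routes, local_policy, ingress_iface, client):
    """True when the reply leaves on the interface the SYN came in on."""
    return reply_egress(routes, local_policy, ingress_iface, client) == ingress_iface


def nat_acl_permits(acl, src):
    """First-match evaluation of the source part of a NAT ACL; unmatched = implicit deny."""
    for action, network in acl:
        if src in network:
            return action == "permit"
    return False


# The 'ip access-list ext NAT' from the thread; 172.16.0.100 is assumed here
# to be the BVI1 (local interface) address that must not be translated.
NAT_ACL = [("deny", Net("172.16.0.100/32")), ("permit", Net("172.16.0.0/24"))]


if __name__ == "__main__":
    client = IPv4("192.0.2.50")                     # constructed WebVPN client
    routes = default_routes()
    print("no local PBR, SYN on Dialer0 ->", reply_egress(routes, {}, DI0, client))
    policy = {IFACE_ADDR[DI0]: DI0}                 # local PBR for Dialer0-sourced replies
    print("with local PBR             ->", reply_egress(routes, policy, DI0, client))
    swapped = default_routes(fa0_ad=20, di0_ad=10)  # the metric swap from the last post
    print("swapped distances          ->", reply_egress(swapped, {}, DI0, client))
    print("172.16.0.100 translated?   ", nat_acl_permits(NAT_ACL, IPv4("172.16.0.100")))
```

The model shows the trade-off the thread ends on: swapping the distances makes Dialer0 the symmetric interface but makes FastEthernet0 asymmetric instead, whereas a local policy entry per WAN address keeps both reachable. When checking a real box, compare the ingress interface from 'debug ip tcp transactions' output with the egress interface reported by 'show ip route' for the client address.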

mateid1234 Thu, 07/17/2008 - 10:35

Problem solved!

It wasn't even necessary to implement a local policy route-map, since I don't intend to access the router from both interfaces.

What I did was to simply switch the metrics on the default routes and thus force the router to use the correct interface.

This, combined with the explicit removal of the local interface from NAT was the solution to this issue.

Thank you very much a.alekseev!
