04-09-2008 07:10 AM - edited 03-03-2019 09:29 PM
I have an odd problem with a new VPN we set up. It's a 2851 <--> Openswan Linux box. The tunnel comes up just fine. On the 2851 side we have a /24 and on the Openswan side we have a /19 and a /26. You can ping from any device in these ranges to any other. Even adjusting the ping to 1500 bytes it all works. Now the first thing we tried to do after this was SSH. We can ssh from the /19 (site b, behind the Openswan) to the /24 (site a, 2851) all day long without issue. We can also do the opposite (site a to site b /19). We also can SSH from the 2851 /24 to the Openswan /26. However the /26 at site b can not ssh to the 2851 /24. Watching the logs and such we can see the ssh packet gets to the box and the box sends a response, just the 2851 does not send the reply down the tunnel. It just seems to ignore it. I can not seem to find why the 2851 will not send an ssh session initiated from b /26 back to it when it will send a session initiated from a /24 down to the b /26.
Both the /19 and /26 are in the same ACL, just the /26 is not working fully.
Used the SDM to setup the tunnel.
Does that make sense? Need configs?
04-09-2008 09:41 AM
Can you post the crypto ACL that you have configured on both ends?
04-09-2008 10:09 AM
Forgot to mention I have two tunnels, one is working fine, the other is 3/4 way working. crypto map SDM_CMAP_1 2 with ACL 110 is the problem one.
10.1.7.0 is site a, behind 2851
10.8.0.0 is site b (working)
10.2.3.0 is site b (not fully working, can ping to/from but only ssh from site a, not to this range at site b)
10.3.5.0 is site c (working, not being discussed now)
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
match access-group 114
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
match access-group 113
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-inspect-1
match access-group name any
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
pass
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
pass
class type inspect sdm-cls-VPNOutsideToInside-5
pass
class type inspect sdm-cls-VPNOutsideToInside-6
inspect
class type inspect sdm-cls-VPNOutsideToInside-7
pass
class type inspect sdm-cls-VPNOutsideToInside-8
pass
class type inspect sdm-cls-VPNOutsideToInside-9
inspect
class class-default
drop log
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-cls-sdm-inspect-1
inspect
class class-default
drop log
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect sdm-access
inspect
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
04-09-2008 10:10 AM
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key
crypto isakmp key
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to
set peer
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set pfs group2
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to
set peer
set transform-set ESP-3DES-SHA1
set pfs group2
match address 110
!
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed 100
no cdp enable
standby 2 ip
standby 2 timers 5 15
standby 2 priority 200
standby 2 preempt
standby 2 track GigabitEthernet1/0 150
no mop enabled
crypto map SDM_CMAP_1
!
!
interface Vlan1
description $FW_INSIDE$
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
standby 1 ip
standby 1 timers 5 15
standby 1 priority 200
standby 1 preempt
standby 1 track GigabitEthernet0/1 150
!
ip route 0.0.0.0 0.0.0.0
!
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
ip access-list extended any
remark SDM_ACL Category=128
permit ip 10.1.7.0 0.0.0.63 any
!
04-09-2008 10:11 AM
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.7.0 0.0.0.63
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 69.90.79.24 0.0.0.7 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.1.7.0 0.0.0.63 10.3.5.0 0.0.0.255
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host
access-list 103 permit ip host
access-list 104 remark SDM_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.1.7.0 0.0.0.63 10.8.0.0 0.0.31.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.1.7.0 0.0.0.63 10.3.5.0 0.0.0.255
access-list 105 permit ip 10.1.7.0 0.0.0.63 any
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.8.31.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.8.0.0 0.0.31.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 113 remark SDM_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 114 remark SDM_ACL Category=0
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
04-09-2008 10:23 AM
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127
Shouldn't this be (based on the /24 and /26 mentioned in your original posting):
access-list 110 permit ip 10.1.7.0 0.0.0.255 10.2.3.0 0.0.0.192
04-09-2008 10:27 AM
oops, sorry about the typo. Shouldn't it be:
access-list 110 permit ip 10.1.7.0 0.0.0.255 10.2.3.0 0.0.0.63
04-09-2008 10:40 AM
Looks like I described it wrong. I have checked and it's a /25.
04-09-2008 10:54 AM
The traffic that needs to be encrypted has to match on both sides. The symptom you are describing points to a problem with that. If you have checked that part and still are having problems can you capture the output of the following commands when you are having the problem.
debug crypto ipsec
debug crypto isakmp
04-09-2008 12:01 PM
Debug is not showing anything. I did term mon and logging console debug.
10.1.7.0 to 10.8.0.0 works 100%
10.8.0.0 to 10.1.7.0 works 100%
10.1.7.0 to 10.2.3.0 works 100%
10.2.3.0 to 10.1.7.0 I see the traffic come in the tunnel and hit a box in 10.2.3.0/24 and I see traffic leave the host in 10.2.3.0/24 but the router does not put the traffic in the tunnel and I can't get the logs/debug to show anything at all.
04-09-2008 12:13 PM
Am I understanding this correctly? The host that you aren't able to SSH to, you are able to ping? If that is indeed the case, can you try to SSH to a different box in the same subnet, as that wouldn't have anything to do with the crypto configuration on the 2811.
04-09-2008 12:57 PM
I can SSH from 10.1.7.0 to 10.8.0.0, I can ssh from 10.8.0.0 to 10.1.7.0. I can SSH from 10.1.7.0 to 10.2.3.0 but if I try to SSH from 10.2.3.0 that does not work. The packet makes it through the tunnel to the host, the host sends the response, but the 2851 will not encode the reply packet even though it will encode new sessions and decrypts the incoming packet.
I don't have another host on 10.1.7.0 but I can ssh to/from it from multiple subnets. I can also ssh to it from the 2851 itself.
04-09-2008 02:36 PM
Is it just SSH to the host 10.1.7.x not working, or can't you ping the host from the 10.2.3.0 subnet either? If you can ping but not SSH you may have to do a sniffer capture on the LAN behind the 2811 to see if the host's response indeed gets to the 2811. One other thing you can try is configuring the command 'ip tcp adjust-mss 1440' under the LAN-facing interface on the 2811 to rule out any MTU problems.
04-10-2008 12:56 PM
I can ping and ssh from 10.1.7.x to 10.2.3.x. I can ping but NOT ssh from 10.2.3.x to 10.1.7.x.
I ran that command (as well as adjusting the size on the nic's of the hosts) but the result is the same.
A tcpdump shows the packets from 10.2.3.x get to the hosts on 10.1.7.x and the host sends a response but the router seems to just ignore it.
04-14-2008 07:10 AM
Found the issue. It was with ACL 111. The SDM created it so not sure why it did not add all the IP ranges but I still should have caught it much earlier.
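The responder's advice ("the traffic that needs to be encrypted has to match on both sides") and the poster's eventual finding (ACL 111 was missing a range) can both be checked mechanically. The script below is an added example, not code from the original poster or from Cisco. It transcribes the numbered ACLs and the class order of policy-map sdm-pol-VPNOutsideToInside-1 from the configuration posted above, then does two things: it reports which out-zone-to-in-zone ACLs lack the mirror image (destination and source swapped) of each permit line in crypto ACL 110, and it walks the zone-pair policy top-down, first match wins, to show which class and action a packet from the site b /25 to site a hits. The peer's Openswan policy is not on the page, so the mirror check is run against the 2851's own return-path ACLs; the host addresses 10.2.3.10 and 10.1.7.5 are made up for the demonstration. The only assumption beyond the posted config is standard IOS zone-based-firewall behaviour: classes in a policy-map are evaluated in order, and "pass" forwards statelessly while "inspect" creates a session for the return traffic.

```python
"""Audit a crypto ACL against the zone-based-firewall return-path ACLs.

Added example built from the ACLs and policy-map order posted in this thread;
not the poster's own tooling and not a Cisco utility.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: IPv4Network
    dst: IPv4Network


# Numbered ACLs transcribed from the posted configuration ('remark' lines dropped).
ACL_TEXT = """\
access-list 104 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 106 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 107 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 108 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 108 permit ip 10.8.31.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 109 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.8.0.0 0.0.31.255
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127
access-list 111 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 111 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 112 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 112 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 112 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 113 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 113 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 113 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 114 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 114 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 114 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
"""

# Class order and action of policy-map sdm-pol-VPNOutsideToInside-1 (out-zone -> in-zone);
# every class-map is 'match-all' on a single access-group, as posted.
OUT_TO_IN_POLICY = [
    ("sdm-cls-VPNOutsideToInside-1", "104", "inspect"),
    ("sdm-cls-VPNOutsideToInside-2", "106", "pass"),
    ("sdm-cls-VPNOutsideToInside-3", "107", "pass"),
    ("sdm-cls-VPNOutsideToInside-4", "108", "pass"),
    ("sdm-cls-VPNOutsideToInside-5", "109", "pass"),
    ("sdm-cls-VPNOutsideToInside-6", "111", "inspect"),
    ("sdm-cls-VPNOutsideToInside-7", "112", "pass"),
    ("sdm-cls-VPNOutsideToInside-8", "113", "pass"),
    ("sdm-cls-VPNOutsideToInside-9", "114", "inspect"),
]


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Convert Cisco 'address wildcard' to a network; set wildcard bits are don't-care."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # must be a contiguous run of low-order ones, e.g. 0.0.0.63
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def _take_address(tokens: list[str]) -> IPv4Network:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return IPv4Network("0.0.0.0/0")
    if t == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(t, tokens.pop(0))


def parse_acls(text: str) -> dict[str, list[AclEntry]]:
    """Parse numbered extended 'access-list N permit|deny PROTO SRC DST ...' lines."""
    acls: dict[str, list[AclEntry]] = {}
    for line in text.splitlines():
        m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.*)", line.strip())
        if not m:
            continue  # remarks and blank lines
        num, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _take_address(tokens)
        dst = _take_address(tokens)  # any port qualifier after this is ignored here
        acls.setdefault(num, []).append(AclEntry(action, proto, src, dst))
    return acls


def acl_permits(acl: list[AclEntry], src: str, dst: str) -> bool:
    """First-match ACL semantics with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def first_match(policy, acls, src: str, dst: str) -> tuple[str, str]:
    """Class and action an out-zone -> in-zone packet hits; classes are tried in order."""
    for cls, num, action in policy:
        if acl_permits(acls.get(num, []), src, dst):
            return cls, action
    return "class-default", "drop log"


def missing_mirrors(crypto_acl, return_acl) -> list[AclEntry]:
    """Mirror images of crypto-ACL permits that no permit entry of return_acl covers."""
    missing = []
    for e in crypto_acl:
        if e.action != "permit":
            continue
        mirror = AclEntry("permit", e.proto, e.dst, e.src)
        if not any(r.action == "permit" and mirror.src.subnet_of(r.src)
                   and mirror.dst.subnet_of(r.dst) for r in return_acl):
            missing.append(mirror)
    return missing


def audit(acl_text: str = ACL_TEXT) -> dict[str, list[AclEntry]]:
    """For every 'inspect' class of the out->in policy, what crypto ACL 110 mirrors it lacks."""
    acls = parse_acls(acl_text)
    return {num: missing_mirrors(acls["110"], acls[num])
            for _, num, action in OUT_TO_IN_POLICY if action == "inspect"}


if __name__ == "__main__":
    print(first_match(OUT_TO_IN_POLICY, parse_acls(ACL_TEXT), "10.2.3.10", "10.1.7.5"))
    for num, gaps in audit().items():
        for g in gaps:
            print(f"ACL {num}: no permit covering {g.src} -> {g.dst}")
```

Run as posted, the script reports that a packet from 10.2.3.10 to 10.1.7.5 lands in sdm-cls-VPNOutsideToInside-7 (ACL 112, action "pass") rather than in the "inspect" class fed by ACL 111, and that ACL 111 has no line covering 10.2.3.0/25 -> 10.1.7.0/26. Appending that one line to ACL 111 moves the packet into the inspected class, which is the change the poster made. The thread does not record the Openswan side, so to complete the "both sides" check you would run the same mirror comparison against the leftsubnet/rightsubnet pairs configured there.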