cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
881
Views
0
Helpful
13
Replies

VPN Tunnel Established Without Traffic Passing

engineering
Level 1
Level 1

I am working with a VPN tunnel between a Cisco 1710 (branch) and Cisco 2610 (HQ). The tunnel is UP, however, the branch is unable to browse to a site using internal IP hosted at HQ. There are other branch connections with Cisco 1710 routers that use similar, but not exact, configurations. I have gone through line by line, but unable to identify the failure. I am prepared to paste both configurations if someone would care to review.

13 Replies 13

foxbatreco
Level 3
Level 3

Is this an IPSEC tunnel?

if so , pls check the hitcounts on the acl relaying the traffic on either side to see traces of data & check if the ip's involved in the tunnel are denied from being involved in NAT.

Pls paste the configs, it will help to check further.

I apologize for the delayed response. I will paste the current configuration below. I would greatly appreciate any insight.

This is a branch that is connected to the Internet via cable with a dynamic (DHCP) assigned external IP address. There is a tunnel which is successfully established via dynamic map to the headquarters (HQ).

On the LAN Internet connectivity is good, however, they need to access a web (www) site on the internal LAN at HQ (Headquarters) which fails. The local subnet is 10.7.x.x amd tje remote subnet is 10.0.x.x and the internal site is 10.0.0.110.

Unfortuantely, ping isn't available, so I can't test that, but I a traceroute shows the first hop does NOT appear to be routing properly. I have included the configuration of the branch office and at the bottom a snippet of another branch that can connect to the 10.0.0.110 web site and an illustration of that routing, however, the difference is that that site has a static IP address (perhaps I have something routing wrong on the branch with the DHCP Internet access).

sh crypto isakmp sa

sh crypto ipsec sa

Hi,

From the config sent out with respect to Bransch office, it appears that the trace is taking a fisrt hop :10.19.48.1. Can u pls do a sh ip route and find out which interface is next hop for this IP.This subnet is not available in the router config of this branch office router, hence I would be qurious to know the same.

Also try once after disabling nat statements from both the internal and external interfaces. Pls do send in trace run post removing the NAT statements.

Pls post these details.

by the way,

this is not correct.

ip route 0.0.0.0 0.0.0.0 Ethernet0

on broadcast media you should use ip-address instead of intreface (in this case Ethernet0)

I have detailed troubleshooting attached as a file. I did remove the ip route and Internet connectivity is good. Removing the NAT statements did not appear to have any effect (other than dropping Internet connectivity).

So, I guess it boils down to where is the first hop 10.19.48.1 coming from and how to get it to go through the correct gateway in order to get to the other side of the tunnel, because it appears that the first hop 10.19.48.1 is what is causing the problem.

As an additional measure, I also try to add a specific route for that network, but that did not have any effect either (so, I reverted that change).

Trexlertown(config)#ip route 10.19.0.0 255.255.0.0 207.xxx.xxx.1

Trexlertown(config)#^Z

Trexlertown#wr mem

Building configuration...

[OK]

Trexlertown#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 207.xxx.xxx.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 10.7.0.0/24 is directly connected, FastEthernet0

S 10.19.0.0/16 [1/0] via 207.xxx.xxx.1

C 207.xxx.xxx.0/24 is directly connected, Ethernet0

S* 0.0.0.0/0 [254/0] via 207.xxx.xxx.1

You have a problem on HQ router.

Could you show the configuration?

I appreciate the quick reply. As you will see from the current HQ configuration, there are MANY tunnels that are up and successfully routing to the internal 10.0.0.110 host via www.

could you try add an option

crypto dynamic-map dynmap 14

set transform-set cm-transformset-2

match address 120

set reverse-route

reestablish vpn

and "sh crypto ipsec sa" on HQ

sh ip route

can you ping Branch router's inside interface ip address 10.7.0.1 from HQ router sourcing from its inside interface 10.0.0.201?

Saju

Hi,

I strongly believe this is routing issue , probably on the HQ. Hence a reverse route issue. I also see Rip running.

So pls do a sh ip route on the HQ router fr the branch segment.

If it points correctly then, pls try pinging the branch interface. Also try finding out the 10.19.X.X segment on the HQ router which appears to be the fisrt hop on trace from branch router.

Also do a sh ip route fr 10.0.0.0 on the branch router and paste the out puts here.

singhsaju
Level 4
Level 4

what is output for

show crypto ipsec sa ?

do you see pkts encrypted on one side and decrypted on the other side. Then its a routing issue . Check the routing for the subnet on the side where packets are getting decrypted.

Hi,

Pls remove the route for 10.19.48.0 that you have applied. Its is only complicating the issue. This is probably a hop somewhere on the HQ side.

Pls paste the outputs as I have requested.

One more thing is to create two loopbacks interfaces, one on the Branch with branch pool lan ip & other one on HQ router with HQ segment that is inaccesible. Both IPs should be /32 .

Then try pinging and tracing to those IP with source as loopbacks from both ends.

If the ping and trace reaches, we are more or less very near to the solution.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco