Simple Hub and spoke

Unanswered Question

I am connecting a new site to an existing Hub 1700 series router.


I can get the tunnel up but can't flow any traffic.


Can someone interpret this output?


cisco851#show crypto session

Crypto session current status


Interface: Dialer0

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map


Interface: Virtual-Access1

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map


cisco851#ping 192.168.0.20 source 192.168.22.1


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.20, timeout is 2 seconds:

Packet sent with a source address of 192.168.22.1

.....

Success rate is 0 percent (0/5)

cisco851#show crypto session

Crypto session current status


Interface: Dialer0

Session status: UP-NO-IKE

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map


Interface: Virtual-Access1

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map


Interface: Dialer0

Session status: UP-IDLE

Peer: 207.61.224.71 port 500

IKE SA: local 70.232.253.22/500 remote 207.61.224.71/500 Active

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
a.alekseev Fri, 07/11/2008 - 14:20
User Badges:
  • Gold, 750 points or more

sh run

sh crypto isakmp sa

sh crypto ipsec sa

a.alekseev Fri, 07/11/2008 - 14:49
User Badges:
  • Gold, 750 points or more

looks like the problem is on the HUB

michael.leblanc Sat, 07/12/2008 - 09:33
User Badges:
  • Silver, 250 points or more

I would agree with Aleksey.


If you have a sniffer on the WAN side of the router, you might want to look for asymmetrical operation (traffic that should be encapsulated, but is not), which can result from non-mirrored crypto ACLs.


If there is no evidence of this, consider whether your ICMP is being blocked, or test with a different passenger protocol.



On a separate (unrelated) issue, I noticed that Access Control Entries in some of your ACLs (103, 101) are erroneously sequenced.


e.g.:

access-list 103 permit ip 192.168.22.0 0.0.0.255 any

access-list 103 deny ip host 192.168.22.5 any

access-list 103 deny ip host 192.168.22.10 any


Packets that would match the deny ACEs would have already been permitted by the preceding permit ACE.



The following collection of ACEs prevent spoofing from specific source addresses, but they are placed after numerous permit ACEs with "source = any".


access-list 101 deny ip 192.168.22.0 0.0.0.255 any

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any


You might want to move these ACEs to the top so they can do their job fully.


Actions

This Discussion