Simple Hub and spoke

Unanswered Question

I am connecting a new site to an existing Hub 1700 series router.

I can get the tunnel up but can't flow any traffic.

Can someone interpret this output?

cisco851#show crypto session

Crypto session current status

Interface: Dialer0

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

Interface: Virtual-Access1

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

cisco851#ping 192.168.0.20 source 192.168.22.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.20, timeout is 2 seconds:

Packet sent with a source address of 192.168.22.1

.....

Success rate is 0 percent (0/5)

cisco851#show crypto session

Crypto session current status

Interface: Dialer0

Session status: UP-NO-IKE

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

Interface: Virtual-Access1

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

Interface: Dialer0

Session status: UP-IDLE

Peer: 207.61.224.71 port 500

IKE SA: local 70.232.253.22/500 remote 207.61.224.71/500 Active

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
michael.leblanc Sat, 07/12/2008 - 09:33

I would agree with Aleksey.

If you have a sniffer on the WAN side of the router, you might want to look for asymmetrical operation (traffic that should be encapsulated, but is not), which can result from non-mirrored crypto ACLs.

If there is no evidence of this, consider whether your ICMP is being blocked, or test with a different passenger protocol.

On a separate (unrelated) issue, I noticed that Access Control Entries in some of your ACLs (103, 101) are erroneously sequenced.

e.g.:

access-list 103 permit ip 192.168.22.0 0.0.0.255 any

access-list 103 deny ip host 192.168.22.5 any

access-list 103 deny ip host 192.168.22.10 any

Packets that would match the deny ACEs would have already been permitted by the preceding permit ACE.

The following collection of ACEs prevent spoofing from specific source addresses, but they are placed after numerous permit ACEs with "source = any".

access-list 101 deny ip 192.168.22.0 0.0.0.255 any

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

You might want to move these ACEs to the top so they can do their job fully.

Actions

This Discussion