cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
696
Views
0
Helpful
5
Replies

Simple Hub and spoke

cisco
Level 1
Level 1

I am connecting a new site to an existing Hub 1700 series router.

I can get the tunnel up but can't flow any traffic.

Can someone interpret this output?

cisco851#show crypto session

Crypto session current status

Interface: Dialer0

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

Interface: Virtual-Access1

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

cisco851#ping 192.168.0.20 source 192.168.22.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.0.20, timeout is 2 seconds:

Packet sent with a source address of 192.168.22.1

.....

Success rate is 0 percent (0/5)

cisco851#show crypto session

Crypto session current status

Interface: Dialer0

Session status: UP-NO-IKE

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 2, origin: crypto map

Interface: Virtual-Access1

Session status: DOWN

Peer: 207.61.224.71 port 500

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0

Active SAs: 0, origin: crypto map

Interface: Dialer0

Session status: UP-IDLE

Peer: 207.61.224.71 port 500

IKE SA: local 70.232.253.22/500 remote 207.61.224.71/500 Active

5 Replies 5

a.alekseev
Level 7
Level 7

sh run

sh crypto isakmp sa

sh crypto ipsec sa

Here's the spoke. I can't provide the Hub config at present. Others.txt contains the crypto output.

looks like the problem is on the HUB

I would agree with Aleksey.

If you have a sniffer on the WAN side of the router, you might want to look for asymmetrical operation (traffic that should be encapsulated, but is not), which can result from non-mirrored crypto ACLs.

If there is no evidence of this, consider whether your ICMP is being blocked, or test with a different passenger protocol.

On a separate (unrelated) issue, I noticed that Access Control Entries in some of your ACLs (103, 101) are erroneously sequenced.

e.g.:

access-list 103 permit ip 192.168.22.0 0.0.0.255 any

access-list 103 deny ip host 192.168.22.5 any

access-list 103 deny ip host 192.168.22.10 any

Packets that would match the deny ACEs would have already been permitted by the preceding permit ACE.

The following collection of ACEs prevent spoofing from specific source addresses, but they are placed after numerous permit ACEs with "source = any".

access-list 101 deny ip 192.168.22.0 0.0.0.255 any

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

You might want to move these ACEs to the top so they can do their job fully.

Thank you (all) for your input!

I will be getting access to the HUB and will post debugging info in the next day or so.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: