07-11-2008 01:55 PM - edited 03-09-2019 09:04 PM
I am connecting a new site to an existing Hub 1700 series router.
I can get the tunnel up but can't flow any traffic.
Can someone interpret this output?
cisco851#show crypto session
Crypto session current status
Interface: Dialer0
Session status: DOWN
Peer: 207.61.224.71 port 500
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
Interface: Virtual-Access1
Session status: DOWN
Peer: 207.61.224.71 port 500
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
cisco851#ping 192.168.0.20 source 192.168.22.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.20, timeout is 2 seconds:
Packet sent with a source address of 192.168.22.1
.....
Success rate is 0 percent (0/5)
cisco851#show crypto session
Crypto session current status
Interface: Dialer0
Session status: UP-NO-IKE
Peer: 207.61.224.71 port 500
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Interface: Virtual-Access1
Session status: DOWN
Peer: 207.61.224.71 port 500
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.22.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
Interface: Dialer0
Session status: UP-IDLE
Peer: 207.61.224.71 port 500
IKE SA: local 70.232.253.22/500 remote 207.61.224.71/500 Active
07-11-2008 02:20 PM
sh run
sh crypto isakmp sa
sh crypto ipsec sa
07-11-2008 02:33 PM
07-11-2008 02:49 PM
looks like the problem is on the HUB
07-12-2008 09:33 AM
I would agree with Aleksey.
If you have a sniffer on the WAN side of the router, you might want to look for asymmetrical operation (traffic that should be encapsulated, but is not), which can result from non-mirrored crypto ACLs.
If there is no evidence of this, consider whether your ICMP is being blocked, or test with a different passenger protocol.
On a separate (unrelated) issue, I noticed that Access Control Entries in some of your ACLs (103, 101) are erroneously sequenced.
e.g.:
access-list 103 permit ip 192.168.22.0 0.0.0.255 any
access-list 103 deny ip host 192.168.22.5 any
access-list 103 deny ip host 192.168.22.10 any
Packets that would match the deny ACEs would have already been permitted by the preceding permit ACE.
The following collection of ACEs prevent spoofing from specific source addresses, but they are placed after numerous permit ACEs with "source = any".
access-list 101 deny ip 192.168.22.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
You might want to move these ACEs to the top so they can do their job fully.
07-14-2008 06:24 AM
Thank you (all) for your input!
I will be getting access to the HUB and will post debugging info in the next day or so.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: