Weird behaviour of traffic forwarding on tunnel.

Sep 29th, 2008

Hi, we have the following problem. We have many tunnel connections with our customers. The customer side is a Cisco 871, and our side is a Cisco VPN concentrator. The configs are identical for every customer, as we deliver an 871 to every customer when we start giving them the service. Now, the tunnel is always up. No IPsec or ISAKMP errors. But when I ping the only host on their side, it does the following:

64 bytes from 10.192.206.31: icmp_seq=183 ttl=62 time=61.2 ms
64 bytes from 10.192.206.31: icmp_seq=184 ttl=62 time=61.9 ms
64 bytes from 10.192.206.31: icmp_seq=185 ttl=62 time=61.1 ms
64 bytes from 10.192.206.31: icmp_seq=186 ttl=62 time=62.2 ms
64 bytes from 10.192.206.31: icmp_seq=187 ttl=62 time=62.6 ms
64 bytes from 10.192.206.31: icmp_seq=188 ttl=62 time=60.7 ms
64 bytes from 10.192.206.31: icmp_seq=189 ttl=62 time=60.9 ms
64 bytes from 10.192.206.31: icmp_seq=190 ttl=62 time=62.7 ms
64 bytes from 10.192.206.31: icmp_seq=191 ttl=62 time=60.5 ms
64 bytes from 10.192.206.31: icmp_seq=192 ttl=62 time=59.8 ms
64 bytes from 10.192.206.31: icmp_seq=193 ttl=62 time=71.9 ms
64 bytes from 10.192.206.31: icmp_seq=194 ttl=62 time=60.5 ms
64 bytes from 10.192.206.31: icmp_seq=195 ttl=62 time=59.9 ms
64 bytes from 10.192.206.31: icmp_seq=196 ttl=62 time=63.1 ms
From 192.168.3.11: icmp_seq=197 Redirect Network(New nexthop: 192.168.3.250)
64 bytes from 10.192.206.31: icmp_seq=197 ttl=62 time=73.0 ms
From 213.192.205.59 icmp_seq=201 Destination Host Unreachable
From 213.192.205.59 icmp_seq=202 Destination Host Unreachable
From 213.192.205.59 icmp_seq=204 Destination Host Unreachable
From 213.192.205.59 icmp_seq=206 Destination Host Unreachable

So the ICMP sequence starts sending and receiving with no problem. Then it suddenly stops receiving data, like there is no route to the host / network, and it tries to get out through our internet gateway. I find it very strange, as they say the ADSL connection they hired is of good quality, and we are not NATing anything. They are not NATing on their side either. Well, they NAT, but they bypass our networks so they can reach the other side of the tunnel. Do you know what could be happening?

Thanks.

godzilla0 Mon, 09/29/2008 - 04:26

3.11 is the VPN concentrator.

3.250 is the firewall that goes to the inet.

The host on our network that is being accessed has the 3.11 as the gateway. So no redirection of any kind is done. It should work.

godzilla0 Mon, 09/29/2008 - 06:31

I'm sorry, but I thought you were about to go further with your answer. I know it's being redirected; the packet wants to go through the inet gateway because of some issue. I want to know why. Thank you anyways.

Well the reason is:-

192.168.3.11 is sending an ICMP Redirect, informing that the best way to get to the remote end is via 192.168.3.250.

So I guess you need to figure out why 192.168.3.11, which is your VPN concentrator, right? Why is this device sending the ICMP redirect?

What device is the VPN conc? What version of code?

singhsaju Mon, 09/29/2008 - 08:54

Can you also post the routing table of the VPN Concentrator, and the routing table of the 3.250 firewall?
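
An added example, not part of the original thread: a small Python parser that reads the ping transcript from the question as a timeline, separating what happened before the ICMP redirect from 192.168.3.11 from what happened after it. The function names are hypothetical and the sample is a shortened copy of the output quoted above.

```python
import re

# Shortened copy of the ping output quoted in the question (constructed sample).
SAMPLE = """\
64 bytes from 10.192.206.31: icmp_seq=195 ttl=62 time=59.9 ms
64 bytes from 10.192.206.31: icmp_seq=196 ttl=62 time=63.1 ms
From 192.168.3.11: icmp_seq=197 Redirect Network(New nexthop: 192.168.3.250)
64 bytes from 10.192.206.31: icmp_seq=197 ttl=62 time=73.0 ms
From 213.192.205.59 icmp_seq=201 Destination Host Unreachable
From 213.192.205.59 icmp_seq=202 Destination Host Unreachable
From 213.192.205.59 icmp_seq=204 Destination Host Unreachable
From 213.192.205.59 icmp_seq=206 Destination Host Unreachable
"""

REPLY = re.compile(r"bytes from ([\d.]+): icmp_seq=(\d+)")
REDIRECT = re.compile(
    r"From ([\d.]+):? icmp_seq=(\d+) Redirect \w+\s*\(New nexthop: ([\d.]+)\)")
UNREACH = re.compile(
    r"From ([\d.]+):? icmp_seq=(\d+) Destination (?:Host|Net) Unreachable")

def analyze(text):
    """Split a ping transcript into events before and after the first redirect."""
    r = {"last_reply_before": None, "redirect": None,
         "replies_after": [], "unreachable_after": [], "reporters": set()}
    for line in text.splitlines():
        if m := REDIRECT.search(line):
            if r["redirect"] is None:  # keep only the first redirect seen
                r["redirect"] = {"sender": m[1], "seq": int(m[2]), "nexthop": m[3]}
        elif m := REPLY.search(line):
            if r["redirect"] is None:
                r["last_reply_before"] = int(m[2])
            else:
                r["replies_after"].append(int(m[2]))
        elif (m := UNREACH.search(line)) and r["redirect"] is not None:
            r["unreachable_after"].append(int(m[2]))
            r["reporters"].add(m[1])  # device that reported the failure
    return r

def path_changed(r):
    """True when a redirect is followed by unreachables from a different device."""
    red = r["redirect"]
    return bool(red and r["unreachable_after"] and red["sender"] not in r["reporters"])

if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result)
    print("path changed after redirect:", path_changed(result))
```

On this sample, probe 197 is still answered after the redirect, and every later failure is reported by 213.192.205.59 rather than by the concentrator.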
