Weird behaviour of traffic forwarding on tunnel.

godzilla0
Level 1

Hi, we have the following problem. We have many tunnel connections with our customers. The customer side is a Cisco 871, and our side is a Cisco VPN concentrator. The configs are identical for every customer, as we deliver an 871 to every customer when we start giving them the service. Now, the tunnel is always up. No IPsec or ISAKMP errors. But when I ping the only host on their side, it does the following:

64 bytes from 10.192.206.31: icmp_seq=183 ttl=62 time=61.2 ms
64 bytes from 10.192.206.31: icmp_seq=184 ttl=62 time=61.9 ms
64 bytes from 10.192.206.31: icmp_seq=185 ttl=62 time=61.1 ms
64 bytes from 10.192.206.31: icmp_seq=186 ttl=62 time=62.2 ms
64 bytes from 10.192.206.31: icmp_seq=187 ttl=62 time=62.6 ms
64 bytes from 10.192.206.31: icmp_seq=188 ttl=62 time=60.7 ms
64 bytes from 10.192.206.31: icmp_seq=189 ttl=62 time=60.9 ms
64 bytes from 10.192.206.31: icmp_seq=190 ttl=62 time=62.7 ms
64 bytes from 10.192.206.31: icmp_seq=191 ttl=62 time=60.5 ms
64 bytes from 10.192.206.31: icmp_seq=192 ttl=62 time=59.8 ms
64 bytes from 10.192.206.31: icmp_seq=193 ttl=62 time=71.9 ms
64 bytes from 10.192.206.31: icmp_seq=194 ttl=62 time=60.5 ms
64 bytes from 10.192.206.31: icmp_seq=195 ttl=62 time=59.9 ms
64 bytes from 10.192.206.31: icmp_seq=196 ttl=62 time=63.1 ms
From 192.168.3.11: icmp_seq=197 Redirect Network(New nexthop: 192.168.3.250)
64 bytes from 10.192.206.31: icmp_seq=197 ttl=62 time=73.0 ms
From 213.192.205.59 icmp_seq=201 Destination Host Unreachable
From 213.192.205.59 icmp_seq=202 Destination Host Unreachable
From 213.192.205.59 icmp_seq=204 Destination Host Unreachable
From 213.192.205.59 icmp_seq=206 Destination Host Unreachable

So the ICMP sequence starts sending and receiving with no problem. Then it suddenly stops receiving data, as if there were no route to the host/network, and it tries to get out via our internet gateway. I find it very strange, as they say the ADSL connection they hired is of good quality, and we are not NATing anything. They are not NATing on their side either. Well, they NAT, but they bypass our networks so they can reach the other side of the tunnel. Do you know what could be happening?

Thanks.
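The ping output above carries the whole story in three line shapes: normal replies, one ICMP Redirect from the expected gateway, and then unreachables from a different address. The following script is an added example, not part of the original post; it parses iputils-style ping lines, locates the first redirect, and reports whether replies stop and where the unreachables come from afterwards, which is the pattern a host shows once a redirect has changed its path. The embedded sample lines are an excerpt of the thread's own output; the helper names (`parse_ping`, `analyze`) are this example's, not any Cisco tool.

```python
import re
from dataclasses import dataclass

# Line shapes produced by Linux iputils ping, as seen in the thread above.
REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<src>[\d.]+): icmp_seq=(?P<seq>\d+) ttl=\d+ time=(?P<rtt>[\d.]+) ms")
REDIRECT_RE = re.compile(
    r"^From (?P<src>[\d.]+):? icmp_seq=(?P<seq>\d+) Redirect (?P<kind>Network|Host)"
    r"\(New nexthop: (?P<nh>[\d.]+)\)")
UNREACH_RE = re.compile(
    r"^From (?P<src>[\d.]+):? icmp_seq=(?P<seq>\d+) Destination (?P<what>Host|Net) Unreachable")


@dataclass
class Event:
    seq: int
    kind: str    # "reply", "redirect" or "unreachable"
    src: str     # address the packet came from
    detail: str  # rtt, new next hop, or unreachable type


def parse_ping(lines):
    """Turn raw ping output into Event records; lines of other shapes are ignored."""
    events = []
    for raw in lines:
        line = raw.strip()
        if m := REPLY_RE.match(line):
            events.append(Event(int(m["seq"]), "reply", m["src"], m["rtt"]))
        elif m := REDIRECT_RE.match(line):
            events.append(Event(int(m["seq"]), "redirect", m["src"], f"{m['kind']} via {m['nh']}"))
        elif m := UNREACH_RE.match(line):
            events.append(Event(int(m["seq"]), "unreachable", m["src"], m["what"]))
    return events


def analyze(lines, gateway):
    """Summarise what happened around the first ICMP redirect.

    gateway is the address the pinging host expects to send through. A redirect
    from it, followed by no further replies and unreachables from some other
    address, is the signature of the host's path having been changed."""
    events = parse_ping(lines)
    redirects = [e for e in events if e.kind == "redirect"]
    summary = {
        "redirects": [(e.seq, e.src, e.detail) for e in redirects],
        "replies_before": 0, "replies_after": 0, "unreachable_after": 0,
        "foreign_sources": set(), "path_changed": False,
    }
    if not redirects:
        summary["replies_before"] = sum(1 for e in events if e.kind == "reply")
        return summary
    first = redirects[0].seq
    for e in events:
        if e.kind == "reply":
            # The reply sharing the redirect's seq still arrives: the router forwards
            # that packet and sends the redirect, so it counts as "before".
            key = "replies_before" if e.seq <= first else "replies_after"
            summary[key] += 1
        elif e.kind == "unreachable" and e.seq > first:
            summary["unreachable_after"] += 1
            if e.src != gateway:
                summary["foreign_sources"].add(e.src)
    summary["path_changed"] = (
        redirects[0].src == gateway
        and summary["replies_after"] == 0
        and summary["unreachable_after"] > 0)
    return summary


# Excerpt of the ping output posted in the thread above.
SAMPLE = """\
64 bytes from 10.192.206.31: icmp_seq=195 ttl=62 time=59.9 ms
64 bytes from 10.192.206.31: icmp_seq=196 ttl=62 time=63.1 ms
From 192.168.3.11: icmp_seq=197 Redirect Network(New nexthop: 192.168.3.250)
64 bytes from 10.192.206.31: icmp_seq=197 ttl=62 time=73.0 ms
From 213.192.205.59 icmp_seq=201 Destination Host Unreachable
From 213.192.205.59 icmp_seq=202 Destination Host Unreachable
From 213.192.205.59 icmp_seq=204 Destination Host Unreachable
From 213.192.205.59 icmp_seq=206 Destination Host Unreachable
""".splitlines()

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "192.168.3.11").items():
        print(f"{key}: {value}")
```

Run against the excerpt, the summary shows three replies up to and including seq 197, none afterwards, four unreachables from 213.192.205.59, and `path_changed` set: the redirect from 192.168.3.11 was accepted by the host and its next packets went to 192.168.3.250 instead. The same logic works on a longer capture; only the first redirect is used as the pivot, so a second redirect later in the run would show up in `redirects` but not change the counts.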

6 Replies

andrew.prince
Level 10

Well, looks like you have some kind of issue there.

What device is 192.168.3.11?

What device is 192.168.3.250?

3.11 is the Vpn concentrator.

3.250 is the firewall that goes to the inet.

The host on our network that is being accessed has the 3.11 as the gateway. So no redirection of any kind is done. It should work.

Well, the debug line is quite clear:

"From 192.168.3.11: icmp_seq=197 Redirect Network(New nexthop: 192.168.3.250)

64 bytes from 10.192.206.31: icmp_seq=197 ttl=62 time=73.0 ms "

It is being redirected.

I'm sorry, but I thought you were about to go further with your answer. I know it's being redirected; the packet wants to go through the inet gateway because of some issue. I want to know why. Thank you anyway.

Well, the reason is:

192.168.3.11 is sending an ICMP Redirect, informing that the best way to get to the remote end is via 192.168.3.250

So I guess you need to figure out why 192.168.3.11, which is your VPN concentrator, right? Why is this device sending the ICMP redirect?

What device is the VPN conc? What version of code?

Can you also post the routing table of the VPN concentrator, and the routing table of the 3.250 firewall?
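The reply above points at the routing table because the redirect is a routing symptom: a router sends ICMP Redirect when it has to forward a packet back out the interface it arrived on and the packet's source and the next hop sit on that interface's network (RFC 1812, section 5.2.7.2). The following is an added model of that decision, not the concentrator's code or configuration; the interface names, the `tunnel-cust` addressing and both route tables are assumptions made up for the illustration, with only 192.168.3.11, 192.168.3.250 and 10.192.206.31 taken from the thread. It shows what 192.168.3.11 would do with a LAN host's packet for 10.192.206.31 when its only matching route is a default via 192.168.3.250, and what changes once a route for the customer network points into the tunnel.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: str               # destination network, e.g. "0.0.0.0/0"
    next_hop: Optional[str]   # None for a directly connected network
    iface: str                # interface the route points out of


# Assumed interface addressing for the illustration (not taken from the thread,
# except that 192.168.3.11 is the concentrator's LAN address).
INTERFACES = {
    "inside": "192.168.3.11/24",
    "tunnel-cust": "10.255.0.1/30",   # placeholder for the customer tunnel
}


def lookup(dst, routes):
    """Longest-prefix match over a plain route list."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def forwarding_decision(src, dst, ingress, routes, interfaces=INTERFACES):
    """Decide how a router forwards the packet and whether it also sends a redirect.

    Redirect condition (RFC 1812 5.2.7.2): egress interface equals ingress
    interface, and both the source and the chosen next hop are on that
    interface's network, so the sender could reach the next hop directly."""
    route = lookup(dst, routes)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    next_hop = route.next_hop or dst           # connected route: deliver to dst itself
    in_net = ipaddress.ip_interface(interfaces[ingress]).network
    same_wire = (route.iface == ingress
                 and ipaddress.ip_address(src) in in_net
                 and ipaddress.ip_address(next_hop) in in_net)
    decision = {"action": "forward", "egress": route.iface, "next_hop": next_hop}
    if same_wire:
        decision["action"] = "forward+redirect"
        decision["redirect_to"] = next_hop
    return decision


# Assumed table with only a default route towards the firewall: the customer
# network resolves to 192.168.3.250, so every LAN host gets redirected there.
ROUTES_DEFAULT_ONLY = [
    Route("192.168.3.0/24", None, "inside"),
    Route("0.0.0.0/0", "192.168.3.250", "inside"),
]
# Same table plus a route for the customer network out of the tunnel.
ROUTES_WITH_TUNNEL = ROUTES_DEFAULT_ONLY + [Route("10.192.206.0/24", None, "tunnel-cust")]

if __name__ == "__main__":
    for name, table in (("default only", ROUTES_DEFAULT_ONLY), ("with tunnel", ROUTES_WITH_TUNNEL)):
        print(name, forwarding_decision("192.168.3.50", "10.192.206.31", "inside", table))
```

With the default-only table the packet is still forwarded (which is why the reply for seq 197 arrived) but a redirect to 192.168.3.250 goes back to the host; with the tunnel route present the egress interface differs from the ingress one and no redirect is generated. When reading a real table, check which route the remote network actually matches, not just whether a tunnel route exists. Disabling redirects on the LAN interface (`no ip redirects` on IOS) would only hide the message while traffic still hairpins through the firewall; the path itself is what the routing tables need to explain.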
