Site To Site Config I can't ping the remote host

Unanswered Question
Apr 24th, 2010

Hi

I have set up a site-to-site VPN. The local network is 192.168.48.0 with a public address on the 877w...

The other site has a Netgear FS338. Its local network is 192.168.100.0 with a public address.

My problem is that I have the 877w online and can ping the other end's public address, but not the remote hosts at the far end of the other network.



Here is the actual config. I changed only the public address, username and password...

Router#sh run
Building configuration...

Current configuration : 4980 bytes
!
! Last configuration change at 14:38:54 PCTime Sat Apr 24 2010 by ccna23
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1704409952
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1704409952
revocation-check none
rsakeypair TP-self-signed-1704409952
!
!
crypto pki certificate chain TP-self-signed-1704409952
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101  04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D  43657274
69666963 6174652D 31373034 34303939 3532301E 170D3032 30333032  30343138
34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504  03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31  37303434
30393935 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030  81890281
8100B278 8726B494 0E1EFEDF 6277B8F0 26322B9A C5E725CE 4BA4F15D  24CFD106
95317141 E52E9A02 131F5931 7E40E3B0 B13E62F5 3626EE69 7610D959  4CFF8FAD
BFC90810 E6673275 36C3B158 88271FEE 1C0A3201 42A74B48 B6C8E1C8  0570D2AE
53646B5D 8360EE33 0C8AD3B1 50E4D59A 51BBE347 0F32DAD8 567D99F8  97B1009D
575B0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF  30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014  285840B2
B99D3776 439837BD 7D4317C7 543D0000 301D0603 551D0E04 16041428  5840B2B9
9D377643 9837BD7D 4317C754 3D000030 0D06092A 864886F7 0D010104  05000381
81009F66 47479F67 EFD044AD 578693F6 EA4543AB 1E6D278A FA263A78  1C0625BB
354E02C9 17586558 59DDB57C 0D8E0495 549C63AD 68E472EC 9C447342  39DD0037
52CEA8C3 37A41BFE 3CEE8A8D 5A7C0A21 1B723EF5 38877317 AC647EA7  9A55B35F
2724F940 E91AC7F9 971E148F 63A508AF B5278E13 A84DA714 044E70D3  B1257A86 086F
quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.47.1 192.168.47.99
ip dhcp excluded-address 192.168.47.151 192.168.47.254
ip dhcp excluded-address 192.168.48.151 192.168.48.254
ip dhcp excluded-address 192.168.48.1 192.168.48.99
!
ip dhcp pool ccp-pool1
network 192.168.48.0 255.255.255.0
default-router 192.168.48.1
dns-server 194.75.33.166 194.75.33.166
!
!
ip name-server 194.75.33.166
ip name-server 194.75.33.166
!
!
!
username ccna23 privilege 15 secret 5 $1$h3P5$9INCksY0V7njBqndDZaSX.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key tgh100wig8 address 194.75.33.5
!
crypto ipsec security-association lifetime seconds 57600
!
crypto ipsec transform-set international esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.75.33.5
set peer 194.75.33.5
set transform-set international
match address 101
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback1
ip address 192.168.48.10 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.48.1 255.255.255.0
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
ip address 194.75.45.211 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ccna23
ppp chap password 0 ccna23
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.100.0 255.255.255.0 195.72.33.5
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 100 remark CCP_ACL Category=18
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.48.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
alias exec s sh ip int brief
alias exec C copy r s
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Federico Coto F... Sat, 04/24/2010 - 09:12

Hi,

You seem to have the VPN configuration in place on the Cisco router.

Try to PING an available IP on the remote site from the 877w like this:

ping 192.168.100.x source 192.168.48.1

Check if that brings up the tunnel with the commands:

sh cry isa sa

sh cry ips sa

If you don't get a reply, you can enable the debugs to see what's happening:

debug cry isa

debug cry ips

I notice that you have a loopback belonging to the 192.168.48.x/24 networks as well, is this for any particular reason?

CSCO11177557 Sat, 04/24/2010 - 09:43

Hi

Thanks for the reply. Here is the outcome. Do you think it has to do with NAT or the CLI, or because VLAN1 shows it is down?

Router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

Router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  up                    up
Dialer0                    194.72.45.211   YES TFTP   up                    up
Dot11Radio0                unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    down
Loopback1                  192.168.48.10   YES manual up                    up
NVI0                       194.72.45.211   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Vlan1                      192.168.48.1    YES TFTP   administratively down down


Router#sh int vlan1
Vlan1 is administratively down, line protocol is down
  Hardware is EtherSVI, address is 0064.400f.901b (bia 0064.400f.901b)
  Internet address is 192.168.48.1/24
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 1d00h, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     117855 packets input, 10835039 bytes, 0 no buffer
     Received 1043 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     178127 packets output, 239073822 bytes, 0 underruns
     0 output errors, 2 interface resets
     418 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Router#sh int vlan1 summary

*: interface is up
IHQ: pkts in input hold queue     IQD: pkts dropped from input queue
OHQ: pkts in output hold queue    OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec)          RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec)          TXPS: tx rate (pkts/sec)
TRTL: throttle count

  Interface              IHQ   IQD  OHQ   OQD  RXBS RXPS  TXBS TXPS TRTL
------------------------------------------------------------------------
  Vlan1                    0     0    0     0     0    0     0    0    0

Router#sh int vlan1 status
Router#ping 192.168.100.223 source 192.168.48.1

% Invalid source address- IP address not on any of our up interfaces
Router#

I created the loopback address for testing only, when I was on the LAN.

Federico Coto F... Sat, 04/24/2010 - 09:48

I did not notice that from the original configuration.

VLAN 1 needs to be up in order for the tunnel to be established.

Try it and let us know.

Federico.

CSCO11177557 Sat, 04/24/2010 - 10:08

Thanks for your help. I have issued no sh on vlan1 but I notice the protocol is down!!! Also, when I ping the other end as you said, I get no reply :-(

Router#s
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  up                    up
Dialer0                    194.72.45.211   YES TFTP   up                    up
Dot11Radio0                unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    down
Loopback1                  192.168.48.10   YES manual administratively down down
NVI0                       194.72.45.211   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Vlan1                      192.168.48.1    YES TFTP   administratively down down

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int vlan1
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#exit
Router#s
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  up                    up
Dialer0                    194.72.45.211   YES TFTP   up                    up
Dot11Radio0                unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    down
Loopback1                  192.168.48.10   YES manual administratively down down
NVI0                       194.72.45.211   YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    up
Vlan1                      192.168.48.1    YES TFTP   up                    down

Router#ping 192.168.100.x source 192.168.48.x

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.x, timeout is 2 seconds:
Packet sent with a source address of 192.168.48.x
.....
Success rate is 0 percent (0/5)
Router#

Federico Coto F... Sat, 04/24/2010 - 10:14

You have turned VLAN1 interface up, but the protocol is still down.

This means that VLAN1 senses a physical connection, but no Layer 2 protocol is being established correctly.

What do you have connected to VLAN1?

What physical interface on the router is part of VLAN1 and is up/up and has a working device connected to it?

This means that you should be able to PING devices on the 192.168.48.0/24 (inside LAN of the router) from the router itself, before being able to establish the tunnel to the remote site.

Federico.

CSCO11177557 Sat, 04/24/2010 - 10:23

Hi

Yes, I can ping inside the LAN, no problems. I had a PC connected directly with a dynamic IP for my initial configuration; right now that PC is off, or shut down. Also, I am sure that if I add more clients I can ping them too.

I am telneting from home to the router 877w.

My problem is that it can ping the other remote router's PUBLIC address but not hosts in the other LAN, 192.168.100.x.

Federico Coto F... Sat, 04/24/2010 - 10:30

Ok, but to bring the VPN tunnel up, traffic needs to flow between 192.168.48.x and 192.168.100.x

This means there's no way to establish the tunnel until you get VLAN1 up/up, because that's where 192.168.48.x resides.

If you want to test from the loopback (which has a 192.168.48.x address as well) that might be a test (since the loopbacks are always up).

Try adding the ip nat inside command to the loopback.

Federico.

CSCO11177557 Sat, 04/24/2010 - 10:48

Hi

Still no luck... I really have no idea what is wrong. It has become a nightmare.

thanks once again

Federico Coto F... Sat, 04/24/2010 - 11:00

Do the following:

Check which of the switchports on the router belong to VLAN1 (Fast0/1/2/3)

Check that the FastEthernet port where you have a device on the 192.168.48.x subnet connected is part of VLAN 1 and that the interface is up/up.

If this is the case, the interface VLAN1 should be up/up as well and you can bring up the tunnel.

In other words,

While you have the interface VLAN1 and the Fast interface protocol down, you can't bring up the tunnel.

Federico.

CSCO11177557 Sat, 04/24/2010 - 11:04

Hi ;

Thanks..

I will do that . on monday when i am near the router.. i will keep you posted.

have nice w/end

regards,

Federico Coto F... Sat, 04/24/2010 - 11:10

sh cry isa sa -->  will show the status of phase 1  (should be active or QM_IDLE)

sh cry ips sa --> will show the status of phase 2 (should see packets encrypted/decrypted)

Hope it helps.

Federico.

CSCO11177557 Sat, 04/24/2010 - 11:23

Thanks. This is the output of those two commands.

Router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.72.33.5     195.72.45.211   QM_IDLE           2008    0 ACTIVE

IPv6 Crypto ISAKMP SA


===================================================

Router#sh cry ips sa

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 195.72.45.211

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.48.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer 194.72.33.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
    #pkts decaps: 361, #pkts decrypt: 361, #pkts verify: 361
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 194.72.45.211, remote crypto endpt.: 194.72.33.5
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x2246025(35938341)

     inbound esp sas:
      spi: 0x2111A9F3(554805747)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Motorola SEC 1.0:5, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4556050/52688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2246025(35938341)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Motorola SEC 1.0:6, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4556049/52688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: SDM_CMAP_1, local addr 195.72.45.211

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.48.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer 194.72.33.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
    #pkts decaps: 361, #pkts decrypt: 361, #pkts verify: 361
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 194.72.45.211, remote crypto endpt.: 194.72.33.5
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x2246025(35938341)

     inbound esp sas:
      spi: 0x2111A9F3(554805747)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Motorola SEC 1.0:5, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4556050/52688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2246025(35938341)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Motorola SEC 1.0:6, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4556049/52688)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Federico Coto F... Sat, 04/24/2010 - 15:18

Traffic shows flowing fine through the tunnel between the LAN networks.

What exactly can you not reach?

Federico.
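The reading Federico gives the two outputs above (phase 1 in QM_IDLE/ACTIVE, packets being encapsulated and decapsulated in both directions) can be automated. The following is an added example, not code from the thread or from Cisco: it parses the `sh cry isa sa` and `sh cry ips sa` output pasted above (trimmed to the fields it reads) and turns the counters into the diagnosis a practitioner wants, including the asymmetric cases (encaps only, decaps only) that the thread does not show. The state names and interpretations are the standard IOS ones; the hint text is the author's.

```python
import re

# Sample outputs copied from the two commands posted above (fields the parser
# does not read were trimmed); they are the thread's own data, not constructed.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
195.72.33.5     195.72.45.211   QM_IDLE           2008    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA = """\
interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 195.72.45.211

   local  ident (addr/mask/prot/port): (192.168.48.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   current_peer 194.72.33.5 port 500
    #pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
    #pkts decaps: 361, #pkts decrypt: 361, #pkts verify: 361
    #send errors 1, #recv errors 0

     inbound esp sas:
      spi: 0x2111A9F3(554805747)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x2246025(35938341)
        Status: ACTIVE
"""

# dst src state conn-id slot status  (the header line has no numeric conn-id, so it is skipped)
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.M)


def parse_isakmp_sa(text):
    """One dict per IPv4 ISAKMP SA row of 'show crypto isakmp sa'."""
    ipv4_section = text.split("IPv6 Crypto ISAKMP SA")[0]
    return [
        {"dst": dst, "src": src, "state": state, "conn_id": int(conn), "status": status}
        for dst, src, state, conn, _slot, status in ISAKMP_ROW.findall(ipv4_section)
    ]


def parse_ipsec_sa(text):
    """One dict per 'interface:' block of 'show crypto ipsec sa'."""
    blocks = []
    for chunk in re.split(r"^interface: ", text, flags=re.M)[1:]:
        def num(pattern):
            m = re.search(pattern, chunk)
            return int(m.group(1)) if m else 0

        def ident(kind):
            m = re.search(kind + r"\s+ident \(addr/mask/prot/port\): \(([^)]*)\)", chunk)
            return m.group(1) if m else None

        peer = re.search(r"current_peer (\S+)", chunk)
        blocks.append({
            "interface": chunk.split("\n", 1)[0].strip(),
            "local": ident("local"),
            "remote": ident("remote"),
            "peer": peer.group(1) if peer else None,
            "encaps": num(r"#pkts encaps: (\d+)"),
            "decaps": num(r"#pkts decaps: (\d+)"),
            "send_errors": num(r"#send errors (\d+)"),
            "active_sas": len(re.findall(r"Status: ACTIVE", chunk)),  # inbound + outbound ESP
        })
    return blocks


def assess(isakmp_rows, ipsec_blocks):
    """Reduce both outputs to (phase1_up, findings) the way a troubleshooter reads them."""
    findings = []
    phase1 = any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in isakmp_rows)
    if phase1:
        findings.append("phase 1 up (QM_IDLE/ACTIVE)")
    else:
        states = ", ".join(r["state"] for r in isakmp_rows) or "no SA"
        findings.append(f"phase 1 down ({states}): check pre-shared key, policy match, peer reachability")
    for b in ipsec_blocks:
        where = f"{b['interface']} {b['local']} -> {b['remote']} peer {b['peer']}"
        if b["active_sas"] == 0:
            findings.append(f"{where}: no active ESP SA, phase 2 never completed")
            continue
        if b["encaps"] and b["decaps"]:
            verdict = "traffic flows both ways"
        elif b["encaps"]:
            verdict = "sending only: the remote side is not returning traffic (its crypto ACL or routing)"
        elif b["decaps"]:
            verdict = "receiving only: local traffic never enters the tunnel (NAT exemption or routing)"
        else:
            verdict = "SA up but idle: nothing has matched the crypto ACL yet"
        findings.append(f"{where}: encaps={b['encaps']} decaps={b['decaps']}, {verdict}")
        if b["send_errors"]:
            findings.append(f"{b['interface']}: {b['send_errors']} send error(s)")
    return phase1, findings


if __name__ == "__main__":
    for line in assess(parse_isakmp_sa(ISAKMP_SA), parse_ipsec_sa(IPSEC_SA))[1]:
        print(line)
```

On the thread's output this reports phase 1 up and "traffic flows both ways" for the Dialer0 block, which is Federico's conclusion; the interesting cases in practice are the two one-sided counters, since they tell you which end to look at before enabling `debug cry ips`.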

Jennifer Halim Sat, 04/24/2010 - 21:36

This route statement does not seem to be correct:

ip route 192.168.100.0 255.255.255.0 195.72.33.5

Please remove that route and see if you can ping.
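Jennifer's observation is the kind of thing that is easy to miss by eye in a 5 KB config: the static route for the remote LAN points at 195.72.33.5, while the crypto map peer and the pre-shared key are for 194.75.33.5, and the default route already sends everything out Dialer0 where the crypto map sits. The following is an added example, not code from the thread or from Cisco: a small linter over a trimmed copy of the running config posted at the top of the thread. It checks the three things that most often break a crypto-map site-to-site tunnel: a peer without a matching `crypto isakmp key`, a NAT ACL that does not exempt the protected subnet pair (here ACL 100 does, because the deny precedes the permit), and a static route for a protected subnet whose next hop is neither a crypto peer nor a crypto-map interface. The function and finding names are the author's.

```python
import ipaddress
import re

# Trimmed copy of the running config posted at the top of the thread; only the
# crypto, NAT and routing lines the checks read are kept (the thread's data, not constructed).
CONFIG = """\
crypto isakmp key tgh100wig8 address 194.75.33.5
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.75.33.5
 match address 101
interface Dialer0
 ip nat outside
 crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.100.0 255.255.255.0 195.72.33.5
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 deny   ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.48.0 0.0.0.255 any
access-list 101 permit ip 192.168.48.0 0.0.0.255 192.168.100.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_net(addr, wildcard):
    """IOS address/wildcard pair -> network (an ACL wildcard is the inverted subnet mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl_line(line):
    """'access-list N permit|deny ip SRC DST' -> (N, action, src_net, dst_net); None for other lines."""
    m = re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.*)", line)
    if not m:
        return None
    toks, nets = m.group(3).split(), []
    while toks:
        t = toks.pop(0)
        if t == "any":
            nets.append(ANY)
        elif t == "host":
            nets.append(ipaddress.ip_network(toks.pop(0) + "/32"))
        else:
            nets.append(wildcard_to_net(t, toks.pop(0)))
    return int(m.group(1)), m.group(2), nets[0], nets[1]


def parse_config(text):
    """Pull peers, PSK addresses, crypto/NAT ACLs, crypto-map interfaces and static routes."""
    cfg = {"peers": set(), "keys": set(), "crypto_acl": None, "crypto_ifs": set(),
           "routes": [], "acls": {}, "route_maps": {}}
    nat_map = current_map = current_if = None
    for raw in text.splitlines():
        s = raw.strip()
        if (m := re.match(r"set peer (\S+)", s)):
            cfg["peers"].add(m.group(1))
        elif (m := re.match(r"crypto isakmp key \S+ address (\S+)", s)):
            cfg["keys"].add(m.group(1))
        elif (m := re.match(r"match address (\d+)", s)):          # inside the crypto map
            cfg["crypto_acl"] = int(m.group(1))
        elif (m := re.match(r"ip nat inside source route-map (\S+)", s)):
            nat_map = m.group(1)
        elif (m := re.match(r"route-map (\S+) permit", s)):
            current_map = m.group(1)
        elif (m := re.match(r"match ip address (\d+)", s)) and current_map:
            cfg["route_maps"][current_map] = int(m.group(1))
        elif (m := re.match(r"interface (\S+)", s)):
            current_if = m.group(1)
        elif re.fullmatch(r"crypto map \S+", s) and current_if:   # crypto map applied to an interface
            cfg["crypto_ifs"].add(current_if)
        elif (m := re.match(r"ip route (\S+) (\S+) (\S+)", s)):
            cfg["routes"].append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3)))
        elif (acl := parse_acl_line(s)):
            cfg["acls"].setdefault(acl[0], []).append(acl[1:])
    cfg["nat_acl"] = cfg["route_maps"].get(nat_map)
    return cfg


def lint(cfg):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []
    for p in sorted(cfg["peers"] - cfg["keys"]):
        findings.append(f"peer {p} has no 'crypto isakmp key ... address {p}'")
    crypto = cfg["acls"].get(cfg["crypto_acl"], [])
    protected = [(src, dst) for action, src, dst in crypto if action == "permit"]
    if not protected:
        findings.append("crypto ACL has no permit entry, nothing will be encrypted")
    nat = cfg["acls"].get(cfg["nat_acl"], [])
    for src, dst in protected:
        # first matching NAT ACL entry wins; it must be a deny, or the traffic is PATed first
        exempt = next((a == "deny" for a, ns, nd in nat if src.subnet_of(ns) and dst.subnet_of(nd)), True)
        if not exempt:
            findings.append(f"NAT ACL {cfg['nat_acl']} translates {src} -> {dst} before the crypto map sees it")
    for net, nh in cfg["routes"]:
        if any(net == dst for _, dst in protected) and nh not in cfg["peers"] | cfg["crypto_ifs"]:
            findings.append(f"static route {net} via {nh}: next hop is neither a crypto peer "
                            f"({', '.join(sorted(cfg['peers']))}) nor a crypto-map interface")
    return findings


if __name__ == "__main__":
    for f in lint(parse_config(CONFIG)):
        print(f)
```

On the posted config the only finding is the 192.168.100.0/24 route via 195.72.33.5, which is the line Jennifer asks to remove; with that line gone the config lints clean. Removing the deny from ACL 100 reproduces the other classic failure, where the LAN traffic is overloaded onto the Dialer0 address and no longer matches ACL 101.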
