VPN failed to re-establish after dyn-IP router restart

Unanswered Question
Jul 22nd, 2010

Hi,

I had configured a router-to-router VPN to work with dynamic IPs on both ends, and the VPN was able to establish.

The problem I encountered now is that my VPN failed to re-establish after my remote router restarted.

What is the problem and how can I resolve it?

From my understanding, only the local router (with set peer) will initiate the establishment when reloaded. In this case, how do I configure the peer to do a periodic peer check, or can I configure the remote gateway to initiate establishment as well, or is there a command to re-initiate establishment at the local router when the VPN fails?

Local router setup:

crypto map CMAP_1 ipsec-isakmp
 set peer hostname dynamic
 set transform-set ESP-AES-SHA
 match address 109

Remote router setup:

crypto dynamic-map DYNMAP_1
 set transform-set ESP-AES-SHA
 match address 109

crypto map CMAP_1 65535 ipsec-isakmp dynamic DYNMAP_1

Thank you.

Jitendriya Athavale Thu, 07/22/2010 - 22:04
User Badges: Cisco Employee

You can configure IKE keepalives.

This tracks the presence of the tunnel; if the peer becomes unresponsive, it tears it down.

However, there is no way that you can make a site-to-site tunnel come up on its own. What you can do is probably keep small traffic like ICMP or something like that going through the tunnel, so that it is brought up when it goes down.

For your current setup I think you will need to clear the crypto SAs. Try the following command on the local router:

clear cry sa (do it for this particular peer)

Also try:

clear cry sess (this is the best thing, but be careful: if you have other tunnels up, they might go down too if this is not done for a particular peer)

jazzlim2004 Sun, 07/25/2010 - 19:33

Thanks for your reply. I will try it out soon.

But there is another issue on my dyn-dyn VPN. (My configuration consists of 1 static map and 1 dynamic map.)

Although the VPN LED is lit and the command "show crypto isakmp & ipsec sa" indicates the VPN is connected, at SDM --> VPN --> Site-to-Site --> Status it indicates the VPN is down,

and I also cannot ping the remote router IP 192.168.2.1.

Hope you can advise me again.

Thank you

Local Router ACL:

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip host 192.168.1.1 host 192.168.2.1

access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip host 192.168.1.1 host 192.168.2.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Remote Router ACL:

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.1 host 192.168.1.1

access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip host 192.168.2.1 host 192.168.1.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

Jitendriya Athavale Sun, 07/25/2010 - 22:00
User Badges: Cisco Employee

What about the internal networks, are you able to ping them?

Please paste the following output for this tunnel:

show crypto ipsec sa peer

on both sides.

Also, just a small piece of advice: it is not suggested that we put a crypto ACL on the dynamic crypto map side; we have seen issues with that previously.

jazzlim2004 Sun, 07/25/2010 - 22:36

I am able to ping the local LAN IP.


Local Router:

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 110.00.00.182

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 110.00.00.74 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 110.00.00.182, remote crypto endpt.: 110.00.00.74
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0xC52B2F7B(3307941755)

     inbound esp sas:
      spi: 0x3BC55BFF(1002789887)
        transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4422111/3420)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC52B2F7B(3307941755)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4422106/3420)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

Remote Router:

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 110.00.00.74


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 110.00.00.182 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


     local crypto endpt.: 110.00.00.74, remote crypto endpt.: 110.00.00.182
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x3BC55BFF(1002789887)


     inbound esp sas:
      spi: 0xC52B2F7B(3307941755)
        transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4473981/3018)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x3BC55BFF(1002789887)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4473986/3018)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound ah sas:


Thank you

Jitendriya Athavale Sun, 07/25/2010 - 22:48
User Badges: Cisco Employee

Firstly, a small clarification.

What exactly do you mean by "I can ping the local LAN IP"? Are you referring to the network on your side?

Because from the outputs I understand that you are not able to ping anything across the VPN.

Now, secondly, we can see the packets reaching the remote router and getting decapsulated, but we don't see encaps, which means that either this router is not encrypting them or the return packets are not reaching the router.

Could you please apply this access-list on the LAN interface of the remote router:

ip access-list extended 199
 10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 20 permit ip any any

int
 ip access-group 199 in

Also, which side is the dynamic crypto map?

jazzlim2004 Sun, 07/25/2010 - 23:05

Hi,

I cannot ping across the VPN, only inside the LAN.

My dynamic map is at the remote router.

I have already added the commands as below, but I still cannot ping the remote side.


interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 199 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412


Extended IP access list 100
    10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (28 matches)
    20 permit ip host 192.168.2.1 host 192.168.1.1
    30 permit ip host 192.168.2.1 host 192.168.1.15
Extended IP access list 101
    10 deny ip host 192.168.2.1 host 192.168.1.15
    20 deny ip host 192.168.2.1 host 192.168.1.1
    30 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    40 permit ip 192.168.2.0 0.0.0.255 any
Extended IP access list 199
    10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    20 permit ip any any


In your previous reply, you mentioned that "it is not suggested that we put crypto acl on  the dynamic crypto map side"

So what is the advisable step to take?


Thank you

jazzlim2004 Mon, 07/26/2010 - 00:18

Building configuration...

Current configuration : 7188 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname simon
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$6yX1$YA/jiONxc3B.wYvwkH/RA.
!
no aaa new-model
clock timezone PCTime 8
!
crypto pki trustpoint TP-self-signed-2710428729
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2710428729
 revocation-check none
 rsakeypair TP-self-signed-2710428729
!
crypto pki certificate chain TP-self-signed-2710428729
 certificate self-signed 01
  **deleted**
      quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.19
ip dhcp excluded-address 192.168.2.221 192.168.2.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 203.211.152.66 210.193.2.66
   default-router 192.168.2.1
!
!
no ip bootp server
ip domain name simon.com
ip name-server 203.211.152.66
ip name-server 210.193.2.66
ip ddns update method sdm_ddns1
 HTTP
  add http://simon:[email protected]/nic/update?system=dyndns&hostname=[email protected]/nic/update?system=dyndns&hostname=&myip=
  remove http://simon:[email protected]/nic/update?system=dyndns&hostname=[email protected]/nic/update?system=dyndns&hostname=&myip=
 interval maximum 0 2 0 0
 interval minimum 0 0 15 0
!
username simon privilege 15 secret 5 $1$pElV$sGbX/fcWNbenegOA2mFUQ/
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-AES-SHA
 match address 100
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries
!
interface ATM0
 ip ddns update hostname simon.dyndns.org
 ip ddns update sdm_ddns1 host members.dyndns.org
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/100
  pppoe-client dial-pool-number 1
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip ddns update hostname simon.dyndns.org
 ip ddns update sdm_ddns1 host members.dyndns.org
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [email protected]
 ppp chap password 7 104A040B14434A59
 ppp pap sent-username [email protected] password 7 03005619175B791E
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.1 host 192.168.1.1
access-list 100 permit ip host 192.168.2.1 host 192.168.1.15
access-list 101 deny   ip host 192.168.2.1 host 192.168.1.15
access-list 101 deny   ip host 192.168.2.1 host 192.168.1.1
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!

Jitendriya Athavale Mon, 07/26/2010 - 05:17
User Badges: Cisco Employee

Now can you remove the ACL entry from the dynamic map and try to re-establish the tunnel by clearing the SAs:

clear crypto sa
clear crypto session

jazzlim2004 Tue, 08/03/2010 - 21:02

Hi,


I have already done what you suggested. What can we do now? Do I need to use TED?

Does Cisco have any configuration example for an IPsec VPN with dynamic-to-dynamic IP?


Thank you

Jitendriya Athavale Tue, 08/03/2010 - 23:52
User Badges: Cisco Employee

** You cannot have an IPsec VPN between a dynamic IP and a dynamic IP;
   you can have it only between static and dynamic.

** What do you mean by TED?

jazzlim2004 Wed, 08/04/2010 - 00:54

Tunnel Endpoint Discovery (TED)?

Can you advise how to write a ping command (to generate traffic) so that the VPN can stay connected all the time?

Thank you
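As an added example (not from the thread, and not Cisco's own sample), here are the two measures mentioned earlier in this discussion, IKE keepalives and a steady trickle of "interesting" traffic, written out as IOS configuration for the local (static-map, set peer) router, since that is the side that initiates. The addresses and ACL numbers are the ones posted in the thread; the `ip sla` syntax assumes IOS 12.4(4)T or later (older images use `ip sla monitor`).

```cisco
! --- IKE keepalives / Dead Peer Detection (local router) ---
! Send a keepalive every 10 s; if unanswered, retry every 3 s.
! "periodic" sends them regardless of traffic, so a peer that reloaded
! is detected and the stale SAs are torn down instead of lingering.
crypto isakmp keepalive 10 3 periodic
!
! --- Keep the tunnel busy with an IP SLA ICMP probe (local router) ---
! Source/destination are the host pair that crypto ACL 100 already
! classes as interesting ("permit ip host 192.168.1.1 host 192.168.2.1")
! and that NAT ACL 101 denies, so the echo is neither translated nor
! dropped: each probe re-triggers IKE/IPsec negotiation when the SAs are
! gone and keeps them from idling out while the peer is reachable.
ip sla 1
 icmp-echo 192.168.2.1 source-ip 192.168.1.1
 frequency 30
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Verification (not configuration): "show ip sla statistics 1" should
! show successes once the tunnel is up, and "show crypto isakmp sa"
! should list the peer as QM_IDLE.
```

The keepalive line is also worth applying on the dynamic-map side, so that it clears its own stale SA for the old peer address after the local router's IP changes.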

jazzlim2004 Wed, 08/04/2010 - 01:55

Hi,


So how about the problem with VPN establishment? Do you have any suggestions for me?


Thank you
