Site-to-site VPN problem

Oct 3rd, 2010

Hi everyone. I have some problems with a site-to-site VPN. Here is the diagram. HQ is using a PIX 516E. Branches are using Cisco 1721 routers.


[Diagram: Dia.JPG]


Users at the branches always complain that they are unable to use resources at HQ1 through the VPN, but they are able to use resources at HQ2. So when I log in to a branch router, I notice the following:


TN_Butterworth#show cry isa sa
dst             src                           state                 conn-id slot status
218.208.70.xxx  210.187.78.xxx  QM_IDLE            221    0 ACTIVE
218.208.70.xxx  210.187.78.xxx  MM_NO_STATE  220    0 ACTIVE (deleted)
218.208.4.xxx    218.208.70.xxx QM_IDLE              1      0 ACTIVE                          <------ VPN to HQ2 seems fine. Branch IP is 218.208.70.xxx
210.187.78.xxx  218.208.70.xxx  QM_IDLE            222    0 ACTIVE
210.187.78.xxx  218.208.70.xxx  MM_NO_STATE  219    0 ACTIVE (deleted)


The VPN to HQ1 keeps dropping. I noticed on the Cisco web site that MM_NO_STATE means the configuration doesn't match at phase 1. But there is a QM_IDLE state also for the VPN to HQ1. What does this really mean? If the configuration mismatched, the VPN would be totally unable to establish, right? But why do some show as established and some not? And the connection ID keeps increasing, which means the SA keeps getting deleted and recreated again. Sometimes I can ping the HQ1 LAN and sometimes I can't. Why are there so many entries in the ISAKMP SA table in the branch router for the VPN to HQ1? Does this mean it is related to a hardware issue at the HQ1 PIX?
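One way to pick out the pattern the poster describes (several SAs for the same peer, MM_NO_STATE rows marked deleted, climbing conn-ids) from `show crypto isakmp sa` output, as an added example that is not from the thread: a small Python parser run over a constructed sample with placeholder addresses. The `local_ip` argument and the "flapping"/"stable" labels are my own assumptions, not Cisco terminology.

```python
import re
from collections import defaultdict

# Constructed sample of "show crypto isakmp sa" output, modelled on the post.
# Addresses are documentation placeholders, not the poster's real ones:
# 203.0.113.10 = branch, 198.51.100.20 = HQ1, 192.0.2.5 = HQ2.
SAMPLE = """\
dst             src             state         conn-id slot status
203.0.113.10    198.51.100.20   QM_IDLE       221     0    ACTIVE
203.0.113.10    198.51.100.20   MM_NO_STATE   220     0    ACTIVE (deleted)
192.0.2.5       203.0.113.10    QM_IDLE       1       0    ACTIVE
198.51.100.20   203.0.113.10    QM_IDLE       222     0    ACTIVE
198.51.100.20   203.0.113.10    MM_NO_STATE   219     0    ACTIVE (deleted)
"""

# One SA row: dst, src, state, conn-id, slot, status (+ optional "(deleted)").
LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(ACTIVE(?: \(deleted\))?)"
)

def parse_isakmp_sa(text):
    """Return one dict per SA row; the header line does not match (conn-id is not numeric)."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            dst, src, state, conn, slot, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn), "deleted": "deleted" in status})
    return rows

def assess_peers(rows, local_ip):
    """Group SAs by remote peer (whichever column is not local_ip) and label each.
    'flapping' = any non-QM_IDLE or deleted SA, or not exactly one live QM_IDLE SA;
    'stable'   = exactly one live QM_IDLE SA and nothing else."""
    by_peer = defaultdict(list)
    for r in rows:
        peer = r["src"] if r["dst"] == local_ip else r["dst"]
        by_peer[peer].append(r)
    verdict = {}
    for peer, sas in by_peer.items():
        live = [s for s in sas if s["state"] == "QM_IDLE" and not s["deleted"]]
        bad = [s for s in sas if s["state"] != "QM_IDLE" or s["deleted"]]
        verdict[peer] = "flapping" if bad or len(live) != 1 else "stable"
    return verdict

if __name__ == "__main__":
    print(assess_peers(parse_isakmp_sa(SAMPLE), "203.0.113.10"))
```

Run against the sample, HQ1 (two live QM_IDLE SAs plus two deleted MM_NO_STATE ones) is reported as flapping while HQ2 (a single QM_IDLE SA) is stable, which is the asymmetry the poster sees.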

Jitendriya Athavale Sun, 10/03/2010 - 22:24
Cisco Employee

The VPN with HQ1 is flapping.


Do you see this on all the spokes or only one spoke?


Also, do you have any other tunnel terminating on HQ1, other than these spokes, which is also flapping?


How are HQ1 and HQ2 different (hardware, software, configuration)?


If possible, paste the output of the config on both HQs.

NAGISWAREN2 Mon, 10/04/2010 - 04:29

Hi Jathaval,



I have about 7 branches with the same design as above. All branches have the same problem with the VPN to HQ1. I have attached the HQ1 PIX show run and the branch show run files. HQ1 and HQ2 are using the same device, a PIX 516E, with similar configuration. Both PIXes are sitting behind a load balancer, so their external IP is a private IP.

Jitendriya Athavale Mon, 10/04/2010 - 04:52
Cisco Employee

I assume this is the crypto map you are using:



crypto map Butterworth 1


I see 2 peers; which one is HQ1, is it the first one?


Also, I see you have a deny statement in the crypto ACL; I am not sure why you need that.


Now coming to the PIX:


crypto map outside_map 27 match address outside_cryptomap_27
crypto map outside_map 27 set peer 218.208.70.246
crypto map outside_map 27 set peer 219.95.115.102



What is the 218 IP? I see 219 is the router; just curious to understand your setup.

NAGISWAREN2 Tue, 10/05/2010 - 05:23

Hi,


In the branch router:


The two set peer IPs are because HQ1 has two ISPs. Once the branch router loses connection to peer 1, it will fail over to peer 2. The same goes for the PIX configuration. The deny statement is just nothing; it is equal to the implicit deny.

Jitendriya Athavale Tue, 10/05/2010 - 08:17
Cisco Employee

Please enable conditional debugs on both the HQ1 firewall and the router and paste them:



debug crypto condition peer ipv4

debug crypto isa sa

debug crypto ips sa


On the firewall, I am not sure if your code supports conditional debugs, but still try the debugs; the syntax might be a little different.
