ASK THE EXPERT- TROUBLESHOOTING IPSEC ON VPN 3000 CONCENTRATORS

Dec 2nd, 2002
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Troubleshooting IPsec on VPN 3000 Concentrators with Cisco expert Jazib Frahim. Jazib belongs to the VPN Solutions Team in Research Triangle Park, North Carolina, where he acts as the Team Lead for his theatre. He joined Cisco Systems in 1999 as an engineer in the Technical Assistance Center (TAC). Feel free to post any questions relating to troubleshooting IPsec on VPN 3000 Concentrators. Remember to use the rating system to let Jazib know if you've received an adequate response.

Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 13. Visit this forum often to view responses to your questions and the questions of other community members.


kdurrett Mon, 12/02/2002 - 11:40

Jazib,

Hi, just following up with you. I'm looking for documentation on the errors (event classes) from monitoring for the 3000. I thought that with 3.6 it was going to be on CCO after a couple of weeks? Any new status, or can you send a link?


Kurtis Durrett

jfrahim (Cisco Employee) Tue, 12/03/2002 - 13:15

Hey Kurtis,

Nice to hear back from you. I had a discussion with the Engineering Development group and according to them, it is still in the works. I'll follow up with the DE group again on it and let you know.

Jazib

jfrahim (Cisco Employee) Tue, 12/03/2002 - 14:23

Hi Kurtis,

Just got an answer from the development team. It seems like they are shooting for early next year.

Hope it helps

Jazib

mmedwid Mon, 12/02/2002 - 12:14

I am also interested in a common error explanation reference. One we're dealing with lately is "session reset by peer" messages seen at the client PC. What are common reasons for seeing this?

jfrahim (Cisco Employee) Tue, 12/03/2002 - 13:48

Hi,

If you are seeing "session reset by peer", it means the concentrator disconnected your session for some reason. A few important ones are:

1) the client hit the Max-Connect timeout

2) the client hit the idle timeout

3) the session was administratively disconnected by the concentrator

4) the concentrator did not receive the keepalives

Concentrator logs will give a better idea of why it happened.

Hope that helps

Jazib

mmedwid Tue, 12/03/2002 - 14:28

Jazib,

Is there a way to make the keep-alive process more forgiving to poor environments? For example, say you have some folks coming to your concentrator from India, which is renowned for its congested pipes out of the country. Might you be able to accommodate those users coming from congested or high-latency environments by adjusting a parameter on the CVPN?


Thanks.


Michael

jfrahim (Cisco Employee) Wed, 12/04/2002 - 05:31

Hi Michael,

For the users who have slow Internet connections, what you can do is create a new group and disable "IKE Keepalive" under the IPSec tab. This will allow the users to remain connected even if IKE keepalives are getting lost.

Hope that helps

Thanks

Jazib

mmedwid Wed, 12/04/2002 - 13:37

That sounds like a good suggestion. What is the trade off in turning off the keepalives?

mmedwid Wed, 12/04/2002 - 17:13

Say, one question related to that: if you have a PIX 506E connected to a CVPN concentrator, is there anything you need to do on the PIX side so it does not do IKE keepalives?

peterhw Mon, 12/02/2002 - 17:51

Hi:

I have 100 VPN clients connecting to my Concentrator 3000 from around the world. Some of the users from certain areas complained that they couldn't bring the IPsec tunnel up, with the error message "peer response timeout". How to fix it?

jfrahim (Cisco Employee) Tue, 12/03/2002 - 13:52

Hi,

It seems like the client didn't get a proper response from the concentrator in time, so it timed out the connection. If you enable "log viewer" on the client and set the filter to High for the different classes, you will see what is happening. If your client is timing out the connection, you will see a lot of retransmissions in the logs.

Hope that gives you an idea of what's going on

Jazib

kdurrett Tue, 12/03/2002 - 08:05

You have no options here on the concentrator. If you have already tried setting the peer to the HSRP address, then this probably isn't going to work. As you have already found out, using the same access-list as interesting traffic on the concentrator with 2 separate L2L connections won't work. There isn't much you can do on the router side either. If you replace the 3000 with a router, then you can do multiple set peer x.x.x.x with one crypto map, which would work for your scenario.


Kurtis Durrett

eblizard Tue, 12/03/2002 - 08:14

Kurtis, I am a little puzzled by setting a local or non-public address as a peer address. Is that what you mean by setting the peer to the HSRP address? The HSRP address we use is a private address because we do not have a public address that could be shared by the separate circuits. I have also looked at some things on the Cisco site but am confused by how they talk about using loopback addresses as local addresses for peer addresses. See below:

    If you use a local-address for that crypto map set, it has multiple effects:

    Only one IPSec security association database will be established and shared for traffic through both interfaces.

    The IP address of the specified interface will be used as the local address for IPSec (and IKE) traffic originating from or destined to that interface.

    One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.

I am not sure how the above would work. Could the 3005 see a loopback interface?





kdurrett Tue, 12/03/2002 - 09:33

I assumed you were running HSRP on the outside as well. My mistake. Using the loopback also assumes that you have one router with 2 pipes and not 2 routers with a separate pipe on each. I don't think that this is possible with your setup. In order for this to work you will need to have a single IP address for termination, which is where the loopback comes into place. Even if you run HSRP on the outside interfaces I don't think you can use the IP address for a loopback on both routers. Maybe if you set up the loopbacks with HSRP. I'm not able to test that out for you; maybe you could give the results. Didn't realize I was posting in Jazib's forum; maybe he will add some further insight.


Kurtis

eblizard Tue, 12/03/2002 - 10:05

You're right, unfortunately HSRP is only running on the inside. Our goal is automated IPSec failover, and we have the capability to put the two pipes on the same router and have the other router on site but off the network for hardware redundancy. We have one location now with the two-pipes-in-one-router setup and it also has the same negative result.

I am not sure how the remote router loopback works with the 3005. If I enter a crypto map local address loopback 0 and give loopback 0 a private IP (again, the two pipes have unique public addresses) on the router, how will the 3005 associate the SA with the remote router if the peer address is private? Am I understanding this process correctly?

kdurrett Tue, 12/03/2002 - 13:40

The loopback will have to be a public address in order for that to work, as it won't work with a private one. The 3005 will work to the router only in that condition. So your understanding is correct that it won't work that way. Personally, I think you aren't using the right equipment for what you're trying to do. You would be better off doing GRE over IPSEC router to router. This will satisfy the load balancing you are trying to do on your routers. Just an idea.


Kurtis

jfrahim (Cisco Employee) Tue, 12/03/2002 - 14:16

Hi Eblizard,

As Kurtis mentioned, there is not a good way to get what you are looking for.

The only good option that I could think of is to have a Cisco router (rather than a concentrator) at the enterprise site.

By doing that, you have 2 options:

1) Either configure GRE over IPSec between your Enterprise router and multiple spoke routers. The good thing about this option is that all the routing updates will be sent between the sites dynamically, and thus your enterprise router can fail over to the other router fairly quickly.

2) or configure just native IPSec between your Enterprise router and your spoke routers, and specify multiple set peer statements at the enterprise site for the backup connection.

Sorry, there is no good method to achieve redundancy if you mix IOS routers and VPN concentrators.

Hope that helps

Jazib

eblizard Wed, 12/04/2002 - 06:24

Thanks Jazib, that gives me something to think about. Having another device (IOS router or PIX) to terminate the backup sessions at the Enterprise site may be what I am looking for because it will add another element of redundancy which is key.


jfrahim (Cisco Employee) Wed, 12/04/2002 - 07:06

Hi,

I think using an IOS router would be a better choice than a PIX firewall. If you want to go for the GRE over IPSec model, the PIX does not have this functionality.

With the PIX FW, you can, however, use multiple set peer statements for redundancy.

Hope that helps

Jazib

eblizard Tue, 12/03/2002 - 08:14

Scenario:

3005 Concentrator at the enterprise location, and a cookie-cutter template for remote sites that use 1720 and 2610 IOS routers for IPSec LAN2LAN connections to the enterprise location. Each remote location uses two IOS routers, each using a unique ISP T1 circuit and public address, but each uses HSRP to share a common Ethernet interface as a gateway for the local network traffic.


On the 3005 I have to configure primary and backup IPSec LAN2LAN sessions for each location, because the two remote IOS routers at each location cannot share a common public IP for the peer address, and the Concentrator (to my knowledge) will not allow more than one peer address without setting up the session as though the peer address were dynamic.


Because I am using the two tunnels for redundancy, they share the same address list information for encrypting traffic for the tunnel. On the IOS router side I have tried using a lower priority number for the isakmp policy and crypto map statements that match the second (backup) LAN2LAN 3005 tunnel, and using different lifetime settings, so that if the first LAN2LAN session is available it will negotiate the primary LAN2LAN session if the peer responds. IKE keepalives are enabled on both ends.


My issue is that because the two LAN2LAN tunnels to the same site share the same local network address range, there does not appear to be a way to control how the 3005 chooses which remote peer to contact to initiate a session from the enterprise side of the WAN. If the primary peer at address 208.x.x.x does not respond for LAN addresses 10.56.x.x, the 3005 does not try the other, secondary session, which also encrypts traffic to network 10.56.x.x for LAN traffic to peer 63.x.x.x. The remote side, however, is able to bring up the backup or secondary LAN2LAN session from their side, but because we cannot initiate things under these circumstances from the enterprise side, this scenario does not fully meet our needs.


banlan.chen Tue, 12/03/2002 - 11:31

Hi,

Is it possible to set up a LAN-to-LAN tunnel between two private networks which have the same IP subnet? If possible, please tell me how I can configure the VPN equipment. Thanks.


Banlan Chen

gjstem Tue, 12/03/2002 - 15:18

Jazib,

I have a question with regards to running IPsec utilizing Cisco IOS. I have been working on a Cisco IOS VPN network that is running IPsec with GRE tunnels and NAT between sites. Split tunneling has been enabled by using NAT to translate private traffic before it is routed to the Internet. Intranet (VPN) traffic is of course encrypted and routed via the GRE tunnels to the remote sites. I was recently analyzing the NAT tables and came across entries with both private source and destination addresses. RFC 1918 addresses are being used throughout the network for internal addressing. This tells me that VPN traffic is also being NATed before it is encrypted. This should not be the case; public Internet traffic should be the only traffic that is NATed. VPN traffic should not be NATed but rather encapsulated with a GRE header to make it routable on the Internet to the other endpoint of the tunnel. I'm wondering if this is the correct behavior?

With this particular setup, is it necessary to apply the appropriate deny access-list entry to the NAT access-list to stop private traffic from being NATed? I was under the impression that a deny NAT statement should only be needed if running tunnel-mode IPsec and NAT only. My logic assumed that the GRE interface would break the NAT process because the ip nat inside and outside are applied only to the Ethernet and serial interfaces respectively, and not to the tunnel interface. If tunnel-mode IPsec and NAT only were being used, it seems logical to apply the appropriate deny access-list statement to ensure only private (intranet) traffic is encrypted and not NATed, because all of the traffic is crossing the same interfaces.



Routers: 1720s
Code: 12.2(7c)

Information sources:

http://www.cisco.com/warp/public/707/ipsecgrenat.html
http://www.cisco.com/warp/public/707/overload_private.shtml


any assistance is appreciated,



Greg

jfrahim (Cisco Employee) Wed, 12/04/2002 - 05:41

Hi Greg,

If the traffic is destined over the GRE tunnel and you don't have the "ip nat inside/outside" command on the GRE tunnel itself, then your traffic should not be NATted. In "sh ip nat trans", it should show you inside local, inside global and outside global. If the traffic is destined to something on the other side of the tunnel, then you will see the remote private destination as outside global.

If you like, you can send the output to me at: jfrahim@cisco.com

Thanks

Jazib

edavidj Tue, 12/03/2002 - 15:57

I'm having a problem getting 3.5.3 clients updating to 3.6.2.b.

I go to configuration-system-client update-entries:

client type=windows
URL=http:///vpn/vpnclient.exe
Revisions=3.6 (Rel).


When clients connect and click on the "launch" button, they get a "this page cannot be displayed" message.

I must mention that I created my own customized executable using InstallShield and modified it to have our company logo as the background, as well as 4 default connections included. The file name now is vpnclient.exe. I have that file inside a share called vpn on an internal server.

Is there any special configuration that has to be done on the server where the updated client is?

On the URL box of the 3000, I tried different paths and changed permissions on the vpn share etc., but nothing seems to work.


Thanks


David

mwestern Tue, 12/03/2002 - 21:23

Hi Jazib,

I've been gradually setting up quite a number of Cisco 3000 concentrators with LAN-LAN connections, but I am having major trouble getting the routing to happen properly.


It seems that when I create LAN-LAN connections between any two sites, both sides can route properly, and I can verify this by looking at the routing table. I'm using Network AutoDiscovery on all routers.

If I try to route across two concentrators this doesn't work:

    SiteA ------------- SiteB ----------------------- SiteC
    10.199.1.0          10.1.50.0                     10.199.2.0
    255.255.255.0       255.255.248.0                 255.255.255.0

Site A can see Site B, Site B can see both, and Site C can see Site B.

It seems to me that RIP entries do not get passed across multiple concentrators.

I've played with the RIP entries on both the private and public interfaces in the hope that this will fix the problem.

I've also tried putting in reverse route injection and specifying the local and remote subnets as well, and this seems to get the routes across to the various places, but still doesn't work.

I might add that the above diagram is a simplified version of what we have. We've got between 25-40 3000 VPNs around the place.

I've also been trying to put something useful in the Network Lists (Configuration | Policy Management | Traffic Management | Network Lists) in the hope that this will also fix our problem, but I get the error:

Error adding entries to network list (Instance Error).

even if I use the Generate Local List button.

Hmm, I hope this is clear enough...

thanks and regards


mwestern@affairs.net.au



mwestern Tue, 12/03/2002 - 21:38

Oh, a couple more things I forgot to mention:

1. How does one troubleshoot incorrect routing?

a. Doing a traceroute from a machine gets all * for every Cisco that it passes through, and gets * for dropouts as well. This is very confusing.

b. The routing table on a Cisco gets a lot of RIP entries, but it's quite hard to tell where they've come from, except if you delete a LAN2LAN connection and watch them disappear (after a clear routes).

2. One LAN2LAN connection I've made to a VPN in France refuses to route. I delete the LAN-to-LAN and the RIP entries on either end disappear, and then I recreate it; it connects etc. etc. to Phase 2 (in the event log) but refuses to route.

3. I've noticed on some connections (Administration | Administer Sessions) there is more than one IPSec Session, with different subnets in them. One connection I've got, with a static route at the remote end (SiteC) out to a standard router, gets two entries: the SiteC range and also the SiteD range (SiteD is 10.199.8.0). So I would have thought that SiteA would have SiteB, C and D in its IPSec entries:

    SiteA ------------- SiteB ----------------------- SiteC -------------------------- SiteD (not VPN)
    10.199.1.0          10.1.50.0                     10.199.2.0                       10.199.8.0
    255.255.255.0       255.255.248.0                 255.255.255.0                    255.255.255.0

but it doesn't....

Anyway, sorry this last question is vague...

regards

mwestern@affairs.net.au



jfrahim (Cisco Employee) Wed, 12/04/2002 - 10:50

Hi,

1a) For the most part, the concentrator shows all the next-hop IP addresses past the IPSec tunnel. Does your traceroute die at the private interface of the concentrator?

1b) In the routing table, it should show you which concentrator is the next-hop IP address for a specific subnet. You don't have to clear the LAN-LAN tunnel.

2) When you are sending the packets over the tunnel, do you see any encrypts going up for that tunnel?

3) The IPSec SAs are only created when there is some interesting traffic to bring up the SA. If you don't see an SA, then there is a possibility that your concentrator never saw any interesting traffic to bring up the IPSec SA.

Hope that helps

Jazib

mwestern Wed, 12/04/2002 - 14:00

1a) Yes it does; it just drops the actual Cisco, which is fine with the other things to watch.

1b) Ah, this is most interesting; my routing table is nothing of the kind:

(edited) 203.x.x.1 is the gateway on the public address.

    0.0.0.0      0.0.0.0        203.x.x.1  2  Default  0   1
    10.1.0.0     255.255.248.0  203.x.x.1  2  RIP      23  2
    10.1.16.0    255.255.248.0  203.x.x.1  2  RIP      23  9
    10.1.24.0    255.255.248.0  203.x.x.1  2  RIP      23  9
    10.1.40.0    255.255.248.0  203.x.x.1  2  RIP      23  9
    10.1.64.0    255.255.248.0  0.0.0.0    1  Local    0   1
    10.1.88.0    255.255.248.0  203.x.x.1  2  RIP      4   2
    10.1.120.0   255.255.248.0  203.x.x.1  2  RIP      16  2
    10.1.128.0   255.255.248.0  203.x.x.1  2  RIP      23  9

I've been playing with the RIP settings on all these devices, and on our middle VPN (SiteB in the example) I've got RIP v1/v2 for both inbound and outbound on both the public and private IP.

I think the default is just inbound on the private, which baffles me: if all the VPNs have RIP only inbound, how does the RIP ever get out to the other VPNs?

What should they be for Site A, Site B, and Site C? All set to the default? Or Site B something different because it should be passing stuff through?

2) Good, that's something to watch for.

3) Ah, so an IKE up means the link is up; that's happening. But for some reason no interesting traffic is getting through. I've got two VPNs with this behaviour: one works when I've got RIP on both the public and private interface, and the other I'm struggling with because I can't get anything through. :)



jfrahim (Cisco Employee) Wed, 12/04/2002 - 09:22

Hi there,

If you are using Network Auto Discovery, which uses the RIP protocol to advertise/receive the network information: the VPN3K concentrator does not forward RIP updates learned from one tunnel to another, because of split horizon.

Configuring network lists can get you what you need, but you have to be careful so that you don't overlap the network lists applied to different tunnels.

Is there a requirement in your setup to pass all the traffic through the hub concentrator? Can you configure IPsec tunnels between the spokes using Network Auto-Discovery?

Jazib

mwestern Wed, 12/04/2002 - 14:22

OK, now this is getting interesting.

1) Split horizon? I must confess I've only read about this in passing. I'm a bit confused about this because I searched through all the 3000 VPN docs and there was nothing about split horizon. Am I right in guessing that split horizon is enabled and you don't have the option to change it? So we need to create these network lists... :)

2) I have a problem configuring the network list. Everything I try comes up with this error.

So I

i) select L2L: AutoDiscovery Local (Configuration | Policy Management | Traffic Management | Network Lists | Modify)

ii) press Generate Local List; it refreshes correctly with all the network lists as I would have expected.

iii) press Apply and I get:

An error has occurred while attempting to perform the operation.

Error adding entries to network list (Instance Error).

If I try other things manually I get nowhere as well.

On a side note, it'd be nice to see in products an exact error number or something that you can take to Cisco, punch into the web site, and have it give you an explanation. I searched for this problem and couldn't find anything.


3) We can create a connection between every VPN and every other VPN, but we don't control half the VPN network. We have a counterpart in the US who are complete idiots and are no help whatsoever. We are in charge of setting up Aus/Asia and some in Europe. Basically we have a triangle setup for our mail server, but the routing along that path is not the easiest.

    Japan   HongKong                          France   Italy
      |        |                                |        |
    Aus-----------------------------------------Europe (England)
      |__________________US____________________|
                         |
                        US01
                       / | \
                    US2 US3 US4

(nice triangle eh)

and all the smaller sites branch off from one of these three.

So I guess in short there is a requirement to shovel all traffic to the entire 10.0.0.0 range out to the nearest hub.

So in the diagram, if we want traffic to get from Japan to US2, it's gotta happen.

So at the moment we can't even get traffic from inside Japan to inside Hong Kong with this setup (obviously from Japan to Hong Kong it makes sense to have a tunnel straight there, and we do, but for testing I disconnect the tunnel and play with the routing).

But we don't want to have to create a tunnel from Japan to US2 because we don't have control of any US VPNs or routers (nor do we even know exactly what they are), but we want routing to follow the path and get there.


Thanks and regards

Matthew


PS I do appreciate the time you put in here....



mwestern Wed, 12/04/2002 - 14:49

OK, back again.

Re 2) I'll also add that I have a whole pile of L2L entries in the network lists, but they're all blank... should this be the case if using Network Auto Discovery?

I've just managed to create a new network list and this works fine, but when I edit any of the L2L entries I get this other error. I take it that's not the right thing to do.....

I'll keep playing

mwestern Wed, 12/04/2002 - 16:03

OK, back to this scenario:

SiteA ------------------------- SiteB ------------------------------------- SiteC

SiteB is also connected to a host of other sites in a hub arrangement.

SiteA 10.199.0.0/24
SiteC 10.199.1.0/24

I really am stuck here. No matter what I do I can't get SiteA to see SiteC.

My current bash is using network lists as suggested.

I've got the following network lists:

SiteA: SiteA - 10.199.0.0/0.0.0.255 (wildcard mask); SiteB - 10.0.0.0/0.255.255.255

SiteB: SiteA - 10.199.0.0/0.0.0.255 (wildcard mask); SiteB - 10.0.0.0/0.255.255.255 (I've also tried 10.1.64.0/0.0.7.255 like it should be); SiteC - 10.199.1.0/0.0.0.255

SiteC: SiteC - 10.199.1.0/0.0.0.255 (wildcard mask); SiteB - 10.0.0.0/0.255.255.255



At first I also tried adding manual routes on either side as well; tried every concoction of routes imaginable: direct, via SiteB's inside card, via SiteB's outside card, a router that exists inside SiteB that can see everything...

More ideas?

What is the *best* way (seems there is only one way) to get this happening?

thanks a pile

Matthew
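Jazib's caveat earlier in the thread, that the network lists applied to different tunnels must not overlap, can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread or from Cisco: it converts the concentrator's address/wildcard-mask notation into prefixes and reports overlaps for the three lists Matthew posted, plus the narrower 10.1.64.0/0.0.7.255 local list he also tried. The tunnel names ("to-SiteA" and so on) are assumed labels; the check only reports overlaps, it does not model how the concentrator resolves them.

```python
"""Overlap check for VPN 3000 network lists.

Added example, not code from the thread or from Cisco. The lists are the ones
posted for Site A, B and C, in the concentrator's address/wildcard-mask
notation; tunnel names are assumed labels. The check reports where a site's
local list overlaps one of its remote lists, or where remote lists on two
different tunnels overlap each other. It does not model how the concentrator
resolves such overlaps.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

Overlap = Tuple[str, str, str, str, str]  # (kind, list_a, net_a, list_b, net_b)


def wildcard_to_network(entry: str) -> ipaddress.IPv4Network:
    """'10.199.0.0/0.0.0.255' -> 10.199.0.0/24.

    A wildcard mask is the bitwise inverse of a subnet mask. Only contiguous
    masks (a run of 0s followed by 1s, i.e. 2**n - 1) make a valid prefix;
    anything else is rejected rather than silently misread.
    """
    addr, wild = entry.split("/")
    wild_int = int(ipaddress.IPv4Address(wild))
    if wild_int & (wild_int + 1):
        raise ValueError(f"non-contiguous wildcard mask in {entry!r}")
    prefix_len = 32 - wild_int.bit_length()
    return ipaddress.IPv4Network((addr, prefix_len), strict=False)


def find_overlaps(local: List[str], remotes: Dict[str, List[str]]) -> List[Overlap]:
    """Return every overlap between the local list and any remote list, and
    between the remote lists of any two different tunnels."""
    local_nets = [wildcard_to_network(e) for e in local]
    remote_nets = {name: [wildcard_to_network(e) for e in lst]
                   for name, lst in remotes.items()}
    found: List[Overlap] = []
    # Local list vs. each tunnel's remote list.
    for name, nets in remote_nets.items():
        for ln in local_nets:
            for rn in nets:
                if ln.overlaps(rn):
                    found.append(("local/remote", "local", str(ln), name, str(rn)))
    # Remote lists of different tunnels vs. each other.
    for (name_a, nets_a), (name_b, nets_b) in combinations(remote_nets.items(), 2):
        for x in nets_a:
            for y in nets_b:
                if x.overlaps(y):
                    found.append(("remote/remote", name_a, str(x), name_b, str(y)))
    return found


# Constructed from the lists quoted in the thread. "local" is the site's own
# list; "remotes" maps an (assumed) tunnel name to the remote list.
SITES: Dict[str, dict] = {
    "SiteA": {"local": ["10.199.0.0/0.0.0.255"],
              "remotes": {"to-SiteB": ["10.0.0.0/0.255.255.255"]}},
    "SiteB": {"local": ["10.0.0.0/0.255.255.255"],
              "remotes": {"to-SiteA": ["10.199.0.0/0.0.0.255"],
                          "to-SiteC": ["10.199.1.0/0.0.0.255"]}},
    "SiteC": {"local": ["10.199.1.0/0.0.0.255"],
              "remotes": {"to-SiteB": ["10.0.0.0/0.255.255.255"]}},
}
# The narrower Site B local list the poster also tried.
SITEB_NARROW_LOCAL = ["10.1.64.0/0.0.7.255"]


def check_all(sites: Dict[str, dict] = SITES) -> Dict[str, List[Overlap]]:
    return {name: find_overlaps(s["local"], s["remotes"]) for name, s in sites.items()}


if __name__ == "__main__":
    for site, found in check_all().items():
        print(f"{site}: {'no overlaps' if not found else ''}")
        for kind, la, na, lb, nb in found:
            print(f"  {kind}: {la} {na} overlaps {lb} {nb}")
    print("SiteB with 10.1.64.0/21 local:",
          find_overlaps(SITEB_NARROW_LOCAL, SITES["SiteB"]["remotes"]) or "no overlaps")
```

Run as a script it flags the 10.0.0.0/8 entry on every site: on Site B that /8 local list contains both remote /24s, and on Sites A and C the /8 remote list contains the site's own /24. With 10.1.64.0/21 as the Site B local list there is no overlap at all, which is consistent with the poster's remark that the /21 is "like it should be".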






jfrahim (Cisco Employee) Thu, 12/05/2002 - 19:04

Hi Matthew,

1) There is no option to disable split horizon on the concentrator.

2) Do you know how many routes you have in the concentrator's routing table? Because, if I recall it right, you cannot add more than 200 entries in the Network List.

3) For this, it is hard to tell without looking at the routing table, network list, and the network info on the remote and hub concentrators.

Is it possible for you to give me an example?

Jazib

mwestern Mon, 12/09/2002 - 15:26

1) OK

2) About 45. I've got nothing in the network list. I tried this option but it still didn't work.

3) Sure thing. My email is mwestern@affairs.net.au; I can give you access to the live systems if you like. Email me and perhaps we can sort this out off-list?

Or I can post here (drawing diagrams in this thing is useless :) ) but would need to change some things. Regards

Matthew


jfrahim (Cisco Employee) Thu, 12/12/2002 - 07:00

Hi Matthew,

Go ahead and send me the info at jfrahim@cisco.com. Let's take it offline, so that you can send me your topology and configs.

Jazib

jfrahim (Cisco Employee) Wed, 12/04/2002 - 07:02

Hi David,

If you are getting a "page cannot be displayed" message, then there are a couple of things that could be configured wrong:

1) either the URL that is passed down by the concentrator is wrong, or

2) the VPN client does not have connectivity to the server.

To find out what's going on, open up a web browser from an internal machine (any internal machine which can access the HTTP server), cut and paste the URL into the browser, and see if it launches the VPN client.

If it does, then the URL that you passed down is correct; otherwise you would need to fix the URL.

Hope that helps

Jazib

Nelson Rodrigues (Cisco Employee) Fri, 12/06/2002 - 22:52

David, the client update feature for the software VPN clients is to "notify" them that new software is available for them to load. They still must manually load the software on the client. Currently only the VPN 3002 HW clients are automatically upgraded.

Software Auto-Update for the software clients will be provided in a future release.


Nelson


mmedwid Wed, 12/04/2002 - 16:33

I notice that when you create a tunnel, in most cases a route is automatically generated for the route table you can view in the monitoring tab. But in a few instances I have had to add static routes to point the traffic to the next-hop router. Can you clarify the relationship between IPsec tunnel definitions and the route table?

jfrahim (Cisco Employee) Thu, 12/05/2002 - 19:07

Hi,

If you are using Reverse Route Injection, a static route will be added to the routing table by the concentrator for the remote subnet. Is that what you are seeing?

Thanks

Jazib

mmedwid Fri, 12/06/2002 - 08:38

Nope, we don't make use of Reverse Route Injection, although I would like to in the future. Here's an example. Sunnyvale is our hub and Tokyo is a stub network in our VPN LAN-to-LAN network. The Tokyo nets are defined in a network list called tokyo which contains only...

10.10.214.0/0.0.0.255
10.30.40.1/0.0.0.0

...and there is a LAN-to-LAN tunnel defined in system/tunneling/IPsec/LAN-to-LAN which makes use of that network list as Remote Network.

In this case I needed to add a static route for tokyo in system/ip routing/static routes: 10.10.214.0/24 -> (Internet Gateway router). This is what I needed to do to get this to work.

But in another case, Atlanta has a LAN-to-LAN tunnel which terminates on the same Sunnyvale concentrator. Its remote network is simply 172.19.0.0/16. There is no static route in the CVPN telling the CVPN to forward that traffic out to the Internet gateway. In fact there's no entry in the route table in Monitoring/Route Table for the network 172.19.0.0 (and no larger inclusive block). Yet somehow the CVPN figures out where the traffic should be sent, and I am able to route from Sunnyvale to Atlanta just as well as I can send from Sunnyvale to Tokyo.

The bottom line is that the process of setting up these routes in the CVPN seems inconsistent. Sometimes I appear to need to define static routes to get the traffic to go where I want it to go, and other times not.

Ha... as I'm typing this I am thinking I may have answered my own question. It may be the case that if your remote network is a sub-block of a network which normally routes inside, you need to define the route on your CVPN. For example, there is a route 10.0.0.0/8 which points inside on the CVPN. The address block for Tokyo, as I said, is 10.10.224.0/24, a block included in 10.0.0.0/8. Whereas 172.19.0.0/16 is totally different, so the CVPN doesn't get confused about where to send that traffic.









jfrahim (Cisco Employee) Fri, 12/06/2002 - 10:26

Hi there,

You nailed down the problem yourself. If you have a static route in your routing table and your remote subnets fall in that range, then you have to manually add the static route for those subnets yourself to route the packets properly.

Good catch

Jazib
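The rule Michael and Jazib settled on above (a remote subnet that falls inside a broader route pointing inside needs its own, more specific static route toward the Internet gateway, while a subnet covered only by the default route needs nothing) is longest-prefix matching. The Python below is an added example, not code from the thread or from Cisco: it builds a route table from the poster's description and runs the two Tokyo network-list entries and an Atlanta address through it, with and without the static routes. The next-hop addresses and host addresses are assumed placeholders, and the concentrator's own forwarding code is not reproduced; only the prefix lookup that decides which interface the cleartext packet leaves by.

```python
"""Longest-prefix-match walk-through for the Tokyo / Atlanta case.

Added example, not code from the thread or from Cisco. The table is
constructed from what the poster described: a 10.0.0.0/8 route pointing
inside, a default route to the Internet gateway, and a more specific
10.10.214.0/24 static route toward the gateway. Next-hop addresses are
assumed placeholders; the real ones are not on the page.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

INSIDE_ROUTER = "10.0.0.1"      # assumed: next hop for the inside 10.0.0.0/8
INTERNET_GW = "203.0.113.1"     # assumed: Internet gateway (RFC 5737 range)

# (prefix, next hop, interface the concentrator sends the packet out of)
Route = Tuple[ipaddress.IPv4Network, str, str]


def build_table(statics: List[str]) -> List[Route]:
    """Default route out the public side, 10/8 pointing inside, plus any
    site-specific static routes toward the Internet gateway."""
    table: List[Route] = [
        (ipaddress.IPv4Network("0.0.0.0/0"), INTERNET_GW, "public"),
        (ipaddress.IPv4Network("10.0.0.0/8"), INSIDE_ROUTER, "private"),
    ]
    for prefix in statics:
        table.append((ipaddress.IPv4Network(prefix), INTERNET_GW, "public"))
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: among routes covering dst, the longest mask wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def egress(table: List[Route], dst: str) -> str:
    """'public' means the packet heads toward the Internet gateway, the path
    on which the LAN-to-LAN tunnel applies; 'private' means it is handed to
    the inside router instead, which is what the poster saw for Tokyo."""
    route = lookup(table, dst)
    return route[2] if route else "unroutable"


# Destinations built from the thread: a host in the Tokyo /24, the second
# Tokyo network-list entry (10.30.40.1/0.0.0.0), and an Atlanta host.
PROBES: Dict[str, str] = {
    "tokyo-host": "10.10.214.10",     # assumed host inside 10.10.214.0/24
    "tokyo-/32": "10.30.40.1",
    "atlanta-host": "172.19.5.5",     # assumed host inside 172.19.0.0/16
}


def compare(statics: List[str]) -> Dict[str, str]:
    """Egress interface for each probe, given the extra static routes."""
    table = build_table(statics)
    return {name: egress(table, dst) for name, dst in PROBES.items()}


if __name__ == "__main__":
    cases = [
        ("no static routes", []),
        ("static for 10.10.214.0/24 only", ["10.10.214.0/24"]),
        ("statics for both Tokyo entries", ["10.10.214.0/24", "10.30.40.1/32"]),
    ]
    for label, statics in cases:
        print(f"{label}: {compare(statics)}")
```

Run as a script, the Atlanta probe goes out the public side in every case because nothing more specific than the default route covers 172.19.0.0/16, while the Tokyo probes go inside until a more specific route overrides the /8. Note that the second Tokyo entry, 10.30.40.1/32, sits under 10.0.0.0/8 exactly as 10.10.214.0/24 does, so by the same reasoning it needs a static route of its own (or a covering one) toward the gateway; the thread only mentions the /24.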

mwestern Sun, 12/08/2002 - 19:12

Jazib,

Not quite. Part of my question stated that I have a problem with my manual routes. Consider:

SiteA (10.1.0.1 / 203.1.150.15) ------------- SiteB (10.2.0.1 / 204.1.150.15) -------------- SiteC (10.3.0.1 / 205.1.150.15)

(external addresses fictitious)

How do I add the correct routes? I've tried adding the route:

1. to the inside card of SiteB (10.2.0.1)

2. to the outside card of either SiteC or SiteA

3. to a router inside SiteB (10.2.0.2)

You've also stated that the routing table should show which external Cisco it should go via, but all the learned routes via RIP show that the destination is via the external number as the router. Is this right or wrong?

So my major question is: what on earth should I be adding as the route?

Also, our US counterpart has a Cisco 3030. Do you know the differences between the 3005 and the 3030? We have all 3005s...


thanks

Matthew


jfrahim (Cisco Employee) Thu, 12/12/2002 - 07:11

Hi Matthew,

If you are using NAD, then your concentrator should show the remote concentrator as the originator of the route using RIP. Is that something that you are not seeing?

A 3005 has only 2 FE interfaces and all encryption is done in SW. A 3030 concentrator has 3 FE interfaces and a HW encryption module.

Let's discuss your routing problem offline. Can you send me an email at jfrahim@cisco.com and, if possible, attach a network topology with the network information for better understanding?

Thanks

Jazib

engel Wed, 12/04/2002 - 17:13
User Badges:

Hi Jazib,

Kindly assist for the following design:

Internet---VPN3000-----Cat3550----Internal LAN


1. At the Internet, there will be CustomerA remote users, CustomerB remote users, CustomerC remote users.

2. VPN3000 Private Interface and Cat3550 port1/1 interface will be in the native VLAN (VLAN1).

3. CustomerA Servers LAN will be in Private VLAN2, CustomerB Servers LAN will be in Private VLAN3,

CustomerC Servers LAN will be in Private VLAN4 (Customer A, B and C are connected to 3550 ports).

4. There will be access to the servers on the Private VLAN of each customer from their remote users or remote networks.


Question:

1. With the above design, can we say that the CustomerA, CustomerB, CustomerC LANs are logically separate,

and the traffic to each PVLAN is secured and there will be no leaking of traffic to the other PVLAN areas?


2. Does Cisco consider to implement 802.1q on the VPN3000 ?


Would greatly appreciate your help


Regards,

Engelhard M. Labiro

jfrahim Fri, 12/06/2002 - 07:27
User Badges:
  • Cisco Employee,

Hi Engelhard,

1) If the priv interface of your concentrator is in VLAN1 and cat3550's fa1/1 is also in VLAN1, then the concentrator would forward all traffic to the switch on vlan 1 (assuming that you have a tunnel default gateway defined and it is set to the ip address of the switch). It is up to the switch to properly route the packets to the correct VLANs.

2) Currently there are no plans to implement this

Hope that helps

Jazib

engel Wed, 12/04/2002 - 18:25
User Badges:

Hi Jazib,


Please kindly assist for the following questions regarding keepalive DPD implementation of VPN3000 series (Concentrator, 3002 Hw Client and VPN Software).

1. My finding of VPN3000 Concentrator keepalive DPD to a 3002 Hw Client is 5 minutes and it moves to aggressive mode with three keepalives every 5 seconds once the 3002 doesn't reply with DPD R-U-THERE-ACK. If the 3002 misses replying to those aggressive keepalives, the Concentrator will tear down the 3002's session. My question is why does the Concentrator have to wait as long as FIVE minutes to send its first DPD keepalive to the 3002 Hw Client ??


2. I am confused with the timing for a VPN3000 Concentrator decision when it will try to send a keepalive DPD to its remote peer. Some document says that

keepalive will be sent when there is a need to send some data to its VPN peer. My question is when does the Concentrator start its timer to send a keepalive DPD? What are the conditions, if any, under which the Concentrator will try to send a keepalive DPD? Does it send keepalives every 5 minutes or only when some conditions are met? Our several tests in the lab show that a Concentrator will take 5 minutes before it sends the first keepalive to its remote peer (a 3002 Hw client and a software remote client).


3. While Cisco routers have a command to configure the IKE keepalive timer, this feature is not available on the VPN3000 Concentrator and Hw Client (the VPN software does have a configurable keepalive). There is only a check box at the group to enable keepalive, but we can not define how often it should send to its peer. Does Cisco consider implementing a configurable keepalive timer on the VPN3000 ?


Would greatly appreciate your help.


Best Regards,

Engelhard M. Labiro

jfrahim Fri, 12/06/2002 - 10:09
User Badges:
  • Cisco Employee,

Hi Engel,

1) A concentrator may have thousands of users logged in. To more aggressively poll connected devices to see if they’re connected is very intensive.

2) In addition to sending a DPD check every 5 minutes, the Concentrator will enter worry mode if traffic is ever sent to a remote client and no data is received back within a few seconds.


3) According to the 3K product team, there are no imminent plans to make this timer configurable on the VPN 3K.


hope that is helpful

Jazib
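Taken together, the two posts above describe a DPD state machine with two triggers: a probe after 5 minutes of silence, and a "worry mode" entered when data is sent to the peer and nothing comes back within a few seconds; unanswered probes then repeat every 5 seconds, three times, before the session is torn down. The simulation below is an added example written for this thread, not code from the VPN 3000 or from Cisco. The 300 s, 5 s and three-retry values come from the posts; the 5 s worry-mode reply window is an assumption, since the reply only says "a few seconds".

```python
# Timers as stated in the thread; WORRY_WINDOW is an assumption (the reply
# only says "a few seconds").
IDLE_INTERVAL = 300   # seconds of silence before the first R-U-THERE
RETRY_INTERVAL = 5    # seconds between aggressive-mode retries
MAX_RETRIES = 3       # aggressive retries after the initial probe
WORRY_WINDOW = 5      # assumed: data sent, no reply within this -> worry mode


class DpdMonitor:
    """One peer's DPD bookkeeping on the concentrator side (simplified model)."""

    def __init__(self):
        self.last_rx = 0
                # time of last packet (data or ACK) from the peer
        self.data_pending_since = None   # time of first unanswered data we sent
        self.worried = False
        self.unanswered = 0              # probes sent without an ACK
        self.next_probe_at = IDLE_INTERVAL
        self.alive = True
        self.events = []                 # (time, "R-U-THERE" | "teardown")

    def receive(self, t):
        """Any inbound packet (data or R-U-THERE-ACK) proves the peer is alive."""
        self.last_rx = t
        self.data_pending_since = None
        self.worried = False
        self.unanswered = 0
        self.next_probe_at = t + IDLE_INTERVAL

    def send_data(self, t):
        """Record outbound data so silence afterwards can trigger worry mode."""
        if self.data_pending_since is None:
            self.data_pending_since = t

    def tick(self, t):
        """Advance the clock to t (seconds) and emit probes or tear down."""
        if not self.alive:
            return
        if (not self.worried and self.data_pending_since is not None
                and t - self.data_pending_since >= WORRY_WINDOW):
            self.worried = True          # data went out, nothing came back
            self.unanswered = 0
            self.next_probe_at = t
        if t >= self.next_probe_at:
            if self.unanswered > MAX_RETRIES:
                self.alive = False       # initial probe + 3 retries unanswered
                self.events.append((t, "teardown"))
                return
            self.events.append((t, "R-U-THERE"))
            self.unanswered += 1
            self.worried = True
            self.next_probe_at = t + RETRY_INTERVAL


def simulate(peer_answers, duration, data_at=()):
    """Run the monitor one second at a time; a reachable peer ACKs each probe."""
    m = DpdMonitor()
    for t in range(duration + 1):
        if t in data_at:
            m.send_data(t)
        m.tick(t)
        if peer_answers and m.events and m.events[-1] == (t, "R-U-THERE"):
            m.receive(t)                 # R-U-THERE-ACK arrives
    return m


def probe_times(m):
    return [t for t, kind in m.events if kind == "R-U-THERE"]


def teardown_time(m):
    return next((t for t, kind in m.events if kind == "teardown"), None)


if __name__ == "__main__":
    print("idle, peer gone:", probe_times(simulate(False, 400)))
    print("idle, peer alive:", probe_times(simulate(True, 1000)))
    print("data at t=100, peer gone:", probe_times(simulate(False, 400, {100})))
```

The idle case reproduces the five-minute wait observed in the lab: nothing is sent until t=300, and a silent peer is dropped at t=320 after four unanswered probes. Sending data to a silent peer at t=100 short-circuits that wait, with the first probe at t=105 and tear-down at t=125, which is the "worry mode" path in the reply.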

engel Wed, 12/04/2002 - 18:30
User Badges:

Dear Jazib,


Would appreciate it if you can help me with the following problem regarding automation of adding a large number of users to a Concentrator internal database. Do you have any idea on how to add 500 users or so ? It will be very painful to add them one-by-one without a tool. Registering the users to an external database is not an option right now.


Thanks for any insight,


Best Regards,

Engelhard M. Labiro

jfrahim Fri, 12/06/2002 - 07:34
User Badges:
  • Cisco Employee,

Hi Engel,

Unfortunately, adding the users one-by-one is the only option on the concentrator. You cannot modify the config file, because most of the stuff in the config file is encrypted (especially the password/shared keys etc)

You mentioned that an external authentication device is not possible at this time, but I would still highly encourage you to implement this as soon as possible. Otherwise managing it would be a hassle

Thanks

Jazib
