IOS router VPN Client issue

Hi,

I do have an issue with VPN clients. The VPN client can connect, but no traffic is routed. I switched on debugging and noticed that a packet is decrypted successfully but dropped by CEF.

I got the following messages:

post_crypto_ip_decrypt: Data just decrypted, 52 bytes
PostDecrypt: Particle based pak cef switched 3
CEF-Drop: Stalled adjacency for 0.0.0.0 on Virtual-Access2 for destination ...

Does anybody have an idea?

C2811 IOS 12.4(15)T1

VPN Client WindowsXP 5.0, MacOS X, ...

Here is a part of the config

ip cef
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.2.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 ip virtual-reassembly
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
crypto isakmp client configuration group XXX
 key YYY
 dns 192.168.2.21 192.168.2.22
 wins 192.168.2.2 192.168.2.23
 domain mydomain.com
 pool Pool_VPN
 acl 100
 save-password
 split-dns mydomain.com
 max-users 4
!
crypto isakmp profile sdm-ike-profile-1
 match identity group XXX
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 2
!

This config was working with IOS 12.4(11)XJ2.

1 REPLY

Re: IOS router VPN Client issue

When running CEF, a static arp can cause CEF to lose that mac address as an adjacency. On a static, the arp timeout is set to zero. When the adjacency is lost, packets get punted to process-level. Doing a shut/noshut of the affected interface may help you. Configuring a static route to the client also may help.
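As an added example (not part of the thread), here is a small Python triage script for debug output like the lines quoted in the question: it counts packets that left the crypto engine and, per interface, the CEF stalled-adjacency drops with the stalled next-hop and lost destinations, so you can see at a glance which Virtual-Access interface to apply the reply's shut/no shut or static-route check to. The sample debug text is constructed; the destination addresses in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of IOS crypto/CEF debug output, modelled on the lines
# quoted in the question above; the destination addresses are placeholders.
SAMPLE_DEBUG = """\
post_crypto_ip_decrypt: Data just decrypted, 52 bytes
PostDecrypt: Particle based pak cef switched 3
CEF-Drop: Stalled adjacency for 0.0.0.0 on Virtual-Access2 for destination 192.168.2.21
post_crypto_ip_decrypt: Data just decrypted, 84 bytes
PostDecrypt: Particle based pak cef switched 3
CEF-Drop: Stalled adjacency for 0.0.0.0 on Virtual-Access2 for destination 192.168.2.22
post_crypto_ip_decrypt: Data just decrypted, 60 bytes
PostDecrypt: Particle based pak cef switched 3
"""

DECRYPT_RE = re.compile(r"^post_crypto_ip_decrypt: Data just decrypted, (\d+) bytes")
STALL_RE = re.compile(r"^CEF-Drop: Stalled adjacency for (\S+) on (\S+) for destination (\S+)")

def triage(debug_text):
    """Count decrypted packets and, per interface, CEF stalled-adjacency drops
    with the stalled next-hop(s) and the destinations that were lost."""
    decrypted = 0
    drops = defaultdict(lambda: {"count": 0, "next_hops": set(), "destinations": set()})
    for line in debug_text.splitlines():
        if DECRYPT_RE.match(line):
            decrypted += 1          # packet left the crypto engine successfully
            continue
        m = STALL_RE.match(line)
        if m:                       # ... but CEF had no usable adjacency for it
            next_hop, iface, dest = m.groups()
            drops[iface]["count"] += 1
            drops[iface]["next_hops"].add(next_hop)
            drops[iface]["destinations"].add(dest)
    return {"decrypted": decrypted, "drops": dict(drops)}

def stalled_interfaces(report):
    """Interfaces dropping decrypted traffic: where to try the shut/no shut
    or static-route check suggested in the reply."""
    return sorted(report["drops"])

if __name__ == "__main__":
    rep = triage(SAMPLE_DEBUG)
    print(f"{rep['decrypted']} packets decrypted, stalled on {stalled_interfaces(rep)}")
    for iface, e in rep["drops"].items():
        print(f"{iface}: {e['count']} drops, next-hop {sorted(e['next_hops'])}, "
              f"destinations {sorted(e['destinations'])}")
```

Feed it the output of the same debugs from your own router (paste the text in place of the constructed sample) and compare the decrypted count with the drop count per interface.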
