Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
494
Views
0
Helpful
4
Replies

1841 IOS Version

siclines1234
Level 1
Level 1

‎06-19-2010 08:16 PM

Hi,

I have been troubleshooting a VPN connection between an ASA and 1841. I have had trouble connecting, I get ping and tracert to/from. I can see the 1841 send to the ASA, I see the ASA send to the 1841 but I don't see the 1841 receive the ASA, hence the breakdown.

I am wondering could IOS version play a role? If so, I am currently running the following on an 1841:

Image Name  c1841-advsecurityk9-mz.124-10a.bin 
IOS Version  12.4(10a)

Should I and if so, what should I upgrade to?

Thanks for your help,

Jackie:)

Labels:
0 Helpful
4 Replies 4

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-20-2010 03:15 AM

Jackie,

IOS verion CAN play a role, but from your problem description looks like somethign is blocking ESP (or udp/4500) packets before the router.

I'd check any ACLs or "firewalls".

If you do want to upgrade to for the latest in mainline 12.4(25)c when I last looks and that some time ago.

Marcin

0 Helpful

siclines1234
Level 1
Level 1
In response to Marcin Latosiewicz

‎06-20-2010 04:29 PM

I've have checked the ACL's on both routers, I have tore down and recreated the maps, tunnels, everything. Still does not work.

I contacted both side's ISPs and they have tested and cleared the lines on either side and claim that all their equipment just passes the traffic through and they don't block any traffic.

That's why I thought maybe the IOS version might be causing the problem.

Do you think I should upgrade the IOS or what can I post that will help determine the problem?

Thanks,
Jackie

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to siclines1234

‎06-20-2010 11:30 PM

Jackie,

What I would do is to check that packets are being sent and received.

ASA it's easy - get a packet capture of IKE, ESP and UDP 4500 to and frop the router.

On router apply an ingress access-list on interface facing outside (if not done already)

First three entries on the acl should be.

permit udp h ASA_IP_ADDRESS eq 500 any

permit esp h ASA_IP_ADDRESS any

perm udp h ASA_IP_ADDRESS eq 4500 any

(if no ACL in place already remember to add "permit ip any any" at the end).

Now If you will see hits on either esp or udp 4500 entries it mean that an upgrade can help. If you don't see them arriving - you check the ASA to see if packets are leaving and if they are not malformed.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Marcin Latosiewicz

‎06-21-2010 09:26 AM

Jackie

Some other things that you might check.

- what interfaces on the ASA and the 1841 are you using for crypto isakmp? (what are you using for crypto isakmp enable on the ASA and what interface has the crypto map on the 1841)

- what are you specifying for the peer address on the ASA and on the 1841?

- when you ping and traceroute are you going from the peer address on the device and going to the peer address of the other device?

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents