Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
0
Helpful
6
Replies

EasyVPN problem with 887

ronald.tuns
Level 1
Level 1

‎11-18-2010 01:00 AM

Hi,

I was wondering if someone has encountered this problem before, since I have it on three 887 routers...

Here's the case: I have configure a 887 router with EasyVPN and use the EasyVPN client to connect. This works fine, only the first time a connection is made, all traffic goes through the router to the remote network. After I disconnect, I can establish a VPN connection, but no traffic is returned from the remote network. After a reboot of de 887 device, I can reach the remote network. Again, after disconnecting, a new connection does not work, until I rebooted the device.

Any help is greatly appreciated.

Ronald

Labels:
0 Helpful
6 Replies 6

apothula
Level 1
Level 1

‎11-18-2010 02:15 AM

Hi Ronald,

I think, when you are disconnecting from the VPN, the IPSec SA is not getting deleted on the 887 causing the problem of Multiple SPI's.

What is the time difference between 2 consecutive logins ?


Next time, when you reconnect, do a show cry ips sa peer " public ip address of your client"

like, show cry ips sa peer 64.54.44.34

and paste the information here.

Also, please provide information about the IOS code running on the 887.

Cheers,


Nash.

0 Helpful

ronald.tuns
Level 1
Level 1
In response to apothula

‎11-18-2010 03:53 AM

Hi Nash,

Thanks for your reply. Here's the output when I use the show cry ips sa peer command:

interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr xxx.xxx.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.26/255.255.255.255/0/0)
   current_peer yyy.yyy.yyy.yyy port 63302
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: yyy.yyy.yyy.yyy
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0x582813CA(1479021514)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDBA5C3B(230317115)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map
: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4519221/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x582813CA(1479021514)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map
: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4519226/3514)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

In this situation, there was no response from the remote network.

The router has the following os: Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(1)T1, RELEASE SOFTWARE (fc2)

This is the config running on the device:

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname fw-alst
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1516288270
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1516288270
revocation-check none
rsakeypair TP-self-signed-1516288270
!
!
crypto pki certificate chain TP-self-signed-1516288270
certificate self-signed 01
  
   quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.16 192.168.1.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 195.121.1.34 195.121.1.66
   default-router 192.168.1.254
!
!
ip cef
no ip bootp server
ip domain name alst.local
ip name-server 195.121.1.34
ip name-server 195.121.1.66
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO886-SEC-K9 sn FCZ144093UJ
!
!
username xxx privilege 15 secret 5
username yyy secret 5
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn-afa
key
pool SDM_POOL_1
acl 102
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn-afa
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
no cdp enable
!
ip local pool SDM_POOL_1 10.10.10.20 10.10.10.30
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.1 3389 interface Dialer0 3389
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp host 195.121.1.66 eq domain any
access-list 101 permit udp host 195.121.1.34 eq domain any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

I would be most grateful if you can shed some light on the issue !

Regards,

Ronald

0 Helpful

apothula
Level 1
Level 1
In response to ronald.tuns

‎11-18-2010 05:32 AM

Hi Ron,

Try adding the follwing configuration,

ip access-list ext 150

deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list 150 interface Dialer 0 overload

no ip nat inside source list 1 interface Dialer 0 overload

clear ip nat translations *

Then connect to the VPN back to back and run connectivity tests.

Let me know how it goes.

Cheers,


Nash.

0 Helpful

ronald.tuns
Level 1
Level 1
In response to apothula

‎11-18-2010 06:39 AM

Hi Nash,

Thanks for your suggestions. I enterd the commands and reloaded the new config. Unfortunately no improvement: I can still use the VPN only once.

Regards,

Ronald

0 Helpful

apothula
Level 1
Level 1
In response to ronald.tuns

‎11-18-2010 08:21 AM

Hi Ronald,

Please open a case with Cisco TAC.

There are a few things that need to be looked into which would be really difficult to be discussed in detail on the forum.

Cheers,

Nash.

0 Helpful

ronald.tuns
Level 1
Level 1
In response to apothula

‎11-19-2010 02:21 AM

Hi Nash,

I'm going to do that. Thanks for your help so far !

Update: I downloaded the newest IOS version and this solved the problem.

Regards,

Ronald

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents