Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Every second ping fails

Hello everyone,

I have a small test lan with a 2611xm setup for a ipsec vpn.

On each fe port I have one laptop directly plugged in, the inside int is assigned by dhcp, and the outside at this stage is static.

I am using a 3rd party ipsec client program shrewsoft vpn client.

The tunnel comes up and sa is established with plenty of packets encrypting and decrypting.

As mentioned in the title, every second ping fails in either direction from client to client, router pings 100% to the inside laptop and fails to the ipsec assigned address of 192.168.1.10 of the 'remote' client.


Below is my config and below that I think highlights where the issue might be, the arp entry of the ipsec assigned address is incomplete.

An ipconfig /all on the 'remote' client shows a mac address of the tunnel int as aaaa.aaaa.aa00.

Regards,

Mitchell

config:

Router#show run
Building configuration...

Current configuration : 2139 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2600-ik9s-mz.123-6f.bin
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name vpn.changeme.com
ip name-server 4.2.2.2
ip dhcp excluded-address 192.168.0.0 192.168.0.9
!
ip dhcp pool internal
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 4.2.2.2
   domain-name vpn.changeme.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto keyring remote_user
  pre-shared-key address 0.0.0.0 0.0.0.0 key xxxx
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp nat keepalive 5
crypto isakmp client configuration address-pool local ipsec
!
crypto isakmp client configuration group remote_user_group
key xxxx
pool external
crypto isakmp profile remote_user
   keyring remote_user
   match identity group remote_user_group
!
!
crypto ipsec transform-set DYN_TFS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYN_MAP 1
set transform-set DYN_TFS
set isakmp-profile remote_user
!
!
crypto map map client configuration address initiate
crypto map map client configuration address respond
crypto map map 1 ipsec-isakmp dynamic DYN_MAP discover
!
!
!
!
interface FastEthernet0/0
description INTERNAL ETHERNET
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description WAN ETHERNET
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
no cdp enable
crypto map map
!
interface Serial0/1
no ip address
shutdown
!
ip local pool ipsec 192.168.1.10 192.168.1.100
ip http server
no ip http secure-server
ip classless
ip route profile
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
!
access-list 101 permit ip any 192.168.0.0 0.0.0.255
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
login
transport input telnet
!
!
!
end


Router#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   001b.d338.0bab  ARPA   FastEthernet0/1
Internet  10.1.1.1                -   0017.5993.a6c1  ARPA   FastEthernet0/1
Internet  192.168.1.10            0   Incomplete      ARPA  
Internet  192.168.0.1             -   0017.5993.a6c0  ARPA   FastEthernet0/0
Internet  192.168.0.2             1   001b.d338.0b7c  ARPA   FastEthernet0/0

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Every second ping fails

The "Internet  192.168.1.10            0   Incomplete      ARPA " output does not look correct.

The router shouldn't even have that particular ARP entry as there is no router interface with the 192.168.1.0/24 subnet, therefore there is no reason for the router to ARP for that subnet unless you have plug a PC with the 192.168.1.10 ip address earlier. I would suggest that you clear the ARP entry in the router "clear arp".

For the following route statement: ip route 192.168.1.0 255.255.255.0 FastEthernet0/1, I would change the next hop from fa0/1 to the actual ip address of the next hop router (or your PC ip address if you are directly connecting a PC to the router fa0/1 interface), ie:

ip route 192.168.1.0 255.255.255.0 10.1.1.x

Hope that helps.

3 REPLIES
Super Bronze

Re: Every second ping fails

The "Internet  192.168.1.10            0   Incomplete      ARPA " output does not look correct.

The router shouldn't even have that particular ARP entry as there is no router interface with the 192.168.1.0/24 subnet, therefore there is no reason for the router to ARP for that subnet unless you have plug a PC with the 192.168.1.10 ip address earlier. I would suggest that you clear the ARP entry in the router "clear arp".

For the following route statement: ip route 192.168.1.0 255.255.255.0 FastEthernet0/1, I would change the next hop from fa0/1 to the actual ip address of the next hop router (or your PC ip address if you are directly connecting a PC to the router fa0/1 interface), ie:

ip route 192.168.1.0 255.255.255.0 10.1.1.x

Hope that helps.

New Member

Re: Every second ping fails

ok, so thats working now, thanks very much!

I do have one further question,

Im trying to block all traffic to the internal network of 192.168.0.0 that is not encrypted (and more importantly authenticated).

Is there a way to only allow access to the inside network from auth+encrypted remote users?

Super Bronze

Re: Every second ping fails

Yes, you can apply CBAC on the inside interface (fa0/0), and configure ACL to deny all traffic inbound on the WAN interface (fa0/1). Decrypted traffic from VPN is by default allowed and is not checked by the ACL applied on the outside interface.

Example:

ip inspect name outbound tcp

ip inspect name outbound udp

access-list 150 deny ip any any

interface fa0/0

     ip inspect outbound in

interface fa0/1

     ip access-group 150 in

Here is the sample configuration on CBAC:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Hope that helps.

1908
Views
0
Helpful
3
Replies