11-10-2010 09:07 AM
Hello all
I have been banging my head against the wall on an issue and I would love some help if possible. I am a recent CCENT and a beginner on Cisco VPN. I set up my 851w running IOS c850-advsecurityk9-mz.124-15.T11.bin using the CCP without any problem. So I began setup of the Cisco 861 running IOS c860-universalk9-mz.150-1.M3.bin in much the same way. I used the CCP to configure an EZVPN server for client connections. The clients connect fine and work the first time. If I try to connect a second time then it will authenticate and connect, but I get no access to the internal private network. The split tunnel seems to be working fine, as I can access the internet, but I cannot ping the router internally or access anything on the VPN network. If I do a reload of the router, it works the first time and then not the second time. Please, someone tell me this sounds familiar.
Thanks for any help.
11-10-2010 10:53 AM
Can you provide the following info?
- running config
- reload the router and then connect to it via VPN. From the client side, issue a ping to an internal host and then capture
show crypto ipsec sa
sh ip route
- disconnect the VPN and connect the VPN client back again, issue a ping to an internal host and then capture
show crypto ipsec sa
sh ip route
11-10-2010 03:03 PM
Here is my running config, slightly modified for passwords and IPs etc.
Mostly I have messed around with NAT and access-list settings, so those are different from the default coming from the CCP setup, but it has acted the same throughout those changes.
I will attempt to reload and get the other info tonight and post a bit later.
Thanks for the reply
Current configuration : 5802 bytes
!
! Last configuration change at 01:09:20 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4168762193
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4168762193
revocation-check none
rsakeypair TP-self-signed-4168762193
!
!
crypto pki certificate chain TP-self-signed-4168762193
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313638 37363231 3933301E 170D3933 30333031 30303030
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31363837
36323139 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A696 5F3E27B2 3E1ED90B FCA89CAD 732073CB 7546798B 6718221E 84837519
5ED6E124 0B01E71E DC5D38B6 10BF972C AF02B579 8C25EA26 C37DCCA3 788523EC
6A2F7334 7C958FCD F321E32E FD4C0F22 5FEB6F86 FAA4E401 CCCE2445 C2946EA7
565BC8D8 3548DCFF 1452E54C 5ED627E9 6C87A806 BEF5348F 34ED7248 FE8D7A73
F1650203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 14726F75 7465722E 69657069 7068616E 792E636F 6D301F06
03551D23 04183016 80147151 929EF82B 8D80A6F7 8899D854 EAE54F4A 05CE301D
0603551D 0E041604 14715192 9EF82B8D 80A6F788 99D854EA E54F4A05 CE300D06
092A8648 86F70D01 01040500 03818100 619676DE CF7B6F6E 12284DCA CC48AE0D
80B6ED39 BEC727F7 2E50C24F 39111FBB 79F1F1AA 99BFA032 7031E9ED 64B882BF
D098B783 226D54E1 6D375E8E F73B9CD4 BE1BC1B4 EA5827F3 C24684CF F9C927D8
51380702 188CF374 835D492F 9B86B43A 4F6D1D05 9F314DC3 B0E9F8C6 E6D7F59B
DEF1EC73 717A2586 E8A383B1 0434D7A8
quit
ip source-route
!
!
ip dhcp excluded-address 192.168.53.1
ip dhcp excluded-address 192.168.53.200 192.168.53.254
ip dhcp excluded-address 192.168.53.140
!
ip dhcp pool ccp-pool
import all
network 192.168.53.0 255.255.255.0
default-router 192.168.53.1
dns-server 192.168.53.253 8.8.8.8
lease 0 2
!
!
ip cef
ip domain name example.com
ip name-server 192.168.53.253
!
!
license udi pid CISCO861-K9 sn ----------------
!
!
username myuser privilege 15 secret 5 mypassword
crypto ctcp port 10000
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group mygroup
key mykey
dns 192.168.53.1
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group mygroup
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN PORT$ETH-WAN$
ip address xxx.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.53.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.10.10.10 10.10.10.20
ip default-gateway xxx.xxx.xxx.xxx
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.53.253 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.53.253 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.53.253 8843 interface FastEthernet4 8843
ip nat inside source static tcp 192.168.53.253 8443 interface FastEthernet4 8443
ip nat inside source route-map rmap_nat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip access-list extended OVERLOAD
deny ip 192.168.53.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.53.0 0.0.0.255 any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.53.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.53.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
route-map rmap_nat permit 10
match ip address OVERLOAD
!
!
control-plane
!
alias exec save copy run start
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end
11-10-2010 08:32 PM
I am again attempting to not show public IPs, so I have edited a bit, but I see where something is wrong.
When trying show ip route, I noticed that there is a line that shows with the successful connection
S 10.10.10.10/32 [1/0] via remoteipaddress, Virtual-Access2
and it is missing on the unsuccessful connection.
For the show crypto ipsec sa I got
Successful connection:
router#show crypto ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr VPNPUBLICIP
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
current_peer REMOTEIPADDRESS port 1263
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: VPNPUBLICIP, remote crypto endpt.: REMOTEIPADDRESS
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x5E1E5249(1579045449)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2A9F1BC7(715070407)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4540476/3571)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5E1E5249(1579045449)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4540480/3571)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Failed Connection:
router#show crypto ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr VPNPUBLICIP
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
current_peer REMOTEIPADDRESS port 1275
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: VPNPUBLICIP, remote crypto endpt.: REMOTEIPADDRESS
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xCDFE847F(3456009343)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xDB016305(3674301189)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4580327/3578)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCDFE847F(3456009343)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4580331/3578)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
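The check the responder asked for above (compare show crypto ipsec sa and show ip route after the first and second connection) can be automated. The following Python script is an added example written for this page; it is not code from the thread or from Cisco. It parses the two command outputs, pairs each IPsec SA's remote ident (the client's /32 from the pool) with the static host route that reverse route injection (RRI) should have installed on the Virtual-Access interface, and flags any SA whose route is missing. It also flags the second symptom visible in the failed capture: the router decrypts packets from the client (#pkts decaps > 0) but never encrypts replies (#pkts encaps: 0), which is what you would expect when return traffic has no route into the tunnel. The sample outputs embedded in the script are constructed, modelled on the ones posted in this thread (two SAs on two Virtual-Access interfaces, one with its route and one without); placeholders such as REMOTEIPADDRESS are kept as in the post, and the regexes assume the IOS 15.0 output layout shown here (static routes prefixed with S, host idents with a 255.255.255.255 mask, interfaces named Virtual-AccessN).

```python
"""Pair EZVPN/DVTI IPsec SAs with their RRI host routes and flag mismatches.

Added example for the thread above, not Cisco code. Sample outputs below are
constructed, modelled on the captures posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed "show crypto ipsec sa" excerpt: one healthy SA and one where RRI
# never installed a route (decaps > 0, encaps == 0, as in the failed capture).
SAMPLE_IPSEC_SA = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr VPNPUBLICIP
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer REMOTEIPADDRESS port 1263
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr VPNPUBLICIP
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
   current_peer REMOTEIPADDRESS2 port 1275
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
"""

# Constructed "show ip route" excerpt: only the first client's /32 was injected.
SAMPLE_IP_ROUTE = """\
Gateway of last resort is xxx.xxx.xxx.xxx to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via xxx.xxx.xxx.xxx
      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C        10.10.10.0/24 is directly connected, Loopback0
L        10.10.10.1/32 is directly connected, Loopback0
S        10.10.10.10/32 [1/0] via REMOTEIPADDRESS, Virtual-Access2
C     192.168.53.0/24 is directly connected, Vlan1
"""

IFACE_RE = re.compile(r"^interface:\s+(\S+)", re.M)
REMOTE_RE = re.compile(
    r"remote ident \(addr/mask/prot/port\): \((\d+\.\d+\.\d+\.\d+)/255\.255\.255\.255/")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
# Static host route via a Virtual-Access interface, i.e. what RRI installs.
ROUTE_RE = re.compile(
    r"^S\s+(\d+\.\d+\.\d+\.\d+)/32\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(Virtual-Access\d+)", re.M)


def parse_ipsec_sas(text: str) -> List[dict]:
    """One record per 'interface:' block: interface, client /32, packet counters."""
    sas = []
    for chunk in re.split(r"(?m)^(?=interface:\s)", text):
        m_if, m_rem = IFACE_RE.search(chunk), REMOTE_RE.search(chunk)
        if not (m_if and m_rem):
            continue  # header text or a block without a host remote ident
        enc, dec = ENCAPS_RE.search(chunk), DECAPS_RE.search(chunk)
        sas.append({
            "interface": m_if.group(1),
            "client": m_rem.group(1),
            "encaps": int(enc.group(1)) if enc else 0,
            "decaps": int(dec.group(1)) if dec else 0,
        })
    return sas


def parse_rri_routes(text: str) -> Dict[str, Tuple[str, str]]:
    """Map client /32 -> (next hop, Virtual-Access interface) for static host routes."""
    return {m.group(1): (m.group(2), m.group(3)) for m in ROUTE_RE.finditer(text)}


def check_rri(sa_text: str, route_text: str) -> List[dict]:
    """Return the SAs whose RRI route is missing or mismatched, with reasons."""
    routes = parse_rri_routes(route_text)
    findings = []
    for sa in parse_ipsec_sas(sa_text):
        problems = []
        route = routes.get(sa["client"])
        if route is None:
            problems.append("no RRI host route for client")
        elif route[1] != sa["interface"]:
            problems.append(f"RRI route points at {route[1]}, SA is on {sa['interface']}")
        if sa["decaps"] > 0 and sa["encaps"] == 0:
            problems.append("decrypting client traffic but never encrypting replies")
        if problems:
            findings.append({**sa, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in check_rri(SAMPLE_IPSEC_SA, SAMPLE_IP_ROUTE):
        print(f"{f['interface']} client {f['client']}: " + "; ".join(f["problems"]))
```

Feed it the real captures (paste them in place of the samples, or read them from files) after the first and the second connection; a client that authenticates but cannot reach the LAN should show up as an SA with no matching S x.x.x.x/32 ... Virtual-AccessN route, which is the symptom this thread traces to the RRI bug rather than to NAT or the split-tunnel ACL.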
11-10-2010 09:18 PM
Can you try the following to see if it fixes the issue?
1. Use a different IP, NOT within subnet 10.10.10.0/24, for the Loopback0 interface.
2. Reconfigure ACL 100 and remove "access-list 100 permit ip 10.10.10.0 0.0.0.255 any".
11-10-2010 09:44 PM
Thanks for the suggestions, but alas, we have not found it. I showed the changes in the running config below. Same exact thing with the missing static route in the show ip route too.
interface Loopback0
ip address 172.16.1.1 255.255.255.0
11-10-2010 09:52 PM
Not sure why the static route was not injected into the routing table after the tunnel is UP.
It looks like a bug to me.
Could you try the version which is working on the 850 router?
11-10-2010 10:00 PM
Well, I am a little bit of a newbie like I said, and I guess I was not sure if it would be a good idea to downgrade the firmware on the 861. I am accessing it remotely and I will have to try that later so I don't take it down and lose my access. Guess it is good to know it might be a bug rather than me doing something wrong.
Thanks for the help
11-10-2010 10:01 PM
It is probably hitting this bug
CSCth39861 RRI route may not be added to the RT (DVTI configuration)
which is duplicated of
CSCta53372 RRI static route disappears from routing table on interface shut/no-shut
11-27-2010 12:58 PM
I was having the exact same issue. I was running c890-universalk9-mz.150-1.M3.bin. The last person to post (Yudong Wu) gave me what I needed to resolve the issue. I upgraded to M4 and the static routes get added back like they are supposed to without a reload or resetting RRI.
Cisco IOS Release 15.0(1)M4 is a rebuild release for Cisco IOS Release 15.0(1)M. The caveats in this section are resolved in Cisco IOS Release 15.0(1)M4 but may be open in previous Cisco IOS releases.
CSCta53372
Symptoms: A VPN static route is not seen in the RIB after an interface is shut down and brought back up (shut/no shut).
Conditions: Configure the crypto client and server routers in such a way that the session is up and RRI installs a static route on the server that is pointing to the client IP address. Now shut down the interface on the server router that is facing the client. The RRI static route disappears from the RIB and never reappears.
12-06-2010 05:14 PM
Thanks for the replies. After waiting for weeks for my order to get my first smartnet contract in place, I upgraded to c860-universalk9-mz.150-1.M4 and all is fine now.