
IOS VPN site2site trouble

Spinu Viorel
Level 1

Hello,

I have a VPN site2site that is working, but not always :)

1) After some minutes or hours (different periods) it is not working anymore. I test the tunnel with SDM and it is up and running. I do sh crypto isakmp sa / detailed and I have QM_IDLE and status ACTIVE; I do sh crypto ipsec sa and it is there. I have to reload the router to make it work again. Where should I look for some info about the problem?

2) I noticed that the lifetime parameter was not the same. I changed it, so now it is the same on both peers. Could this be a problem? It did not solve my problem.

3) Can I force a rebuild of the tunnel without reloading the router with clear crypto isakmp conn_ID or clear crypto sa [peer/map] spi ?

4) The ACL that defines interesting traffic is like: permit ip local_LAN remote_LAN . ICMP is not interesting traffic; if I ping the remote_LAN, why does it count in the ipsec sa? If I do a sh crypto ipsec sa, I see those ICMP packets counted here:

local ident (addr/mask/prot/port): (172.31.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer 89.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1371, #pkts encrypt: 1371, #pkts digest: 1371
#pkts decaps: 2412, #pkts decrypt: 2412, #pkts verify: 2412
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

Thank you, and excuse my English.

3 Replies

ariesc_33 (accepted solution)
Level 1

1, 2 - Yes, this might have fixed it already by matching the lifetime on both router/FW.

3. Yes.

4. Other than defining the access-list for interesting traffic, did you also configure another access-list for this tunnel? If not, then all IP traffic is allowed, including ICMP. You may not receive the ICMP reply because the other firewall is blocking it.

please rate if it helps

No, I don't have any other access-list defined for the tunnel. But from what I know, IP traffic is different from ICMP traffic. So if I permit IP, it does not mean that I permit ICMP also. So I say that IP traffic (interesting) is routed through the VPN and ICMP traffic goes to the Internet through the default route, outside the VPN, because it is not interesting.

interface Vlan2
 description $FW_INSIDE$
 ip address 172.31.0.253 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow

access-list 106 remark IPSec Rule
access-list 106 permit ip 172.31.0.0 0.0.0.255 192.168.30.0 0.0.0.255

It is a new network I am trying to discover; I found that the peer is a PIX 525. Could this be a problem?

thank u so much for taking the time to answer!

as long as the vpn policies match, there should be no issue.
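The two points argued back and forth in this thread, as an added example that is not part of the original posts: a small Python script that (a) evaluates one numbered extended ACL entry the way IOS does, which shows that `permit ip` between the two subnets makes ICMP interesting traffic as well, and (b) parses the counter block of `show crypto ipsec sa` from two snapshots so you can tell an SA that merely shows ACTIVE from one that is actually passing traffic in both directions. The first snapshot is modelled on the asker's output; the second snapshot and the host addresses 172.31.0.10, 192.168.30.5 and 8.8.8.8 are constructed for the example.

```python
"""Two checks for the questions raised in this thread: does a crypto ACL
with `permit ip` make ICMP "interesting traffic", and is an SA that still
shows ACTIVE actually moving packets?  Added example, not from the post.
The show-command snapshots are constructed after the asker's output."""
import ipaddress
import re

# Constructed sample of the counter block of `show crypto ipsec sa`.  The
# second snapshot (hypothetical, taken a minute later) has encaps rising
# while decaps stays flat: we encrypt, nothing comes back.
SNAPSHOT_BEFORE = """\
   local  ident (addr/mask/prot/port): (172.31.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 89.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1371, #pkts encrypt: 1371, #pkts digest: 1371
    #pkts decaps: 2412, #pkts decrypt: 2412, #pkts verify: 2412
    #send errors 1, #recv errors 0
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("encaps: 1371", "encaps: 1402")

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_ipsec_sa(text):
    """Pull proxy identities, peer and the encaps/decaps counters out of
    one SA's block of `show crypto ipsec sa` output."""
    sa = {"ident": {}, "counters": {}, "errors": {}}
    for side, addr, mask, prot, port in IDENT_RE.findall(text):
        # prot 0 / port 0 in the ident means "any protocol, any port"
        sa["ident"][side] = {
            "net": str(ipaddress.ip_network(f"{addr}/{mask}", strict=False)),
            "prot": int(prot), "port": int(port)}
    m = PEER_RE.search(text)
    sa["peer"] = m.group(1) if m else None
    sa["counters"] = {k: int(v) for k, v in COUNTER_RE.findall(text)}
    sa["errors"] = {k: int(v) for k, v in ERROR_RE.findall(text)}
    return sa


def diagnose(before, after):
    """Compare two parsed snapshots taken while traffic should be flowing.
    'ok'      both directions advancing
    'one-way' only one direction advancing, the classic sign of an SA that
              is ACTIVE on this side but no longer valid on the peer
    'idle'    nothing moved at all (no interesting traffic, or it is being
              routed around the tunnel)"""
    tx = after["counters"]["encaps"] - before["counters"]["encaps"]
    rx = after["counters"]["decaps"] - before["counters"]["decaps"]
    if tx > 0 and rx > 0:
        return "ok"
    if tx == 0 and rx == 0:
        return "idle"
    return "one-way"


ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _wildcard_match(addr, base, wildcard):
    # IOS wildcard: a 1 bit means "don't care", so compare only the 0 bits
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_matches(acl_line, src, dst, proto):
    """Evaluate one numbered extended ACL entry against a packet.
    Returns True/False for permit/deny when the entry applies, None when it
    does not (IOS then tries the next entry, then the implicit deny).
    The protocol keyword `ip` matches every IP protocol, ICMP included."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError("unsupported ACL syntax: " + acl_line)
    _, action, acl_proto, s_base, s_wc, d_base, d_wc = m.groups()
    if acl_proto not in ("ip", proto):
        return None
    if not (_wildcard_match(src, s_base, s_wc) and _wildcard_match(dst, d_base, d_wc)):
        return None
    return action == "permit"


if __name__ == "__main__":
    crypto_acl = "access-list 106 permit ip 172.31.0.0 0.0.0.255 192.168.30.0 0.0.0.255"
    # a ping from the local LAN to the remote LAN is interesting traffic...
    print(acl_matches(crypto_acl, "172.31.0.10", "192.168.30.5", "icmp"))  # True
    # ...a ping to the Internet is not, and takes the default route in clear
    print(acl_matches(crypto_acl, "172.31.0.10", "8.8.8.8", "icmp"))       # None
    before, after = parse_ipsec_sa(SNAPSHOT_BEFORE), parse_ipsec_sa(SNAPSHOT_AFTER)
    print(before["ident"]["local"]["net"], "->", before["ident"]["remote"]["net"])
    print(diagnose(before, after))  # one-way
```

When `diagnose` reports one-way, the SA is the stale one: `clear crypto sa peer <address>` (or `clear crypto isakmp <conn-id>`) tears it down so the next interesting packet renegotiates it, which is the "yes" given to question 3 above and avoids the reload.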
