02-19-2014 06:01 PM - edited 02-21-2020 07:30 PM
Please help!!!
I am trying to set up a lab router ISR1921 to build a VPN tunnel with VMware vShield Edge. The configuration of the 1921 is pasted below. There is not much to set on the vShield side really, and I am positive both sides are matching for phase 1 & 2.
The issue I have: the tunnel can be built properly and I can also see encap and decap counters increasing in the show crypto ipsec sa output. However, devices on either side cannot communicate. With that being said, I can ping from the 1921 to the internal interface IP of the vShield with a specified source IP. But just no communication from either side...
I did debugs and the only "error related" messages are:
Feb 20 01:58:03.193: ISAKMP:(1001):deleting node 1656104565 error FALSE reason "Informational (in) state d1"
...
Feb 20 01:58:03.193: ISAKMP:(1001):purging node -1657220080
I hope I did not make a stupid mistake in the configuration, but I have spent too much time on this. It is supposed to be a really simple setup...please help!!
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Lab-1900
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.154-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-4.M7.bin
boot system flash:c1900-universalk9-mz.SPA.150-1.M4.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
clock timezone AST -4 0
clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
!
ip dhcp excluded-address 192.168.100.1 192.168.100.40
!
ip dhcp pool DHCPPOOL
import all
network 192.168.100.0 255.255.255.0
domain-name LAB
dns-server 8.8.8.8 4.2.2.2
default-router 192.168.100.1
lease 4
!
ip domain name lab
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
multilink bundle-name authenticated
!
redundancy
!
ip ssh version 2
!
class-map type inspect match-any ESP_CMAP
match access-group name ESP_ACL
class-map type inspect match-all SDM_GRE_CMAP
match access-group name GRE_ACL
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-13
match access-group 154
class-map type inspect match-all ALLOW-VPN-TRAFFIC-OUT
match access-group name ALLOW-VPN-TRAFFIC-OUT
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol http
class-map type inspect match-any AH_CMAP
match access-group name AH_ACL
class-map type inspect match-all ALLOW-VPN-TRAFFIC
match access-group name ALLOW-VPN-TRAFFIC-OUT
class-map type inspect match-all ccp-invalid-src
match access-group 126
class-map type inspect match-any ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map AH_CMAP
match class-map ESP_CMAP
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
match access-group 137
match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect self-out-pmap
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect out-self-pmap
class type inspect SDM_VPN_PT
pass
class class-default
drop log
policy-map type inspect in-out-pmap
class type inspect ccp-invalid-src
drop log
class type inspect ALLOW-VPN-TRAFFIC-OUT
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop log
policy-map type inspect out-in-pmap
class type inspect sdm-cls-VPNOutsideToInside-13
inspect
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone-pair security zp-self-out source self destination out-zone
service-policy type inspect self-out-pmap
zone-pair security zp-out-To-in source out-zone destination in-zone
service-policy type inspect out-in-pmap
zone-pair security zp-in-out source in-zone destination out-zone
service-policy type inspect in-out-pmap
zone-pair security zp-out-self source out-zone destination self
service-policy type inspect out-self-pmap
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key iL9rY483fF address 172.24.92.103
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto map IPSEC_MAP 1 ipsec-isakmp
description Tunnel-to-Sandbox2
set peer 172.24.92.103
set security-association lifetime seconds 28800
set transform-set ESP-3DES-SHA
set pfs group2
match address 150
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address 172.24.92.18 255.255.255.0
ip nat outside
no ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
no mop enabled
crypto map IPSEC_MAP
crypto ipsec df-bit clear
!
interface GigabitEthernet0/1
description LAN
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source route-map RMAP_4_PAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.24.92.254
!
ip access-list extended AH_ACL
permit ahp any any
ip access-list extended ALLOW-VPN-TRAFFIC-OUT
permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ESP_ACL
permit esp any any
ip access-list extended TELNET_ACL
permit tcp any any eq telnet
!
route-map RMAP_4_PAT permit 1
match ip address 108
!
snmp-server community 1snmp2use RO
access-list 108 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.100.0 0.0.0.255 any
access-list 126 permit ip host 255.255.255.255 any
access-list 126 permit ip 127.0.0.0 0.255.255.255 any
access-list 137 permit ip 172.24.92.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class TELNET_ACL in
exec-timeout 0 0
logging synchronous
transport input all
line vty 5 15
access-class TELNET_ACL in
exec-timeout 0 0
logging synchronous
transport input all
!
scheduler allocate 20000 1000
ntp server 0.ca.pool.ntp.org prefer
ntp server 1.ca.pool.ntp.org
!
end
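As an added example (not part of the thread, and not code from either participant), the following Python script parses the IOS ACL lines excerpted from the posted configuration and cross-checks the four ACLs a LAN-to-LAN tunnel depends on: the crypto map's match ACL, the deny line of the NAT route-map ACL, and the two zone-based firewall class ACLs (the out-to-in one must be the mirror image). It also lists the static routes that reverse-route static would derive from the crypto ACL. The ZBF ACL names passed as defaults, and the modelling of the RRI next hop as the peer address, are assumptions made for illustration.

```python
"""Cross-check the ACLs a LAN-to-LAN IPsec tunnel on IOS depends on.

Four ACLs have to agree for encrypted traffic to flow end to end:
  * the crypto map's "match address" ACL     (which flows get encrypted),
  * the deny lines of the NAT route-map ACL  (the same flows exempted from PAT),
  * the in-to-out ZBF class ACL              (LAN -> remote permitted),
  * the out-to-in ZBF class ACL              (remote -> LAN, the mirror image).
"""
import ipaddress
import re

# Constructed sample: only the tunnel-relevant lines, excerpted from the config
# posted in the thread. Named-ACL entries are indented as in "show run".
SAMPLE_CONFIG = """
crypto map IPSEC_MAP 1 ipsec-isakmp
 set peer 172.24.92.103
 match address 150
route-map RMAP_4_PAT permit 1
 match ip address 108
ip access-list extended ALLOW-VPN-TRAFFIC-OUT
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.100.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
"""


def _net(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) -> IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard & (wildcard + 1):  # wildcard bits must be a contiguous low-order run
        raise ValueError("non-contiguous wildcard mask is not supported here")
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)


def _ace(action, rest):
    tokens = rest.split()
    src = _net(tokens)
    dst = _net(tokens)  # a trailing "log" keyword is simply left unread
    return (action, src, dst)


def parse_acls(config):
    """Return {acl_name_or_number: [(action, src_net, dst_net), ...]} for 'ip' ACEs."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = re.match(r"^access-list (\d+) (permit|deny) ip (.*)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(_ace(m.group(2), m.group(3)))
            continue
        m = re.match(r"^(permit|deny) ip (.*)$", line)
        if m and current is not None and raw.startswith(" "):
            acls[current].append(_ace(m.group(1), m.group(2)))
        elif not raw.startswith(" "):
            current = None  # any other top-level line ends the named ACL block
    return acls


def _flows(acls, name, action):
    return {(s, d) for a, s, d in acls.get(name, []) if a == action}


def _covered(flow, permits):
    s, d = flow
    return any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in permits)


def _first(config, pattern):
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def check_tunnel_acls(config, zbf_in_to_out="ALLOW-VPN-TRAFFIC-OUT", zbf_out_to_in="154"):
    """Return human-readable inconsistencies; an empty list means the ACLs agree.
    ZBF ACL names are parameters (assumed defaults = the ones the posted policy-maps
    reference); resolving zone-pair -> policy-map -> class-map is out of scope here."""
    acls = parse_acls(config)
    crypto = _flows(acls, _first(config, r"^\s*match address (\S+)"), "permit")
    nat_exempt = _flows(acls, _first(config, r"^\s*match ip address (\S+)"), "deny")
    problems = []
    if not crypto:
        problems.append("crypto map has no usable 'match address' ACL")
    if crypto != nat_exempt:
        problems.append("NAT route-map deny lines do not exactly match the crypto ACL")
    out_permits = _flows(acls, zbf_in_to_out, "permit")
    in_permits = _flows(acls, zbf_out_to_in, "permit")
    for s, d in sorted(crypto):
        if not _covered((s, d), out_permits):
            problems.append(f"in-to-out ZBF policy does not permit {s} -> {d}")
        if not _covered((d, s), in_permits):
            problems.append(f"out-to-in ZBF policy does not permit the return flow {d} -> {s}")
    return problems


def rri_routes(config):
    """Routes that 'reverse-route static' would derive from the crypto ACL:
    remote proxy network via the IKE peer (next hop modelled as the peer address)."""
    acls = parse_acls(config)
    peer = _first(config, r"^\s*set peer (\S+)")
    crypto = _flows(acls, _first(config, r"^\s*match address (\S+)"), "permit")
    return sorted({(str(d), peer) for _, d in crypto})


if __name__ == "__main__":
    for p in check_tunnel_acls(SAMPLE_CONFIG) or ["ACLs are consistent"]:
        print(p)
    for dst, nh in rri_routes(SAMPLE_CONFIG):
        print(f"ip route {dst} via {nh}")
```

Run against the excerpt above the checker reports no inconsistencies, which matches the thread's later finding that the ACLs and NAT exemption were fine and the missing piece was a route for the remote network. Removing the deny line from ACL 108, or reversing ACL 154, produces a one-line finding naming the broken leg.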
02-20-2014 09:20 AM
No one has any experience of the combination of two...
Still waiting...
02-21-2014 06:01 AM
Wow...this would be the quietest discussion ever?
02-24-2014 05:14 AM
Bump it for another time...Still wonder if anyone could share some light on this...
02-24-2014 06:44 AM
Hi,
I took a quick look at the configuration and it seems to be fine; I did not check the ZBF piece though.
If you add both interfaces to the same zone-member, do you notice any difference?
If so, put the configuration back and run:
ip inspect log drop-pkt
Also, does the tunnel flap?
show crypto session detail
HTH.
Message was edited by: Javier Portuguez
02-24-2014 08:40 AM
I do have ip inspect log drop-pkt configured, but funny enough, there is no log of dropping...
I did also try to have both interfaces configured in in-zone but nothing changed.
Another funny point: if I do "ping 192.168.1.10 source 192.168.100.1" on the 1921 router, I get replies properly, but not on the host connected inside of the 1921...
From show crypto ipsec sa:
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
02-24-2014 08:47 AM
NAT seems to be fine.
Please create an ACL with bidirectional ACEs and add it as an access-group to the ingress interface:
ip access-list extended 180
permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 log
permit ip any any
interface GigabitEthernet0/1
ip access-group 180 in
ip access-group 180 out
Then generate some traffic and run the show access-lists 180 command.
Also, if possible enable debug ip icmp at the same time.
Share the results.
Thanks,
02-24-2014 09:02 AM
Well, magically the 2 permit rules solved the issue. However, WHY?
Isn't the zone-based firewall supposed to permit the traffic with my configured rules? Why do I have to apply a static ACL to the interface (the LAN one) to permit it? Isn't ZBF supposed to replace the traditional static ACL firewall...?
02-24-2014 09:06 AM
Sounds like a possible CEF issue.
Since this is a TEST environment, remove the access-group from the interface and issue the following command in configuration mode:
no ip cef
Let me know if it works after that.
02-24-2014 09:11 AM
You are awesome!!!!
Removed access-group 180 from Gig0/1 in both directions and disabled IP CEF. The connection is back again!!!
So does this mean it is a bug in IOS, or did I configure something wrong...
02-24-2014 09:18 AM
It is a possibility.
Try this:
1- Add reverse-route to the crypto map:
crypto map outside_map 10 ipsec-isakmp
reverse-route static
Some more information about IP CEF.
Troubleshooting Prefix Inconsistencies with Cisco Express Forwarding
Please share the "show version | inc 15".
Thanks!
02-24-2014 09:23 AM
With IP CEF enabled, adding reverse-route static also brought the connection back.
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(1)T1, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
System image file is "flash:c1900-universalk9-mz.SPA.154-1.T1.bin"
Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.
BTW, your link does not work.
02-24-2014 09:38 AM
Very good, then that is your fix.
The link is: http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/14540-cefincon.html
Please rate any helpful posts.
02-24-2014 09:43 AM
Thanks a lot for your help!!! I am still trying to figure out why Reverse Route Injection is needed on IOS?
While I was waiting for help, I also set up an ASA 5505 to the same vShield Edge and I did not have to enable reverse route injection there...
I should read the IP CEF stuff more I guess...
02-24-2014 09:45 AM
You are welcome!
Feel free to ping me back at any time.