NAT Interface Overload

clark white
Level 2

Dear Experts,

I have a strange issue: my configs were working perfectly on 12.4. When I changed the router to an 887VA with IOS 15.1, NAT doesn't work for Internet traffic.

I have configured the EZVPN client on my new 887VA router connecting to HO. The VPN is established perfectly, but the traffic for the Internet stops. When I remove the crypto command from my outside interface, it starts translating and NAT for Internet traffic works fine.

35 Replies

valentine_g
Level 1

Hello Clark,

Not sure if this will help, but I have encountered a similar issue which was solved by performing the NAT via a route-map.

Please try the following configuration :

! access-list 100 (not shown in the post) selects the inside source addresses to translate
route-map NAT permit 10
 match ip address 100
 match interface Dialer0
!
ip nat inside source route-map NAT interface Dialer0 overload

Regards,

Valentine

Dear,

I tried this before, but I am still facing the same issue.

Peter Paluch
Cisco Employee

Hi Clark,

I am not entirely sure, but my thoughts revolve around a different thing: you say that when you have the EzVPN client running, the NAT does not work, and when you remove the crypto ipsec client command from your Dialer0 interface, the Internet connectivity resumes.

I wonder how the routing changes when you have the VPN running. Does the HQ send you a set of routes that could potentially take over your current routing, including the default route? What does the traceroute show when the VPN is running? Would it confirm that the packets are actually being carried over to the HQ site? Optionally, can you post the show ip route command output during the time VPN is up?

Best regards,

Peter

Thanks, Peter, for the reply.

I wonder how the routing changes when you have the VPN running. Does the HQ send you a set of routes that could potentially take over your current routing, including the default route?

NO

What does the traceroute show when the VPN is running?

If I do a traceroute to 8.8.8.8, the traffic hits HO (the EzVPN server).

Would it confirm that the packets are actually being carried over to the HQ site?

YES

Optionally, can you post the show ip route command output during the time VPN is up?

Router#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      85.0.0.0/32 is subnetted, 2 subnets
C        85.154.72.1 is directly connected, Dialer0
C        85.154.78.33 is directly connected, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1

Hi Clark,

In case the HQ is not sending any routes (i.e. no split tunneling is performed), the EzVPN client will add a (possibly hidden) default route via the HQ site. That confirms the behavior you're seeing. Can you actually configure the HQ site to advertise only those routes to you that should be available through the tunnel? We need to do split tunneling here.

Best regards,

Peter

Thanks for the reply,

The split tunneling is configured on the HQ router.

I have 10 locations running with 870 routers. The 10th location's router went faulty; I replaced that router with an 887VA router and configured the same config on the 887VA router that was on the 870 router.

Things were working perfectly on IOS 12.4; once I changed the router to an 887VA with IOS 15.0, everything stopped working.

Thanks

Hi Clark,

Hmmm... would you mind entering the crypto ipsec client ezvpn EZ mode on your 887VA and adding the following command?

virtual-interface

so the configuration will look like:

crypto ipsec client ezvpn EZ
  ! other configuration will remain intact
  virtual-interface

This configuration change will cause the router to create a Virtual-Access interface through which the split tunnel is represented in the routing table. I assume this should help us avoid all traffic being pulled into the VPN tunnel.

After changing the configuration, you will need to tear down the VPN and let it come up again. After this, please again post the output of the show ip route command. Thanks!

Best regards,

Peter

Hello Peter,

After entering the command, the VPN went down and it did not come up again. It removed the command from the Dialer0 interface; I manually put it back again, but the status is still the same.

Thanks

Hi Clark,

Okay, a slight modification. Add these lines to your running-config:

interface Virtual-Template1 type tunnel
  tunnel-mode ipsec ipv4
!
crypto ipsec client ezvpn EZ
  no virtual-interface
  virtual-interface 1

Regardless of whether the VPN comes up or not, after modifying your configuration and trying to reestablish the VPN, please post the output of the show ip route and show crypto ipsec client ezvpn commands. Thank you!

Best regards,

Peter

Dear Peter,

interface Virtual-Template1 type tunnel
  tunnel-mode ipsec ipv4

As soon as I execute the command below:

crypto ipsec client ezvpn EZ
  virtual-interface 1

I get:

EZVPN: For virtual-interface to take effect apply ezvpn on a real interface
Aug 25 18:58:21.248: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down

Router(config-crypto-ezvpn)#do sh ip rout
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      62.0.0.0/32 is subnetted, 2 subnets
C        62.61.160.1 is directly connected, Dialer0
C        62.61.173.250 is directly connected, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
Router(config-crypto-ezvpn)#

############################################

Router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  up                    up
ATM0.1                     unassigned      YES unset  up                    up
Dialer0                    62.61.173.XX   YES IPCP   up                    up
Ethernet0                  unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  up                    up
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
NVI0                       119.127.99.1    YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  up                    down
Virtual-Access3            unassigned      YES unset  down                  down
Virtual-Access4            unassigned      YES unset  up                    down
Virtual-Access5            unassigned      YES unset  up                    down
Virtual-Template1          unassigned      YES unset  up                    down
Vlan1                      119.127.99.1    YES NVRAM  up                    up
Router#

  ##################################################################

Router#sh cry ipse cli ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Virtual-Access5
Current State: IDLE
Last Event: REMOVE_INTERFACE_CFG
Save Password: Disallowed
Current EzVPN Peer: 85.154.XX.XX

Hi Clark,

I've tested this in Dynamips. It seems that there is some sort of a bug that prevents the client configuration from being correctly modified using the virtual-interface command if the EzVPN client is already activated on interfaces. It results in the erroneous messages about 'only a single outside interface allowed'.

It seems that one of the ways to rectify this is to simply remove the entire EzVPN client configuration and paste it back. So if you don't mind, please try doing just that, e.g.:

interface Dialer0
  no crypto ipsec client ezvpn EZ
!
crypto ipsec client ezvpn EZ
  no virtual-interface
  exit
no crypto ipsec client ezvpn EZ
!
! At this point, make absolutely sure that no EzVPN config
! has remained in your router
!
crypto ipsec client ezvpn EZ
  virtual-interface
  connect auto
  group KK key 123
  mode network-extension
  peer 85.85.85.86 default
  xauth userid mode interactive
  exit
interface Vlan1
  crypto ipsec client ezvpn EZ inside
  exit
interface Dialer0
  crypto ipsec client ezvpn EZ outside
  end

Looking forward to hearing from you!

Best regards,

Peter

Sorry for seeing your reply late; give me 5 minutes and I will reply to you.

Dear Peter

Still the same: no ping from the internal LAN to IP 8.8.8.8, nor am I able to ping from the router itself.

Here are the outputs.


Router(config-if)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES manual up                    up     
ATM0.1                     unassigned      YES unset  up                    up     
Dialer0                    85.154.200.4    YES IPCP   up                    up     
Ethernet0                  unassigned      YES NVRAM  administratively down down   
FastEthernet0              unassigned      YES unset  down                  down   
FastEthernet1              unassigned      YES unset  up                    up     
FastEthernet2              unassigned      YES unset  down                  down   
FastEthernet3              unassigned      YES unset  down                  down   
NVI0                       119.127.99.1    YES unset  up                    up     
Virtual-Access1            unassigned      YES unset  up                    up     
Virtual-Access2            unassigned      YES unset  up                    down   
Virtual-Access3            unassigned      YES unset  down                  down   
Virtual-Access4            unassigned      YES unset  up                    down   
Virtual-Access5            unassigned      YES unset  up                    down   
Virtual-Access6            85.154.200.4    YES unset  up                    up     
Virtual-Template1          unassigned      YES unset  up                    down   
Vlan1                      119.127.99.1    YES NVRAM  up                    up 

###############################

Router(config-if)# do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access6
                is directly connected, Dialer0
      85.0.0.0/32 is subnetted, 3 subnets
C        85.154.200.1 is directly connected, Dialer0
C        85.154.200.4 is directly connected, Dialer0
S        85.154.237.218 [1/0] via 0.0.0.0, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
Router(config-if)#

#################################

Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Virtual-Access6 (bound to Dialer0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Current EzVPN Peer: 85.154.XX.XX
Router#

Hi Clark,

At least now you can see that the split tunnel is not working - the routing table now clearly shows that all you are getting from the HQ is a default route that points through the Virtual-Access interface back to the HQ. Your router basically load-balances over the Dialer (non-VPN) and Virtual-Access (VPN) interfaces indiscriminately.

The most correct solution would be to correct the HQ configuration because at present, it is not sending a proper split tunnel configuration to your own router. However, I do not know if changing the HQ's configuration is currently in your power, or whether it is acceptable. Definitely, though, the split tunneling configuration on HQ is not correct, and HQ is not sending the set of local routes to be carried across the VPN to your router.

Best regards,

Peter
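The condition Peter reads off the routing table above (a default route shared between Dialer0 and the Virtual-Access interface, with no specific HQ prefixes pointing into the tunnel) can be checked mechanically. The following Python script is an added example written for this page, not code from the thread or from Cisco. It parses the text of show ip route, assumes the EzVPN client interface name begins with Virtual-Access as it does on this router, and classifies the table. The two sample dumps embedded in it are constructed to mirror the shape of the outputs posted above, with the real addresses replaced by documentation ranges, and the healthy case assumes an HQ prefix of 10.10.0.0/16 that the thread never states.

```python
"""Check a Cisco IOS 'show ip route' dump for the EzVPN split-tunnel failure
seen in this thread: a default route shared between the real WAN interface
(Dialer0) and the EzVPN Virtual-Access interface.

Added example, not code from the thread. The two samples below are
constructed to mirror the router output posted above; addresses are made up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

VPN_IF_PREFIX = "Virtual-Access"   # EzVPN client interface name, as seen in the thread

# Constructed sample: default route load-shared into the tunnel (Peter's diagnosis).
SHOW_IP_ROUTE_BROKEN = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access6
                is directly connected, Dialer0
      203.0.113.0/32 is subnetted, 3 subnets
C        203.0.113.1 is directly connected, Dialer0
C        203.0.113.4 is directly connected, Dialer0
S        203.0.113.218 [1/0] via 0.0.0.0, Dialer0
      192.168.99.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.99.0/24 is directly connected, Vlan1
L        192.168.99.1/32 is directly connected, Vlan1
"""

# Constructed sample of the wanted state: default stays on Dialer0 and only the
# (assumed) HQ prefix 10.10.0.0/16 is routed into the tunnel.
SHOW_IP_ROUTE_SPLIT_OK = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/16 is subnetted, 1 subnets
S        10.10.0.0 [1/0] via 0.0.0.0, Virtual-Access6
      203.0.113.0/32 is subnetted, 2 subnets
C        203.0.113.1 is directly connected, Dialer0
C        203.0.113.4 is directly connected, Dialer0
C     192.168.99.0/24 is directly connected, Vlan1
"""


@dataclass
class Path:
    next_hop: Optional[str]       # None when directly connected
    interface: Optional[str]


@dataclass
class Route:
    code: str                     # S*, C, L, O E2, ...
    prefix: str                   # always network/length once parsed
    paths: List[Path] = field(default_factory=list)


# A route line starts in column 0 with its code; extra next hops (ECMP) of the
# same route follow on indented continuation lines without code or prefix.
CODE_LINE = re.compile(r"^(?P<code>[A-Z][A-Z*]?(?: [A-Z0-9]{1,2})?)\s+"
                       r"(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+(?P<rest>.*)$")
SUBNET_HDR = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(?P<plen>\d+) is (?P<var>variably )?subnetted")
PATH = re.compile(r"(?:\[\d+/\d+\] )?(?:via (?P<nh>[\d.]+)(?:, [\dwdhms:]+)?(?:, (?P<via_if>[\w/.-]+))?"
                  r"|is directly connected, (?P<conn_if>[\w/.-]+))")


def _classful_len(ip: str) -> str:
    first = int(ip.split(".")[0])     # IOS prints classful networks without a mask
    return "8" if first < 128 else "16" if first < 192 else "24"


def _path(m) -> Path:
    if m.group("conn_if"):
        return Path(None, m.group("conn_if"))
    return Path(m.group("nh"), m.group("via_if"))


def parse_show_ip_route(text: str) -> List[Route]:
    routes: List[Route] = []
    hdr_plen: Optional[str] = None    # mask inherited from an 'is subnetted' header
    for line in text.splitlines():
        if not line.strip():
            continue
        hdr = SUBNET_HDR.match(line)
        if hdr:                       # 'variably subnetted' entries carry their own masks
            hdr_plen = None if hdr.group("var") else hdr.group("plen")
            continue
        m = CODE_LINE.match(line)
        if m:
            plen = m.group("plen") or hdr_plen or _classful_len(m.group("prefix"))
            route = Route(m.group("code"), f"{m.group('prefix')}/{plen}")
            p = PATH.fullmatch(m.group("rest").strip())
            if p:
                route.paths.append(_path(p))
            routes.append(route)
        elif line[0].isspace() and routes:
            p = PATH.fullmatch(line.strip())
            if p:                     # additional next hop of the previous route
                routes[-1].paths.append(_path(p))
    return routes


def default_route_paths(routes: List[Route]) -> List[str]:
    for r in routes:
        if r.prefix == "0.0.0.0/0":
            return [p.interface or "?" for p in r.paths]
    return []


def split_tunnel_prefixes(routes: List[Route]) -> List[str]:
    """Non-default prefixes reached through the EzVPN interface: what a working split tunnel installs."""
    return [r.prefix for r in routes if r.prefix != "0.0.0.0/0"
            and any((p.interface or "").startswith(VPN_IF_PREFIX) for p in r.paths)]


def diagnose(routes: List[Route]) -> str:
    """Classify the routing table with respect to EzVPN split tunneling."""
    paths = default_route_paths(routes)
    vpn = [i for i in paths if i.startswith(VPN_IF_PREFIX)]
    if vpn and len(paths) > 1:
        return "default-shared-with-vpn"   # Internet flows load-shared into the tunnel
    if vpn:
        return "default-via-vpn"           # everything tunnelled, no split tunnel
    if split_tunnel_prefixes(routes):
        return "split-tunnel-ok"
    return "no-vpn-routes"                 # tunnel down or HQ pushed nothing


if __name__ == "__main__":
    for name, dump in (("broken", SHOW_IP_ROUTE_BROKEN), ("split ok", SHOW_IP_ROUTE_SPLIT_OK)):
        rt = parse_show_ip_route(dump)
        print(f"{name}: default via {default_route_paths(rt)}, "
              f"tunnel prefixes {split_tunnel_prefixes(rt)} -> {diagnose(rt)}")
```

Feed it a captured show ip route instead of the embedded samples to check a live router. A verdict of default-shared-with-vpn matches the table posted above and means the HQ is pushing only a default route; split-tunnel-ok is what the table should look like once the HQ advertises specific prefixes and the default stays on Dialer0, which is also the state in which the interface-overload NAT on Dialer0 sees all Internet-bound traffic.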
