08-24-2013 06:42 AM - edited 03-04-2019 08:51 PM
Dear Experts,
I have a strange issue: my configs were working perfectly on 12.4. When I changed the router to an 887VA with IOS 15.1, the NAT doesn't work for internet traffic.
I have configured the EZVPN client on my new 887VA router connecting to HO. The VPN is established perfectly, but the traffic for the internet stops. When I remove the crypto command from my outside interface, it starts translating and the NATting for internet traffic works fine.
08-25-2013 06:49 AM
Hello Clark,
Not sure if this will help, but I have encountered a similar issue which was solved by performing the NAT via a route-map.
Please try the following configuration:
route-map NAT permit 10
 match ip address 100
 match interface Dialer0
!
! access-list 100 is the ACL that already defines the inside traffic to translate
ip nat inside source route-map NAT interface Dialer0 overload
Regards,
Valentine
08-25-2013 07:30 AM
Dear,
I tried this before, but I am still facing the same issue.
08-25-2013 09:45 AM
Hi Clark,
I am not entirely sure but my thoughts revolve about a different thing: you say that when you have the EzVPN client running, the NAT does not work, and when you remove the crypto ipsec client command from your Dialer0 interface, the internet connectivity resumes.
I wonder how the routing changes when you have the VPN running. Does the HQ send you a set of routes that could potentially take over your current routing, including the default route? What does the traceroute show when the VPN is running? Would it confirm that the packets are actually being carried over to the HQ site? Optionally, can you post the show ip route command output during the time VPN is up?
Best regards,
Peter
08-25-2013 10:15 AM
Thanks Peter for the reply.
I wonder how the routing changes when you have the VPN running. Does the HQ send you a set of routes that could potentially take over your current routing, including the default route?
NO
What does the traceroute show when the VPN is running?
If I do a traceroute to 8.8.8.8, the traffic hits the HO (EzVPN server).
Would it confirm that the packets are actually being carried over to the HQ site?
YES
Optionally, can you post the show ip route command output during the time VPN is up?
Router#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
85.0.0.0/32 is subnetted, 2 subnets
C 85.154.72.1 is directly connected, Dialer0
C 85.154.78.33 is directly connected, Dialer0
119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 119.127.99.0/24 is directly connected, Vlan1
L 119.127.99.1/32 is directly connected, Vlan1
08-25-2013 10:38 AM
Hi Clark,
In the case the HQ is not sending any routes (i.e. no split tunneling is performed), the EzVPN client will add a (possibly hidden) default route via the HQ site. That confirms the behavior you're seeing. Can you actually configure the HQ site to advertise only those routes to you that should be available through the tunnel? We need to do split tunneling here.
Best regards,
Peter
08-25-2013 10:59 AM
Thanks for the reply,
The split tunneling is configured on the HQ router.
I have 10 locations running with 870 routers. The 10th location's router went faulty; I replaced that router with an 887VA router and configured the same config on the 887VA router that was on the 870 router.
Things are working perfectly on 12.4 IOS. Once I changed the router to an 887VA with a 15.0 IOS, everything stopped working.
Thanks
08-25-2013 11:15 AM
Hi Clark,
Hmmm... would you mind entering the crypto ipsec client ezvpn EZ mode on your 887VA and adding the following command?
virtual-interface
so the configuration will look like:
crypto ipsec client ezvpn EZ
! other configuration will remain intact
virtual-interface
This configuration change will cause the router to create a Virtual-Access interface through which the split tunnel is being represented in the routing table. I assume this should help us to avoid all traffic being pulled into the VPN tunnel.
After changing the configuration, you will need to tear down the VPN and let it come up again. After this, please again post the output of the show ip route command. Thanks!
Best regards,
Peter
08-25-2013 11:30 AM
Hello Peter,
After entering the command the VPN went down and it did not come up again. It removed the command from the Dialer0 interface; I manually put it back again, but the status is still the same.
Thanks
08-25-2013 11:41 AM
Hi Clark,
Okay, a slight modification. Add these lines to your running-config:
interface Virtual-Template1 type tunnel
tunnel-mode ipsec ipv4
!
crypto ipsec client ezvpn EZ
no virtual-interface
virtual-interface 1
Regardless of whether the VPN comes up or not, after modifying your configuration and trying to reestablish the VPN, please post the output of the show ip route and show crypto ipsec client ezvpn commands. Thank you!
Best regards,
Peter
08-25-2013 12:02 PM
Dear Peter,
interface Virtual-Template1 type tunnel
tunnel-mode ipsec ipv4
As soon as I execute the command below:
crypto ipsec client ezvpn EZ
virtual-interface 1
EZVPN: For virtual-interface to take effect apply ezvpn on a real interface
Aug 25 18:58:21.248: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down
Router(config-crypto-ezvpn)#do sh ip rout
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer0
62.0.0.0/32 is subnetted, 2 subnets
C 62.61.160.1 is directly connected, Dialer0
C 62.61.173.250 is directly connected, Dialer0
119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 119.127.99.0/24 is directly connected, Vlan1
L 119.127.99.1/32 is directly connected, Vlan1
Router(config-crypto-ezvpn)#
############################################
Router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
ATM0.1 unassigned YES unset up up
Dialer0 62.61.173.XX YES IPCP up up
Ethernet0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
NVI0 119.127.99.1 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up down
Virtual-Access3 unassigned YES unset down down
Virtual-Access4 unassigned YES unset up down
Virtual-Access5 unassigned YES unset up down
Virtual-Template1 unassigned YES unset up down
Vlan1 119.127.99.1 YES NVRAM up up
Router#
##################################################################
Router#sh cry ipse cli ezvpn
Easy VPN Remote Phase: 8
Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Virtual-Access5
Current State: IDLE
Last Event: REMOVE_INTERFACE_CFG
Save Password: Disallowed
Current EzVPN Peer: 85.154.XX.XX
08-25-2013 12:57 PM
Hi Clark,
I've tested this in Dynamips. It seems that there is some sort of a bug that prevents the client configuration from being correctly modified using the virtual-interface command if the EzVPN client is already activated on interfaces. It results in the erroneous messages about 'only a single outside interface allowed'.
It seems that one of the ways to rectify this is to simply remove the entire EzVPN client configuration and paste it back. So if you don't mind, please try doing just that, e.g.:
interface Dialer0
no crypto ipsec client ezvpn EZ
!
crypto ipsec client ezvpn EZ
no virtual-interface
exit
no crypto ipsec client ezvpn EZ
!
! At this point, make absolutely sure that no EzVPN config
! has remained in your router
!
crypto ipsec client ezvpn EZ
virtual-interface
connect auto
group KK key 123
mode network-extension
peer 85.85.85.86 default
xauth userid mode interactive
exit
interface Vlan1
crypto ipsec client ezvpn EZ inside
exit
interface Dialer0
crypto ipsec client ezvpn EZ outside
end
Looking forward to hearing from you!
Best regards,
Peter
08-25-2013 01:17 PM
Sorry, I saw your reply late. Give me 5 min and I will reply to you.
08-25-2013 01:40 PM
Dear Peter
Still the same: no ping from the internal LAN to IP 8.8.8.8, nor am I able to ping from the router itself.
Here is the output.
Router(config-if)#do sh ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES manual up up
ATM0.1 unassigned YES unset up up
Dialer0 85.154.200.4 YES IPCP up up
Ethernet0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
NVI0 119.127.99.1 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up down
Virtual-Access3 unassigned YES unset down down
Virtual-Access4 unassigned YES unset up down
Virtual-Access5 unassigned YES unset up down
Virtual-Access6 85.154.200.4 YES unset up up
Virtual-Template1 unassigned YES unset up down
Vlan1 119.127.99.1 YES NVRAM up up
###############################
Router(config-if)# do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access6
is directly connected, Dialer0
85.0.0.0/32 is subnetted, 3 subnets
C 85.154.200.1 is directly connected, Dialer0
C 85.154.200.4 is directly connected, Dialer0
S 85.154.237.218 [1/0] via 0.0.0.0, Dialer0
119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 119.127.99.0/24 is directly connected, Vlan1
L 119.127.99.1/32 is directly connected, Vlan1
Router(config-if)#
#################################
Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : EZ
Inside interface list: Vlan1
Outside interface: Virtual-Access6 (bound to Dialer0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Disallowed
Current EzVPN Peer: 85.154.XX.XX
Router#
08-25-2013 02:00 PM
Hi Clark,
At least now you can see that the split tunnel is not working - the routing table now clearly shows that all you are getting from the HQ is a default route that points through the Virtual-Access interface back to the HQ. Your router basically load-balances over the Dialer (non-VPN) and Virtual-Access (VPN) interfaces indiscriminately.
The most correct solution would be to correct the HQ configuration because at present, it is not sending a proper split tunnel configuration to your own router. However, I do not know if changing the HQ's configuration is currently in your power, or whether it is acceptable. Definitely, though, the split tunneling configuration on HQ is not correct, and HQ is not sending the set of local routes to be carried across the VPN to your router.
Best regards,
Peter
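The diagnosis Peter arrives at rests on reading the default route out of show ip route: a 0.0.0.0/0 entry that lists a Virtual-Access interface as one of its next hops means the EzVPN server is pushing a default route rather than a split-tunnel list, and two next hops on that entry mean the router is load-balancing internet traffic between the ISP and the tunnel. The Python helper below is an added example, not code from this thread or from Cisco; it parses the routing-table text shown above and states that verdict automatically. The first two samples are abridged from Clark's two routing tables; the third (a 10.10.0.0/16 prefix via Virtual-Access6) is constructed to show what a working split tunnel would look like and does not come from his router.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the first two are abridged from the routing tables posted in the
# thread (before and after the virtual-interface change); the third is hypothetical and
# shows a working split tunnel, where only 10.10.0.0/16 is routed into the tunnel.
ROUTE_BEFORE = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Dialer0
      85.0.0.0/32 is subnetted, 2 subnets
C        85.154.72.1 is directly connected, Dialer0
C        85.154.78.33 is directly connected, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
"""

ROUTE_AFTER = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access6
                 is directly connected, Dialer0
      85.0.0.0/32 is subnetted, 3 subnets
C        85.154.200.1 is directly connected, Dialer0
C        85.154.200.4 is directly connected, Dialer0
S        85.154.237.218 [1/0] via 0.0.0.0, Dialer0
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
"""

ROUTE_SPLIT = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S*    0.0.0.0/0 is directly connected, Dialer0
      10.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
S        10.10.0.0/16 [1/0] via 0.0.0.0, Virtual-Access6
      119.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        119.127.99.0/24 is directly connected, Vlan1
L        119.127.99.1/32 is directly connected, Vlan1
"""

# A route line starts with a code (S, S*, C, L, O E2 ...) followed by a prefix.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z]{1,2}\*?(?: [A-Za-z0-9]{1,2})?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s+(?P<rest>.+)$"
)
# A continuation line (extra next hop for the previous prefix) is indented and has no prefix.
CONT_RE = re.compile(r"^\s+(?P<rest>(?:\[\d+/\d+\] )?(?:via |is directly connected, ).+)$")


def egress_of(rest: str) -> Optional[str]:
    """Return the egress interface named at the end of a route entry, or the
    next-hop address when IOS prints no interface, or None if neither is found."""
    tail = rest.rsplit(", ", 1)[-1].strip()
    if re.fullmatch(r"[A-Za-z][\w./-]*", tail):
        return tail
    m = re.search(r"via (\d{1,3}(?:\.\d{1,3}){3})", rest)
    return m.group(1) if m else None


def parse_ip_route(text: str) -> Dict[str, List[str]]:
    """Map each prefix in 'show ip route' output to its list of egress interfaces/next hops."""
    routes: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = m.group("prefix")
            routes.setdefault(current, [])
            egress = egress_of(m.group("rest"))
            if egress:
                routes[current].append(egress)
            continue
        c = CONT_RE.match(line)
        if c and current is not None:
            egress = egress_of(c.group("rest"))
            if egress:
                routes[current].append(egress)
    return routes


def check_split_tunnel(routes: Dict[str, List[str]], tunnel_prefix: str = "Virtual-Access") -> Dict[str, object]:
    """Decide from the routing table what the EzVPN client did to the default route."""
    default = routes.get("0.0.0.0/0", [])
    via_tunnel = [e for e in default if e.startswith(tunnel_prefix)]
    tunnel_prefixes = sorted(
        p for p, eg in routes.items()
        if p != "0.0.0.0/0" and any(e.startswith(tunnel_prefix) for e in eg)
    )
    if via_tunnel and len(default) > 1:
        verdict = "default route split between ISP and tunnel: no split tunnel, internet traffic load-balanced"
    elif via_tunnel:
        verdict = "default route points into the tunnel: all traffic pulled into the VPN"
    elif tunnel_prefixes:
        verdict = "split tunnel in effect: only the listed prefixes go through the tunnel"
    else:
        verdict = "no tunnel routes present (VPN down or its routes hidden)"
    return {"default_egress": default, "tunnel_prefixes": tunnel_prefixes, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("before", ROUTE_BEFORE), ("after", ROUTE_AFTER), ("split", ROUTE_SPLIT)):
        print(name, check_split_tunnel(parse_ip_route(sample)))
```

Run against the "after" table it reports the same thing Peter reads off it by hand: the default route has two egress points, Dialer0 and Virtual-Access6, so the server is not delivering a split-tunnel list. The "split" sample shows the table shape to expect once the HQ pushes specific prefixes instead of a default.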