07-23-2012 10:16 AM - edited 03-04-2019 05:03 PM
Hi All,
Just want to say a big thank you to all the Net Pros that devote their time & resources to help others.
I was recently on this forum when I configured VPN between two of our sites. I got the VPN up and running and all the resources working without hitches. How ever I had to add configure a fail over (Backup) link at the Head office, for this we are using BGP.
The fail over was configured and is running, all the systems are on internet. The VPN is showing UP and active but the only problem is that the internal systems cannot ping across the vpn to reach remote systems. So they can reach any resource on the LAN.
Pasted below is the sho run and show crypto session.
#sho run
Building configuration...
Current configuration : 6144 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname lagos
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5
enable password
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3885639516
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3885639516
revocation-check none
rsakeypair TP-self-signed-3885639516
!
!
crypto pki certificate chain TP-self-signed-3885639516
certificate self-signed 01
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip dhcp bootp ignore
!
!
no ip bootp server
ip domain name
ip name-server 19.x.x.x
ip name-server 4.x.x.x
ip name-server 1.x.x.x
login block-for 15 attempts 5 within 5
!
multilink bundle-name authenticated
password encryption aes
!
!
username td privilege 15 secret xx
username tdf privilege 15 secret xx
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address 4.2.2.2
!
!
crypto ipsec transform-set ME-VPN esp-aes esp-md5-hmac
!
crypto map VPN-TO-PH 10 ipsec-isakmp
set peer 4.2.2.2
set transform-set ME-VPN
match address VPN-TRAFFIC
!
archive
log config
logging enable
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
ip address 192.1.1.1 255.255.255.255
!
interface Loopback1
ip address 1.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map VPN-TO-PH
!
interface Tunnel0
no ip address
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
!
interface FastEthernet0
description ### PRIMARY LINK ###
ip address 17.1.2.11 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description ### DOPC SECONDARY LINK ###
ip address 17.1.4.11 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
switchport access vlan 100
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan100
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
router bgp 65142
no synchronization
bgp log-neighbor-changes
network 1.2.2.0 mask 255.255.255.252
neighbor 17.1.2.1 remote-as 65136
neighbor 17.1.4.11 remote-as 65136
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map LAT interface Loopback1 overload
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
logging facility local2
access-list 20 permit 192.168.0.x
access-list 100 remark EXCLUDE NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
access-list 101 permit udp any any eq bootpc
no cdp run
!
!
!
route-map LAT permit 1
match ip address 100
!
!
!
!
control-plane
!
line con 0
exec-timeout 5 0
password
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
password
login authentication local_auth
transport input telnet ssh
line vty 5 193
password
login authentication local_auth
transport input telnet ssh
!
end
#sho crypto session
Crypto session current status
Interface: Loopback1
Session status: UP-ACTIVE
Peer: 4.2.2.2 port 500
IKE SA: local 1.2.2.2/500 remote 4.2.2.2/500 Active
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
As you can see, everything appear ok, but still the systems are not able to access resources over the vpn.
The only change added to this config compared to the former one is the introduction of routing protocol BGP (I was using default route initially). And the introduction of Loopback interface, the NAT is now using Loopback 1 interface address for overload instead of Fast Ethernet1.
Can some one tell me why this is not working and how to rectify.
Below is the sho run of the first config I used to initially set up the VPN (before setting up the Backup link). This was working perfectly and all the systems connecting over the vpn.
sho run
Building configuration...
Current configuration : 5891 bytes
!
version 12.4
!
crypto pki trustpoint TP-self-signed-3885639516
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3885639516
revocation-check none
!
ip cef
ip dhcp bootp ignore
!
!
no ip bootp server
no ip domain lookup
ip domain name mastersenergyltd.com
ip name-server 1.2.2.2
ip name-server 4.2.0.1
ip name-server 192.168.0.2
login block-for 15 attempts 5 within 5
!
multilink bundle-name authenticated
password encryption aes
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key xxx address 4.2.2.2
!
!
crypto ipsec transform-set ME-VPN esp-aes esp-md5-hmac
!
crypto map VPN-TO-PH 10 ipsec-isakmp
set peer 4.2.2.2
set transform-set ME-VPN
match address VPN-TRAFFIC
!
archive
log config
logging enable
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
no ip address
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
!
interface FastEthernet0
description BACKUP INTERNET LINK
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 4.2.2.7 255.255.255.128
ip verify unicast source reachable-via rx allow-default 101
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-TO-PH
!
interface FastEthernet2
switchport access vlan 100
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan100
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 4.2.2.1
!
!
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip nat inside source route-map LAT interface FastEthernet1 overload
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
logging facility local2
access-list 20 permit 192.168.0.9
access-list 100 remark EXCLUDE NAT
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
access-list 101 permit udp any any eq bootpc
no cdp run
!
!
!
route-map LAT permit 1
match ip address 100
!
end
Thanks in advance.
Tom
07-23-2012 01:30 PM
Hello Tom,
I hope you are well.
When using the loopback we need to enforce traffic of the VPN over the loopback itself in order to trigger the encrpytion process.
For this site you need
ip route 192.168.1.0 255.255.255.0 loopback1
on the remote site
ip route 192.168.0.0 255.255.255.0 loopback1
(assuming the same loop number is used on both routers)
Hope to help
Giuseppe
07-24-2012 12:31 AM
Hi Giuseppe,
Good to hear from you again. Your input helped me so much the last time to resolve my challenge. Thanks.
I added
ip route 192.168.1.0 255.255.255.0 loopback1
to the config but there was no change.
Show crypto session always show that the VPN is up and active meaning that there is no issue with the VPN configuration.
#sho crypto session
Crypto session current status
Interface: Loopback1
Session status: UP-ACTIVE
Peer: 4.2.2.2 port 500
IKE SA: local 19.2.22.22/500 remote 4.2.2.2/500 Active
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
Its just IP connectivity of the end systems that is an issue.
The BGP is running between my router and the ISP router (my gateway) but my remote site router is not running BGP, its accessing the net via default route. And the remote site is not presently having a backup (failover) link.
The config for remote site is given below but I dont think that's the issue because the major change done was the introduction of BGP at the head office. The only thing done at the remote site was to change the peer address.
#sho run
Building configuration...
Current configuration : 4436 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1653327508
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1653327508
revocation-check none
rsakeypair TP-self-signed-1653327508
dot11 syslog
!
ip cef
!
!
no ip domain lookup
ip name-server 1.2.2.2
ip name-server 4.2.0.1
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key shhh address 4.2.2.7
!
!
crypto ipsec transform-set ME-VPN esp-aes esp-md5-hmac
!
crypto map VPN-TO-PH 10 ipsec-isakmp
set peer 4.2.2.7
set transform-set ME-VPN
match address SDM_1
!
archive
log config
hidekeys
!
interface Loopback0
ip address 192.200.200.1 255.255.255.255
!
interface Tunnel0
no ip address
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 4.2.2.2 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-TO-PH
!
interface FastEthernet2
!
interface FastEthernet3
!
!
interface Vlan1
no ip address
!
interface Dialer1
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 4.2.2.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthern
!
ip access-list extended SDM_1
remark SDM_ACL Category=20
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 100 remark EXCLUDED FROM NAT
access-list 100 remark SDM_ACL Category=16
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
end
Thanks.
Tom
07-24-2012 04:44 AM
Hi Giuseppe,
I just thought i should add this observation.
I did a vpn tunnel test from sdm. Though the test was successful but i received this message which I feel may be the reason for the IP connectivity problem:
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
I have issued 'crypto ipsec df-bit clear' on both local & remote routers but still no noticable change. The IP connectivity issues still persists.
Thanks
Tom
07-24-2012 07:51 AM
Hello Tom,
we should understand the issue better.
From router of site1 ( the one speaking eBGP) if you try to ping 192.168.1.1 from 192.168.0.1 what is the result?( I mean using an extended ping)
What is the output of show crypto ipsec sa?
The MTU issue has to be handled later if it is real. But for the moment it is important to understand the connectivity issue.
I remember you had some issues with some static NAT statements.
.
Hope to help
Giuseppe
07-24-2012 08:34 AM
Hi Giuseppe,
From the eBGP speaking router extended ping to remote router's internal and external interfaces gives 100% replies
#ping 192.168.1.1 source 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/304/496 ms
#ping 4.2.2.2 source 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 272/409/624 ms
From the non BGP speaking router, extended ping to this side also gives 100% replies when I use source IP as the local internal IP address but gives no reply when I use the public IP of external interface as the source IP.
#ping 192.168.0.1 source 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 4.2.2.2
.....
Success rate is 0 percent (0/5)
#ping 192.168.0.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 116/146/180 ms
#ping 192.168.0.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/280/428 ms
Yes its true I had some issues with static NAT statements previously but I removed the static NAT entirely. As u can see from the config earlier posted, the only NAT statement is that which I use for internet access and it is overloading on the Loopback1 interface.
I have a feeling it has to do with NATing but I can't pin point how else to issue the NAT statement since I didnt make any much change.
I can recall however that at the point of configuring the backup I had problem with ineternet connectivity until I added 'IP NAT OUTSIDE' to the two physical interfaces (Fa0 & Fa1) - Primary & Backup links. Initially I had the 'IP NAT OUTSIDE' statement only on the Loopback1 interface.
Thanks
Tom
07-24-2012 08:40 AM
Hello Tom,
the correct test is to ping internal to internal and this works. (LAN to LAN) you should see the counters increasing in show crypto ipsec sa for both encrypted and decrypted packets and bytes.
What happens if you start the ping from an host in 192.168.0.0/24 and you try to ping an host in 192.168.1.0/24?
I remember you had strange results with 50% of packet loss.
I see that you have removed all the static NAT statements.
Hope to help
Giuseppe
07-24-2012 08:51 AM
Hi,
Sorry I forgot to paste the output of the 'sho crypto ipsec sa' It is shown below:
For remote router (non BGP speaking router)
# sho crypto ipsec sa
interface: FastEthernet1
Crypto map tag: VPN-TO-PH, local addr 4.2.2.2
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 1.2.2.225 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19473, #pkts encrypt: 19473, #pkts digest: 19473
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 4.2.2.2, remote crypto endpt.: 1.2.2.225
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1
current outbound spi: 0x8C6F3BB5(2356100021)
inbound esp sas:
spi: 0x21352D5D(557133149)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 19, flow_id: Motorola SEC 2.0:19, crypto map: VPN-TO-PH
sa timing: remaining key lifetime (k/sec): (4397342/1653)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8C6F3BB5(2356100021)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 20, flow_id: Motorola SEC 2.0:20, crypto map: VPN-TO-PH
sa timing: remaining key lifetime (k/sec): (4397199/1653)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
For Head office router (eBGP speaking router)
#sho crypto ipsec sa
interface: Loopback1
Crypto map tag: VPN-TO-PH, local addr 1.2.2.225
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/179)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
current_peer 4.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.2.2.225, remote crypto endpt.: 4.2.2.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/6/179)
current_peer 4.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.2.2.225, remote crypto endpt.: 4.2.2.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 4.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 20462, #pkts decrypt: 20462, #pkts verify: 20462
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1
local crypto endpt.: 1.2.2.225, remote crypto endpt.: 4.2.2.2
path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
current outbound spi: 0xD069D21(218537249)
inbound esp sas:
spi: 0xEB28F588(3945330056)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 23, flow_id: Motorola SEC 2.0:23, crypto map: VPN-TO-PH
sa timing: remaining key lifetime (k/sec): (4471105/2648)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD069D21(218537249)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 24, flow_id: Motorola SEC 2.0:24, crypto map: VPN-TO-PH
sa timing: remaining key lifetime (k/sec): (4471174/2648)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The MTU size on one side is 1500 while on the other side it is 1514.
Thanks
Tom
07-24-2012 09:01 AM
Hello Tom,
these show crypto ipsec sa look like fine
>> local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 4.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
>> #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
>> #pkts decaps: 20462, #pkts decrypt: 20462, #pkts verify: 20462
at each ping attempt LAN to LAN the pkts encaps should increase by 5. To be noted the remote end has had less configuration changes and the counter of received and decapsulated = decrypted packets is bigger.
I would try to use an extended ping to send 100 ICMP echo request from HQ router and then check again the counters to see if they are incremented by 100 in pkts encaps line
Hope to help
Giuseppe
07-23-2012 02:39 PM
In order to override the eBGP default TTL of 1, try to add the command:
neighbor 17.1.2.1 ebgp-multihop 255
on both routers for the neighbor statements (with the respective IP address of the neighbor on the other side).
If that doesn't help, can you post the output of the 'show ip bgp sum' and 'show ip route bgp' from both routers ?
Regards,
Georg
07-24-2012 12:40 AM
Hi Georg,
I can only add the
neighbor 17.1.2.1 ebgp-multihop 255
on my router since i dont have access to the ISP router. Will adding this only on my router make any difference?
The BGP is running between my router and the ISP router (my gateway) but my remote site router is not running BGP, its accessing the net via default route. And the remote site is not presently having a backup (failover) link.
I dont think that the issue is with the remote site router because the major change done was the introduction of BGP at the head office. The only thing done at the remote site was to change the peer address. And the show crypto session will reveal that VPN is ok.
#sho crypto session
Crypto session current status
Interface: Loopback1
Session status: UP-ACTIVE
Peer: 4.2.2.2 port 500
IKE SA: local 19.2.22.22/500 remote 4.2.2.2/500 Active
IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
Below is the output of sho ip bgp sum
sho ip bgp sum
BGP router identifier 19.2.22.22, local AS number 65142
BGP table version is 10, main routing table version 10
9 network entries using 1080 bytes of memory
17 path entries using 884 bytes of memory
7/6 BGP path/bestpath attribute entries using 868 bytes of memory
5 BGP AS-PATH entries using 120 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 2984 total bytes of memory
BGP activity 9/0 prefixes, 17/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
17.1.2.1 4 65136 341 341 10 0 0 01:32:01 8
17.1.4.1 4 65136 341 341 10 0 0 01:31:58 8
The BGP protocol seems ok. We have good connectivity to the internet and the vpn is up. But the only issue is IP connectivity of the end system thru the vpn connection. What do you think?
Thanks.
Tom
07-24-2012 04:45 AM
Hi Georg,
Thought I should add this:
I did a vpn tunnel test from sdm. Though the test was successful but i received this message which I feel may be the reason for the IP connectivity problem:
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
I have issued 'crypto ipsec df-bit clear' on both local & remote routers but still no noticable change. The IP connectivity issues still persists.
Thanks
Tom
07-24-2012 04:42 AM
Hi All,
I did a vpn tunnel test from sdm. Though the test was successful but i received this message which I feel may be the reason for the IP connectivity problem:
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
I have issued 'crypto ipsec df-bit clear' on both local & remote routers but still no noticable change. The IP connectivity issues still persists.
Thanks
Tom
07-24-2012 05:08 AM
Tom,
looking over your initial config, I think you might need to allow TCP port 179 (which is used by BGP) to your VPN-TRAFFIC extended access list. Add the following lines and see what happens:
permit tcp any any eq 179
permit tcp any eq 179 any
Regards,
Georg
07-24-2012 05:41 AM
Hi Georg,
I added the permit statement to the vpn traffic access list but still no change.
ip access-list extended VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit tcp any any eq bgp
permit tcp any eq bgp any
There is no change to the result.
Thanks for your input.
Tom
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: