Cisco WAN :: 2048 Sized Pings Failing Over Ipsec Tunnel
Mar 20, 2013
So because of the way active directory handles Group Policy I have been tasked with finding out why this is failing over the WAN. Basically I know why, but don't know how to correct it. I am trying to increase the MTU over an ipsec tunnel to 2048 to allow Microsoft Slowlink detection to occur. [URL] Basically, it sends 2 icmp packets. One at a normal size and one at a size of 2048. In my case this is trying to occur over an ipsec tunnel and failing due to the MTU being at 1440. I have seen a few articles about increasing it to 1500, but is there a way to increase the MTU to allow the 2048 sized icmp packets?
View 4 Replies
ADVERTISEMENT
Aug 16, 2011
Phase1 is complete, Phase2 isn't coming up...everything has been verified on both sides but we're getting unknown errors.
Aug 17 11:33:15.609 CDT: ISAKMP (0:2): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Aug 17 11:33:15.609 CDT: ISAKMP (0:2): Input = IKE_MESG_INTERNAL,
[Code].....
View 1 Replies
View Related
May 28, 2013
After hours of trial and error, and searching user groups, I have found that on occasion, ASA v8.4 will stop pings with the IPsec-Spoofing logic. Interestingly, the packet-trace will say everything is allowed.
The fix (at least in my case, and one other) is to narrow the crypto-map to specific hosts, not subnets.
View 2 Replies
View Related
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
May 17, 2011
I'm trying to configure a Cisco 1941 to connect to multiple Amazon VPC instances. Each VPC instance brings up 2 x IPsec over GRE tunnels with BGP in to the EC2 cloud and enables flat extension of the corporate LAN. Basically. you can spin up EC2 instances in a private subnet and route to them across the VPC link from the corporate LAN.
The Amazon configuration is templated and not designed to support multiple instances on one customer access gateway - however, I want to overcome this and find a technical solution around bringing up a second physical router. I've got VRF configured and working for the first instance, but when we add a second VRF to the configuration IPsec fails. The second VRF is essentially identical to the first.
We're potentially looking at a licensing issue with IOS 15.x, the version we're running is...
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
data None None None
[Code]....
However, the IPsec configuration is complete and all keychains etc. are in place as they should be.
View 13 Replies
View Related
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address
[Code].....
View 3 Replies
View Related
Oct 19, 2011
- Ipsec tunnell between two 881's
- An Aruba access point trying to set up a tunnell back to controller through the ipsec tunnell, on udp 4500
- Even though traffic shouldn't be NAT'ed (and other traffic is not), udp 4500 is NAT'ed
I guess this might be default behaviour, thing is that it used to work when it was set up as a route based easy vpn.
View 1 Replies
View Related
May 4, 2011
how to create ip sec tunnel using these parameters. customer ip where tunnel has to be connected 1.1.1.1
ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES
Authentication Mode: Pre-shared key
[Code]......
View 4 Replies
View Related
Mar 9, 2011
We have a Cisco 2820 that serves as a hub and our spokes are Cisco 871s. Its been working for a while and for some reason last week. Http and https traffic over the tunnel is having connection issues. I can Remote desktop or PCanywhere into the remote PCs. From that PC I can ping internal IP address or IP of the webmail server or internal webserver with no issue. But if I access it over the browser it times out or it will work and stop working again. Basically ica, icmp, pcanythere, rdp traffic works over the tunnel but not http or https.
View 2 Replies
View Related
May 4, 2011
can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT. I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.
I have a very strange issue where asynchronos routing is making my life as a technician very hard.
A side question; Can I do something about an ISP that is policy-base-routing its ESP traffic (and/or translating it)?
ASA5505 ===>===>===> ISAKMP traffic ===>===>===> ASA5510
212.178.155.73 80.62.yyy.xxx (traffic source IP: 212.178.155.73)
[Code].....
View 3 Replies
View Related
Aug 8, 2012
i am curently troubleshooting a ipsec l2l VPN between
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
In both scenario's the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encap's, but no decap's
It seems like a routing issue, but we can not find anything on both sites.
So maybe i m running into a (known) issue between cisco VPN equipment and the SSG-140?
Could it be a proxy-id issue? Cause they configure stuff like 10.1.1.0/24 and i configure 10.1.1.0 0.0.0.255
View 7 Replies
View Related
Mar 24, 2011
I'm attempting to configure a tunnel on a PIX-501 version 6.3. It's an old device that's due to be replaced soon, but unfortunately we need a tunnel now... I have been using this document as a reference (6211): URL ,The remote end is a sonicwall.
The problem seems to be that the pix never sees the interesting traffic for the tunnel, and never tries to initiate a connection. I have enabled crypto ipsec and crypto isakmp debugs, but no data is ever displayed, even when attempting to access a device on the remote side of the tunnel! Someone had tried to set up this device with some tunnels in the past, but was never successful, so I'm thinking there might be remaining commands in the running-config causing problems.
View 7 Replies
View Related
Oct 29, 2012
configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
[URL]
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside) The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all otherip access-list extended NAT-Trafficdeny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255deny ip 172.19.191.0 0.0.0.255 192.168.128.0
[Code].....
View 1 Replies
View Related
Mar 3, 2011
I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.
View 8 Replies
View Related
Nov 28, 2012
since a few days I'm trying to solve a problem. I've successfully established an IPSec tunnel between two local LANs. In the main office I'm working with a ASA5510 CLI 8.4 and a static public IP address. The branches are using different Cisco 8xx routers and dynamic public IP address. The following picture shows the current configuration:As I mentioned an IPSec Tunnel between the main office "Intern"-LAN 192.168.1.0/24 and an outside LAN 10.10.0.0/24 is successfully established. Now there is a new intern "Admin"-LAN 192.168.2.0/24 at the main office. The users from the outside LAN 10.10.0.0/24 need the possibility to reach this new intern "Admin"-LAN.Can I simply route the traffic from 10.10.0.0/24 to 192.168.2.0/24 via the existing IPSec-Tunnel? Or need I a new IPSec tunnel between the outside 10.10.0.0/24 LAN and the new "Admin"-LAN 192.168.2.0/24?
View 5 Replies
View Related
Aug 24, 2012
I'm going to implement a S-2-S VPN IPSec connection between 2 locations and I've to NAT incomming and outgoing traffic.
View 4 Replies
View Related
May 20, 2013
I have an ASA5510 configuration that I'd like to add to.In this configuration there is a site to site IPSEC VPN tunnel to a remote location.It is tunneling a particular subnet for me and everything is working.In the remote subnet, there is an ASA 5525-x connected on the outside interface. Let's say for argument's sake, the outside IP is 210.0.0.1.On the Inside interface, i've configured 10.240.32.0/24 network.The only static route I have configured on the 5510 is the default gateway that goes to the ISP.I assumed that I have to add: route Outside 10.240.32.0 255.255.255.0 210.0.0.1 1.I did this, but i'm not able to reach the destination 10.240.32.0/24 network. I can't see anything hitting the 5525-x and the only thing I see on the 5510 is the building outbound ICMP and the teardown for the ICMP.
View 6 Replies
View Related
Aug 22, 2011
I´m getting a dynamic public IP from my provider and what I´m trying to do is to establish a remote vpn tunnnel using IPSec which I achieve but every time the sessions resets or the ASA 5505 resets I get a new public IP and I need to put the new IP on the remote client so I can establish the vpn... How can I establish an ipsec vpn using DNS? For this scenario the remote vpn client is a vpn phone but it could be for any vpn client.
Private IP Public IP Private IP
PBX ---- (LAN) ---- ASA 5505 ---( Internet ) --- Remote Site ( Router ) --- (LAN) -- VPN Phone
View 3 Replies
View Related
May 7, 2012
I have a site to site IPSec tunnel setup and operational but periodically the remote site goes down, because of a somewhat reliable internet connection. The only way to get the tunnel to re-establish is to go to the remote site and simply issue a ping from a workstation on the remote network. We were having this same issue with a Cisco PIX 506E but decided to upgrade the hardware and see if that resolve the issue. It ran for well over a year and our assumtions was that the issue was resolved. I was looking in the direction of the security-association lifetime but if we power cycle the unit, I would expect that it would kill the SA but even after power cycling, the VPN does not come up automatically.
View 1 Replies
View Related
Nov 18, 2011
I configured an IPSec VPN tunnel between two ASA 5505 firewalls. I would like to make sure that the IPSec tunnel (hence the security association) is permanent and do not drop due to idle condition.
View 2 Replies
View Related
Jun 29, 2011
I need to route traffic to DMZ (and internal) from the branch office thru the IPSec tunnel. How do I manage that with my Cisco 881?
View 1 Replies
View Related
Mar 29, 2011
I have running more the 30 VPN tunnels on my ASA5540 release 8.3(x).I want to disable one VPN tunnel(temporarily) without removing the configuration either Phase 1 or Phase 2.let me to know the command to disable IPSec VPN tunnel on CLI or ASDM.
View 1 Replies
View Related
Aug 9, 2012
I'm having trouble configuring an ASA5505 on version 8.31 code for an IPSec tunnel. I've done this multiple times on 8.2.5 but can't seem to get my tunnel to even attempt to come up on this ASA. Not sure if it's relevent or not, but this remote ASA has never been used for another VPN tunnel before. When I attempt to ping a host on the other side of my tunnel, I just see the following: 8108# sho crypto isa sa
There are no isakmp sas
My local network is 10.1.1.X/24 and my remote peer network contains 66.37.227.X/24. I've been working on this for the better part of the day and would love to get it resolved.
View 8 Replies
View Related
Aug 3, 2011
I've created an IPSEC VPN site-to-site from a SR520 (remote office) to a Nortel Contivity(home office)...all works really well on the VPN front as I can communicate effectively over the tunnel. However, this setup will be deployed at a few smaller sites and I'd like to setup a split tunnel so that Internet bound traffic goes straight to the Internet while traffic bound for our home office goes over the IPSEC Tunnel.
View 1 Replies
View Related
Apr 23, 2012
We have about 9 1900 routers and 1 ASA 5510 for partail mesh VPN network. So 8 1900 connect to 1 1900 and ASA located in HQ and datacenter. All worked well however there is one site running really strange. The tunnel between 1900 is up for a while and down. Reboot router seems to be the only fix. But tunnel to ASA does not seem to be down at all.
The issue happened again today, we rebooted the router on site but tunnel still not up. DEBUG shows: deleting SA reason "Death by retransmission P1 "
I can see alot of Apr 24 19:57:55.271: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
To me it seems like the IDE packet sent but never got reply and timed out. I did also check on the other end, the HQ. All other tunnels are still running fine on that router, just this remote site. Plus I got the similiar output when debugging on HQ router.
One thing do notice though, there was no match on both router for the ACL to match/permit ESP traffic... I asked on-site staff to reboot the modem used in remote site.
View 3 Replies
View Related
Mar 19, 2011
I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
Cisco ASA-5505
Peer A: x.x.x.x
Lan A: 192.168.0.0 255.255.255.0
Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B: 192.168.23.0 255.255.255.0
I start traffic from LAN B with a ping (or telnet it doesn't matter) that receive no reply but tunnel goes up fine.
"show isakmp sa" seems ok (says "State : MM_ACTIVE")
"show ipsec sa" seems ok but all #pkts are zero
try ftp, telnet from LAN B to LAN A systems but no one work. "show ipsec sa" all #pkts are zero As soon as I generate traffic from LAN A to LAN B these works (with tunnel already up) also traffic from LAN B to LAN A works.Obviously if I end VPN and start tunnel making traffic from LAN A all work fine bidirectionally, LAN A reach LAN B and LAN B reach LAN A.No msg logged in either two appliance.
Seems a very strange problem because seems not related to Phase1 or Phase2 already established.Traffic (routing ?) start works only after at least one packet goes from LAN A to LAN B.No msg logged in either two appliance.Problems begun in ASA version 8.0(4) ASDM version 6.1(3) and remain/continue after upgrade to ASA Version 8.4(1) ASDM version 6.4(1).
View 1 Replies
View Related
Aug 3, 2011
I'm having some trouble configuring 2 cisco routers (877) with ipsec vpn tunnel.The 2 of them are linked to the internet with dynamic adsl's - their ip-addresses changes all the time.when the configuration is based on ip addresses it's working ok, but when I'm trying to use host name with the DDNS feature, it's not coming up, I get a lot of errors...
I've searched google and various posts regarding that issue.It's seems like it's possible to do a dynamic-ip to dynamic-ip ipsec tunnel, but I found zero manuals and configuration.I've added the template that I'm using to configure the tunnel with ip addresses.
View 2 Replies
View Related
May 23, 2011
Iam fairly new to Cisco IOS and am having trouble getting an IPSEC tunnel to come up between 2 cisco 881-s. I have entered both debug crypto isakmp and debug crypto verbose but when I try to ping an internal IP at the other location through my VLAN1 interface no debugging info comes up.
Also my ACL-s for the crypto maps show no activity. I have tried many things so my configuration files are starting to get really messy.
[code]...
View 1 Replies
View Related
Jan 30, 2012
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to acomplish this? I have tried utilizing the crypto map policy to do this, but was unable to acomplish this.
Each of our office locationss utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.
View 21 Replies
View Related
Mar 5, 2012
I'm attempting to debug an ipsec tunnel on an ASA 5510 (8.4(3)) and when I turn on `debug crypto ipsec` and then execute `logging monitor` I get an constant stream of TCP debugging events, is it possible to only view ipsec messages?
View 2 Replies
View Related
Feb 10, 2011
Having a problem getting an ipsec tunnel to work between 2 asa 5505. This in one of the two configs.
Result of the command: "show run"
: Saved:ASA Version 8.3(2) !hostname 20Pullmandomain-name skeincenable password IKxxneNMTRgDw/Xd encryptedpasswd 2KFQnbNIdI.2KYOU encryptednames!interface Vlan1nameif insidesecurity-level 100ip address 172.16.1.70 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip [Code]...
View 1 Replies
View Related
Jun 9, 2011
we have a DMVPN Phase 2 setup in a hub and spoke design using a single head end device (Cisco 2821) and 30 spokes the majority of which are 1801's, all spokes have the same configuration and underlying transport (DSL). DSL circuits are terminated directly on the ISR.
We have a strange issue where by one of the spokes drops the tunnel every 4 or 6 minutes almost down to the second as per the output from "crypto logging session" This seems to vary between both time frames.
EEYSRO01# sh logg | include CRYPTO-5-SESSION_STATUS
Jun 10 12:48:36.624: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 213.**.**.**:500 Id: 213.**.**.**
Jun 10 12:49:06.697: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 213.**.**.**:500 Id: 213.**.**.**
Jun 10 12:52:36.718: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 213.**.**.**:500 Id: 213.**.**.**
Jun 10 12:52:37.030: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 213.**.**.**:500 Id: 213.**.**.**
[code]....
We also have other errors that proceed to the tunnel Up/Down events
Jun 10 14:35:15.716: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820
Jun 10 14:35:15.716: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x1000820
View 0 Replies
View Related
Oct 23, 2012
We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the Pix, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the pix to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network as we can not get a wire shark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.
2. Have tried various NAT entries.
3. Have removed and then recreated the VPN tunnel from a fresh start.
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
The tunnel is fully up at all times and as we say can ping in both directions.
View 7 Replies
View Related