Cisco Router problem routing for Remote Client

Discussion in 'Cisco' started by, Nov 18, 2005.

  1. Guest


    My company has 2 centers, a main center and a branch (100 km apart).
    They are connected by a VPN service using Cisco 1841 and Cisco 1761 (at
    the branch) routers. All internet access at the branch is through the
    VPN from the main center. The problem I am facing is that I am trying
    to establish a VPN session through Nortel VPN software to a remote
    client site from the branch office, which I am unable to connect; it
    gives the error message "Secure connection has been lost". When I try
    doing the same through the main center it connects without any
    problem. Also, at the branch office I am able to access sites and other
    servers outside our network. Things to note:

    1) All traffic between the 2 centers is unrestricted.
    2) On the main router, from which the internet is being accessed, all
    traffic on ports ISAKMP, ESP and AH is open to and from the remote
    client's VPN.
    3) On the branch router all traffic is open in and out to the remote
    client's public IP.

    Now, to analyze the problem I did Ethereal packet sniffing while trying
    to connect to the remote client's VPN. The results are as follows:
    1) I see traffic to the remote client site as ISAKMP (Aggressive Mode);
    a response back from the client is received.

    2) Then there is traffic and a response for ISAKMP (Transaction (Config

    3) Then I can see traffic from my machine to the remote site as ESP; I
    can see 31 packets sent but no packets received.

    4) After about 51 seconds of initiating the process I see
    ISAKMP (Informational), for which I get a response back as

    5) Immediately after that, ICMP Destination Unreachable from my machine.
    Then I can't ping the remote Nortel firewall for 2-3 minutes.

    I have also checked the NAT translations on the main router. It shows
    the ISAKMP traffic from my machine's IP to the remote client's firewall
    IP and the ICMPerr

    The problem is that I need to get this up and running, as this is
    important. Any help is welcome. Please let me know if you need details.

    , Nov 18, 2005

  2. Guest

    Since Cisco won't post this anywhere for us, I will...

    SCeg83834 Bug Details
    Release Notes
    A router may stop translating packets using NAT, when a NAT entry with
    protocol "icmperr" is observed in the "show ip nat translation" output.

    These symptoms are observed in a Cisco router when the router is
    configured with only dynamic NAT translations with a single address in
    the NAT pool, or when configured using "interface overload".

    To clear all the NAT translations, use the "clear ip nat trans *"
    command.

    This is a problem in recent PI6 images. It did not occur in PI6 images
    built prior to January 1st, 2005.

    To allow additional translations to be created while the router has
    created one with the icmperr, what you would need to do is to create an
    IP NAT POOL containing more than one public IP address and perform NAT
    overload over it. This way, when one of the IP addresses is taken over
    by this erroneous translation, the other IP addresses will still be
    able to be used as the Inside Global address. You will also have to
    reduce the ICMP NAT timeout so the router punts out the icmperr
    translation sooner, making the used IP address available again.
    , Dec 7, 2005
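The workaround described in the post above, written out as a Cisco IOS configuration fragment. This is an added example, not configuration posted in the thread or published by Cisco; the interface names, the ACL number, the inside and public address ranges, and the timeout value are assumptions chosen for illustration and must be replaced with your own.

```cisco
! Added example (not from the thread): pool-based NAT overload instead of a
! single-address "interface overload", plus a shorter ICMP translation timeout.
!
! Before: the shape of configuration the bug report says is affected. One
! public address (the outside interface's own) is overloaded for all inside
! hosts, so a stuck "icmperr" translation pins the only Inside Global address.
!
!   ip nat inside source list 10 interface FastEthernet0/0 overload
!
! After: a pool of more than one public address, still overloaded. When the
! erroneous translation occupies one address the other stays usable.
! (203.0.113.10-11 are assumed public addresses for illustration.)
ip nat pool PUBLIC 203.0.113.10 203.0.113.11 netmask 255.255.255.0
!
! Inside hosts that are translated. The 192.168.0.0/16 range is an assumption
! standing in for the main-center and branch LANs.
access-list 10 permit 192.168.0.0 0.0.255.255
!
ip nat inside source list 10 pool PUBLIC overload
!
! Age out ICMP translations (including icmperr) faster than the 60-second
! default so the address they hold is freed sooner. 10 seconds is an assumed
! value; tune it to your environment.
ip nat translation icmp-timeout 10
!
interface FastEthernet0/0
 description Internet-facing (assumed interface name)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Inside LAN (assumed interface name)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Operational checks, run from enable mode rather than configuration mode:
!   show ip nat translations      - look for "icmperr" in the Pro column
!   clear ip nat translation *    - immediate recovery, as the post notes
```

After applying this, re-run `show ip nat translations` while reproducing the failure: if an icmperr entry appears but the other pool address keeps receiving new translations, the workaround is doing its job. Note that `clear ip nat translation *` drops every active translation, working sessions included, so use it as the emergency fix rather than a scheduled one.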