More VPN routing issues... )-:

Discussion in 'Cisco' started by scooter133@gmail.com, Oct 22, 2008.

  1. Guest

    So I have 2 PIXs that connect via the internet via IPSec Preshared
    Keys LAN-to-LAN

    HQ 10.1.x.x <- Internet -> SF 10.2.x.x <- router -> 10.6.x.x


    Not sure what happened to the configs, but we were originally working
    from 10.1 to 10.2 and not from 10.1 to 10.6

    I made some corrections to my Lifetime values and all was good in the
    world.

    Then a month or so later, I can no longer go from 10.1 to 10.2 though
    from 10.1 to 10.6 works great.

    What can I do to troubleshoot this?

    Thanks,
    Scott
     
    , Oct 22, 2008
    #1

  2. Guest

    On 22 Oct, 20:05, wrote:
    > So I have 2 PIXs that connect via the internet via IPSec Preshared
    > Keys LAN-to-LAN
    >
    > HQ 10.1.x.x  <- Internet -> SF 10.2.x.x  <- router -> 10.6.x.x
    >
    > Not sure what happened to the configs, but we were originally working
    > from 10.1 to 10.2 and not from 10.1 to 10.6
    >
    > I made some corrections to my Lifetime values and all was good in the
    > world.
    >
    > Then a month or so later, I can no longer go from 10.1 to 10.2 though
    > from 10.1 to 10.6 works great.
    >
    > What can I do to troubleshoot this?


    Firstly I am really a router person - the pix is a whole
    new ball game. Well in my view new 'can of worms' really.
    Lots of it is similar though.

    For the VPN to "work" you need the following:-
    1. - Communications between the two pixes for IPSEC
    traffic.
    2. - IPSEC Security Association - established
    3. - Valid routes in both directions from end host to
    end host.
    4. - pix firewall allowing traffic.
    5. - maybe some other stuff.

    Clearly 1. is OK.

    Next easiest to check are probably the validity of
    routes at all points in the path.


    Re: 2.
    sh cry ip sa -

    You have to check that the entries for your end
    points have operational SAs.

    If the SA is up there are loads of counters about
    bytes and lifetimes, if not none. I don't have a pix
    or IPSEC router to look at now.

    sh ip route ! displays the routing.

    Post:-

    Exactly what is not working.
    sh run
    sh ip route
    sh cry ip sa ! - (or whatever the command really is on a pix)

    You should sanitise the information removing
    KEYS, user IDs, passwords, and mangling
    external IP addresses.

    from both ends.

    You can "capture" packets to a buffer and look at them
    later.
    There are various debugs.
    debug crypto ipsec ! maybe
     
    , Oct 22, 2008
    #2
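The reply above says to check that the SA for your end points exists and that its byte and packet counters are moving. The following is an added example (not code from this thread or from Cisco) that reads a `show crypto ipsec sa` listing and classifies the SA covering one source/destination pair. The sample output is constructed and modelled on the PIX 6.x / IOS layout; it only relies on the `local ident`, `remote ident`, `current_peer` and `#pkts encaps/decaps` fields, so the extra lines in real output are ignored. Peer and interface addresses in the sample are assumptions.

```python
"""Parse a PIX 'show crypto ipsec sa' listing and say what state the SA for a
given source/destination pair is in.

Added example, not code from the thread.  SAMPLE_SA_OUTPUT is constructed and
modelled on the PIX 6.x / IOS layout of 'show crypto ipsec sa'; only the
'local ident', 'remote ident', 'current_peer' and '#pkts encaps/decaps'
fields are used, so extra lines in real output are ignored.
"""
import ipaddress
import re

# Constructed sample as seen from HQ: the 10.6/16 SA carries traffic both ways,
# the 10.2/16 SA encrypts packets but never receives any back.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: hqmap, local addr. 203.0.113.10

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.0.0/255.255.0.0/0/0)
   current_peer: 198.51.100.20
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4821, #pkts encrypt: 4821, #pkts digest 4821
    #pkts decaps: 4790, #pkts decrypt: 4790, #pkts verify 4790

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer: 198.51.100.20
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 312, #pkts encrypt: 312, #pkts digest 312
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer:?\s+([\d.]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s+(\d+)")


def parse_sa(text):
    """Return one dict per SA: local/remote networks, peer, encaps, decaps."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":            # a new 'local ident' starts an entry
                cur = {"peer": None, "encaps": 0, "decaps": 0}
                entries.append(cur)
            if cur is not None:
                cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        for name, value in COUNTER_RE.findall(line):
            cur[name] = int(value)
    return [e for e in entries if "local" in e and "remote" in e]


def diagnose(entries, src_ip, dst_ip):
    """Classify the SA covering src_ip -> dst_ip and return (status, hint).

    no-sa    no SA whose proxy identities cover the pair: the flow is not being
             selected by the crypto ACL, or the PIX never sees it (routing)
    idle     an SA exists but nothing has been sent: traffic is not reaching it
    one-way  we encrypt, nothing comes back: look at the far end's crypto ACL,
             routing and NAT for the return path
    ok       both counters move
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if src in e["local"] and dst in e["remote"]:
            if e["encaps"] == 0 and e["decaps"] == 0:
                return "idle", f"SA to {e['peer']} exists but has carried no traffic"
            if e["decaps"] == 0:
                return "one-way", f"{e['encaps']} packets sent to {e['peer']}, none received"
            return "ok", f"{e['encaps']} sent / {e['decaps']} received via {e['peer']}"
    return "no-sa", f"no SA covers {src} -> {dst}; check crypto ACL and routing"


if __name__ == "__main__":
    sas = parse_sa(SAMPLE_SA_OUTPUT)
    for dst in ("10.6.5.5", "10.2.5.5", "10.3.1.1"):
        print(dst, *diagnose(sas, "10.1.5.5", dst))
```

Run it against a pasted listing from each PIX: a "one-way" verdict on one side paired with "no-sa" or "idle" on the other is the classic sign that the two crypto ACLs (or the routes feeding them) no longer agree.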

  3. networkzman Guest

    Scott,

    double check if there's any conflict with routes and also the crypto
    acl.

    To capture the traffic.

    do the following:
    access-list capture1 permit ip 10.1.x.x 255.255.255.0 10.2.x.x
    255.255.255.0
    capture capt1 interface inside access-list capture1

    verify:
    show capture capt1

    Thanks


    On Oct 22, 11:52 pm, wrote:
    > On 22 Oct, 20:05, wrote:
    >
    > > So I have 2 PIXs that connect via the internet via IPSec Preshared
    > > Keys LAN-to-LAN
    >
    > > HQ 10.1.x.x  <- Internet -> SF 10.2.x.x  <- router -> 10.6.x.x
    >
    > > Not sure what happened to the configs, but we were originally working
    > > from 10.1 to 10.2 and not from 10.1 to 10.6
    >
    > > I made some corrections to my Lifetime values and all was good in the
    > > world.
    >
    > > Then a month or so later, I can no longer go from 10.1 to 10.2 though
    > > from 10.1 to 10.6 works great.
    >
    > > What can I do to troubleshoot this?
    >
    > Firstly I am really a router person - the pix is a whole
    > new ball game. Well in my view new 'can of worms' really.
    > Lots of it is similar though.
    >
    > For the VPN to "work" you need the following:-
    > 1. - Communications between the two pixes for IPSEC
    >    traffic.
    > 2. - IPSEC Security Association - established
    > 3. - Valid routes in both directions from end host to
    >    end host.
    > 4. - pix firewall allowing traffic.
    > 5. - maybe some other stuff.
    >
    > Clearly 1. is OK.
    >
    > Next easiest to check are probably the validity of
    > routes at all points in the path.
    >
    > Re: 2.
    > sh cry ip sa  -
    >
    > You have to check that the entries for your end
    > points have operational SAs.
    >
    > If the SA is up there are loads of counters about
    > bytes and lifetimes, if not none. I don't have a pix
    > or IPSEC router to look at now.
    >
    > sh ip route ! displays the routing.
    >
    > Post:-
    >
    > Exactly what is not working.
    > sh run
    > sh ip route
    > sh cry ip sa  ! - (or whatever the command really is on a pix)
    >
    > You should sanitise the information removing
    > KEYS, user IDs, passwords, and mangling
    > external IP addresses.
    >
    > from both ends.
    >
    > You can "capture" packets to a buffer and look at them
    > later.
    > There are various debugs.
    > debug crypto ipsec  ! maybe
     
    networkzman, Oct 23, 2008
    #3
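networkzman's advice is to look for a conflict in the crypto ACLs. On a LAN-to-LAN tunnel the crypto ACL on one PIX has to be the exact mirror (destination and source swapped) of the ACL on the other; an entry that was narrowed on one side, or a subnet that is routed but no longer selected, produces exactly the "one subnet works, the other does not" symptom in the question. The following is an added example (not code from this thread or from Cisco) that parses the `access-list` lines of two sanitised `show run` outputs, reports entries with no mirror on the far side, and says whether a given flow would be selected for encryption. Both configs are constructed, and the ACL names `hq-to-sf` and `sf-to-hq` are assumptions.

```python
"""Check that the crypto ACLs on two PIXes mirror each other and that a given
flow is selected for encryption on both ends.

Added example, not code from the thread.  The two access-list snippets are
constructed; the ACL names (hq-to-sf, sf-to-hq) are assumed.  Only the PIX 6.x
'access-list NAME permit ip SRC DST' form with netmask, 'host' or 'any'
operands is parsed.
"""
import ipaddress

# Constructed HQ side: both remote networks selected as /16s.
HQ_CONFIG = """\
access-list hq-to-sf permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list hq-to-sf permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside-in permit tcp any host 10.1.0.25 eq 25
"""
# Constructed SF side: the 10.2 entry was narrowed to a /24, so it no longer
# mirrors HQ's /16 entry and hosts outside 10.2.0.0/24 are never selected.
SF_CONFIG = """\
access-list sf-to-hq permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list sf-to-hq permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
"""


def _operand(tokens, i):
    """Read one ACL address operand at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(config, name):
    """Return [(src_net, dst_net), ...] for the 'permit ip' lines of ACL `name`."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _operand(t, 4)
        dst, _ = _operand(t, i)
        entries.append((src, dst))
    return entries


def unmirrored(ours, theirs):
    """Entries in `ours` whose exact (dst, src) mirror is missing from `theirs`."""
    mirrors = {(dst, src) for src, dst in theirs}
    return [e for e in ours if e not in mirrors]


def selects(entries, src_ip, dst_ip):
    """First ACL entry that would select src_ip -> dst_ip for encryption, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in entries:
        if src in entry[0] and dst in entry[1]:
            return entry
    return None


if __name__ == "__main__":
    hq = parse_crypto_acl(HQ_CONFIG, "hq-to-sf")
    sf = parse_crypto_acl(SF_CONFIG, "sf-to-hq")
    for side, gaps in (("HQ", unmirrored(hq, sf)), ("SF", unmirrored(sf, hq))):
        for src, dst in gaps:
            print(f"{side}: {src} -> {dst} has no mirror on the other PIX")
    print("HQ selects 10.1.5.5 -> 10.2.5.5:", selects(hq, "10.1.5.5", "10.2.5.5"))
    print("SF selects 10.2.5.5 -> 10.1.5.5:", selects(sf, "10.2.5.5", "10.1.5.5"))
```

Feed it the real ACLs from both `show run` outputs (keys and public addresses removed, as the earlier reply asks) and then confirm with `show capture` on the SF side that the 10.1 packets actually arrive on the inside interface; if they are selected on HQ but never captured at SF, the problem is between the two PIXes rather than in the ACLs.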
