
[Troubleshooting Series] Case 19 Network problem when goes through DSVPN tunnel

Latest reply: Dec 27, 2018 06:52:30

Hello everyone,

Today I will share with you how to deal with a network problem where traffic fails when it goes through a DSVPN tunnel.

Network Topology

Figure 1-1 Network problem when traffic goes through a DSVPN tunnel

Fault Description

The customer cannot ping from one side (101.1.1.1, LoopBack0 on AR1) to the other side (202.1.1.1, LoopBack3 on AR2).


Configuration Files

• AR1

#
pki realm default
 enrollment self-signed
#
ipsec proposal 1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm sha1
 prf hmac-sha2-256
#
ike peer p1 v1
 pre-shared-key cipher %^%#1"4j#17n2'.c\"3q3#g4NGy|1\9Rj%Y{5Y)r$o>$%^%#
 ike-proposal 1
#
ipsec profile profile1
 ike-peer p1
 proposal 1
#                                       
interface GigabitEthernet0/0/0
 ip address 10.220.7.39 255.255.254.0
#
interface GigabitEthernet0/0/2
 ip address 192.168.1.2 255.255.255.0
#
interface LoopBack0
 ip address 101.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 111.1.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/2
 ipsec profile profile1
 nhrp entry multicast dynamic
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 172.168.1.0 255.255.255.0 192.168.1.1
ip route-static 202.1.1.0 255.255.255.0 Tunnel0/0/0
#
• AR2

#
pki realm default
 enrollment self-signed
#
ipsec proposal 1
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm 3des
#
ike proposal 1
 encryption-algorithm des-cbc
 dh group2
 authentication-algorithm sha1            
 prf hmac-sha2-256
#
ike peer p1 v1
 pre-shared-key cipher %^%#Xb=f+J<Up&;zprO9<Ik5s6EOIQoPDV~{U)*.bw:J%^%#
 ike-proposal 1
#
ipsec profile profile1
 ike-peer p1
 proposal 1
#
interface Vlanif999
 description MANAGEMENT-DO-NOT-TOUCH
 ip address 192.168.80.3 255.255.224.0
#
interface GigabitEthernet0/0/0
 ip address 172.16.1.6 255.255.255.252
#
interface GigabitEthernet0/0/1            
 ip address 172.168.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.220.7.40 255.255.254.0
#

interface LoopBack0
 ip address 172.16.3.3 255.255.255.255
#
interface LoopBack1
 ip address 172.16.113.1 255.255.255.255
#
interface LoopBack3
 ip address 202.1.1.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 111.1.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet0/0/1
 ipsec profile profile1
 nhrp entry 111.1.1.1 192.168.1.2
#
bgp 65502
 peer 172.16.1.5 as-number 65501
 peer 172.16.1.14 as-number 65502         
 #
 ipv4-family unicast
  undo synchronization
  preference 5 255 255
  network 172.16.3.3 255.255.255.255
  network 172.16.3.5 255.255.255.255
  network 172.16.3.6 255.255.255.255
  network 172.16.3.7 255.255.255.255
  network 172.16.3.8 255.255.255.255
  network 172.16.3.9 255.255.255.255
  network 172.16.3.10 255.255.255.255
  network 172.16.3.11 255.255.255.255
  network 172.16.3.12 255.255.255.255
  network 172.16.3.13 255.255.255.255
  network 172.16.5.0 255.255.255.0
  network 172.16.6.0 255.255.255.0
  network 172.16.7.0 255.255.255.0
  network 172.16.8.0 255.255.255.0
  network 172.16.10.0 255.255.255.0
  network 172.16.12.0 255.255.255.0
  network 172.16.13.0 255.255.255.0
  network 172.16.113.1 255.255.255.255
  peer 172.16.1.5 enable
  peer 172.16.1.14 enable                 
#
ospf 10 router-id 172.16.3.3
 import-route bgp type 1
 area 0.0.0.0
  network 172.16.1.12 0.0.0.3
  network 172.16.1.16 0.0.0.3
  network 172.16.3.3 0.0.0.0
#
 ftp server enable
#
ip route-static 0.0.0.0 0.0.0.0 10.220.6.1
ip route-static 101.1.1.0 255.255.255.0 111.1.1.1
ip route-static 172.1.0.0 255.255.0.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
ip route-static 192.168.1.0 255.255.255.0 172.168.1.1
ip route-static 192.168.10.0 255.255.255.0 192.168.64.1 description MANAGEMENT-DO-NOT-TOUCH
#

Troubleshooting Location


Step 1      Analyze the configuration: the scenario is DSVPN over IPsec (a p2mp GRE tunnel on each router, with ipsec profile profile1 applied to Tunnel0/0/0).

Run the display ike sa command in any view on AR2 to check the IPsec tunnel first. In the output below only a Phase 1 entry exists and it carries no RD (READY) flag, so IKE negotiation has not completed:

<R2U21-AR3200> display ike sa
IKE SA information :
    Conn-ID       Peer            VPN   Flag(s)                Phase            
  --------------------------------------------------------------------          
    390           0.0.0.2         0                            1             
 
   Number of IKE SA : 1                                                    
  --------------------------------------------------------------------          
 
  Flag Description:                                                              
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   


Step 2      If the IPsec tunnel is not established, compare the IKE and IPsec parameters on the two peers and correct the mismatch. In the configuration above, ike proposal 1 on AR1 uses encryption-algorithm 3des-cbc while ike proposal 1 on AR2 uses des-cbc, so Phase 1 can never complete; the encryption algorithm, authentication algorithm, DH group, PRF and pre-shared key must be identical on both ends, and the IPsec proposal must match as well. When aligning them, fix the weaker side rather than the stronger one: DES and 3DES are obsolete, so move both peers to AES-256 with SHA-2 and DH group 14 or higher. Once the proposals match, display ike sa shows a Phase 1 and a Phase 2 SA, both flagged RD:

<R2U25-AR3200> display ike sa
IKE SA information :
    Conn-ID       Peer            VPN   Flag(s)                Phase            
  --------------------------------------------------------------------          
    540           172.168.1.2     0     RD                     2             
    539           172.168.1.2     0     RD                     1                        
 
   Number of IKE SA : 2                                                     
  --------------------------------------------------------------------          
 
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING


Step 3      Check whether the DSVPN tunnel is up, that is, whether the spoke has registered its tunnel address with the hub. Run display nhrp peer all on both AR1 and AR2 and confirm that each side shows the other's tunnel address and NBMA (GigabitEthernet) address.


Step 4      Check the DSVPN configuration: on the spoke, one command is wrong. After correcting it, DSVPN comes up.


Step 5      Test again once the DSVPN over IPsec tunnel is up. If the ping still fails, check the routes. For traffic sent into a p2mp (mGRE) DSVPN tunnel the next hop must be the peer's tunnel address, not the tunnel interface: a static route whose next hop is the interface, such as AR1's ip route-static 202.1.1.0 255.255.255.0 Tunnel0/0/0, gives NHRP no tunnel address to resolve to an NBMA address, so the packet cannot be encapsulated. AR2's ip route-static 101.1.1.0 255.255.255.0 111.1.1.1 is the correct form; on AR1 the route to 202.1.1.0/24 should point at 111.1.1.2.
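The comparisons made in Step 2 (do the peers' IKE/IPsec proposals match?) and Step 5 (does any route into the mGRE tunnel name the interface instead of the peer's tunnel address?) can be run mechanically against the two configurations. The script below is an added example, not code from Huawei or from the original post. It parses VRP-style configuration text (blocks delimited by '#', indented lines as settings), reports proposal attributes that differ between the peers, flags obsolete primitives so that the fix is an upgrade rather than a downgrade, and rewrites interface-next-hop routes to the other peer's tunnel address. AR1_CONFIG and AR2_CONFIG are constructed inputs cut down from the configurations above; the parser, the WEAK list and every function name are assumptions for this example and cover only the command forms that appear on this page.

```python
"""Added example, not code from the original post: lint two DSVPN-over-IPsec peer
configs for the faults found in Steps 2 and 5 of the troubleshooting above."""

# Constructed sample input, cut down from the AR1/AR2 configurations on this page.
AR1_CONFIG = """\
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
interface Tunnel0/0/0
 ip address 111.1.1.1 255.255.255.0
 tunnel-protocol gre p2mp
#
ip route-static 202.1.1.0 255.255.255.0 Tunnel0/0/0
#
"""
AR2_CONFIG = """\
#
ike proposal 1
 encryption-algorithm des-cbc
#
interface Tunnel0/0/0
 ip address 111.1.1.2 255.255.255.0
 tunnel-protocol gre p2mp
#
ip route-static 101.1.1.0 255.255.255.0 111.1.1.1
#
"""
# Primitives to replace, not keep, when aligning the peers (assumed policy, not from the page).
WEAK = {"des", "des-cbc", "3des", "3des-cbc", "md5", "sha1", "group1", "group2", "group5"}

def parse_vrp(text):
    """Blocks split on '#': the first line is the header ('ike proposal 1', 'interface X'),
    indented lines are its settings. Only command forms used on this page are handled."""
    cfg = {"ike proposal": {}, "ipsec proposal": {}, "interface": {}, "routes": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            current = None
        elif raw[0].isspace():                      # setting inside the open block
            if current is not None:
                current.append(line)
        elif line.startswith("ip route-static "):
            cfg["routes"].append(line.split()[2:])  # [dest, mask, next-hop, ...]
            current = None
        else:                                       # block header
            kind = next((k for k in ("ike proposal", "ipsec proposal", "interface")
                         if line.startswith(k + " ")), None)
            current = cfg[kind].setdefault(line[len(kind) + 1:], []) if kind else None
    return cfg

def _settings(lines):
    """'esp encryption-algorithm 3des' -> {'esp encryption-algorithm': '3des'}."""
    return {" ".join(t[:-1]): t[-1] for t in (l.split() for l in lines) if len(t) >= 2}

def proposal_mismatches(a, b, name_a="AR1", name_b="AR2"):
    """Step 2: IKE/IPsec proposals with the same number must agree on every attribute."""
    out = []
    for kind in ("ike proposal", "ipsec proposal"):
        for num in sorted(set(a[kind]) & set(b[kind])):
            sa, sb = _settings(a[kind][num]), _settings(b[kind][num])
            out += [f"{kind} {num}: {key} is {sa.get(key)} on {name_a} but {sb.get(key)} on {name_b}"
                    for key in sorted(set(sa) | set(sb)) if sa.get(key) != sb.get(key)]
    return out

def weak_algorithms(cfg, name):
    """Caveat for Step 2: align the peers by upgrading, not by downgrading to DES."""
    return [f"{name} {kind} {num}: {key} {val}" for kind in ("ike proposal", "ipsec proposal")
            for num, lines in cfg[kind].items()
            for key, val in _settings(lines).items() if val.lower() in WEAK]

def p2mp_tunnels(cfg):
    """Map each mGRE interface (tunnel-protocol gre p2mp) to its tunnel address."""
    return {name: next((l.split()[2] for l in lines if l.startswith("ip address ")), None)
            for name, lines in cfg["interface"].items()
            if _settings(lines).get("tunnel-protocol gre") == "p2mp"}

def interface_nexthop_routes(cfg):
    """Step 5: static routes whose next hop is an mGRE interface instead of an address."""
    return [tuple(r[:3]) for r in cfg["routes"] if len(r) >= 3 and r[2] in p2mp_tunnels(cfg)]

def suggested_route_fix(local, remote):
    """Point each such route at the peer's tunnel address so NHRP can resolve it.
    With one peer that address is unambiguous; a hub with many spokes needs a
    route per spoke or a routing protocol running over the tunnel."""
    peer = next((ip for ip in p2mp_tunnels(remote).values() if ip), None)
    return [f"ip route-static {d} {m} {peer}" for d, m, _ in interface_nexthop_routes(local)] if peer else []

def diagnose(text_a, text_b, name_a="AR1", name_b="AR2"):
    a, b = parse_vrp(text_a), parse_vrp(text_b)
    return {"mismatches": proposal_mismatches(a, b, name_a, name_b),
            "weak": weak_algorithms(a, name_a) + weak_algorithms(b, name_b),
            "bad_routes": {name_a: interface_nexthop_routes(a), name_b: interface_nexthop_routes(b)},
            "route_fixes": {name_a: suggested_route_fix(a, b), name_b: suggested_route_fix(b, a)}}

if __name__ == "__main__":
    print(diagnose(AR1_CONFIG, AR2_CONFIG))
```

Running it reports one mismatch (3des-cbc against des-cbc in ike proposal 1), both peers' obsolete encryption algorithms, AR1's route to 202.1.1.0/24 via Tunnel0/0/0, and the suggested replacement ip route-static 202.1.1.0 255.255.255.0 111.1.1.2. The checks are deliberately narrow: whether the spoke has actually registered with the hub (Steps 3 and 4) can only be verified on the device with display nhrp peer all, not from the configuration text.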

Solution:

• Check the IPsec tunnel (display ike sa).

• Check NHRP once the IPsec tunnel is up (display nhrp peer all). If NHRP is not normal, check the DSVPN parameters.

• Check the routes once NHRP is OK.



Root Cause

The DSVPN over IPsec tunnel could not be established because the IKE parameters did not match on the two peers.

After the tunnel was established, traffic still could not be forwarded because of an incorrect static route (next hop set to the tunnel interface instead of the peer's tunnel address).


That is all I want to share with you! Thank you!


3li
Created Dec 18, 2018 09:34:51

It's hard

dagui
Created Dec 27, 2018 06:52:30

"Check NHRP after checked IPSEC tunnel. If the NHRP is not normal, Check the parameter of DSVPN." Can you provide a more detailed explanation?