
Site-To-Site VPN Anomalies

bubarooni
I'm not sure if they are really unusual behavior or not, but I like that word...

Here is my setup:
Location1: PIX 506 (192.168.1.254) sitting in front of a 1750 router (192.168.1.1).
Location2: 1750 router (192.168.4.1).
The tunnel is between the PIX at Location1 and the 1750 router at Location2.

Anyway, I just (finally!!!) got a Site-To-Site VPN working yesterday. When I came in this morning it wasn't: I could ping Location2 IPs from Location1 but not the reverse. Magically, it started back up and is now working quite well at both ends of the tunnel.

Is this normal behavior? Did my incessant pinging 'jumpstart' the tunnel somehow? Is there a command I can use for that from the router? I used the "show crypto isakmp sa" command at the Location2 router and it indicated that the tunnel was up. State read "QM_IDLE". What does that mean?

All my DNS traffic that is generated at Location2 is being directed into the tunnel and out the router at Location1. This results in nasty "The page cannot be displayed." errors.

I did a tracert to " and the traffic exited out of the router at Location1.

I did a tracert to 216.239.39.99 and the traffic exited out of the local router here at Location2.

I figure this must be an access list problem, but I can't figure it out. Here are my access lists:
!
! ACL 100
access-list 100 permit ip any any
!
! ACL 101: applied inbound on the outside interface (access-group 101)
access-list 101 permit gre any host x.x.x.x
access-list 101 permit tcp any host x.x.x.x eq 1723
access-list 101 permit ip any host x.x.x.x
access-list 101 permit gre any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit tcp any any
access-list 101 permit icmp any any
access-list 101 permit esp any any
!
! ACL 111: referenced by route-map nonat (Location2-to-Location1 traffic is the deny entry)
access-list 111 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
!
! ACL 120: match address for the crypto map (traffic that goes into the tunnel)
access-list 120 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 120 is applied to the crypto map
access-group 111 to the route-map nonat
access-group 101 to the outside interface

If you can answer either question I'd be very obliged for the help.
 
IPsec tunnels can be taken down by two things, byte count and/or time. After a certain amount of time or a certain byte count (data that has passed through the tunnel) the tunnel will re-negotiate an SA (security association). Normally a tunnel does not go down and stay down unless no data ever passes through the tunnel. Once interesting data is passed to the router the tunnel comes back up and all is good.

Just in case, I would make sure that everything on both ends of the tunnel matches.

Can you post the configs for the PIX and the router?

QM_IDLE basically means the tunnel is up and ready. This is normal.

What DNS servers are your clients using in location 2?

 
Hi mtashiro,

Thanks for the info. The tunnel has stayed up, though I notice the CONN ID seems to change constantly, which maybe is where it drops and then picks back up. I think I did get my web browsing problem fixed too.

I explained the problem I was having to a friend of mine in an email and he replied that it sounded like UDP-related access-list problems. I have messed around the last few days researching it and trying different things I found on the web. I finally fixed it with the following:

access-list 101 permit udp any eq domain any

I don't really understand what it's doing, so I am not completely comfortable with it. It does send the locally generated HTTP requests directly out of the router now instead of through the tunnel. Could you explain the access-list statement for me?

Also, how many Site-To-Site VPNs could I realistically set up with a PIX 506? My bosses are so impressed with the VPN they are talking of ditching the frame at some locations (I swear it's only because they can surf the web faster at the remote sites!).

Thanks
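To see what the added `access-list 101 permit udp any eq domain any` line changes, here is a small evaluator for IOS numbered extended ACLs. It is an added example, not code from anyone in this thread or from Cisco; it models first-match evaluation, the implicit deny at the end of every ACL, wildcard masks and `eq` port qualifiers, and runs ACL 101 from the post above (minus the entries naming the redacted host x.x.x.x, whose address is not on the page) against constructed packets. The outside address 203.0.113.2 and the resolver address 198.51.100.53 are made up from documentation ranges.

```python
"""Minimal evaluator for Cisco IOS numbered extended ACL lines (added example).

Supports: access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`.
"""
import ipaddress

# IOS port keywords; only the two that appear in the thread are modelled.
PORT_NAMES = {"domain": 53, "isakmp": 500}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((base, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # all-ones wildcard: every bit is don't-care
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2  # all-zeros wildcard: exact match
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _take_port(tokens, i):
    """Consume an optional `eq PORT` qualifier; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line):
    """Parse one access-list line into its fields."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return {"acl": int(t[1]), "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport, "text": line}


def _addr_match(spec, addr):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def ace_matches(ace, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); ports are None for esp/gre."""
    proto, sip, sport, dip, dport = pkt
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return _addr_match(ace["src"], sip) and _addr_match(ace["dst"], dip)


def evaluate(acl_lines, pkt):
    """First matching entry wins; no match means the implicit deny at the end."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny at end of ACL"


# ACL 101 as posted, without the entries that name the redacted host x.x.x.x.
ACL_101 = [
    "access-list 101 permit gre any any",
    "access-list 101 permit udp any any eq isakmp",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "access-list 101 permit tcp any any",
    "access-list 101 permit icmp any any",
    "access-list 101 permit esp any any",
]
# The line the poster added; a numbered ACL appends new entries at the end.
ACL_101_FIXED = ACL_101 + ["access-list 101 permit udp any eq domain any"]

OUTSIDE = "203.0.113.2"  # constructed stand-in for the Location2 router's outside address
PACKETS = {  # constructed inbound packets as seen on the outside interface
    "dns reply from Internet resolver": ("udp", "198.51.100.53", 53, OUTSIDE, 40000),
    "dns reply arriving through the tunnel": ("udp", "192.168.1.10", 53, "192.168.4.20", 40000),
    "isakmp from peer": ("udp", "198.51.100.1", 500, OUTSIDE, 500),
    "esp from peer": ("esp", "198.51.100.1", None, OUTSIDE, None),
    "stray udp from Internet": ("udp", "198.51.100.7", 1234, OUTSIDE, 1434),
    "udp with source port 53 from anywhere": ("udp", "198.51.100.7", 53, OUTSIDE, 1434),
}


def decisions(acl_lines):
    """Map each sample packet name to the action the ACL takes on it."""
    return {name: evaluate(acl_lines, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        before, after = evaluate(ACL_101, pkt), evaluate(ACL_101_FIXED, pkt)
        print(f"{name:40s} before: {before[0]:6s} ({before[1]})\n{'':40s} after:  {after[0]:6s} ({after[1]})")
```

Under the original ACL 101 a DNS reply from an Internet resolver (UDP, source port 53) matches nothing and falls to the implicit deny; the only UDP entries are `eq isakmp` and the 192.168.1.0/24-to-192.168.4.0/24 line, so replies through the tunnel pass while replies from the Internet do not. The added entry permits any UDP datagram whose source port is 53, regardless of its destination port. The caveat is that a sender chooses its own source port, so that entry also admits any UDP packet that simply sets source port 53, as the last sample packet shows; a later IOS would let you narrow this with `established`-style reflexive or CBAC inspection, but the ACL as posted relies on source port alone.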
 
Simultaneous VPN peers: 25*


* Maximum number of simultaneous site-to-site or remote access VPN/IKE Security Associations (SAs) supported


Heck, they'll wind up having me drop all the frame!

Thanks for the info
 