RE: Bizzare Routing/VPN Issue [7:64301]

2003-03-04 Thread Symon Thurlow
Hi John,

What address is the NZ guy pinging on your spoke routers? The LAN
address that is getting propagated?

If you do a debug icmp trace on the VPN box (assuming you can, I've
never touched one) what is the ICMP message you receive? That will
probably tell you everything.

When you ping from your remote spoke routers to NZ, what interface
address are you using to ping _from_? Can you try pinging from a server
in a spoke site, or set the ping from address to be the LAN interface of
your spoke router?

In fact, that looks to me to be exactly what it is.

You are pinging from a spoke router, and it is using the serial(?)
interface address, which due to your non-contiguous network addressing
(tsk tsk!) is not included in your VPN configuration, so the VPN
concentrator probably sends the ICMP message to NZ but the NZ side is
not configured to encrypt traffic for the network the ping came from so
it never gets back.

Sounds good to me...

Symon


-Original Message-
From: John Brandis [mailto:[EMAIL PROTECTED] 
Sent: 04 March 2003 01:55
To: [EMAIL PROTECTED]
Subject: Bizzare Routing/VPN Issue [7:64301]


Hi All, I am sure one of you will see the problem and be able to offer a
solution.
 
I have 2 organisations here, one in Australia, the other in NZ. In
Australia, we have a hub and spoke point-to-multipoint config from the
hub's perspective. I run OSPF and have all sites in area 0 (yes, I know I
should break this up so that each region forms its own area, but why at
this time??)
 
My problem, which only started this morning at 5am when the tech in NZ
and I decided to up the encryption settings on the VPN, I think is
related to routing, or related to a crypto map error. In Sydney, I use a
Cisco 3005 whilst the office initiating the IPSEC connection uses a
little Watchguard box. Until this morning it was simple: I could see his
local LAN behind the remote peer, and he could see my local networks,
but not the offices on my WAN (by design). The goal of this morning was
to permit NZ to be able to see all networks in Australia. We don't yet
run a nice continuous IP scheme here, so each network had to be
declared line by line rather than as a nice summary. We implemented this
network by network. I enabled my NZ counterpart access to the Australian
hub site and one of the spokes. That's when the problem started. We tried
to put the next spoke site network list in the list of available
networks, then it all fell to bits. The problem now is that the guy in
NZ can ping my spoke sites' routers; however, from these spoke sites I
can't ping him. I trace the packet and watch it hop through my network,
with the last hop being the 3005 VPN concentrator that connects NZ to
us. From there it times out. From my desk in the hub site in Australia,
I can ping both the spoke site and the NZ tech's PC. So at this stage I
can confirm that the route that works from Sydney to NZ has been
redistributed via OSPF to my spoke sites; however, it just does not
appear to get through the tunnel, although the guy in NZ says he has 100%
ping to my spoke sites.
 
Could anyone suggest where a possible problem could be?
 
I can see IPSEC tunnels for the various networks and I can see traffic
going across them; however, I have no idea why I can't access anything
across the VPN from my spoke sites. The NZ guy said all traffic from
Australia has a permit statement. I can only see the problem as an
access-list-like problem on his end, as we had this working for the
central site here (hub site) and for one of the spoke sites until we
added more.
 
Would appreciate any help.
 
Thanks all
 
Johnny b 


**

visit http://www.solution6.com

UK Customers - http://www.solution6.co.uk

**

The Solution 6 Head Office and NSW Branch has moved premises. Please
make sure you have updated your records with our new details.

Level 14, 383 Kent Street, Sydney NSW 2000.

General Phone: 61 2 9278 0666

General Fax: 61 2 9278 0555

**

This email message (and attachments) may contain information that is
confidential to Solution 6. If you are not the intended recipient you
cannot use, distribute or copy the message or attachments.  In such a
case, please notify the sender by return email immediately and erase all
copies of the message and attachments.  Opinions, conclusions and other
information in this message and attachments that do not relate to the
official business of Solution 6 are neither given nor endorsed by it.


RE: Bizzare Routing/VPN Issue [7:64301]

2003-03-04 Thread Steve Wilson
Beware of assuming that a VPN can route traffic in the same way as a proper
router would. I have had a similar problem due to the network list
associated with tunnels. The routing table built by the VPN 3005 is based
upon the information collated from the network lists, but is not used in the
same way that a router would use it. A router will forward packets based on
which route has the longest match to the IP address. The VPN appears to use
the first route that satisfies the destination. This route will be created
by whichever tunnel comes up first and gives its network list to the 3005
that it is connecting to. The only way that I have managed to solve the
problem is by having completely specific network lists that ensure that
there is no dubiety in where packets can be routed to. If you are using
super-netting, be careful.

Steve Wilson
Network Engineer

-Original Message-
From: John Brandis [mailto:[EMAIL PROTECTED] 
Sent: 04 March 2003 01:55
To: [EMAIL PROTECTED]
Subject: Bizzare Routing/VPN Issue [7:64301]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64335t=64301
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
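Symon's diagnosis (a ping sourced from a spoke router interface that no network list covers) and Steve's first-match observation, modelled together in an added Python example that is not from the thread, Cisco or Watchguard. All addresses, the interface names and the tunnel names are constructed assumptions; the tunnel selection is a simplified model of IPsec proxy-identity matching, not the 3005's actual code.

```python
from ipaddress import ip_address, ip_network

# --- Constructed topology (assumption: the thread gives no real addresses) ---
HUB_LAN   = "10.1.0.0/24"     # Sydney hub site LAN
SPOKE_LAN = "10.2.0.0/24"     # one Australian spoke site LAN
SPOKE_S0  = "10.250.0.0/30"   # spoke router's serial link towards the hub
NZ_LAN    = "172.16.0.0/24"   # LAN behind the NZ Watchguard

# Sydney 3005 LAN-to-LAN network list: local networks NZ is allowed to reach.
# As in the thread it is declared network by network, so the serial link is missing.
AU_NETWORK_LIST = [HUB_LAN, SPOKE_LAN]

# NZ side crypto ACL as (local, remote) proxy-identity pairs. IPsec needs these
# to be the mirror image of the peer's list, entry for entry.
NZ_CRYPTO_ACL = [(NZ_LAN, HUB_LAN), (NZ_LAN, SPOKE_LAN)]


def _in(addr, net):
    return ip_address(addr) in ip_network(net)


def au_selects_for_tunnel(src, dst, au_list=AU_NETWORK_LIST, nz_lan=NZ_LAN):
    """Sydney side: the packet is 'interesting traffic' only if its source is
    in the local network list and its destination is behind the NZ peer."""
    return any(_in(src, net) for net in au_list) and _in(dst, nz_lan)


def nz_has_identity_for(src, dst, nz_acl=NZ_CRYPTO_ACL):
    """NZ side: the decapsulated packet, and so the reply (dst -> src), must
    fit one (local, remote) pair of the mirrored crypto ACL."""
    return any(_in(dst, local) and _in(src, remote) for local, remote in nz_acl)


def ping_outcome(src, dst, au_list=AU_NETWORK_LIST, nz_acl=NZ_CRYPTO_ACL):
    """Trace one echo request from an Australian source to an NZ host."""
    if not au_selects_for_tunnel(src, dst, au_list):
        return "timeout: 3005 network list has no entry covering the source"
    if not nz_has_identity_for(src, dst, nz_acl):
        return "timeout: NZ peer has no proxy identity for the source network"
    return "reply"


def uncovered_router_sources(interfaces, au_list=AU_NETWORK_LIST):
    """Audit: interface addresses a spoke router could source a ping from that
    no network-list entry covers (the trap John fell into with s0)."""
    return [name for name, addr in interfaces.items()
            if not any(_in(addr, net) for net in au_list)]


# Steve Wilson's point: the 3005 uses the first tunnel whose network list
# covers the destination, not the longest prefix, so bring-up order decides.
def first_match(dst, tunnel_routes):
    for tunnel, net in tunnel_routes:
        if _in(dst, net):
            return tunnel
    return None


def longest_match(dst, tunnel_routes):
    hits = [(ip_network(net).prefixlen, tunnel)
            for tunnel, net in tunnel_routes if _in(dst, net)]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    spoke_router = {"Ethernet0": "10.2.0.1", "Serial0": "10.250.0.2"}
    print(ping_outcome("10.250.0.2", "172.16.0.50"))   # sourced from s0: timeout
    print(ping_outcome("10.2.0.1", "172.16.0.50"))     # sourced from the LAN: reply
    print(uncovered_router_sources(spoke_router))      # ['Serial0']
    # A supernet list on the tunnel that came up first shadows the specific one.
    routes = [("tunnel-A", "172.16.0.0/16"), ("tunnel-B", "172.16.0.0/24")]
    print(first_match("172.16.0.50", routes), longest_match("172.16.0.50", routes))
```

Running `uncovered_router_sources` against a spoke router's interfaces before testing from it shows which source addresses will never be carried, which is the check that would have pointed at s0 straight away.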


RE: Bizzare Routing/VPN Issue [7:64301]

2003-03-04 Thread John Brandis
SOLVED

You are correct. Just to think I was about to book the 5 star hotel for the
other guys.

I never looked at it like this. Now you can see exactly what I was doing:
telnet to the router, try to ping from there. It was coming out as the s0 IP
address.

So I guess I was right in a way; it was a crypto map error. That subnet was
not permitted to pass traffic over the tunnel.

Thanks Symon, I must buy you a virtual beer some time.

John


-Original Message-
From: Symon Thurlow [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 4 March 2003 7:13 PM
To: [EMAIL PROTECTED]
Subject: RE: Bizzare Routing/VPN Issue [7:64301]



Bizzare Routing/VPN Issue [7:64301]

2003-03-03 Thread John Brandis
Hi All, I am sure one of you will see the problem and be able to offer a
solution.
 
I have 2 organisations here, one in Australia, the other in NZ. In Australia,
we have a hub and spoke point-to-multipoint config from the hub's
perspective. I run OSPF and have all sites in area 0 (yes, I know I should
break this up so that each region forms its own area, but why at this time??)
 
My problem, which only started this morning at 5am when the tech in NZ and I
decided to up the encryption settings on the VPN, I think is related to
routing, or related to a crypto map error. In Sydney, I use a Cisco 3005
whilst the office initiating the IPSEC connection uses a little Watchguard
box. Until this morning it was simple: I could see his local LAN behind the
remote peer, and he could see my local networks, but not the offices on my
WAN (by design). The goal of this morning was to permit NZ to be able to see
all networks in Australia. We don't yet run a nice continuous IP scheme here,
so each network had to be declared line by line rather than as a nice
summary. We implemented this network by network. I enabled my NZ counterpart
access to the Australian hub site and one of the spokes. That's when the
problem started. We tried to put the next spoke site network list in the
list of available networks, then it all fell to bits. The problem now is
that the guy in NZ can ping my spoke sites' routers; however, from these spoke
sites I can't ping him. I trace the packet and watch it hop through my
network, with the last hop being the 3005 VPN concentrator that connects NZ
to us. From there it times out. From my desk in the hub site in Australia,
I can ping both the spoke site and the NZ tech's PC. So at this stage I can
confirm that the route that works from Sydney to NZ has been redistributed
via OSPF to my spoke sites; however, it just does not appear to get through
the tunnel, although the guy in NZ says he has 100% ping to my spoke sites.
 
Could anyone suggest where a possible problem could be?
 
I can see IPSEC tunnels for the various networks and I can see traffic going
across them; however, I have no idea why I can't access anything across the
VPN from my spoke sites. The NZ guy said all traffic from Australia has a
permit statement. I can only see the problem as an access-list-like problem on
his end, as we had this working for the central site here (hub site) and for
one of the spoke sites until we added more.
 
Would appreciate any help.
 
Thanks all
 
Johnny b 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64301t=64301


Re: Bizzare Routing/VPN Issue [7:64301]

2003-03-03 Thread The Long and Winding Road
this is a complex situation that requires that you fly me out your way and
pay my stay at a five star hotel and full salary plus travel bonus for the 6
to 8 weeks it will take me to solve the problem  :-

--
TANSTAAFL
there ain't no such thing as a free lunch




John Brandis  wrote in message
news:[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64307t=64301


Re: Bizzare Routing/VPN Issue [7:64301]

2003-03-03 Thread John Murphy
I can solve that issue with 4 stars

- Original Message -
From: The Long and Winding Road 
To: 
Sent: Monday, March 03, 2003 9:04 PM
Subject: Re: Bizzare Routing/VPN Issue [7:64301]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64318t=64301