
tunnel & access-list (cisco 2600)

Status
Not open for further replies.

andrewalx

Mar 28, 2001
I have a Cisco 2600 and an encrypted tunnel on serial. I need to tune the inbound access-list on serial. The first entry I make is
access-list 120 permit ip host 10.1.1.2 host 10.1.1.1
After I apply this list to serial, the tunnel works fine for about half an hour, then a ping of the other VPN side returns 'request timeout', and the tunnel works fine again after
serial0
no ip acce 120 in
ip acce 120 in
no ip acce 120 in
ip acce 120 in
and so on. There are no deny messages in the log, but there are CRYPTO-4-PKT_REPLAY_ERR warnings.
Can anybody tell me what's wrong with the access-list?
Regards, Andrew.
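Added example, not from this thread or from Cisco: a small Python triage script that parses IOS syslog lines of the two kinds discussed here, %CRYPTO-4-PKT_REPLAY_ERR anti-replay failures and access-list deny messages (which only appear when the ACL entries carry the log keyword), and summarises them per IPsec connection id and per denied flow, so a burst of replay failures on one SA or a deny of the peer's ISAKMP/ESP traffic stands out. The sample lines, hostname and connection ids are constructed; the message shapes follow the IOS conventions for those mnemonics.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Cisco IOS syslog messages as a syslog
# daemon would receive them; hostname, timestamps and connection ids are made up.
SAMPLE_LOG = """\
Mar 28 10:02:11 gw-mia 101: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=30
Mar 28 10:02:12 gw-mia 102: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=30
Mar 28 10:02:14 gw-mia 103: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=30
Mar 28 10:02:20 gw-mia 104: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.1.1.2(500) -> 10.1.1.1(500), 1 packet
Mar 28 10:02:25 gw-mia 105: %SEC-6-IPACCESSLOGNP: list 120 denied 50 10.1.1.2 -> 10.1.1.1, 3 packets
"""

# Generic IOS message shape: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
# Detail patterns for the two message kinds this script summarises (ports optional).
REPLAY_RE = re.compile(r"connection id=(?P<conn>\d+)")
ACL_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> "
    r"(?P<dst>[\d.]+)(?:\(\d+\))?, (?P<count>\d+) packets?")

def parse_line(line):
    """Return facility/severity/mnemonic/text of one IOS syslog line, or None."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Count anti-replay failures per IPsec connection id and ACL denies per flow."""
    replay = Counter()  # connection id -> number of replay-check failures
    denies = Counter()  # (acl, proto, src, dst) -> packets denied
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["mnemonic"] == "PKT_REPLAY_ERR":
            d = REPLAY_RE.search(rec["text"])
            if d:
                replay[d.group("conn")] += 1
        elif rec["mnemonic"].startswith("IPACCESSLOG"):
            d = ACL_RE.search(rec["text"])
            if d:
                key = (d.group("acl"), d.group("proto"), d.group("src"), d.group("dst"))
                denies[key] += int(d.group("count"))
    return replay, denies

def replay_bursts(replay, threshold=3):
    """Connection ids whose replay-failure count reached the threshold."""
    return sorted(conn for conn, n in replay.items() if n >= threshold)
```

A denied flow between the two peer addresses on udp/500 or protocol 50 is worth checking first, because that is the ISAKMP and ESP traffic the tunnel itself needs to pass the inbound list.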
 
I ran into a similar problem with what you were experiencing. What IOS version are you running? The version I was running was 12.1; Cisco verified there was a bug with that version and told me to upgrade to 12.1.5 T. Once I upgraded the IOS it ran fine and the tunnel stays connected. If you upgrade, be warned that if you are doing any logging, make sure you place a "Logging Exception ####" in the configuration; there seems to be a bug with this IOS version that will make the router loop if it crashes. Let me know if this helps you any.

david e
 
My IOS version is 12.0(7)T. Can you tell me more about that bug? Thank you for your help.
 
Don't have much more information than that. We have about 5 IPSEC tunnels setup between our Enterprise router and our field offices. One particular VPN was posing a problem with staying up. I could get the vpn to reconnect if I ran the following commands....

clear crypto sa
clear crypto isakmp

After these two commands were issued on the remote router the vpn would be established and then stay up for about 30 minutes, after that it would timeout again. If I checked the debug log, I would get errors about ISAKMP Packet Discarded.

I worked on this situation for about two months then opened a case with Cisco. They told me it was a bug with my particular IOS Version......

The problem you are experiencing is a known issue with 12.0.7t. A few bug IDs are CSCdp99719, CSCdp62304. An IOS upgrade to 12.1.5t will resolve these issues. Please let me know if you have any further questions or if I can be of further assistance.

I went ahead and upgraded to the newest version 12.1.5t but then ran into a problem with the router crashing at odd times. When it would crash it would loop upon booting and stay in that condition until a full power-off. I once again opened a case with Cisco and they told me to put a "Logging Exception" in the configuration and it's been running ever since that. I've had no problems with my VPN's and everything seems to be working great.

Let me know if this helps you out any, I was very puzzled over this problem but it seems to be working now.

david e
 
I've found nothing about the command "Logging Exception" in the IOS docs. Was this command introduced in 12.1(5)T? What does it do?
P.S. You see, I don't have access to CCO.
 
You are correct, I believe this is a new command within 12.1(5)T. I checked on another system that was running 12.1(2) and there was no reference to it, and I also looked on the Cisco web site and couldn't find anything related to it. I did a logging ? and pasted the results below. Of course my router is still crashing (it did once yesterday), but when it crashes it recovers fully. Once I get the full information regarding this problem I will post it here. I am calling Cisco again today to determine the problem with the router crash. I will keep you informed. Does your VPN come back up when you issue the clear commands? If it does, you are probably having the same issue that I am. Let me know, it would be interesting to know.

david e



gw-mia(config)#logging ?
Hostname or A.B.C.D IP address of the logging host
buffered Set buffered logging parameters
console Set console logging level
exception Limit size of exception flush output
facility Facility parameter for syslog messages
history Configure syslog history table
monitor Set terminal line (monitor) logging level
on Enable logging to all supported destinations
rate-limit Set messages per second limit
trap Set syslog server logging level

 
Hi.
The clear commands didn't do anything.
IOS 12.1(5)T seems to have resolved the problem with the tunnel (it works for an hour, but I need more time), but it doesn't write to the log. It has added the following to the running-config:
no service single-slot-reload-enable
logging rate-limit console 10 except errors
call rsvp-sync
dial-peer cor custom
but hasn't changed the startup-config. I haven't reloaded the router yet after the upgrade.
 
sobok,

I am having a problem with an IPSEC tunnel between two 1720 routers. The tunnel seems to function intermittently. I can "NET VIEW \\serveronotherside" and this works more often than not, but there are periods where it just stops and returns a variety of errors. The most prominent errors returned are SEMAPHORE TIMEOUT PERIOD HAS EXPIRED and THE SERVER SERVICE IS NOT STARTED. After a couple of failed tries I can get it to go through again. At first I thought I might have a name resolution problem, but using the W2K network monitor on both sides I have been able to see that traffic is crossing the VPN even on failed attempts.

I am using IOS 12.1 with the 12.1.(1)XC IP PLUS IPSEC 56 feature pack. One side has a full T1 while the other side is a 384k fractional T1. Does this appear to be a similar problem to yours prior to the IOS upgrade?

Thanks in advance.

cmcdojo
 
Just a thought, and to be honest I am not 100% sure, however:
can you set the ( exec-timeout 0 0 ) command to keep the session open? From what I see it's what, about every half hour!!!
J.Fisher CCNA
Jeter@LasVegas.com
 
jeter,

Thanks for responding. I tried the exec-timeout 0 0 or no exec-timeout as shown in the documentation. Neither of these worked. When I looked these commands up on the Cisco web site, they (it) appear to only be applicable to the terminal connection configuration.

cmcdojo
 
andrewalx
Sorry for not responding right away, I've been working on catching a hacker on my system. Anyway, you stated you upgraded to 12.1(5)t and your VPN is working; is it still up and operational? And as far as logging information about the VPN, are you wanting to log the VPN activity or the access-list activity?

david e

 
Hi, Sobak.
Yes, the VPN works fine, for 2.5 days already. As for logging, 's log' says logging is being performed and the number of 'message lines logged' is increasing, but I see nothing in my Kiwi Syslog Daemon Service Manager, though I've experimented with the 'logg rate-limit' command. I've put 'log' into the VPN access-list too.
 
Great to hear that your VPN is working.....nice to think I'm doing a little good here helping out people.....anyway, about your logging, in your statements regarding the logging I didn't see any....

Logging IP address of syslog daemon

Do you have that statement in there? I'm not sure, but you may need to also enable SNMP traps in order to log to a syslog daemon. I will check to ensure it needs to be, but do you already have them enabled? If you let me know, I will do a little further research to see about the SNMP traps.



david e
 
Hi.
I had a working config that logged OK on 12.0(7)T. I kept it untouched (with the same syslogd address) and it doesn't log on 12.1(5)T.
Thank you for your help. I'm researching too and will let you know the result.
 
From 12.0 to 12.1 a new logging option appears:
logging source-interface
You must specify an interface as source for syslog messages.
 
Hey, thanks a lot, I'll have to remember that one....

david e
 