ezvpn fails on 1841 router with multiple dot1q interfaces

Have a network that I'm trying to separate traffic on. Vlan 30 connects to corporate network via VPN connection (server is a 3k series concentrator). Vlan 20 is private network. I'm setting up dot1q encapsulated sub interfaces on the 1841, however, as soon as I add an L3 address to the 2nd dot1q interface the VPN connection drops and won't connect. Actually, it does connect but it disconnects immediately...

Config:

#############################################################

crypto ipsec client ezvpn DI-FTW
 connect manual
 group IOSClient key *****
 local-address FastEthernet0/0
 mode network-extension
 peer x.x.x.x
 acl 100
 username XXXX password ******
 xauth userid mode local
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ### CANT ADD L3 ADDRESS 192.168.1.1 HERE####
 no snmp trap link-status
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 172.17.72.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 crypto ipsec client ezvpn DI-FTW inside
!
interface Serial0/0/0
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly
 no keepalive
 no fair-queue
 ignore dcd
 crypto ipsec client ezvpn DI-FTW
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip nat inside source list 150 interface FastEthernet0/0 overload
!
access-list 1 permit 172.17.72.0 0.0.0.255
access-list 100 permit ip 172.17.72.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 100 permit ip 172.17.72.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 deny ip 172.17.72.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 150 deny ip 172.17.72.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 permit ip 172.17.72.0 0.0.0.255 any

#############################################################

ezvpn debug output:

ng1-1841router#cry ip cli ez connect DI-FTW
ng1-1841router#
*Aug 28 16:08:57.159: EZVPN(DI-FTW): Deleted PSK for address x.x.x.x
*Aug 28 16:08:57.159: EZVPN(DI-FTW): Current State: CONNECT_REQUIRED
*Aug 28 16:08:57.159: EZVPN(DI-FTW): Event: CONNECT
*Aug 28 16:08:57.159: EZVPN(DI-FTW): ezvpn_connect_request
*Aug 28 16:08:57.159: EZVPN(DI-FTW): Found valid peer x.x.x.x
*Aug 28 16:08:57.159: EZVPN(DI-FTW): Added PSK for address x.x.x.x
*Aug 28 16:08:57.163: EZVPN(DI-FTW): New State: READY
*Aug 28 16:08:58.267: EZVPN(DI-FTW): Current State: READY
*Aug 28 16:08:58.267: EZVPN(DI-FTW): Event: IKE_PFS
*Aug 28 16:08:58.267: EZVPN(DI-FTW): No state change
*Aug 28 16:08:58.267: EZVPN(DI-FTW): Current State: READY
*Aug 28 16:08:58.267: EZVPN(DI-FTW): Event: CONN_UP
*Aug 28 16:08:58.267: EZVPN(DI-FTW): ezvpn_conn_up CB19182D 5B3BF259 E6204325 987A05BF
*Aug 28 16:08:58.267: EZVPN(DI-FTW): No state change
*Aug 28 16:08:58.947: EZVPN(DI-FTW): Current State: READY
*Aug 28 16:08:58.947: EZVPN(DI-FTW): Event: XAUTH_REQUEST
*Aug 28 16:08:58.947: EZVPN(DI-FTW): ezvpn_xauth_request
*Aug 28 16:08:58.947: EZVPN(DI-FTW): ezvpn_parse_xauth_msg
*Aug 28 16:08:58.947: EZVPN: Attributes sent in xauth request message:
*Aug 28 16:08:58.947: XAUTH_TYPE_V2(DI-FTW): 0
*Aug 28 16:08:58.947: XAUTH_USER_NAME_V2(DI-FTW):
*Aug 28 16:08:58.947: XAUTH_USER_PASSWORD_V2(DI-FTW):
*Aug 28 16:08:58.951: XAUTH_MESSAGE_V2(DI-FTW)
*Aug 28 16:08:58.951: EZVPN(DI-FTW): send saved username XXXX and password < omitted>
*Aug 28 16:08:58.951: EZVPN(DI-FTW): New State: XAUTH_REQ
*Aug 28 16:08:58.951: EZVPN(DI-FTW): Current State: XAUTH_REQ
*Aug 28 16:08:58.951: EZVPN(DI-FTW): Event: XAUTH_REQ_INFO_READY
*Aug 28 16:08:58.951: EZVPN(DI-FTW): ezvpn_xauth_reply
*Aug 28 16:08:58.951: XAUTH_TYPE_V2(DI-FTW): 0
*Aug 28 16:08:58.951: XAUTH_USER_NAME_V2(DI-FTW): XXXX
*Aug 28 16:08:58.951: XAUTH_USER_PASSWORD_V2(DI-FTW):
*Aug 28 16:08:58.951: EZVPN(DI-FTW): New State: XAUTH_REPLIED
*Aug 28 16:08:59.935: EZVPN(DI-FTW): Current State: XAUTH_REPLIED
*Aug 28 16:08:59.935: EZVPN(DI-FTW): Event: XAUTH_STATUS
*Aug 28 16:08:59.935: EZVPN(DI-FTW): xauth status received: Success
*Aug 28 16:08:59.935: EZVPN(DI-FTW): New State: READY
*Aug 28 16:09:00.623: EZVPN(DI-FTW): Current State: READY
*Aug 28 16:09:00.623: EZVPN(DI-FTW): Event: MODE_CONFIG_REPLY
*Aug 28 16:09:00.623: EZVPN(DI-FTW): ezvpn_mode_config CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF
*Aug 28 16:09:00.631: EZVPN(DI-FTW): ezvpn_parse_mode_config_msg
*Aug 28 16:09:00.631: EZVPN: Attributes sent in message:
*Aug 28 16:09:00.631: DNS Primary: 172.18.0.10
*Aug 28 16:09:00.631: DNS Secondary: 172.18.1.10
*Aug 28 16:09:00.631: NBMS/WINS Primary: 172.18.0.13
*Aug 28 16:09:00.631: NBMS/WINS Secondary: 172.18.28.29
*Aug 28 16:09:00.631: Savepwd on
*Aug 28 16:09:00.631: Split Tunnel List: 1
*Aug 28 16:09:00.631: Address : 172.16.0.0
*Aug 28 16:09:00.631: Mask : 255.240.0.0
*Aug 28 16:09:00.631: Protocol : 0x0
*Aug 28 16:09:00.631: Source Port: 0
*Aug 28 16:09:00.631: Dest Port : 0
*Aug 28 16:09:00.631: Split Tunnel List: 2
*Aug 28 16:09:00.631: Address : 10.0.0.0
*Aug 28 16:09:00.635: Mask : 255.0.0.0
*Aug 28 16:09:00.635: Protocol : 0x0
*Aug 28 16:09:00.635: Source Port: 0
*Aug 28 16:09:00.635: Dest Port : 0
*Aug 28 16:09:00.635: Default Domain: xx.somedomain.xx
*Aug 28 16:09:00.635: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Aug 28 16:09:00.635: EZVPN(DI-FTW): ezvpn_nat_config
*Aug 28 16:09:00.639: EZVPN(DI-FTW): New State: SS_OPEN
*Aug 28 16:09:00.655: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.655: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.655: EZVPN(DI-FTW): No state change
*Aug 28 16:09:00.659: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.659: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.659: EZVPN(DI-FTW): No state change
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.667: EZVPN(DI-FTW): No state change
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.667: EZVPN(DI-FTW): No state change
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.667: EZVPN(DI-FTW): No state change
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.667: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.667: EZVPN(DI-FTW): No state change
*Aug 28 16:09:00.671: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.671: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.671: EZVPN(DI-FTW): No state change
*Aug 28 16:09:00.671: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:00.671: EZVPN(DI-FTW): Event: SOCKET_READY
*Aug 28 16:09:00.671: EZVPN(DI-FTW): No state change
*Aug 28 16:09:01.367: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:01.367: EZVPN(DI-FTW): Event: MTU_CHANGED
*Aug 28 16:09:01.367: EZVPN(DI-FTW): No state change
*Aug 28 16:09:01.367: EZVPN(DI-FTW): Current State: SS_OPEN
*Aug 28 16:09:01.367: EZVPN(DI-FTW): Event: SOCKET_UP
*Aug 28 16:09:01.367: ezvpn_socket_up
*Aug 28 16:09:01.367: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=XXXX Group=IOSClient Server_public_addr=x.x.x.x NEM_Remote_Subnets=172.17.72.0/255.255.255.0 172.1
*Aug 28 16:09:01.371: EZVPN(DI-FTW): Tunnel UP! Letting user know about it
*Aug 28 16:09:01.371: EZVPN(DI-FTW): New State: IPSEC_ACTIVE
*Aug 28 16:09:01.391: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:01.391: EZVPN(DI-FTW): Event: MTU_CHANGED
*Aug 28 16:09:01.391: EZVPN(DI-FTW): No state change
*Aug 28 16:09:01.391: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:01.391: EZVPN(DI-FTW): Event: SOCKET_UP
*Aug 28 16:09:01.391: ezvpn_socket_up
*Aug 28 16:09:01.391: EZVPN(DI-FTW): Tunnel UP! Letting user know about it
*Aug 28 16:09:01.391: EZVPN(DI-FTW): No state change
*Aug 28 16:09:01.407: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:01.407: EZVPN(DI-FTW): Event: MTU_CHANGED
*Aug 28 16:09:01.407: EZVPN(DI-FTW): No state change
*Aug 28 16:09:01.407: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:01.407: EZVPN(DI-FTW): Event: SOCKET_UP
*Aug 28 16:09:01.407: ezvpn_socket_up
*Aug 28 16:09:01.407: EZVPN(DI-FTW): Tunnel UP! Letting user know about it
*Aug 28 16:09:01.407: EZVPN(DI-FTW): No state change
*Aug 28 16:09:01.431: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:01.431: EZVPN(DI-FTW): Event: MTU_CHANGED
*Aug 28 16:09:01.431: EZVPN(DI-FTW): No state change
*Aug 28 16:09:01.431: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:01.431: EZVPN(DI-FTW): Event: SOCKET_UP
*Aug 28 16:09:01.431: ezvpn_socket_up
*Aug 28 16:09:01.435: EZVPN(DI-FTW): Tunnel UP! Letting user know about it
*Aug 28 16:09:01.435: EZVPN(DI-FTW): No state change
*Aug 28 16:09:02.143: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:02.143: EZVPN(DI-FTW): Event: SOCKET_DOWN
*Aug 28 16:09:02.143: EZVPN: ezvpn_socket_down
*Aug 28 16:09:02.143: EZVPN: Current peer down is x.x.x.x
*Aug 28 16:09:02.143: EZVPN(DI-FTW): No state change
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Event: SOCKET_DOWN
*Aug 28 16:09:02.151: EZVPN: ezvpn_socket_down
*Aug 28 16:09:02.151: EZVPN: Current peer down is x.x.x.x
*Aug 28 16:09:02.151: EZVPN(DI-FTW): No state change
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Event: SOCKET_DOWN
*Aug 28 16:09:02.151: EZVPN: ezvpn_socket_down
*Aug 28 16:09:02.151: EZVPN: Current peer down is x.x.x.x
*Aug 28 16:09:02.151: EZVPN(DI-FTW): No state change
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Event: SOCKET_DOWN
*Aug 28 16:09:02.151: EZVPN: ezvpn_socket_down
*Aug 28 16:09:02.151: EZVPN: Current peer down is x.x.x.x
*Aug 28 16:09:02.151: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=XXXX Group=IOSClient Server_public_addr=x.x.x.x
*Aug 28 16:09:02.151: EZVPN(DI-FTW): No state change
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Current State: IPSEC_ACTIVE
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Event: CONN_DOWN
*Aug 28 16:09:02.151: EZVPN(DI-FTW): New active peer is x.x.x.x
*Aug 28 16:09:02.151: EZVPN(DI-FTW): Ready to connect to peer x.x.x.x
*Aug 28 16:09:02.151: EZVPN(DI-FTW): ezvpn_close CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF CB19182D 5B3BF259 E6204325 987A05BF
*Aug 28 16:09:02.163: EZVPN(DI-FTW): Deleted PSK for address x.x.x.x
*Aug 28 16:09:02.163: EZVPN(DI-FTW): ezvpn_reset
*Aug 28 16:09:02.167: EZVPN(DI-FTW): New State: CONNECT_REQUIRED
Reply to
shawnhenry01
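
The flap in the debug output above (the tunnel reaches IPSEC_ACTIVE and is torn down less than a second later) can be pulled out of a long capture mechanically. This is an added example, not part of the original thread: the function names and the `max_uptime` threshold are assumptions, and the sample lines are abridged from the poster's output.

```python
import re
from datetime import datetime

# Sample input: lines abridged from the "debug crypto ipsec client ezvpn" output in the post.
SAMPLE = """\
*Aug 28 16:08:57.159: EZVPN(DI-FTW): Current State: CONNECT_REQUIRED
*Aug 28 16:08:57.163: EZVPN(DI-FTW): New State: READY
*Aug 28 16:08:58.951: EZVPN(DI-FTW): New State: XAUTH_REQ
*Aug 28 16:08:58.951: EZVPN(DI-FTW): New State: XAUTH_REPLIED
*Aug 28 16:08:59.935: EZVPN(DI-FTW): New State: READY
*Aug 28 16:09:00.639: EZVPN(DI-FTW): New State: SS_OPEN
*Aug 28 16:09:01.367: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=XXXX Group=IOSClient Server_public_addr=x.x.x.x
*Aug 28 16:09:01.371: EZVPN(DI-FTW): New State: IPSEC_ACTIVE
*Aug 28 16:09:02.151: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=XXXX Group=IOSClient Server_public_addr=x.x.x.x
*Aug 28 16:09:02.167: EZVPN(DI-FTW): New State: CONNECT_REQUIRED
"""

LINE = re.compile(r"^\*(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (.*)$")
NEW_STATE = re.compile(r"EZVPN\(([^)]+)\): New State: (\w+)")

def entries(text):
    """Yield (timestamp, message) for every timestamped debug line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # The timestamps in this output carry no year; 2000 is a placeholder.
            ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
            yield ts, m.group(2)

def state_path(text):
    """Return the sequence of EzVPN client states entered ('New State:' lines)."""
    hits = (NEW_STATE.search(msg) for _, msg in entries(text))
    return [h.group(2) for h in hits if h]

def find_flaps(text, max_uptime=5.0):
    """Return (up_time, seconds_up) for tunnels that dropped within max_uptime seconds."""
    flaps, up_at = [], None
    for ts, msg in entries(text):
        if "%CRYPTO-6-EZVPN_CONNECTION_UP" in msg:
            up_at = ts
        elif "%CRYPTO-6-EZVPN_CONNECTION_DOWN" in msg and up_at is not None:
            uptime = (ts - up_at).total_seconds()
            if uptime <= max_uptime:  # assumed threshold for "immediate" disconnect
                flaps.append((up_at.time().isoformat(timespec="milliseconds"), round(uptime, 3)))
            up_at = None
    return flaps

if __name__ == "__main__":
    print(" -> ".join(state_path(SAMPLE)))
    print(find_flaps(SAMPLE))
```

On this capture the state path shows authentication and mode config completing normally, so the disconnect happens after negotiation rather than during XAUTH.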

Fixed it. Had to remove the ezvpn config from the interfaces then re-add it. Must be a bug in the ezvpn code. I'm sure a reboot would have taken care of it too.

Reply to
shawnhenry01

Try removing the crypto and adding it back on next time.

Reply to
AN

Thanks for the update. It is easy to forget that the config process can go awry since it is usually robust.

Reply to
Bod43
