Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing
  • Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

    Hi everyone

    I've been searching for a few days now on this and saw a few posts on here with similar issues, most commonly though on ASA/PIX.

    We have a Cisco 1841 router with the ADVSECURITY IOS. We also have a Microsoft TMG 2010 server and are trying to get a S2S IPSEC tunnel between the two. We've created the TMG config as per all our other S2S VPNs (although none of these go to Cisco devices). We've set up the Cisco as below. When running show crypto isakmp sa and show crypto ipsec sa, they both show as ACTIVE. However no traffic is going between the 2 (Pings don't reply etc). I can see the VPN as up in the TMG and I can see the traffic is allowed to the Cisco device. I've followed a fair amount of configs to get it how it is, but as above most seem to be about PIX to TMG, or not to TMG at all.

    If anyone can shed some light on this that'd be very welcome.

    172.20.0.0/16 is Cisco network
    172.15.0.0/16 is TMG network

    Code:
    Current configuration : 6435 bytes
    !
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname xxxxxxxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    dot11 syslog
    ip cef
    !
    !
    !
    !
    ip vrf vpn1
    !
    ip domain name xxxxxxxxxx
    !
    multilink bundle-name authenticated
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
      protocol pptp
      virtual-template 1
    !
    !
    !
    !
    !
    archive
    log config
      hidekeys
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key hello address xxx.xxx.xxx.xxx
    !
    !
    crypto ipsec transform-set TESTSET esp-3des esp-sha-hmac
    !
    crypto map TESTMAP 10 ipsec-isakmp
    set peer xxx.xxx.xxx.xxx
    set transform-set TESTSET
    set pfs group1
    match address 100
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description $ES_LAN$
    ip address xxx.xxx.xxx.xxx 255.255.0.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map TESTMAP
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0/1
    peer default ip address pool vpn
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication ms-chap-v2
    !
    ip local pool vpn xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 150 interface FastEthernet0/1 overload
    !
    logging trap debugging
    logging xxx.xxx.xxx.xxx
    access-list 1 permit 172.20.0.0 0.0.255.255
    access-list 100 permit ip 172.20.0.0 0.0.255.255 172.15.0.0 0.0.255.255
    access-list 150 deny   ip 172.20.0.0 0.0.255.255 172.15.0.0 0.0.255.255
    access-list 150 permit ip 172.20.0.0 0.0.255.255 any
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

    Many thanks in advance.

  • #2
    Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

    Post the results from:


    show crypto isakmp sa

    show crypto ipsec sa


    Your config on the cisco looks fine. Your protected subnets are 172.20.0.0/16 locally and the remote subnet is 172.15.0.0/16. Make sure it's the same on the TMG side.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

      isakmp:

      Code:
      IPv4 Crypto ISAKMP SA
      dst             src             state          conn-id slot status
      192.168.0.4     xxx.xxx.xxx.xxx   QM_IDLE           1027    0 ACTIVE
      (external IP)    (Remote IP)
      
      IPv6 Crypto ISAKMP SA

      ipsec:

      Code:
      interface: FastEthernet0/1
          Crypto map tag: TESTMAP, local addr 192.168.0.4
      
         protected vrf: (none)
         local  ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
         remote ident (addr/mask/prot/port): (172.15.0.0/255.255.0.0/0/0)
         current_peer xxx.xxx.xxx.xxx port 4500
           PERMIT, flags={origin_is_acl,}
          #pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 123, #recv errors 0
      
           local crypto endpt.: 192.168.0.4, remote crypto endpt.: xxx.xxx.xxx.xxx
           path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
           current outbound spi: 0x0(0)
      
           inbound esp sas:
            spi: 0x3BE1C377(1004651383)
              transform: esp-3des esp-sha-hmac ,
              in use settings ={Tunnel UDP-Encaps, }
              conn id: 2233, flow_id: FPGA:233, crypto map: TESTMAP
              sa timing: remaining key lifetime (k/sec): (4440281/3598)
              IV size: 8 bytes
              replay detection support: Y
              Status: ACTIVE
      
           inbound ah sas:
      
           inbound pcp sas:
      
           outbound esp sas:
            spi: 0x9CF1DAAF(2633095855)
              transform: esp-3des esp-sha-hmac ,
              in use settings ={Tunnel UDP-Encaps, }
              conn id: 2234, flow_id: FPGA:234, crypto map: TESTMAP
              sa timing: remaining key lifetime (k/sec): (4440281/3598)
              IV size: 8 bytes
              replay detection support: Y
              Status: ACTIVE
      
           outbound ah sas:
      
           outbound pcp sas:

      I've tried Googling the "Send Errors" but cannot come up with anything substantial. Also not sure if this is only on the Cisco to TMG route rather than the TMG to Cisco route.



      • #4
        Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

        Make sure both ends have a route to those protected subnets.

        Phase 1 is fine. Phase 2 is also fine and I see both the inbound and outbound SAs established. I also see that the cisco end is encapsulating traffic and sending it in the tunnel but nothing is being decapsulated (meaning either the remote end isn't receiving it or the traffic is being filtered inbound/outbound on the other end).

        Double check your crypto ACLs on both sides; they should be "mirror" images of each other. Also I would remove pfs just to rule that out.


        What does the other side look like?

        Also, when you attempt to send traffic from the cisco to the remote end, do you see the "send errors" increasing along with the pkts encaps/pkts encrypt counters?
        Last edited by auglan; 7th September 2012, 13:26.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

          Removed PFS. Still have the issue. I've run logging on the TMG and pings from the Cisco side to the TMG side come through as attached. The error rate goes up when pinging from Cisco to TMG but not the other way. The Pkt figure is going up very slowly but I'm not sure where that is coming from as it doesn't rise with the error rate.

          The TMG side has a single rule which allows all traffic to pass between the VPN (Cisco) and the Internal network (TMG). There is also a routed network rule to ensure traffic bound for the Cisco network does not go out of the NAT.



          • #6
            Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

            Do you see the decap counters increase when sending traffic from the TMG side to the cisco?

            Can you ping from the TMG side to the cisco successfully?

            Also, I assume the TMG is behind NAT, as I see the cisco negotiated NAT-T (udp 4500)?

            I would look over the cisco config again. Check and make sure your peer addresses are correct etc...

            Also you can try some debugs. Be careful with these as they produce a lot of output. I would log to the buffer or to a syslog server.

            debug crypto isakmp

            debug crypto ipsec
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

              No counters increase on sending traffic from TMG to Cisco.

              No - PING traffic shows in the outbound rule as allowed but no reply is received.

              The TMG is behind a NAT - unavoidable unfortunately in our case.

              Peer addresses are definitely correct - matched as well to someone else's config who was connecting to a SonicWall.

              We tried some debugs this morning. The output showed no ping request from the TMG side. It did show the requests from the Cisco side but it was sending a dest host unreachable back to the requesting PC. The debug of the ipsec and isakmp showed no errors and stated Phase 2 complete.



              • #8
                Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

                It did show the requests from the Cisco side but it was sending a dest host unreachable back to the requesting PC.

                This usually means it doesn't have a route for the destination. Make sure on both sides that they have routes for each other's protected subnets.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

                  Sorry, it wasn't a dest host unreachable, it was an "ICMP: dst (cisco router ip) port unreachable rcv from (some internal ip address)". The odd thing is I am seeing traffic going both ways through the TMG (i.e. I can see requests coming from the Cisco to the TMG net and I can see requests coming from the TMG net to the Cisco net), but they never reply. From what I can tell all the required routing is in place.



                  • #10
                    Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

                    What is upstream from the TMG server?

                    Also don't discount reloading the router either.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

                      Hi, sorry for the late reply - have been away and just come back to this now.

                      Upstream from TMG is ISP firewall which port forwards all traffic to TMG's "external" interface. Router also reloaded.



                      • #12
                        Re: Cisco 1841 Site to Site VPN to MS TMG - No Traffic Passing

                        I would check with the ISP to see if it's being filtered. The cisco is encapsulating packets and putting them in the tunnel, but it isn't receiving anything back from the other side. A couple of things to check would be:

                        1. Do you see the packets from the cisco reaching the TMG?
                        2. If so, are they being encapsulated and sent into the tunnel on the TMG side?
                        3. If so, then the cisco isn't receiving them, so I would check with the upstream ISP firewall.

                        More often than not you see this with either a routing issue or a filtering issue in the transmit path. Since NAT-T was negotiated you would need to allow udp 4500 inbound/outbound.
                        Last edited by auglan; 15th October 2012, 18:43.
                        CCNA, CCNA-Security, CCNP
                        CCIE Security (In Progress)
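The checks the replies keep coming back to (the encaps/decaps/send-errors counters in #3 and #4, the "mirror image" crypto ACL rule in #2 and #4, and the NAT-T/UDP 4500 point in #12) can be scripted against the text of `show crypto ipsec sa` and the crypto ACL lines. The Python below is an added example and is not code from the thread or from Cisco; the counter snapshots are constructed to resemble the numbers posted in #3 with a documentation-range peer address standing in for the masked one, and the TMG side's policy is written out in IOS access-list syntax purely so the two ends can be compared with the same parser.

```python
import ipaddress
import re

# Constructed snapshot modelled on the counters posted in #3 (not a real capture);
# 203.0.113.10 is a documentation-range placeholder for the masked peer address.
SA_BEFORE = """\
interface: FastEthernet0/1
    Crypto map tag: TESTMAP, local addr 192.168.0.4
   local  ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.15.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.10 port 4500
    #pkts encaps: 31, #pkts encrypt: 31, #pkts digest: 31
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 123, #recv errors 0
"""
# Constructed second snapshot, as if taken after five pings from the Cisco LAN:
# encaps and send errors rose, decaps stayed at zero (the symptom in the thread).
SA_AFTER = (SA_BEFORE.replace("encaps: 31", "encaps: 36")
                     .replace("encrypt: 31", "encrypt: 36")
                     .replace("errors 123", "errors 128"))


def parse_ipsec_sa(text):
    """Extract identities, peer port and packet counters from one 'show crypto ipsec sa' entry."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return tuple(cast(g) for g in m.groups())

    local_net, local_mask = grab(r"local\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
    remote_net, remote_mask = grab(r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
    peer, port = grab(r"current_peer (\S+) port (\d+)")
    (encaps,) = grab(r"#pkts encaps: (\d+)", int)
    (decaps,) = grab(r"#pkts decaps: (\d+)", int)
    send_err, recv_err = grab(r"#send errors (\d+), #recv errors (\d+)", int)
    return {
        "local": ipaddress.ip_network(f"{local_net}/{local_mask}"),
        "remote": ipaddress.ip_network(f"{remote_net}/{remote_mask}"),
        "peer": peer, "peer_port": int(port),
        "encaps": encaps, "decaps": decaps,
        "send_errors": send_err, "recv_errors": recv_err,
    }


def diagnose(before, after):
    """Compare two snapshots taken around a test ping and say what the counter deltas indicate."""
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    d_err = after["send_errors"] - before["send_errors"]
    findings = []
    if d_enc > 0 and d_dec == 0:
        findings.append("one-way: this side encapsulates but nothing is decapsulated; "
                        "suspect the return path (remote route, remote policy, or an upstream filter)")
    elif d_enc == 0:
        findings.append("no packets entered the tunnel: the test traffic is not matching the crypto ACL")
    if d_err > 0:
        findings.append(f"send errors rose by {d_err} alongside {d_enc} encaps")
    if after["peer_port"] == 4500:
        findings.append("NAT-T negotiated (peer port 4500): UDP/4500 must be permitted both ways on every hop")
    return findings


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to a network (wildcard 1-bits are don't-care bits)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # must be a contiguous run of low 1-bits, e.g. 0.0.255.255
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


ACL_LINE = re.compile(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_crypto_acl(lines):
    """Turn IOS crypto ACL permit lines into a set of (src, dst) network pairs."""
    pairs = set()
    for line in lines:
        m = ACL_LINE.match(line.strip())
        if m:
            pairs.add((wildcard_to_network(m.group(1), m.group(2)),
                       wildcard_to_network(m.group(3), m.group(4))))
    return pairs


def is_mirror(local_pairs, remote_pairs):
    """Crypto ACLs are mirror images when every (src, dst) on one peer is (dst, src) on the other."""
    return local_pairs == {(dst, src) for src, dst in remote_pairs}


# The Cisco's crypto ACL from the thread, and two constructed renderings of the TMG side's
# policy in the same syntax: one correct, one with the remote network mistakenly set to a /24.
CISCO_CRYPTO_ACL = ["access-list 100 permit ip 172.20.0.0 0.0.255.255 172.15.0.0 0.0.255.255"]
TMG_AS_ACL_OK = ["access-list 100 permit ip 172.15.0.0 0.0.255.255 172.20.0.0 0.0.255.255"]
TMG_AS_ACL_BAD = ["access-list 100 permit ip 172.15.0.0 0.0.255.255 172.20.0.0 0.0.0.255"]

if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(SA_BEFORE), parse_ipsec_sa(SA_AFTER)):
        print("-", finding)
    local = parse_crypto_acl(CISCO_CRYPTO_ACL)
    print("TMG policy mirrors Cisco ACL:", is_mirror(local, parse_crypto_acl(TMG_AS_ACL_OK)))
    print("TMG policy mirrors Cisco ACL:", is_mirror(local, parse_crypto_acl(TMG_AS_ACL_BAD)))
```

In practice you would paste the real `show crypto ipsec sa` output captured before and after a ping from each side into the two snapshot strings; a rising decaps delta when pinging from the TMG side is what #6 asks about, and a zero decaps delta in both directions points at the return path that #12 tells you to chase upstream.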

