Monday, March 3, 2014

Encrypt, Decrypt, Ucrypt, WeAllcrypt

 

Wow, very strange VPN-related issue today. Customer opens a trouble ticket and complains that network connectivity is failing (VoIP phones failing to register with the hosted CME through the VPN tunnel).

Hmm… let’s see if we can ping the outside interface of the customer firewall. Yup, no problem there.

OK… well, let’s see if we can SSH to the customer’s firewall – nope, SSH times out. Strange. Can ping, cannot SSH. So I gain access to the customer firewall’s inside interface through an alternate network connection and reload. After the reload I can successfully SSH. Strange.

OK… let’s see if the IKE PHASE1 SA is up… ‘show crypto isakmp sa’. Yup, we’ve got PHASE1 ‘AM_ACTIVE’ on both sides.

OK… let’s clear the IPSEC SA counters and then see if IPSEC is encrypting and decrypting on both sides. Nope, we’ve got some problems…

Data-Center:
#pkts encaps: 276
#pkts decaps: 272

Customer:
#pkts encaps: 354
#pkts decaps: 0

How weird… the Data-Center shows it encapping, but the customer firewall shows it is not receiving those encaps (its decaps are zero).

How can that be?!? The PHASE1 SA is up and the PHASE2 SA is up, but the customer side is not decapping?
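The check being done by hand above (clear the counters on both ends, then compare what one peer encaps against what the other peer decaps) is easy to script so that the asymmetry jumps out instead of having to be eyeballed across two terminal windows. The following is an added example, not code from this post; it assumes the counter lines follow the Cisco ‘show crypto ipsec sa’ format (“#pkts encaps: N” / “#pkts decaps: N”), and the two sample outputs are constructed here using the numbers quoted in the post.

```python
import re
from dataclasses import dataclass

# Counter lines as printed by Cisco 'show crypto ipsec sa' (the "#pkts encaps:" /
# "#pkts decaps:" fields quoted in the post). The regexes tolerate other fields
# following on the same line, or the number being wrapped onto the next line.
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


@dataclass
class SaCounters:
    """Encap/decap packet counters for one peer's IPsec SA."""
    peer: str
    encaps: int
    decaps: int


def parse_counters(peer: str, output: str) -> SaCounters:
    """Pull the encaps/decaps counters for one peer out of raw CLI text."""
    enc = ENCAPS_RE.search(output)
    dec = DECAPS_RE.search(output)
    if enc is None or dec is None:
        raise ValueError(f"{peer}: no '#pkts encaps'/'#pkts decaps' counters found")
    return SaCounters(peer, int(enc.group(1)), int(dec.group(1)))


def diagnose(a: SaCounters, b: SaCounters, tolerance: float = 0.10) -> list:
    """Compare the counters in both directions.

    On a healthy tunnel, what one peer encaps the other peer decaps, give or take
    packets in flight and the gap between clearing the two sides' counters
    (the 'tolerance' fraction). Returns one finding per broken direction; an
    empty list means the two ends agree.
    """
    findings = []
    for sender, receiver in ((a, b), (b, a)):
        if sender.encaps == 0:
            continue  # nothing was sent this way, so there is nothing to compare
        if receiver.decaps == 0:
            findings.append(
                f"{sender.peer} encapsulated {sender.encaps} packets but "
                f"{receiver.peer} decapsulated 0: ESP is not being credited to the "
                f"SA on {receiver.peer}; capture on the wire to see whether it arrives"
            )
        elif receiver.decaps < sender.encaps * (1 - tolerance):
            findings.append(
                f"{receiver.peer} decapsulated {receiver.decaps} of the "
                f"{sender.encaps} packets {sender.peer} encapsulated: partial loss, "
                f"or the counters were cleared at different times"
            )
    return findings


# Constructed sample output, using the counter values quoted in the post.
DC_OUTPUT = """\
   #pkts encaps: 276, #pkts encrypt: 276, #pkts digest: 276
   #pkts decaps: 272, #pkts decrypt: 272, #pkts verify: 272
"""
CUSTOMER_OUTPUT = """\
   #pkts encaps: 354, #pkts encrypt: 354, #pkts digest: 354
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    dc = parse_counters("Data-Center", DC_OUTPUT)
    customer = parse_counters("Customer", CUSTOMER_OUTPUT)
    for finding in diagnose(dc, customer) or ["counters consistent in both directions"]:
        print(finding)
```

Run against the post’s numbers it reports both directions: the Data-Center → Customer direction is the hard failure (276 encaps, 0 decaps), and the reverse direction shows the Data-Center a little behind the customer’s encaps, which is the sort of gap you get from clearing the two sides at different moments. The value of the script is that it separates “ESP never reached the peer” from “ESP reached the peer but was not credited to the SA”; only the packet capture on the wire, as the post goes on to do, tells you which of the two you are looking at.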

Let’s pull a Wireshark capture on the Data-Center outside interface and see what we see…

[Screenshot: Wireshark capture on the Data-Center outside interface]

Welp, we are in fact sending AND receiving IPSEC ESP traffic to and from both ends.

So why is the customer firewall not decapping? Good question. Don’t know. And we don’t have a Cisco service contract, so we can’t call TAC.

The solution was to build an L2L IPSEC tunnel on a secondary firewall at the customer’s location.
