Mundy

IT Knowledge Base

User Tools

Site Tools


troubleshooting_cisco_vpn

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

troubleshooting_cisco_vpn [2018/04/09 09:56] (current)
Line 1: Line 1:
 +====== Troubleshooting Cisco VPN ======
  
 +===== Pinging from the Cisco across the VPN =====
 +
 +If you're pinging directly from the router, across the VPN, sometimes it will try to ping from the public IP address of the router and put the packet directly out on the internet, ie not through the VPN. You must set the source address that you are pinging from.
 +
 +<​code>#​ping ip 192.168.235.100 source 10.0.123.1</​code>​
 +
 +===== IPSEC "Black Hole" ​ =====
 +
 +IPSEC uses "​Security Associations"​ (SA) - An SA is a relationship between two or more potential VPN endpoints, which determines what encryption algorithms to use, and the two endpoints exchange session keys. ([[http://​etutorials.org/​Networking/​Cisco+Certified+Security+Professional+Certification/​Part+III+Virtual+Private+Networks+VPNs/​Chapter+9+Cisco+IOS+IPSec+Introduction/​Security+Association+SA/​|more info]])
 +
 +You can see the SAs with the command: show crypto isakmp sa
 +
 +Sometimes an endpoint will reconnect to the Internet and reconnect with a different session key, and the other endpoint will think that nothing even happened, so both endpoints have different session keys and can't talk. You can clear the SA with this command: clear crypto ipsec sa
 +
 +Or in Cisco'​s words: An IPSec "black hole" occurs when one IPSec peer "​dies"​ (for example, a peer can "​die"​ if a reboot occurs or if an IPSec peer somehow gets reset). Because one of the peers (the receiving peer) is completely reset, it loses its IKE SA with the other peer. Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE "​INVALID SPI NOTIFY"​ message to the data originator. This notification is sent using the IKE SA. If there is no IKE SA available, the receiving peer drops the packet. Source: [[http://​www.cisco.com/​en/​US/​docs/​ios/​12_3t/​12_3t2/​feature/​guide/​gt_ispir.html|Invalid SPI Recovery]] - this may be a feature we can turn on so we never see this problem...
troubleshooting_cisco_vpn.txt ยท Last modified: 2018/04/09 09:56 (external edit)