From: Tarun Pahuja (pahujat@gmail.com)
Date: Wed Oct 24 2007 - 14:35:24 ART
Chamara,
Are the working and non-working routers using the same DNS servers or
different DNS servers? You can specify multiple criteria for matching.
http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034bd59.shtml
Do me a favor: revert your configuration back to using match identity host
domain, try to initiate the tunnel, capture the debug and send it to me.
It seems like the FQDN is not getting resolved correctly.
Thanks,
Tarun
On 10/23/07, Chamara Peris <dimsyboy@gmail.com> wrote:
>
> Same IOS version on the working setup and the non-working setup :(
>
> On 10/24/07, WorkerBee <ciscobee@gmail.com> wrote:
> >
> > Before you check on the IOS version, if you change the type from domain to
> > address, does it work? Changing to the address type is to make sure there is
> > no configuration or firewall issue.
> >
> > On 10/24/07, WorkerBee <ciscobee@gmail.com> wrote:
> > > Maybe it is the IOS version? Check the version against the working setup.
> > >
> > > On 10/24/07, Chamara Peris <dimsyboy@gmail.com> wrote:
> > > > Hi All,
> > > >
> > > > Any ideas on this issue?
> > > >
> > > >
> > > > On 10/23/07, Chamara Peris < dimsyboy@gmail.com> wrote:
> > > > >
> > > > > I have ip domain-lookup enabled and the hub router & spoke both can
> > > > > ping test123.vpn.com (it resolves it).
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On 10/23/07, WorkerBee <ciscobee@gmail.com> wrote:
> > > > > >
> > > > > > Do you have 'ip domain-lookup' enabled?
> > > > > >
> > > > > > Try to do a ping test123.vpn.com and see if the router can resolve
> > > > > > the domain name correctly.
> > > > > >
> > > > > >
> > > > > > On 10/23/07, Chamara Peris <dimsyboy@gmail.com> wrote:
> > > > > > > Hi Group,
> > > > > > >
> > > > > > > I am experiencing a very strange VPN issue. I have two sites
> > > > > > > connected via VPN. The hub site has a static IP and the spoke site
> > > > > > > is dynamic. Please refer to the configs of each site below.
> > > > > > >
> > > > > > > HUB:
> > > > > > >
> > > > > > > crypto keyring sats
> > > > > > > pre-shared-key address 0.0.0.0 0.0.0.0 key testing123
> > > > > > > !
> > > > > > > crypto isakmp policy 1
> > > > > > > encr 3des
> > > > > > > authentication pre-share
> > > > > > > group 2
> > > > > > >
> > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > crypto isakmp profile HH
> > > > > > > keyring sats
> > > > > > > match identity host domain test123.vpn.com
> > > > > > >
> > > > > > > !
> > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > !
> > > > > > > crypto dynamic-map dynmap 11
> > > > > > > set transform-set myset
> > > > > > > set isakmp-profile HH
> > > > > > > match address 137
> > > > > > >
> > > > > > > crypto map xyz 10 ipsec-isakmp dynamic dynmap
> > > > > > >
> > > > > > >
> > > > > > > access-list 137 permit ip 192.168.60.0 0.0.0.255 192.168.61.0 0.0.0.255
> > > > > > >
> > > > > > >
> > > > > > > SPOKE:
> > > > > > >
> > > > > > > crypto isakmp policy 1
> > > > > > > encr 3des
> > > > > > > authentication pre-share
> > > > > > > group 2
> > > > > > > crypto isakmp key testing123 address 111.111.111.111
> > > > > > > crypto isakmp invalid-spi-recovery
> > > > > > > crypto isakmp keepalive 360
> > > > > > > !
> > > > > > > !
> > > > > > > crypto ipsec transform-set myset esp-3des esp-sha-hmac
> > > > > > > !
> > > > > > > crypto map xyz 2 ipsec-isakmp
> > > > > > > set peer 111.111.111.111
> > > > > > > set transform-set myset
> > > > > > > match address 137
> > > > > > >
> > > > > > > access-list 137 permit ip 192.168.61.0 0.0.0.255 192.168.60.0 0.0.0.255
> > > > > > >
> > > > > > >
> > > > > > > My problem is that this setup doesn't work in this environment.
> > > > > > > However, the same setup on another set of routers works perfectly.
> > > > > > > All the routers have a domain name and name servers set up.
> > > > > > >
> > > > > > > The only way to get this going on this set of routers is to change
> > > > > > > the following on the HUB router.
> > > > > > >
> > > > > > > match identity host domain test123.vpn.com -----> match identity address 0.0.0.0
> > > > > > >
> > > > > > > With the above change it works. But I can't understand why match
> > > > > > > identity host domain doesn't work on this setup.
> > > > > > >
> > > > > > > Any ideas and help?
> > > > > > >
> > > > > > > Regards
> > > > > > > CP
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________________________________
> > > > > > > Subscription information may be found at:
> > > > > > > http://www.groupstudy.com/list/CCIELab.html
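The thread turns on which identity type the spoke presents to the hub's ISAKMP profile. As an added illustration (example code, not from any poster or from Cisco), the small model below parses the `match identity` forms named in the thread and checks a peer's IKE identity against them; the matching rules are a simplified assumption about IOS behaviour, and the peer identities are constructed test values.

```python
import ipaddress

def parse_match_identity(line):
    """Turn one 'match identity ...' line into a (kind, value) criterion."""
    t = line.split()
    if t[:2] != ["match", "identity"]:
        raise ValueError("not a match identity line: " + line)
    if t[2] == "address":
        # 'address A [MASK]'; no mask means a single host (assumption)
        return ("address", (t[3], t[4] if len(t) > 4 else "255.255.255.255"))
    if t[2] in ("host", "user"):
        if t[3] == "domain":
            return (t[2] + " domain", t[4].lower())
        return (t[2], t[3].lower())
    if t[2] == "group":
        return ("group", t[3])
    raise ValueError("unsupported criterion: " + line)

# Which IKE identity type each criterion kind can ever match (assumption:
# 'host' criteria only see FQDN identities, 'user' only USER_FQDN, etc.).
ID_TYPE_FOR = {"address": "address", "host": "fqdn", "host domain": "fqdn",
               "user": "user-fqdn", "user domain": "user-fqdn", "group": "key-id"}

def identity_matches(criterion, peer_id):
    kind, want = criterion
    id_type, value = peer_id
    if id_type != ID_TYPE_FOR[kind]:
        return False  # e.g. an address ID never satisfies 'host domain'
    if kind == "address":
        addr, mask = want
        if addr == "0.0.0.0":  # wildcard, as in the working change in the thread
            return True
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        return ipaddress.IPv4Address(value) in net
    if kind == "host domain":
        return value.lower().endswith("." + want)  # FQDN's domain part
    if kind == "user domain":
        return value.lower().rpartition("@")[2] == want  # part after '@'
    return value.lower() == want  # exact host / user / group name

def select_profile(profiles, peer_id):
    """profiles: [(name, [match lines])]; returns the first matching profile."""
    for name, lines in profiles:
        if any(identity_matches(parse_match_identity(l), peer_id) for l in lines):
            return name
    return None

# The hub profile from the thread; the spoke identities below are constructed.
# IOS presents the peer's IP address as its IKE identity unless
# 'crypto isakmp identity hostname' is configured on that peer.
HUB_PROFILES = [("HH", ["match identity host domain test123.vpn.com"])]
```

Calling `select_profile(HUB_PROFILES, ("address", "203.0.113.7"))` returns `None`, while `select_profile(HUB_PROFILES, ("fqdn", "spoke1.test123.vpn.com"))` returns `"HH"`, which is the distinction the posters were probing by switching between the domain and address criteria.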
This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:18 ART