Re: Crypto Across two catalyst 6509s

From: Iwan Hoogendoorn <iwan_at_ipexpert.com>
Date: Thu, 3 Dec 2009 13:41:37 +0100

hi,

You don't have NAT on the interfaces?
Also, when you do a traceroute, do you see that the traffic is going into the tunnel?
Can you also ping the tunnel endpoints?

-- 
Regards,
Iwan Hoogendoorn
CCIE #13084 (R&S / Security / SP)
Sr. Support Engineer  IPexpert, Inc.
URL: http://www.IPexpert.com

On Thu, Dec 3, 2009 at 1:24 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
> Hello Dale,
>
> Find below the relevant portion of configs and hardware as requested:
>
>
>
> crypto isakmp policy 100
>  hash md5
>  authentication pre-share
> crypto isakmp key ABCBCC02TUNNEL address 192.x.y.74
> !
>
> crypto ipsec transform-set BDQ1 esp-des esp-md5-hmac
> !
> crypto map ABC_IPsec 1 ipsec-isakmp
>  set peer 192.x.y.74
>  set security-association lifetime seconds 86400
>  set transform-set BDQ1
>  set pfs group1
>  match address BHQ-IPSec
>
> ip access-list extended BHQ-IPSec
>  permit gre host 192.x.y.73 host 192.x.y.74
>
> interface Tunnel1
>  description TUNNEL CONNECTION TO BCC_IKEJA
>  bandwidth 100000
>  ip address 192.x.y.77 255.255.255.252
>  ip mtu 1400
>  load-interval 30
>  tunnel source 192.x.y.73
>  tunnel destination 192.x.y.74
>  crypto map HQBCC_IPsec
>
> interface GigabitEthernet4/22
>  ip address 192.x.y.73 255.255.255.252
>  crypto map ABC_IPsec
>
> router eigrp 200
> net 192.x.0.0
> no auto-summary
>
> ===========================================================
>
>
> CAT6509_EVEN#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b, RELEASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2006 by cisco Systems, Inc.
> Compiled Fri 08-Dec-06 12:51 by ccai
> Image text-base: 0x4002100C, data-base: 0x42320000
>
> ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
> BOOTLDR: s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b, RELEASE SOFTWARE (fc1)
>
> CAT6509_EVEN uptime is 15 weeks, 3 days, 20 hours, 38 minutes
> Time since CAT6509_EVEN switched to active is 15 weeks, 3 days, 20 hours, 37 minutes
> System returned to ROM by reload at 04:52:28 PDT Mon Oct 22 2007 (SP by power-on)
> System restarted at 16:18:16 gmt Sun Aug 16 2009
> System image file is "sup-bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin"
>
>
> This product contains cryptographic features and is subject to United
> States and local country laws governing import, export, transfer and
> use. Delivery of Cisco cryptographic products does not imply
> third-party authority to import, export, distribute or use encryption.
> Importers, exporters, distributors and users are responsible for
> compliance with U.S. and local country laws. By using this product you
> agree to comply with applicable laws and regulations. If you are unable
> to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be found
> at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email to
> export_at_cisco.com.
>
> cisco WS-C6509-E (R7000) processor (revision 1.3) with 458720K/65536K bytes of memory.
> Processor board ID SMG1119N2JD
> SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
> Last reset from s/w reset
> X.25 software, Version 3.0.0.
> Bridging software.
> 6 Virtual Ethernet/IEEE 802.3  interface(s)
> 90 Gigabit Ethernet/IEEE 802.3 interface(s)
> 1917K bytes of non-volatile configuration memory.
> 8192K bytes of packet buffer memory.
>
> 65536K bytes of Flash internal SIMM (Sector size 512K).
> Configuration register is 0x2102
>
> ===========================================================
>
> CAT6509_EVEN#sh modul
> Mod Ports Card Type                              Model              Serial No.
> --- ----- -------------------------------------- ------------------ -----------
>  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAD111505YB
>  3    6  Firewall Module                        WS-SVC-FWM-1       SAD1118039C
>  4   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1117MD4K
>  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1020NNHA
>  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-3B       SAD111701C1
>  8    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD111403HD
>
> Mod MAC addresses                       Hw    Fw           Sw           Status
> --- ---------------------------------- ------ ------------ ------------ -------
>  1  001b.53bc.976c to 001b.53bc.9783   2.5   12.2(14r)S5  12.2(18)SXD7 Ok
>  3  001a.a148.b9d2 to 001a.a148.b9d9   4.1   7.2(1)       2.3(4)       Ok
>  4  001b.2a8d.73c0 to 001b.2a8d.73ef   2.5   12.2(14r)S5  12.2(18)SXD7 Ok
>  5  0013.c43a.fb48 to 0013.c43a.fb4b   5.2   8.4(2)       12.2(18)SXD7 Ok
>  6  000a.b818.bd50 to 000a.b818.bd53   5.3   8.4(2)       12.2(18)SXD7 Ok
>  8  001b.539c.7850 to 001b.539c.7857   6.3   7.2(1)       5.0(2)       Ok
>
> Mod Sub-Module                  Model              Serial        Hw     Status
> --- --------------------------- ------------------ ------------ ------- -------
>  1 Centralized Forwarding Card WS-F6700-CFC       SAD111803XG   3.1    Ok
>  4 Centralized Forwarding Card WS-F6700-CFC       SAD1118077G   3.1    Ok
>  5 Policy Feature Card 3       WS-F6K-PFC3B       SAL1020NHC9   2.3    Ok
>  5 MSFC3 Daughterboard         WS-SUP720          SAL1021NQN1   2.5    Ok
>  6 Policy Feature Card 3       WS-F6K-PFC3B       SAD1116028L   2.3    Ok
>  6 MSFC3 Daughterboard         WS-SUP720          SAD111705WV   2.6    Ok
>  8 IDS 2 accelerator board     WS-SVC-IDSUPG      ADBG70701445  2.5    Ok
>
> Mod Online Diag Status
> --- -------------------
>  1 Pass
>  3 Pass
>  4 Pass
>  5 Pass
>  6 Pass
>  8 Pass
>
>
> On Thu, Dec 3, 2009 at 12:02 PM, Dale Shaw <dale.shaw_at_gmail.com> wrote:
>
>> Hi,
>>
>> On Thu, Dec 3, 2009 at 7:20 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:
>> >
>> > I noticed something strange recently. I don't know if anybody can help me
>> > with an explanation. The connection between the two Catalyst 6509 switches
>> > is routed and I have a number of SVIs on both switches (the SVIs serve as
>> > gateways for a number of VLANs). I have a GRE over IPsec tunnel across the
>> > routed interfaces of the Catalyst switches. Everything works fine if traffic
>> > is passing over the routed interfaces and not the tunnels. However, if I
>> > force the traffic to pass across the tunnel, the SVIs become unreachable
>> > from both sides but the end devices are reachable. A show command confirms
>> > that the traffic is being encrypted.
>>
>> Could it just be that the crypto processing is being performed by the
>> RP, instead of in hardware (as it will be for forwarding of plain text
>> traffic), and it's crippling the systems? It doesn't exactly match
>> your symptoms, but it's one possible theory. You're not doing any
>> bridging over the SVIs, are you?
>>
>> 1. post hardware configuration ("sh module")
>> 2. post relevant portions of IOS configuration, and IOS version information
>> 3. do what you can help us to help you. we're not magicians.
>>
>> cheers,
>> Dale
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Dec 03 2009 - 13:41:37 ART
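As an added example (not code from the thread or from the original poster), a small Python checker that reads the configuration excerpt quoted above, embedded here as constructed input with the same sanitised 192.x.y addresses, and reports what a reviewer would want settled before chasing the symptom: a crypto map applied to an interface but never defined, a `set peer` with no matching `crypto isakmp key`, a crypto ACL that does not cover a tunnel's GRE endpoints, and the legacy DES/MD5/DH group 1 settings. The functions `parse`, `kv` and `check` are the example's own, not IOS or any vendor tool.

```python
# Constructed input: the configuration excerpt quoted earlier in this thread.
CONFIG = """\
crypto isakmp key ABCBCC02TUNNEL address 192.x.y.74
crypto ipsec transform-set BDQ1 esp-des esp-md5-hmac
crypto map ABC_IPsec 1 ipsec-isakmp
 set peer 192.x.y.74
 set pfs group1
 match address BHQ-IPSec
ip access-list extended BHQ-IPSec
 permit gre host 192.x.y.73 host 192.x.y.74
interface Tunnel1
 tunnel source 192.x.y.73
 tunnel destination 192.x.y.74
 crypto map HQBCC_IPsec
interface GigabitEthernet4/22
 crypto map ABC_IPsec
"""
# Legacy settings present in the posted config (single DES, MD5 HMAC, 768-bit DH group 1).
WEAK = {"esp-des", "esp-md5-hmac", "pfs group1"}
def parse(config):  # group indented lines under their parent line (crypto map, ACL, interface)
    blocks, cur = {}, None
    for line in config.splitlines():
        if line and not line.startswith(" "):
            cur = line.strip()
            blocks[cur] = []
        elif cur and line.strip():
            blocks[cur].append(line.strip())
    return blocks
def kv(lines):  # 'tunnel source 1.2.3.4' -> {'tunnel source': '1.2.3.4'}; last word is the value
    return dict(l.rsplit(" ", 1) for l in lines if " " in l)
def check(config):  # findings: dangling map names, missing ISAKMP keys, uncovered GRE pairs, legacy algorithms
    blocks, findings = parse(config), []
    maps = {h.split()[2]: kv(b) for h, b in blocks.items() if h.startswith("crypto map ")}
    acls = {h.split()[3]: b for h, b in blocks.items() if h.startswith("ip access-list ")}
    keys = {h.split()[-1] for h in blocks if h.startswith("crypto isakmp key ")}
    ifaces = {h.split()[1]: kv(b) for h, b in blocks.items() if h.startswith("interface ")}
    pairs = [(a["tunnel source"], a["tunnel destination"]) for a in ifaces.values() if "tunnel source" in a and "tunnel destination" in a]
    for iface, attrs in ifaces.items():
        name = attrs.get("crypto map")
        if name and name not in maps:
            findings.append(f"{iface}: crypto map {name} is applied but never defined")
        elif name:
            peer, acl = maps[name].get("set peer"), maps[name].get("match address")
            if peer not in keys:
                findings.append(f"{iface}: no ISAKMP pre-shared key configured for peer {peer}")
            for src, dst in pairs:  # every GRE tunnel must be matched by the crypto ACL
                if f"permit gre host {src} host {dst}" not in acls.get(acl, []):
                    findings.append(f"{iface}: ACL {acl} does not match GRE {src} -> {dst}")
    findings += [f"legacy algorithm in '{l.strip()}'" for l in config.splitlines() if any(t in l for t in WEAK)]
    return findings
```

Run against the excerpt it reports the undefined `HQBCC_IPsec` on Tunnel1 and the two legacy-algorithm lines; pointing Tunnel1 at `ABC_IPsec` clears the first finding.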

This archive was generated by hypermail 2.2.0 : Sat Jan 02 2010 - 11:11:07 ART