Re: Crypto Across two catalyst 6509s

From: swap m <ccie19804_at_gmail.com>
Date: Thu, 3 Dec 2009 21:58:48 +0400

Two things:
1. I don't see a SPA/VPN blade in your list of modules for the 6500.
2. Use tunnel protection instead of a crypto map on the tunnel interface. I have
seen issues using crypto maps on tunnels.

Swap
#19804
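As an added example (not part of any post in this thread), here is a small Python check that runs over the configuration fragment quoted below. It flags the two things a reviewer would want to catch in that fragment: a crypto map referenced on an interface but never defined (in the posted config, Tunnel1 carries `crypto map HQBCC_IPsec` while the only map defined is `ABC_IPsec`), and a crypto map applied to a Tunnel interface, which is the case the advice above about tunnel protection addresses. It also lists the weak algorithms in the transform set and ISAKMP policy. The sample config is a constructed copy of the quoted fragment with the original poster's anonymised `192.x.y.*` addresses; the function and class names (`lint_crypto_config`, `CryptoLint`) are my own.

```python
import re
from dataclasses import dataclass, field


# Constructed sample: the crypto and interface fragment quoted in this thread
# (the 192.x.y.* addresses were already anonymised by the original poster).
SAMPLE_CONFIG = """\
crypto isakmp policy 100
 hash md5
 authentication pre-share
crypto isakmp key ABCBCC02TUNNEL address 192.x.y.74
!
crypto ipsec transform-set BDQ1 esp-des esp-md5-hmac
!
crypto map ABC_IPsec 1 ipsec-isakmp
 set peer 192.x.y.74
 set security-association lifetime seconds 86400
 set transform-set BDQ1
 set pfs group1
 match address BHQ-IPSec
!
ip access-list extended BHQ-IPSec
 permit gre host 192.x.y.73 host 192.x.y.74
!
interface Tunnel1
 ip address 192.x.y.77 255.255.255.252
 tunnel source 192.x.y.73
 tunnel destination 192.x.y.74
 crypto map HQBCC_IPsec
!
interface GigabitEthernet4/22
 ip address 192.x.y.73 255.255.255.252
 crypto map ABC_IPsec
"""

# Algorithms a reviewer should flag in an IOS crypto config of this vintage.
WEAK_TOKENS = {
    "esp-des": "single DES (56-bit key)",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "hash md5": "MD5 in the ISAKMP policy",
    "set pfs group1": "DH group 1 (768-bit) for PFS",
}


@dataclass
class CryptoLint:
    defined_maps: set = field(default_factory=set)
    applied: dict = field(default_factory=dict)   # interface -> crypto map name
    findings: list = field(default_factory=list)


def lint_crypto_config(text):
    """Walk an IOS running-config and collect crypto map definitions,
    per-interface crypto map references, and review findings."""
    result = CryptoLint()
    current_iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        for token, why in WEAK_TOKENS.items():
            if token in line:
                result.findings.append(f"weak algorithm: {why} in '{line.strip()}'")
        if not line.startswith(" "):
            current_iface = None            # a top-level command ends an interface block
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line)
        if m:
            result.defined_maps.add(m.group(1))
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current_iface = m.group(1)
            continue
        m = re.match(r"\s+crypto map (\S+)$", line)
        if m and current_iface:
            result.applied[current_iface] = m.group(1)

    for iface, name in result.applied.items():
        if name not in result.defined_maps:
            defined = ", ".join(sorted(result.defined_maps)) or "none"
            result.findings.append(
                f"{iface}: crypto map {name} is applied but never defined "
                f"(defined maps: {defined})")
        if iface.lower().startswith("tunnel"):
            result.findings.append(
                f"{iface}: crypto map on a Tunnel interface; prefer "
                f"'tunnel protection ipsec profile <name>' bound to a "
                f"'crypto ipsec profile' instead")
    return result


if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG).findings:
        print(finding)
```

Run it as a script to print the findings; the undefined-map finding on Tunnel1 is the one to resolve first, since whichever map name is the typo decides whether the tunnel is actually being encrypted by the map the poster thinks it is.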

On Thu, Dec 3, 2009 at 7:20 PM, olumayokun fowowe <olumayokun_at_gmail.com> wrote:

> Hello Iwan,
>
> There is no NAT configuration on the switches at all. I cannot ping the
> tunnel endpoints. A traceroute from one of the switches to an end device on
> the other switch is successful but without showing the IP addresses of the
> hops.
>
> Mayokun
>
>
>
> On Thu, Dec 3, 2009 at 1:41 PM, Iwan Hoogendoorn <iwan_at_ipexpert.com>
> wrote:
>
> > Hi,
> >
> > You don't have NAT on the interfaces?
> > Also, when you do a traceroute, do you see that the traffic is trying to go
> > into the tunnel?
> > Can you also ping the tunnel endpoints?
> >
> > --
> > Regards,
> >
> > Iwan Hoogendoorn
> > CCIE #13084 (R&S / Security / SP)
> > Sr. Support Engineer IPexpert, Inc.
> > URL: http://www.IPexpert.com
> >
> >
> >
> > On Thu, Dec 3, 2009 at 1:24 PM, olumayokun fowowe <olumayokun_at_gmail.com>
> > wrote:
> > > Hello Dale,
> > >
> > > Find below the relevant portion of configs and hardware as requested:
> > >
> > >
> > >
> > > crypto isakmp policy 100
> > >  hash md5
> > >  authentication pre-share
> > > crypto isakmp key ABCBCC02TUNNEL address 192.x.y.74
> > > !
> > >
> > > crypto ipsec transform-set BDQ1 esp-des esp-md5-hmac
> > > !
> > > crypto map ABC_IPsec 1 ipsec-isakmp
> > >  set peer 192.x.y.74
> > >  set security-association lifetime seconds 86400
> > >  set transform-set BDQ1
> > >  set pfs group1
> > >  match address BHQ-IPSec
> > >
> > > ip access-list extended BHQ-IPSec
> > >  permit gre host 192.x.y.73 host 192.x.y.74
> > >
> > > interface Tunnel1
> > >  description TUNNEL CONNECTION TO BCC_IKEJA
> > >  bandwidth 100000
> > >  ip address 192.x.y.77 255.255.255.252
> > >  ip mtu 1400
> > >  load-interval 30
> > >  tunnel source 192.x.y.73
> > >  tunnel destination 192.x.y.74
> > >  crypto map HQBCC_IPsec
> > >
> > > interface GigabitEthernet4/22
> > >  ip address 192.x.y.73 255.255.255.252
> > >  crypto map ABC_IPsec
> > >
> > > router eigrp 200
> > >  net 192.x.0.0
> > >  no auto-summary
> > >
> > > ===========================================================
> > >
> > >
> > > CAT6509_EVEN#sh ver
> > > Cisco Internetwork Operating System Software
> > > IOS (tm) s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b,
> > > RELEASE SOFTWARE (fc1)
> > > Technical Support: http://www.cisco.com/techsupport
> > > Copyright (c) 1986-2006 by cisco Systems, Inc.
> > > Compiled Fri 08-Dec-06 12:51 by ccai
> > > Image text-base: 0x4002100C, data-base: 0x42320000
> > >
> > > ROM: System Bootstrap, Version 12.2(17r)S4, RELEASE SOFTWARE (fc1)
> > > BOOTLDR: s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(18)SXD7b,
> > > RELEASE SOFTWARE (fc1)
> > >
> > > CAT6509_EVEN uptime is 15 weeks, 3 days, 20 hours, 38 minutes
> > > Time since CAT6509_EVEN switched to active is 15 weeks, 3 days, 20 hours, 37 minutes
> > > System returned to ROM by reload at 04:52:28 PDT Mon Oct 22 2007 (SP by
> > > power-on)
> > > System restarted at 16:18:16 gmt Sun Aug 16 2009
> > > System image file is "sup-bootflash:s72033-pk9sv-mz.122-18.SXD7b.bin"
> > >
> > >
> > > This product contains cryptographic features and is subject to United
> > > States and local country laws governing import, export, transfer and
> > > use. Delivery of Cisco cryptographic products does not imply
> > > third-party authority to import, export, distribute or use encryption.
> > > Importers, exporters, distributors and users are responsible for
> > > compliance with U.S. and local country laws. By using this product you
> > > agree to comply with applicable laws and regulations. If you are unable
> > > to comply with U.S. and local laws, return this product immediately.
> > >
> > > A summary of U.S. laws governing Cisco cryptographic products may be found at:
> > > http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
> > >
> > > If you require further assistance please contact us by sending email to
> > > export_at_cisco.com.
> > >
> > > cisco WS-C6509-E (R7000) processor (revision 1.3) with 458720K/65536K bytes of memory.
> > > Processor board ID SMG1119N2JD
> > > SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
> > > Last reset from s/w reset
> > > X.25 software, Version 3.0.0.
> > > Bridging software.
> > > 6 Virtual Ethernet/IEEE 802.3 interface(s)
> > > 90 Gigabit Ethernet/IEEE 802.3 interface(s)
> > > 1917K bytes of non-volatile configuration memory.
> > > 8192K bytes of packet buffer memory.
> > >
> > > 65536K bytes of Flash internal SIMM (Sector size 512K).
> > > Configuration register is 0x2102
> > >
> > > ===========================================================
> > >
> > > CAT6509_EVEN#sh modul
> > > Mod Ports Card Type                              Model              Serial No.
> > > --- ----- -------------------------------------- ------------------ -----------
> > >   1    24 CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAD111505YB
> > >   3     6 Firewall Module                        WS-SVC-FWM-1       SAD1118039C
> > >   4    48 CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1117MD4K
> > >   5     2 Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1020NNHA
> > >   6     2 Supervisor Engine 720 (Hot)            WS-SUP720-3B       SAD111701C1
> > >   8     8 Intrusion Detection System             WS-SVC-IDSM-2      SAD111403HD
> > >
> > > Mod MAC addresses                       Hw     Fw           Sw           Status
> > > --- ---------------------------------- ------ ------------ ------------ -------
> > >   1 001b.53bc.976c to 001b.53bc.9783   2.5    12.2(14r)S5  12.2(18)SXD7 Ok
> > >   3 001a.a148.b9d2 to 001a.a148.b9d9   4.1    7.2(1)       2.3(4)       Ok
> > >   4 001b.2a8d.73c0 to 001b.2a8d.73ef   2.5    12.2(14r)S5  12.2(18)SXD7 Ok
> > >   5 0013.c43a.fb48 to 0013.c43a.fb4b   5.2    8.4(2)       12.2(18)SXD7 Ok
> > >   6 000a.b818.bd50 to 000a.b818.bd53   5.3    8.4(2)       12.2(18)SXD7 Ok
> > >   8 001b.539c.7850 to 001b.539c.7857   6.3    7.2(1)       5.0(2)       Ok
> > >
> > > Mod Sub-Module                  Model              Serial       Hw      Status
> > > --- --------------------------- ------------------ ------------ ------- -------
> > >   1 Centralized Forwarding Card WS-F6700-CFC       SAD111803XG  3.1     Ok
> > >   4 Centralized Forwarding Card WS-F6700-CFC       SAD1118077G  3.1     Ok
> > >   5 Policy Feature Card 3       WS-F6K-PFC3B       SAL1020NHC9  2.3     Ok
> > >   5 MSFC3 Daughterboard         WS-SUP720          SAL1021NQN1  2.5     Ok
> > >   6 Policy Feature Card 3       WS-F6K-PFC3B       SAD1116028L  2.3     Ok
> > >   6 MSFC3 Daughterboard         WS-SUP720          SAD111705WV  2.6     Ok
> > >   8 IDS 2 accelerator board     WS-SVC-IDSUPG      ADBG70701445 2.5     Ok
> > >
> > > Mod Online Diag Status
> > > --- -------------------
> > >   1 Pass
> > >   3 Pass
> > >   4 Pass
> > >   5 Pass
> > >   6 Pass
> > >   8 Pass
> > >
> > >
> > > On Thu, Dec 3, 2009 at 12:02 PM, Dale Shaw <dale.shaw_at_gmail.com>
> wrote:
> > >
> > >> Hi,
> > >>
> > >> On Thu, Dec 3, 2009 at 7:20 PM, olumayokun fowowe <olumayokun_at_gmail.com>
> > >> wrote:
> > >> >
> > >> > I noticed something strange recently. I don't know if anybody can help
> > >> > me with an explanation. The connection between the two Catalyst 6509
> > >> > switches is routed and I have a number of SVIs on both switches (the
> > >> > SVIs serve as gateways for a number of VLANs). I have a GRE over IPsec
> > >> > tunnel across the routed interfaces of the Catalyst switches. Everything
> > >> > works fine if traffic is passing over the routed interfaces and not the
> > >> > tunnels. However, if I force the traffic to pass across the tunnel, the
> > >> > SVIs become unreachable from both sides but the end devices are
> > >> > reachable. A show command confirms that the traffic is being encrypted.
> > >>
> > >> Could it just be that the crypto processing is being performed by the
> > >> RP, instead of in hardware (as it will be for forwarding of plain text
> > >> traffic), and it's crippling the systems? It doesn't exactly match
> > >> your symptoms, but it's one possible theory. You're not doing any
> > >> bridging over the SVIs, are you?
> > >>
> > >> 1. post hardware configuration ("sh module")
> > >> 2. post relevant portions of IOS configuration, and IOS version information
> > >> 3. do what you can to help us to help you. we're not magicians.
> > >>
> > >> cheers,
> > >> Dale
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html

Received on Thu Dec 03 2009 - 21:58:48 ART
