11-14-2012 12:30 PM
I've had a local 620 & a master 3200 in place for several months with no problems whatsoever. All of a sudden, I no longer have my IPSEC tunnel between the two. I have confirmed that both sites have full internet connectivity and clients at either end are able to access external resources.
Here is Topology Below:
620 > VLAN1 DHCP 192.168.0.2 > Modem 192.168.0.1 > Public IP > INTERNET > Router doing NAT > 3200
Local 620 Config:
masterip ipsec ****** interface vlan 1
interface vlan 31 ip address 192.168.31.1 255.255.255.0
ip nat inside operstate up description "LAN"
ip default gateway 192.168.0.1
Debug: Nov 14 21:27:52 :103060: |ike| exchange.c:exchange_negotiation_state_inprog:2708 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
Nov 14 21:27:52 :103060: |ike| exchange.c:exchange_start_pre_connect:3225 IKE negotiation in progress for map default-local-master-ipsecmap
Nov 14 21:28:12 :103063: |ike| ->Delete AGGRESSIVE Exchange ic de0f30e6fe652351 rc 0000000000000000
Nov 14 21:28:12 :103063: |ike| modp_free entered
Nov 14 21:28:12 :103060: |ike| exchange.c:exchange_negotiation_state_done:2724 Ipsec map default-local-master-ipsecmap is marked negotiation-done
Nov 14 21:28:13 :103060: |ike| if.c:GetIPAddrByVlanId:209 vlan 1 ip 192.168.0.2
Nov 14 21:28:13 :103060: |ike| ipc.c:controlplaneArpModify:4012 Failed to Delete ARP error No such device or address
Nov 14 21:28:13 :103063: |ike| New(1) AGGRESSIVE Exchange ic e06241d1b84b40e0 rc 0000000000000000
Nov 14 21:28:13 :103063: |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
Nov 14 21:28:13 :103063: |ike| group_get entered id:2 Nov 14 21:28:13 :103063: |ike| group_get ike_group:0x10000178
Nov 14 21:28:13 :103063: |ike| modp_init entered Nov 14 21:28:13 :103063: |ike| group_get group:0x101d1c3c
Nov 14 21:28:13 :103060: |ike| ike_phase_1.c:ike_phase_1_initiator_send_SA:415 peer:
Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_KE_NONCE caCert:none Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_KE_NONCE
Nov 14 21:28:13 :103060: |ike| if.c:GetIPAddrByVlanId:209 vlan 0 ip 192.168.31.1
Nov 14 21:28:13 :103060: |ike| ike_phase_1.c:ike_phase_1_send_ID:1744 with SwitchIP 192.168.31.1
Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_ID Nov 14 21:28:13 :103060: |ike| exchange.c:exchange_negotiation_state_inprog:2708 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
Local Show Datapath Session 4500:
(aructrl-la) #show datapath session | include 4500
220.127.116.11 192.168.0.2 17 4500 10000 0/0 0 0 0 local 400 FNY
192.168.0.2 18.104.22.168 17 4500 4500 0/0 0 0 1 local 400 FSC
On the Master show datapath session, I only see 4500 for my other functioning local controllers. Thoughts?
11-14-2012 02:46 PM
In the datapath session table you posted, the destination port from 22.214.171.124 to 192.168.0.2 doesn't look right. I'm sure that should also read 4500. Are you sure the dst port isn't being translated somewhere? If not, my first thought would be to check the datapath at the other end?
11-14-2012 02:48 PM
Actually scratch that, you said you don't see it the other end. However, there is a NAT marker against that same session. Are you sure the full config of that controller isn't NAT'ing the destination port by mistake?
11-14-2012 02:53 PM
Thanks for the reply. I don't believe it is, but where would I check that? The only place I've defined NAT is on VLAN 31, 32 & 33. using the "ip nat inside" and these are my "internal" VLANs. Since VLAN 1 is also a private IP, I've tried enabling "ip nat inside" on it as well, but that didn't work.
11-14-2012 02:57 PM
Most likely it would be on the physical ports of VLAN 1 facing toward the router.
So, if that's not it, I'd be thinking along two lines.
If I wanted a quick dirty fix, reboot the 650 controller and check the result?
If I wanted to find the root cause, run a packet capture on both controllers against port 4500. As long as there are no RAPs connected, the packet capture shouldn't be too big on the local. The master might be quite big, so maybe just start with the local and see what it shows?
11-14-2012 03:01 PM
There is no router connected to the local (620), just an ISP modem that is handing out DHCP to VLAN 1 on the controller. I'm not onsite where the local is so I can't do a packet capture there. I could do one for the master though.
11-14-2012 03:13 PM
Sorry, when I say router, I mean your DSL modem!
Are you able to get at the controller remotely? SSH from a remote desktop or similar? Login to the local controller if so, and at the enable prompt, start with "packet-capture ?". You set it up (hint - "packet-capture udp 4500"), leave it for a bit, then do "tar logs tech-support".Then, copy the logs.tar file to a TFTP or FTP, and then get it to wherever you are. Might save a trip.