Wireless Access

Struggling to get this working and the information out there isn't great. I have my MM/Backup uop and running, and my VPNC/Backup up and running. There is a L3 boundary between them, but no firewall.

 

I've configured my Branch MD and can see crypto ipsec up between it and my VPNC MD. However, the Branch MD cannot connect to the MM?!?

 

Steps so far:

• Added Branch MD to MM Controller list using factory-cert.
• Added Hub and Spoke to VPNC MDs, again using factory-cert.
• Configured both VPNC MDs as VPNCs and added my Branch MD to the list. VPNC configured as manual (no activate in my scenario).
• Added crypto-local isakmp route to my Branch MD for the management VLAN.

 

What can I see?

• On the Branch MD, I can ping my VPNC MD management address.
• Tunnel on Branch MD shows the below.
  • Initiator IP - Branch MD IP.
  • Responder IP - Public IP of VPNC MD.
  • Flags - UT2.
  • Inner IP - Nothing.
• Tunnel on VPNC MD shows the below.
  • Initiator IP - Public IP of Branch MD.
  • Responder IP - Public IP of VPNC MD.
  • Flags - UT2.
  • Inner IP - Nothing.
• On the Branch MD, I can see a route to my VPNC MD and MM.
  • I (MM Subnet) [0/256] ipsec map management-vpnc.
    C (VPNC MD IP) is an ipsec map management-vpnc.
• On the VPNC MD, I can see a route to my Branch MD.
  • C (Branch MD IP) is an ipsec map default-vpnip-master-ipsecmap-xx:xx:xx:xx:xx:xx

If anyone can see anything obvious, please shout as this is driving me nuts!

What is the routing table on the MM? Since it is on a different L3 segment from the VPNC, does it know about the Branch's subnet and how to route to the VPNC in order to reach the branch? 

 

It looks like most of the routing is being done statically rather than dynamically, so start there for each of the nodes along the way.

Dear, I have a similar question about joining a new MD in the MM via a VPNC
The remote MD is configured correctly and I see attempts in the VPNC logs for setting up a VPN tunnel

<3833> <WARN> |ike| IKE SA Deletion: IKE2_delSa peer:1x.x.x.x:5225 id:3283608146 errcode:ERR_IKESA_EXPIRED saflags:0x51 arflags:0x0

Do I still need to add configuration on the MM too?

When I try to update the VPN tunnel configuration on MM for the new MD, I receive the following


I'm a little confused by this message, is it going the remote MD (which is fine)
or will it reboot the MM ??

Regards
Original Message:
Sent: Apr 09, 2019 01:22 PM
From: Charlie Clemmer
Subject: Branch MD -> VPNC MD -> MM

What is the routing table on the MM? Since it is on a different L3 segment from the VPNC, does it know about the Branch's subnet and how to route to the VPNC in order to reach the branch? 

 

It looks like most of the routing is being done statically rather than dynamically, so start there for each of the nodes along the way.

I had the same issue, resolved by adding a route on the MM to the Branch MD with destination the ipsec map between MM and VPNC

Warming this topic up:

We facing exact same issue and trying to get the Branch-MD connected to the MM, while having IPSec between Branch-MD and VPNC running. We are also able to ping from Branch-MD to MM but we can not reach the Branch-MD from the MM using ping. Also Branch-MD is shown as down on MM and get no configs pushed.

What exact route was entered in which hierarchy ?

We tried  addding routes on /MM:

1st try

Destination: BranchMD-local-IP (dhcp from router onsite)   next hop ipsec map default-local-conductor-ipsecmap"VPNC-IP"

2 try

Destination: BranchMD-TunnelIP next hop  ipsec map "default-local-conductor-ipsecmap"VPNC-IP"

at that moment when we added "2 try" route we were not able to ping from Branch-MD anymore

but no luck, please help

Original Message:
Sent: Jul 08, 2020 03:27 AM
From: Thomasds
Subject: Branch MD -> VPNC MD -> MM

I had the same issue, resolved by adding a route on the MM to the Branch MD with destination the ipsec map between MM and VPNC