
Terminal Server over VPN does not work

Posted: Thu 10 Jan 2008, 11:22 am
by KMarco
Good morning everyone!

I have set up a site-to-site VPN between two Cisco 877 routers.
The VPN works correctly (I can ping the various clients,
exchange files over the network and print), but I cannot get
Terminal Server to work between the two networks.
Clients on the same network can connect to each other via Terminal Server.

In my opinion the problem is that the packets do not come back...

Do you have any ideas or suggestions?

Thanks to everyone and have a good day
Marco

Posted: Fri 11 Jan 2008, 10:40 am
by Wizard
Tip: check the MTU values on the ATM and VLAN interfaces

Posted: Tue 15 Jan 2008, 1:33 pm
by KMarco
Wizard wrote: Tip: check the MTU values on the ATM and VLAN interfaces
Hi,
as you suggested I checked the MTU values, setting them to 1500
on both ATM0 and ATM0.1 (on both routers); on the VLAN it does not let me set or change it :(

Despite this, the problem persisted.
I then ran the VPN test from the SDM and got this
error message:

" ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

Since changing the MTU value did not solve the problem,
I added the command "crypto ipsec df-bit clear" on both ATM0 and ATM0.1 of both routers, and now it works! :)

The VPN test run from the SDM, however, still keeps giving me the same error... Any ideas? The line is a Telecom Interbusiness ADSL...

Thanks!
Marco

Posted: Tue 15 Jan 2008, 2:33 pm
by Wizard
Show us the full config, it will be quicker!
Anyway, if you're up and running now, ignore the error from the PDM; actually, just forget about the PDM altogether!

Posted: Sat 19 Jan 2008, 2:49 pm
by KMarco
Wizard wrote: Show us the full config, it will be quicker!
Anyway, if you're up and running now, ignore the error from the PDM; actually, just forget about the PDM altogether!
Hi,
here is the configuration of one of the two routers (they are identical anyway).
Thanks!

#############################################
!This is the running config of the router: 192.168.11.111
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXX-CED
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 XXX.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name XXX.it
ip name-server 151.99.125.1
ip name-server 151.99.0.100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-498544502
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-498544502
revocation-check none
rsakeypair TP-self-signed-498544502
!
!
crypto pki certificate chain TP-self-signed-498544502
certificate self-signed 01
quit
username XXX privilege 15 secret 5 XXX
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXX address 88.XX.XX.XX4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to88.XX.XX.XX4
set peer 88.XX.XX.XX4
set transform-set ESP-3DES-SHA
match address 103
!
!
!
interface ATM0
mtu 1500
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
crypto ipsec df-bit clear
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip address 88.XX.XX.XX8 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.11.111 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 192.168.12.0 0.0.0.255 host 192.168.11.111 eq telnet
access-list 100 permit tcp 192.168.11.0 0.0.0.255 host 192.168.11.111 eq telnet
access-list 100 permit tcp 192.168.12.0 0.0.0.255 host 192.168.11.111 eq 22
access-list 100 permit tcp 192.168.11.0 0.0.0.255 host 192.168.11.111 eq 22
access-list 100 permit tcp 192.168.12.0 0.0.0.255 host 192.168.11.111 eq www
access-list 100 permit tcp 192.168.11.0 0.0.0.255 host 192.168.11.111 eq www
access-list 100 permit tcp 192.168.12.0 0.0.0.255 host 192.168.11.111 eq 443
access-list 100 permit tcp 192.168.11.0 0.0.0.255 host 192.168.11.111 eq 443
access-list 100 permit tcp 192.168.12.0 0.0.0.255 host 192.168.11.111 eq cmd
access-list 100 permit tcp 192.168.11.0 0.0.0.255 host 192.168.11.111 eq cmd
access-list 100 deny tcp any host 192.168.11.111 eq telnet
access-list 100 deny tcp any host 192.168.11.111 eq 22
access-list 100 deny tcp any host 192.168.11.111 eq www
access-list 100 deny tcp any host 192.168.11.111 eq 443
access-list 100 deny tcp any host 192.168.11.111 eq cmd
access-list 100 deny udp any host 192.168.11.111 eq snmp
access-list 100 deny ip 88.XX.XX.XX6 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 permit udp host 88.XX.XX.XX4 host 88.XX.XX.XX8 eq non500-isakmp
access-list 101 permit udp host 88.XX.XX.XX4 host 88.XX.XX.XX8 eq isakmp
access-list 101 permit esp host 88.XX.XX.XX4 host 88.XX.XX.XX8
access-list 101 permit ahp host 88.XX.XX.XX4 host 88.XX.XX.XX8
access-list 101 remark Auto generated by SDM for NTP (123) ntp2.ien.it
access-list 101 permit udp host 193.204.114.233 eq ntp host 88.XX.XX.XX8 eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) ntp1.ien.it
access-list 101 permit udp host 193.204.114.232 eq ntp host 88.XX.XX.XX8 eq ntp
access-list 101 permit udp host 151.99.0.100 eq domain host 88.XX.XX.XX8
access-list 101 permit udp host 151.99.125.1 eq domain host 88.XX.XX.XX8
access-list 101 deny ip 192.168.11.0 0.0.0.255 any
access-list 101 permit icmp any host 88.XX.XX.XX8 echo-reply
access-list 101 permit icmp any host 88.XX.XX.XX8 time-exceeded
access-list 101 permit icmp any host 88.XX.XX.XX8 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.12.0 0.0.0.255 any
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.11.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 permit ip 192.168.11.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179817
ntp server 193.204.114.232 source ATM0.1 prefer
ntp server 193.204.114.233 source ATM0.1
end

Posted: Mon 21 Jan 2008, 10:30 am
by Wizard
So what problems do you have now?

Posted: Tue 22 Jan 2008, 3:53 pm
by KMarco
Wizard wrote: So what problems do you have now?
Hi!
No, I don't have any problems anymore... Since you had asked me
to post the whole configuration, I did... but everything works! :D

Thanks again for the tip! :wink:

Bye
Marco

Posted: Sat 22 Mar 2008, 11:25 am
by maggiore81
Good morning,
I am in the same situation as him,
but if I build a GRE+IPsec tunnel with MTU 1400 and MSS 1360, everything works perfectly.
I wanted to make it work with plain IPsec.

From network A to network B, RDP and ping work, but not network shares.
From network B to network A, only ping and network shares work.

I set the global df-bit clear with no result.
I have the policy map active that sets the DF bit to zero on VPN packets.

How can I play with the MTUs? And the MSS?

The MTUs of my ATM interfaces are obviously 1500,
the Ethernet one is also 1500.

I tried MSS 1360 and MTU 1400 everywhere, but nothing changes...
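An added example, not from this thread, that does the size arithmetic behind both KMarco's need for "crypto ipsec df-bit clear" and maggiore81's MTU/MSS question: it models the ESP-3DES-SHA transform set in the posted config (ESP tunnel mode, 3DES-CBC, HMAC-SHA1-96) and shows which inner packet sizes fit a 1500-byte WAN MTU without fragmentation. It assumes plain ESP with no NAT-T UDP encapsulation, which is what two routers with public addresses on ATM0.1 negotiate.

```python
# Added example (not from the thread): size arithmetic for the ESP-3DES-SHA
# transform set in the posted config (ESP tunnel mode, 3DES-CBC, HMAC-SHA1-96).
# Assumes plain ESP with no NAT-T UDP encapsulation, as between two routers
# with public addresses on ATM0.1.

IP_HDR = 20        # outer IPv4 header added by tunnel mode
TCP_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
CBC_IV = 8         # 3DES-CBC block size; the IV is one block
ESP_TRAILER = 2    # pad length + next header, inside the encrypted part
ICV = 12           # HMAC-SHA1-96 authentication data


def esp_tunnel_size(inner_len: int) -> int:
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes."""
    # inner packet + trailer is padded up to a multiple of the cipher block
    padded = -(-(inner_len + ESP_TRAILER) // CBC_IV) * CBC_IV
    return IP_HDR + ESP_HDR + CBC_IV + padded + ICV

def fits_unfragmented(inner_len: int, wan_mtu: int = 1500) -> bool:
    """True if the encapsulated packet fits the WAN MTU without fragmenting."""
    return esp_tunnel_size(inner_len) <= wan_mtu

def max_inner_packet(wan_mtu: int = 1500) -> int:
    """Largest inner packet whose ESP encapsulation still fits wan_mtu."""
    n = wan_mtu
    while not fits_unfragmented(n, wan_mtu):
        n -= 1
    return n

def safe_mss(wan_mtu: int = 1500) -> int:
    """TCP MSS to clamp on the LAN side so full segments never need fragmenting."""
    return max_inner_packet(wan_mtu) - IP_HDR - TCP_HDR

def mss_clamp_is_enough(mss: int, wan_mtu: int = 1500) -> bool:
    """Does a full-size segment under this MSS clamp cross the tunnel intact?"""
    return fits_unfragmented(mss + IP_HDR + TCP_HDR, wan_mtu)


if __name__ == "__main__":
    # A 1500-byte packet from the LAN grows past 1500 once encapsulated: with DF
    # set it is dropped; with df-bit clear the router fragments it after encryption.
    print("1500-byte inner packet on the wire:", esp_tunnel_size(1500))
    print("largest inner packet that fits:", max_inner_packet())
    print("MSS clamp that avoids fragmentation:", safe_mss())
    print("config's 'ip tcp adjust-mss 1452' enough?", mss_clamp_is_enough(1452))
    print("maggiore81's MSS 1360 enough?", mss_clamp_is_enough(1360))
```

The posted config clamps MSS to 1452 on Vlan1, which still yields 1544-byte ESP packets; a clamp of 1406 or lower (maggiore81's 1360 included) keeps every full TCP segment under the 1500-byte WAN MTU.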