
esp packets being stripped

rasczak

Lifer
Hi all,

I have a question for the network gurus. I have a set of remote networks coming in on a T1 line. The T1 is also a VPN of sorts.

(work encryptor2) ----[routerA]----[encryptor1]----[csu/dsu]--------[commercial carrier]--------[csu/dsu]----[encryptor1]----[routerB]-----(internet)--------(remote site behind another encryptor2)

The problem I am having is it seems the remote site is having an issue receiving our ESP packets. Upon more troubleshooting we've found that at routerB they are receiving our ESP packets, but at zero bytes. Has anyone come across an issue like this? One thing I should mention: at routerA I ran a test on the serial port and found that it did have an input CRC error. We went back to the commercial carrier and they ran some loopback tests that showed over 900,000 input and CRC errors. Could a bad line cause our ESP traffic to get zeroed out, yet the packet still get forwarded to another router? If not, could a router do something like this?

P.S. I should also note that our ISAKMP traffic is getting through and we show a good tunnel, but because the other end is not receiving the ESP packets with data, their tunnels are not coming up.

Thanks!
 
Ahhhh I'll look into that. Would IPSec Translation have the same effect?

ESP doesn't like NAT at all; there's no layer 4. Depending on the VPN you can enable NAT traversal or something similar that wraps ESP into a layer 4 header via UDP or TCP. It's the first thing to look for if IKE/phase 2 comes up but ESP doesn't work: NAT.
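To make the "no layer 4" point concrete, here is a small packet parser, added as an example and not code from anyone in this thread. It constructs its own sample IPv4 packets (made-up addresses, SPIs and ciphertext), parses raw ESP (IP protocol 50, which has only a SPI and sequence number before the ciphertext and therefore no ports for a NAT to work with), parses UDP-encapsulated ESP on UDP/4500 as NAT traversal produces it, tells that apart from IKE on the same port via the RFC 3948 non-ESP marker, and flags ESP packets that arrive with an empty payload, which is the symptom the original post describes. Function and dataclass names are the example's own.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# IANA protocol numbers (ESP = 50, UDP = 17) and the NAT-T port from RFC 3948 (UDP/4500).
ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500


@dataclass
class EspInfo:
    encapsulation: str          # "raw-esp" (IP proto 50) or "udp-esp" (ESP inside UDP/4500)
    spi: int
    seq: int
    payload_len: int            # bytes after the 8-byte SPI/sequence header (still encrypted)
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 when verifying a good header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of `payload`; used only to construct samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def build_esp(spi: int, seq: int, encrypted: bytes) -> bytes:
    """ESP per RFC 4303: 32-bit SPI, 32-bit sequence number, then opaque ciphertext. No ports."""
    return struct.pack("!II", spi, seq) + encrypted


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header with checksum 0 (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_esp(packet: bytes) -> Optional[EspInfo]:
    """Return ESP header fields for raw ESP or UDP-encapsulated ESP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    body = packet[ihl:total_len]

    if proto == ESP_PROTO:
        # Raw ESP: the IP payload starts directly with SPI/seq, so a NAT has no ports to rewrite.
        if len(body) < 8:
            return None
        spi, seq = struct.unpack("!II", body[:8])
        return EspInfo("raw-esp", spi, seq, len(body) - 8)

    if proto == UDP_PROTO and len(body) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", body[:6])
        if NAT_T_PORT not in (sport, dport):
            return None
        udp_payload = body[8:ulen]
        # RFC 3948: IKE on UDP/4500 starts with a 4-byte zero "non-ESP marker"; encapsulated ESP
        # never does because SPI 0 is reserved, so the prefix separates IKE from ESP on that port.
        if len(udp_payload) < 8 or udp_payload[:4] == b"\x00\x00\x00\x00":
            return None
        spi, seq = struct.unpack("!II", udp_payload[:8])
        return EspInfo("udp-esp", spi, seq, len(udp_payload) - 8, sport, dport)

    return None


def classify(packet: bytes) -> str:
    """One-line verdict per packet, flagging the empty-ESP symptom from the thread."""
    info = parse_esp(packet)
    if info is None:
        return "not-esp"
    tag = f"{info.encapsulation} spi=0x{info.spi:08x} seq={info.seq}"
    if info.payload_len == 0:
        return f"{tag}: EMPTY payload"
    return f"{tag}: {info.payload_len} payload bytes"


def triage(packets: List[bytes]) -> List[str]:
    """Classify a list of captured packets, returning the verdict strings in order."""
    return [classify(p) for p in packets]


# Constructed sample packets: addresses, SPIs and "ciphertext" are made up for this example.
CIPHERTEXT = bytes(range(32))
RAW_ESP = build_ipv4("192.0.2.10", "198.51.100.20", ESP_PROTO, build_esp(0xC0FFEE01, 7, CIPHERTEXT))
RAW_ESP_EMPTY = build_ipv4("192.0.2.10", "198.51.100.20", ESP_PROTO, build_esp(0xC0FFEE01, 8, b""))
NAT_T_ESP = build_ipv4("192.0.2.10", "198.51.100.20", UDP_PROTO,
                       build_udp(4500, 4500, build_esp(0xC0FFEE02, 1, CIPHERTEXT)))
NAT_T_IKE = build_ipv4("192.0.2.10", "198.51.100.20", UDP_PROTO,
                       build_udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28))

if __name__ == "__main__":
    for line in triage([RAW_ESP, RAW_ESP_EMPTY, NAT_T_ESP, NAT_T_IKE]):
        print(line)
```

Running it prints one verdict per sample: a healthy raw ESP packet, a raw ESP packet whose payload is empty (the zero-byte case in the thread), a NAT-T encapsulated ESP packet showing the UDP ports a NAT can rewrite, and an IKE packet on 4500 correctly reported as not ESP. Pointed at a real capture (for example, raw packet bytes from a pcap), `triage` gives a quick count of which encapsulation is in use and whether anything is arriving empty.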

So we found out what the issue was. It turns out there was an IOS upgrade, and the new upgrade doesn't like the ACLs created in an earlier IOS, apparently. We had the ACLs taken off, and once that happened our tunnels came up immediately. Now they are working on fixing the ACL issue itself.