[Swan] No Traffic Received On Tunnels
Adam Tauno Williams
awilliam at whitemice.org
Wed Jul 10 13:30:40 UTC 2019
On Tue, 2019-07-09 at 16:31 -0400, Paul Wouters wrote:
> On Tue, 9 Jul 2019, Adam Tauno Williams wrote:
> > I have a working ipsec server - let's call it X2.X2.X2.X2 - connected
> > via GRE tunnels to three Cisco 890 series routers. It works!
>
> Yes it shows the new site is ipsec. You can run ipsec trafficstatus
> to see byte counters, so if you do a ping (with proper source IP)
> then you can check the outBytes to see if it got encrypted, and
> inBytes to see if it got encrypted replies. Then you can likely
> narrow down the specific issue.

Both tunnel interfaces show outbound (TX) traffic.
I can packet capture ESP packets leaving the server's primary interface
which correspond to the remote endpoint.
Neither appears to receive any traffic to the tunnel interfaces.

EXISTING SITE: 006 #23: "btc-gre", type=ESP, add_time=1562755016, inBytes=1967115, outBytes=5936, id='X.X.X.X'
NEW SITE: 006 #25: "ets-gre", type=ESP, add_time=1562755016, inBytes=0, outBytes=352, id='X.X.X.X'
EXISTING SITE: 006 #37: "try-gre", type=ESP, add_time=1562755081, inBytes=10241181, outBytes=12673250, id='X.X.X.X'
EXISTING SITE: 006 #39: "usd-gre", type=ESP, add_time=1562755087, inBytes=157737014, outBytes=3852240137, id='X.X.X.X'

etsgate>show int tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.17.3.85/30
MTU 17874 bytes, BW 1544 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source X.X.X.X (FastEthernet0), destination Y.Y.Y.Y
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with FastEthernet0
Set of tunnels with source FastEthernet0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1434 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "branch-ipsec-profile")
Last input never, output never, output hang never
Last clearing of "show interface" counters 19:29:10
Input queue: 0/75/0 (size/max/drops); Total output drops: 15
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
329 packets output, 30731 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out

etsgate#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
X.X.X.X         Z.Z.Z.Z         QM_IDLE           2007 ACTIVE
IPv6 Crypto ISAKMP SA

etsgate#show crypto engine connections active
Crypto Engine Connections
   ID  Type    Algorithm    Encrypt  Decrypt  LastSeqN  IP-Address
   13  IPsec   AES+SHA            0        0         0  X.X.X.X
   14  IPsec   AES+SHA           27        0         0  X.X.X.X
 2007  IKE     SHA+AES256         0        0         0  X.X.X.X

etsgate#show crypto
Number of Crypto Socket connections 1
Tu0 Peers (local/remote): X.X.X.X/Z.Z.Z.Z
Local Ident (addr/mask/port/prot): (X.X.X.X/255.255.255.255/0/47)
Remote Ident (addr/mask/port/prot): (Z.Z.Z.Z/255.255.255.255/0/47)
IPSec Profile: "branch-ipsec-profile"
Socket State: Open
Client: "TUNNEL SEC" (Client State: Active)
Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "branch-ipsec-profile" Map-name: "Tunnel0-head-0"
--
Executive Committee Chair
Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754 Phone: 616.581.8010
E-mail: awilliam at whitemice.org GPG#D95ED383
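
Added example, not part of the original post and not libreswan code: a small parser for the `ipsec trafficstatus` check suggested in the quoted reply, run over the four lines quoted in the message, that flags connections which encrypt outbound traffic but never decrypt a reply. The function names and the "tx-only"/"rx-only"/"idle" labels are assumptions made for this illustration.

```python
import re

# Sample input: the four trafficstatus lines as quoted in the post, including
# the "EXISTING SITE:" / "NEW SITE:" labels the poster added (ids redacted there).
SAMPLE = """\
EXISTING SITE: 006 #23: "btc-gre", type=ESP, add_time=1562755016, inBytes=1967115, outBytes=5936, id='X.X.X.X'
NEW SITE: 006 #25: "ets-gre", type=ESP, add_time=1562755016, inBytes=0, outBytes=352, id='X.X.X.X'
EXISTING SITE: 006 #37: "try-gre", type=ESP, add_time=1562755081, inBytes=10241181, outBytes=12673250, id='X.X.X.X'
EXISTING SITE: 006 #39: "usd-gre", type=ESP, add_time=1562755087, inBytes=157737014, outBytes=3852240137, id='X.X.X.X'
"""

# '#<sa>: "<conn>"' followed by comma-separated key=value pairs.
LINE_RE = re.compile(r'#(?P<sa>\d+):\s+"(?P<conn>[^"]+)"(?P<rest>.*)$')
KV_RE = re.compile(r"(\w+)=('[^']*'|[^,\s]+)")

def parse_trafficstatus(text):
    """Return one dict per SA line; lines without byte counters are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search(), so leading labels are tolerated
        if not m:
            continue
        fields = {k: v.strip("'") for k, v in KV_RE.findall(m["rest"])}
        try:
            rows.append({"sa": int(m["sa"]), "conn": m["conn"],
                         "in": int(fields["inBytes"]),
                         "out": int(fields["outBytes"])})
        except (KeyError, ValueError):
            continue
    return rows

def classify(row):
    """Label an SA by which direction its ESP byte counters have moved."""
    if row["out"] > 0 and row["in"] == 0:
        return "tx-only"   # we encrypt and send, nothing is decrypted back
    if row["in"] > 0 and row["out"] == 0:
        return "rx-only"   # peer's ESP arrives, we never encrypt anything
    if row["in"] == 0 and row["out"] == 0:
        return "idle"      # SA is up but no traffic matched it yet
    return "ok"

def one_way(text):
    """(connection, label) for every SA passing traffic in one direction only."""
    labelled = [(r["conn"], classify(r)) for r in parse_trafficstatus(text)]
    return [(c, s) for c, s in labelled if s in ("tx-only", "rx-only")]

if __name__ == "__main__":
    for conn, state in one_way(SAMPLE):
        print(f"{conn}: {state}")
```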