CCNP Course Institute in Delhi

Tuesday, December 14, 2010

Large Enterprise Network Troubleshooting CCIE Course Institute in Delhi Gurgaon

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192


Remote Office Troubleshooting
Large enterprise networks often contain multiple remote offices connecting back to a network
located at a corporate headquarters. Troubleshooting remote office network issues
can require knowledge of a wide array of technologies, as illustrated in Figure 14-1.
448 CCNP TSHOOT 642-832 Official Certification Guide
Each of the technology areas shown in the figure has previously been addressed in this
book. Rather than reviewing each of these topics, this section primarily focuses on VPN
issues that can impact remote office connectivity. For example, a VPN connection established
through the Internet can be used as a backup to a private IP WAN connection, as
shown in Figure 14-2.
www.CareerCert.info
Figure 14-3 Site-to-Site and Remote-Access VPNs (figure: HQ connected through the Internet to a remote office by a site-to-site VPN and to a telecommuter by a remote-access VPN)
VPN Types
As illustrated in Figure 14-3, most VPNs can be categorized as one of two types:
■ Site-to-site VPNs: A site-to-site VPN typically terminates in a router at the headquarters
and a router at the remote site. Such an arrangement does not require the
clients at the remote site to have VPN client software installed.
■ Remote-access VPNs: A remote-access VPN requires VPN clients at the remote
site to run VPN client software. Although this approach might require more administrative
overhead to install client software on all clients, remote-access VPNs do offer
more flexibility for mobile users. For example, clients can connect via their hotel’s
Internet connection using VPN client software on their laptop computer.
Each VPN type has unique design considerations.
Site-to-Site VPN Considerations
Figure 14-4 depicts a site-to-site VPN connection.
Following is a listing of potential issues that you should consider with site-to-site VPNs:
■ Overlapping IP address spaces: Notice that the Branch A and Headquarters locations
have an overlapping IP address space (that is, 10.1.1.0/24). This overlap might
prevent these two networks from communicating successfully. A fix for such an issue
is to configure Network Address Translation (NAT) to support overlapping networks.
■ Dynamic routing protocols: Dynamic routing protocols (for example, Enhanced
Interior Gateway Routing Protocol [EIGRP], Open Shortest Path First [OSPF], and
Routing Information Protocol, version 2 [RIPv2]) typically send advertisements to a
multicast address; however, IPsec tunnels transport only unicast IP packets. A Generic
Routing Encapsulation (GRE) tunnel, however, can transport a variety of traffic
types. Therefore, all IP traffic (including multicast and broadcast traffic) can initially
be encapsulated within GRE packets, which are unicast IP packets. Those GRE packets
can then be encapsulated inside IPsec packets to secure their transmission.
Figure 14-4 Site-to-Site VPN Connection (figure: IPsec tunnels across the Internet from Headquarters, 10.1.1.0/24, to Branch A, 10.1.1.0/24, static routing; Branch B, 192.168.1.0/24, static routing; and Branch C, 172.16.1.0/24, EIGRP)
■ Maximum transmission unit (MTU) size: Most Cisco router interfaces default to
an MTU of 1500 bytes for packets (that is, not including the Layer 2 header). However,
when traffic is encapsulated inside a VPN tunnel, the tunnel header(s) add to the
packet size. For example, a combined GRE and IPsec tunnel typically adds roughly 60
to 80 bytes of overhead to a packet, and can add more: the exact amount depends on the
cipher's IV length and block padding, the length of the integrity check value, and
whether IPsec runs in tunnel or transport mode. As a result, the encapsulated packet
might exceed the MTU of the outgoing interface. When an interface attempts to transmit
a packet that exceeds its MTU, the router attempts to fragment the packet; if fragmentation
is permitted, each fragment receives its own IP header, creating a new packet of
acceptable size. However, fragmenting large packets causes problems. First, performing
fragmentation (and, when the encrypted packet itself was fragmented, reassembly on the
receiving router before it can decrypt) increases the burden on the router processor.
Additionally, packets marked with the Do Not Fragment (DF) bit cannot be fragmented and
are dropped instead, with an ICMP "fragmentation needed" message returned to the
sender; if that ICMP message is filtered somewhere along the path, path MTU discovery
fails and the connection stalls silently. Lowering the tunnel interface's ip mtu (and,
for TCP, clamping the MSS with ip tcp adjust-mss) so that the encapsulated packet fits
the physical MTU avoids the problem.
■ Misconfiguration: The configuration of IPsec tunnels can be quite complex. As a
result, a common troubleshooting issue for site-to-site VPNs is a misconfiguration of
the VPN endpoints (for example, the routers at each side of the VPN tunnel).
■ Point-to-point nature of GRE tunnels: Because GRE tunnels are point-to-point logical
connections, suboptimal pathing might result. For example, consider Figure 14-5.
Imagine that Branch B wants to communicate with Branch C. The GRE tunnels are
configured in a hub-and-spoke topology, where the Headquarters location is functioning
as the hub. Therefore, traffic travels from Branch B to Headquarters and then
from Headquarters to Branch C. Because traffic is not flowing directly from Branch B
to Branch C, excessive delay and poor performance might result.
Figure 14-5 Hub-and-Spoke GRE Tunnels (figure: GRE tunnels across the Internet from Headquarters to Branch A, Branch B and Branch C)
Figure 14-6 Full Mesh of GRE Tunnels (figure: tunnels across the Internet between every pair of Headquarters, Branch A, Branch B and Branch C)
Another option is to create a full mesh of VPN connections, as shown in Figure 14-6.
Full mesh networks, however, do not scale well. Specifically, the number of connections
required to form a full mesh of connections between n sites equals n(n–1)/2.
For example, if you had ten sites you wanted to interconnect in a full mesh topology,
you would need to configure 45 (that is, 10(10–1)/2 = 45) connections.
Figure 14-7 DMVPN (figure: Headquarters, Branch A, Branch B and Branch C connected across the Internet, with a dynamic multipoint VPN tunnel formed between Branch B and Branch C)
Rather than creating a full mesh of VPN connections between all sites in an enterprise
network, you can alternatively use Dynamic Multipoint VPN (DMVPN) technology.
DMVPN allows VPN connections to be dynamically created on an
as-needed basis.
Figure 14-7 illustrates a DMVPN connection. In the figure, notice that when Branch
B wants to communicate with Branch C, a dynamic VPN is formed between those
two sites.
This DMVPN solution overcomes the performance issues of a hub-and-spoke topology,
while simultaneously overcoming the scalability issues presented by a full mesh
topology.
■ Suboptimal routing: Recall that a tunnel is a logical connection between two endpoints;
however, that logical connection can span multiple router hops. If a portion of
a tunnel spans a slow or unreliable link, the result can be poor performance for all
tunnel traffic.
Another issue that can lead to suboptimal routing is recursive routing. For example,
when configuring a GRE tunnel, you specify the IP address of the remote side of the
tunnel. If the best route to that destination IP address (from the perspective of the IP
routing table of the source router) is the source router’s tunnel interface, the tunnel interface
might experience flapping. Therefore, poor VPN performance can be linked
to an inappropriate routing configuration on one or both of the VPN routers.
■ Route processor overhead: Depending on the security algorithms chosen to protect
an IPsec tunnel, some router platforms might suffer from poor performance.
Also, the number of VPN tunnels that can be terminated on a router depends on the
underlying router platform. Table 14-2 contrasts the VPN tunnel capacity of various
Integrated Services Router (ISR) platforms.

Table 14-2 VPN Tunnel Capacity for Various ISR Platforms

Router Platform   Maximum IPsec VPN Speed   Number of Supported VPN Tunnels
Cisco 1841        95 Mbps                   800 tunnels
Cisco 2801        100 Mbps                  1500 tunnels
Cisco 2811        30 Mbps                   1500 tunnels
Cisco 2821        140 Mbps                  1500 tunnels
Cisco 2851        145 Mbps                  1500 tunnels
Cisco 3825        175 Mbps                  2000 tunnels
Cisco 3845        185 Mbps                  2500 tunnels
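As an added worked example (not from the book), the following Python script does the encapsulation arithmetic behind the MTU bullet above: the GRE delivery header, then the ESP header, IV, block padding, trailer and integrity check value, plus the new outer IP header of tunnel mode. It assumes IPv4 without options, a basic 4-byte GRE header (no key or sequence number), CBC ciphers and a 96-bit HMAC ICV, which is what the esp-aes esp-sha-hmac transform set used later in this chapter (Examples 14-1 and 14-2) negotiates. The numbers it produces show that the ip mtu 1420 configured on Tunnel0 in those examples can still exceed a 1500-byte physical MTU with AES, so fragmentation or a DF drop remains possible, whereas 1400 always fits.

```python
"""GRE-over-IPsec overhead and MTU arithmetic (added example, not from the book).

Assumptions: IPv4 without options, a basic 4-byte GRE header (no key or
sequence number), ESP in tunnel mode with a CBC cipher and a 96-bit HMAC ICV,
which is what the esp-aes esp-sha-hmac transform set in the chapter uses.
"""

IP_HDR = 20        # IPv4 header, no options
GRE_HDR = 4        # GRE header without key/sequence fields
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

# cipher -> (IV length, block size) for CBC mode
CIPHERS = {"esp-aes": (16, 16), "esp-3des": (8, 8)}
# HMAC-SHA1-96 and HMAC-MD5-96 both truncate the ICV to 12 bytes
ICV_LEN = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}


def esp_tunnel_size(inner_len: int, cipher: str, auth: str) -> int:
    """Size on the wire of an IP packet of inner_len bytes after ESP tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    to_encrypt = inner_len + ESP_TRAILER
    pad = (-to_encrypt) % block          # bring plaintext+trailer to a block boundary
    return IP_HDR + ESP_HDR + iv_len + to_encrypt + pad + ICV_LEN[auth]


def gre_over_ipsec_size(inner_len: int, cipher: str, auth: str) -> int:
    """Original packet -> GRE (delivery IP + GRE) -> ESP tunnel mode."""
    gre_packet = IP_HDR + GRE_HDR + inner_len
    return esp_tunnel_size(gre_packet, cipher, auth)


def overhead(inner_len: int, cipher: str, auth: str) -> int:
    """Bytes added to the original packet by GRE plus IPsec."""
    return gre_over_ipsec_size(inner_len, cipher, auth) - inner_len


def fits(inner_len: int, cipher: str, auth: str, phys_mtu: int = 1500) -> bool:
    """True when the encapsulated packet needs no fragmentation on the physical link."""
    return gre_over_ipsec_size(inner_len, cipher, auth) <= phys_mtu


def max_tunnel_ip_mtu(cipher: str, auth: str, phys_mtu: int = 1500) -> int:
    """Largest 'ip mtu' for the tunnel such that every packet up to that size fits.

    The encapsulated size never decreases as the inner size grows (padding only
    rounds up to the next block), so the first value that fits, counting down
    from the physical MTU, is the largest that fits.
    """
    n = phys_mtu
    while n > 0 and not fits(n, cipher, auth, phys_mtu):
        n -= 1
    return n


if __name__ == "__main__":
    for inner in (1500, 1420, 1400):
        for cipher in ("esp-aes", "esp-3des"):
            size = gre_over_ipsec_size(inner, cipher, "esp-sha-hmac")
            verdict = "fits" if fits(inner, cipher, "esp-sha-hmac") else "exceeds 1500"
            print(f"inner {inner:4d} {cipher:9s} -> {size:4d} bytes on the wire "
                  f"(+{overhead(inner, cipher, 'esp-sha-hmac')}), {verdict}")
    for cipher in ("esp-aes", "esp-3des"):
        print(f"largest tunnel ip mtu with {cipher}: "
              f"{max_tunnel_ip_mtu(cipher, 'esp-sha-hmac')}")
```

Running it shows a 1420-byte inner packet becoming 1512 bytes on the wire with AES/SHA (92 bytes of overhead) but 1496 bytes with 3DES/SHA; the largest tunnel ip mtu that always fits a 1500-byte link is 1414 for AES and 1422 for 3DES, which is why a conservative value such as 1400 is commonly used for GRE over IPsec.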
Remote-Access VPN Considerations
Figure 14-8 depicts a remote-access VPN connection.
Following is a listing of potential troubleshooting issues that you should consider with
remote-access VPNs:
■ Authentication: Users connecting from their PC (running VPN client software) require
user credentials (for example, username and password credentials) to gain access
to a network. Therefore, one reason remote-access VPN users fail to establish a
VPN tunnel is that they provide incorrect credentials. Alternatively, the users might
provide correct credentials, but the authentication server might be configured incorrectly
or might not be functioning.
■ User profiles: Because users log into a remote-access VPN, different users can be
assigned different policies through the use of user profiles. As a result, when remote-access
VPN users are unable to connect to desired resources, the underlying issue
might be their user profile.
■ MTU size: Remote-access VPN clients have a similar issue with MTU sizes and fragmentation,
as previously described for site-to-site VPNs. Fortunately, VPN client
software often allows you to configure the MTU size of a tunnel.
■ Misconfiguration: VPN software running on a client machine often has multiple
configuration options. As a result, a common issue for remote-access VPNs is the
misconfiguration of the VPN client software.
■ Client security software: Security software running on a client machine might deny
traffic required for VPN establishment. Therefore, firewall and anti-virus software
running on a VPN client machine might result in the failure of a VPN connection.
Troubleshooting VPN Issues
VPNs involve multiple configuration elements. Therefore, as a troubleshooting aid, the following
list provides a collection of questions to answer when troubleshooting a VPN issue:
■ How is IP addressing assigned? (For example, do overlapping IP address ranges exist?)
■ Is the VPN site-to-site or remote-access?
■ How are the MTU values configured on the router interfaces transited by the VPN?
■ What translations (if any) is NAT performing?
■ Are routing protocols routing traffic over a GRE tunnel or over a physical interface?
■ According to a router’s IP routing table, is the best path to a tunnel destination’s IP
address the tunnel interface? (If so, a recursive routing issue might result.)
Table 14-3 lists a collection of Cisco IOS commands useful in troubleshooting VPN
connections.
Figure 14-8 Remote-Access VPN Connection (figure: Headquarters reached across the Internet by a mobile workforce from a hotel and by a telecommuter from home)
Table 14-3 VPN Troubleshooting Commands

Command                                  Description
show crypto ipsec sa                     Displays IPsec security association settings
show crypto engine connections active    Displays configuration information for all active IPsec sessions
show crypto map                          Displays the crypto map configuration of a router (for example,
                                         information about ACLs being referenced by the crypto map, the IP
                                         address of the IPsec peer, the security association lifetime, and
                                         the name of the crypto map transform set)
show ip route                            Displays routes injected into a router's IP routing table, including
                                         next-hop IP address or exit interface information for IP routes
show ip protocols                        Displays information about the active IP routing processes of a router
show interfaces tunnel number            Displays status and configuration information for a specified tunnel
                                         interface on a router
Figure 14-9 IPsec and GRE Tunnel Topology (figure: HQ, the headquarters router, with Fa 0/0 192.168.1.29/24, Serial 1/0 172.16.1.1/30 and Tunnel 0 10.1.1.1/30, connected across the Internet to BR, the remote office router, with Serial 1/0 172.16.1.2/30, Tunnel 0 10.1.1.2/30 and Fa 0/0 10.2.2.1/24)
To illustrate the data collection process for a VPN using both IPsec and GRE technologies,
consider Figure 14-9.
Although the configuration of VPN tunnels is outside the scope of the TSHOOT curriculum,
as a reference, Examples 14-1 and 14-2 illustrate the VPN configurations present on
routers HQ and BR. Note that these are lab settings: the ISAKMP pre-shared key is the
word cisco, the highest-priority ISAKMP policy uses 3DES with Diffie-Hellman group 2, and
PFS is not enabled (Example 14-5 shows PFS (Y/N): N). A production deployment would use a
long random pre-shared key (or certificates), AES, a larger DH group and PFS.
Example 14-1 VPN Configuration on Router HQ
HQ# show run
...OUTPUT OMITTED...
hostname HQ
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.1.2
!
crypto ipsec transform-set TSHOOT-TRANSFORM esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to172.16.1.2
set peer 172.16.1.2
set transform-set TSHOOT-TRANSFORM
match address 100
!
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
ip mtu 1420
tunnel source 172.16.1.1
tunnel destination 172.16.1.2
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
ip address 192.168.1.29 255.255.255.0
!
interface Serial1/0
ip address 172.16.1.1 255.255.255.0
encapsulation ppp
crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 172.16.1.2
ip route 172.16.1.2 255.255.255.255 Serial1/0
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit gre host 172.16.1.1 host 172.16.1.2
!
...OUTPUT OMITTED...
Example 14-2 VPN Configuration on Router BR
BR# show run
...OUTPUT OMITTED...
hostname BR
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set TSHOOT-TRANSFORM esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 172.16.1.1
set transform-set TSHOOT-TRANSFORM
match address SDM_1
!
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
ip mtu 1420
tunnel source 172.16.1.2
tunnel destination 172.16.1.1
tunnel path-mtu-discovery
crypto map SDM_CMAP_1
!
interface FastEthernet0/0
ip address 10.2.2.1 255.255.255.0
!
interface Serial1/0
ip address 172.16.1.2 255.255.255.0
encapsulation ppp
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 172.16.1.1
ip route 172.16.1.1 255.255.255.255 Serial1/0
!
ip access-list extended SDM_1
remark SDM_ACL Category=4
permit gre host 172.16.1.2 host 172.16.1.1
...OUTPUT OMITTED...
Example 14-3 provides sample output from the show crypto ipsec sa command on router
HQ. The output offers information about IPsec security association settings, including IP
address information for the tunnel peers and information about the encryption and hashing
algorithms being used to protect the tunnel traffic.
Example 14-3 show crypto ipsec sa Command Output on Router HQ
HQ# show crypto ipsec sa
interface: Serial1/0
Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/47/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
path mtu 1420, ip mtu 1420, ip mtu idb Tunnel0
current outbound spi: 0x631F3197(1662988695)
inbound esp sas:
spi: 0x2441D1C7(608293319)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4451479/3185)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x631F3197(1662988695)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4451473/3183)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel0
Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/47/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
path mtu 1420, ip mtu 1420, ip mtu idb Tunnel0
current outbound spi: 0x631F3197(1662988695)
inbound esp sas:
spi: 0x2441D1C7(608293319)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4451479/3182)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x631F3197(1662988695)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4451473/3181)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
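What a practitioner reads from this output, beyond the algorithm names, is the counters: HQ encapsulated and encrypted 60 packets but decapsulated none, and recorded four send errors, even though both ESP security associations report ACTIVE. A one-way counter pattern like this usually means the peer is not returning protected traffic (for example, a mismatched crypto ACL or a routing problem on the far side). The following Python script is an added example, not from the book: it parses the per-interface sections of show crypto ipsec sa output and flags these conditions. The first sample input is the Serial1/0 section of Example 14-3 (abridged to the lines the parser uses); the second is a constructed healthy section for comparison. The field names it matches are exactly those visible in the example output.

```python
"""Parse 'show crypto ipsec sa' output and flag one-way traffic and inactive SAs.

Added example, not from the book. It matches only the field names visible in
Example 14-3 (interface:, current_peer, #pkts encaps/decaps, #send errors,
inbound/outbound esp sas:, spi:, Status:).
"""
import re

# Serial1/0 section of the HQ output in Example 14-3 (abridged to the lines used here)
HQ_SA_OUTPUT = """\
interface: Serial1/0
    Crypto map tag: SDM_CMAP_1, local addr 172.16.1.1
   local  ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/47/0)
   current_peer 172.16.1.2 port 500
    #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     current outbound spi: 0x631F3197(1662988695)
     inbound esp sas:
      spi: 0x2441D1C7(608293319)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x631F3197(1662988695)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

# Constructed healthy section for comparison (not from the book)
HEALTHY_SA_OUTPUT = """\
interface: Serial1/0
   current_peer 172.16.1.2 port 500
    #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
    #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x11111111(286331153)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x22222222(572662306)
        Status: ACTIVE
"""


def parse_ipsec_sa(text: str) -> list:
    """Return one dict per 'interface:' section with peer, counters and ESP SA states."""
    sections, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface: (\S+)", line):
            cur = {"interface": m.group(1), "peer": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "sas": []}
            sections.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"current_peer (\S+) port \d+", line):
            cur["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            cur["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            cur["decaps"] = int(m.group(1))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m.group(1)          # the spi: lines that follow belong here
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            cur["sas"].append({"dir": direction, "spi": m.group(1), "status": None})
        elif m := re.match(r"Status: (\S+)", line):
            if cur["sas"]:
                cur["sas"][-1]["status"] = m.group(1)
    return sections


def diagnose(section: dict) -> list:
    """Human-readable findings for one interface section; an empty list means healthy."""
    findings = []
    active = {sa["dir"] for sa in section["sas"] if sa["status"] == "ACTIVE"}
    for direction in ("inbound", "outbound"):
        if direction not in active:
            findings.append(f"no ACTIVE {direction} ESP SA")
    if section["encaps"] and not section["decaps"]:
        findings.append("one-way traffic: packets encrypted toward "
                        f"{section['peer']} but none decrypted from it")
    if section["send_errors"]:
        findings.append(f"{section['send_errors']} send errors")
    return findings


if __name__ == "__main__":
    for label, text in (("Example 14-3", HQ_SA_OUTPUT), ("healthy", HEALTHY_SA_OUTPUT)):
        for section in parse_ipsec_sa(text):
            print(f"{label} {section['interface']} peer {section['peer']}: "
                  f"{diagnose(section) or 'no findings'}")
```

Checking counters on both routers is the quick way to localise the fault: if BR shows decaps but no encaps, BR is receiving but not classifying return traffic into the tunnel (its crypto ACL or routing); if BR shows nothing at all, the packets are not reaching it.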
Example 14-4 provides sample output from the show crypto engine connections active
command on router HQ. The output shows local interface and IP address information for
all active IPsec sessions, along with the encryption and hashing algorithms being used.
Note that connection ID 1 is the ISAKMP (IKE) security association, negotiated with 3DES
and HMAC-SHA because policy 1 (3DES) has a higher priority than policy 2 (AES) in
Examples 14-1 and 14-2, whereas IDs 2001 and 2002 are the IPsec security associations,
which use AES and SHA from the TSHOOT-TRANSFORM transform set. The Encrypt and Decrypt
columns are packet counters; as in Example 14-3, HQ has encrypted packets but decrypted
none.
Example 14-4 show crypto engine connections active Command Output on Router HQ
HQ# show crypto engine connections active
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 Serial1/0 172.16.1.1 set HMAC_SHA+3DES_56_C 0 0
2001 Serial1/0 172.16.1.1 set AES+SHA 28 0
2002 Serial1/0 172.16.1.1 set AES+SHA 0 0
Example 14-5 provides sample output from the show crypto map command on router
HQ. The output includes such information as the peer IP address, the ACL used to classify
traffic to be sent over the tunnel, and the interfaces using a particular crypto map.

Example 14-5 show crypto map Command Output on Router HQ
HQ# show crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Tunnel to172.16.1.2
Peer = 172.16.1.2
Extended IP access list 100
access-list 100 permit gre host 172.16.1.1 host 172.16.1.2
Current peer: 172.16.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TSHOOT-TRANSFORM,
}
Interfaces using crypto map SDM_CMAP_1:
Serial1/0
Tunnel0
Example 14-6 provides sample output from the show ip route command on router HQ.
Notice that the best route to the IP address of the tunnel destination, 172.16.1.2, is the
/32 host route out the physical interface Serial1/0 (configured with the ip route
172.16.1.2 255.255.255.255 Serial1/0 statement in Example 14-1), not the tunnel interface,
even though the default route points out Tunnel0. Because that host route is more specific
than the default, the GRE delivery packets are forwarded over Serial1/0 rather than into
the tunnel itself, which prevents the recursive routing issue previously discussed. The
host route matters most when the peer's address is not in a directly connected subnet, as
is typical when the tunnel crosses the Internet.
Example 14-6 show ip route Command Output on Router HQ
HQ# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Serial1/0
C 172.16.2.0/24 is directly connected, FastEthernet0/1
C 172.16.1.2/32 is directly connected, Serial1/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/30 is directly connected, Tunnel0
S 10.1.1.0/24 [1/0] via 172.16.1.2
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Tunnel0
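The recursive routing question from the troubleshooting list (is the best path to the tunnel destination the tunnel interface itself?) can be answered mechanically from this output. The following Python script is an added example, not from the book: it parses show ip route text, performs a longest-prefix match for the tunnel destination, follows next hops until it reaches an exit interface, and reports whether that interface is the tunnel. The first sample table is the HQ output from Example 14-6; the two branch tables are constructed (the addresses 198.51.100.0/30 and 203.0.113.1 are documentation-range values, not from the book) and show the failure where the only route to the peer is the default route pointing at Tunnel0, and the fix of adding a host route toward the physical next hop.

```python
"""Detect GRE recursive routing from 'show ip route' text (added example, not from the book).

The parser handles the single-letter IOS route codes seen in Example 14-6
("C", "S", "S*"); two-word codes such as "O IA" are not handled.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Za-z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$"
)
VIA_RE = re.compile(r"via (\d+\.\d+\.\d+\.\d+)")
CONN_RE = re.compile(r"directly connected, (\S+)")

# HQ routing table from Example 14-6 (legend lines omitted)
HQ_ROUTES = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C       172.16.1.0/24 is directly connected, Serial1/0
C       172.16.2.0/24 is directly connected, FastEthernet0/1
C       172.16.1.2/32 is directly connected, Serial1/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/30 is directly connected, Tunnel0
S       10.1.1.0/24 [1/0] via 172.16.1.2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Tunnel0
"""

# Constructed branch table: the peer 203.0.113.1 is only reachable via the default
# route, which points into the tunnel itself (recursive routing, tunnel flaps)
BROKEN_BRANCH_ROUTES = """\
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C    198.51.100.0/30 is directly connected, Serial1/0
C    10.1.1.0/30 is directly connected, Tunnel0
C    10.2.2.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Tunnel0
"""

# Same table with the fix: a host route for the peer toward the ISP next hop
FIXED_BRANCH_ROUTES = BROKEN_BRANCH_ROUTES + "S    203.0.113.1/32 [1/0] via 198.51.100.1\n"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]     # set for "via a.b.c.d" routes
    interface: Optional[str]    # set for "directly connected, X" routes


def parse_routes(text: str) -> list:
    """Extract prefix / next-hop / interface from each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # legend, "Gateway of last resort", "is variably subnetted" lines
        via = VIA_RE.search(m["rest"])
        conn = CONN_RE.search(m["rest"])
        routes.append(Route(ipaddress.ip_network(m["prefix"], strict=False),
                            via.group(1) if via else None,
                            conn.group(1) if conn else None))
    return routes


def egress_interface(routes: list, dest: str, _depth: int = 0) -> Optional[str]:
    """Longest-prefix match for dest, following next hops until an interface is found."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.prefix]
    if not matches or _depth > 8:        # no route, or a next-hop resolution loop
        return None
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    if best.interface:
        return best.interface
    return egress_interface(routes, best.next_hop, _depth + 1)


def is_recursive(routes: list, tunnel_if: str, tunnel_dest: str) -> bool:
    """True when the tunnel destination would be forwarded into the tunnel itself."""
    return egress_interface(routes, tunnel_dest) == tunnel_if


if __name__ == "__main__":
    for label, text, dest in (("HQ (Example 14-6)", HQ_ROUTES, "172.16.1.2"),
                              ("broken branch", BROKEN_BRANCH_ROUTES, "203.0.113.1"),
                              ("fixed branch", FIXED_BRANCH_ROUTES, "203.0.113.1")):
        routes = parse_routes(text)
        print(f"{label}: tunnel destination {dest} exits via "
              f"{egress_interface(routes, dest)}, "
              f"recursive={is_recursive(routes, 'Tunnel0', dest)}")
```

On HQ the /32 host route wins the longest-prefix match and the tunnel destination exits Serial1/0; on the broken branch only the default route matches and the answer is Tunnel0, which is exactly the condition the question in the troubleshooting list warns about.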
Example 14-7 provides sample output from the show ip protocols command on router
HQ. The output normally displays information about routing protocols running on a
router. However, in this example, the lack of any output indicates that no dynamic routing
protocols are configured.
Example 14-7 show ip protocols Command Output on Router HQ
HQ# show ip protocols
Example 14-8 provides sample output from the show interfaces tunnel 0 command on
router HQ. From the output you can determine that the Tunnel 0 interface is operational at
Layer 1 and Layer 2. You can also see the source and destination IP address of the tunnel
and that the tunnel protocol in use is GRE.
