[nsp] Policy routing .. Cisco-6006

MGG hiruy at comcast.net
Wed Mar 17 14:19:12 EST 2004


Dear all,

We are trying to transition our VPN network from the old Netscreen to the
newer faster model.  Currently we are supporting 30+ networks and the plan
is to cut-over one network at a time without making any changes to the
remote side (especially peer gateway IP).  The old Netscreen is connected to
Cisco 6006 w/MSFC1 which serves as a gateway to the internet. 

The approach we have taken is to use policy-route.  We place the new
Netscreen behind a temp-router (C3640) using the same subnet/IP address as
the old one.  The inbound traffic which matches ACL is directed to the
router's 2nd interface which is directly connected to Cisco-6006. 

ISP --> [C6006] --------------> OLD Netscreen ------|
           |                                        |---- internal network
           |---->[C3640] ------> New Netscreen -----|

Well, everything works fine and we have managed to cut over a few networks
already.  The problem we have is once in a while [say every 3-5 hours] users
behind the new network will lose their connection (VPN drops off) for a few
seconds while the users behind the new users stay up. I have done some
troubleshooting and have not been able to find the problem, and the
intermittent nature of the problem makes it difficult to debug and isolate
the problem.  I was wondering if anyone had seen this problem before.  Any
tweaks or suggestions you can offer are very much appreciated!

Here is the abbreviated and sanitized version of the config to protect the
innocent (me ;-) ) 

---------------------------------------
interface Vlan15 [ISP uplink]
  ip address <ISP Facing WAN IP> 
  ip access-group BlockRFC1918 in
  no ip directed-broadcast
  ip route-cache policy
  ip policy route-map Route-To-New-VPN
  no cdp enable
end

Extended IP access list EverythingElse
    permit ip any any 

Extended IP access list NewVPN
    permit udp host <remote-VPN ip> host <local-VPN IP> eq isakmp 
    permit esp host <remote-VPN ip> host <local-VPN IP> 
    permit icmp host <remote-VPN ip> host <local-VPN IP> 
 
route-map Route-To-New-VPN permit 10
 match ip address NewVPN
 set ip next-hop <IP Address of 3640>
!
route-map Route-To-New-VPN deny 20
 match ip address EverythingElse

"show ver"  --- snippet --- 

IOS (tm) MSFC Software (C6MSFC-IS-M), Version 12.0(7)XE1
cisco Cat6k-MSFC (R5000) processor with 122880K/8192K bytes of memory.
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Bridging software.
X.25 software, Version 3.0.0.
6 Virtual Ethernet/IEEE 802.3  interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.


-MGG.
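A small model of the policy-routing decision the config in the post describes, added here as an illustration (it is not code from the post, from Cisco, or from Netscreen). The peer, local and next-hop addresses are constructed placeholders for the sanitized values; the point it makes explicit is that the `deny 20` sequence in the route-map does not drop traffic, it only excludes it from policy routing so it takes the normal destination-based path, and that NAT-T (UDP/4500) is not covered by the NewVPN ACL as written.

```python
# Added example, not from the original post: models the IOS policy-routing
# decision on Vlan15 as configured above. Addresses are constructed stand-ins.
from dataclasses import dataclass
from typing import Optional

REMOTE_VPN = "198.51.100.10"   # constructed stand-in for <remote-VPN ip>
LOCAL_VPN = "203.0.113.20"     # constructed stand-in for <local-VPN IP>
NEXT_HOP_3640 = "203.0.113.2"  # constructed stand-in for the 3640's address
ISAKMP_PORT = 500              # IOS keyword "isakmp" means UDP/500
NAT_T_PORT = 4500              # IPsec NAT traversal, UDP/4500 (not in the ACL)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "udp", "esp", "icmp", "tcp", ...
    dport: int = 0  # only meaningful for udp/tcp


def acl_new_vpn(p: Packet) -> bool:
    """Extended ACL NewVPN: the three permit lines from the post."""
    if p.src != REMOTE_VPN or p.dst != LOCAL_VPN:
        return False
    if p.proto == "udp" and p.dport == ISAKMP_PORT:
        return True            # permit udp host A host B eq isakmp
    return p.proto in ("esp", "icmp")   # permit esp / permit icmp


def route_map_route_to_new_vpn(p: Packet) -> Optional[str]:
    """Return the policy next-hop, or None meaning 'forward normally'.

    Sequence 10 (permit, match NewVPN) sets the next-hop to the 3640.
    Sequence 20 is a deny clause: in IOS PBR a deny does not discard the
    packet, it hands it back to the regular routing table.
    """
    if acl_new_vpn(p):
        return NEXT_HOP_3640
    return None


def forwarding_decision(p: Packet) -> str:
    nh = route_map_route_to_new_vpn(p)
    return f"policy-routed to {nh}" if nh else "normal destination-based routing"


if __name__ == "__main__":
    for s in [Packet(REMOTE_VPN, LOCAL_VPN, "udp", ISAKMP_PORT),
              Packet(REMOTE_VPN, LOCAL_VPN, "esp"),
              Packet(REMOTE_VPN, LOCAL_VPN, "udp", NAT_T_PORT),
              Packet("192.0.2.7", LOCAL_VPN, "esp")]:
        print(s, "->", forwarding_decision(s))
```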
