
Friday 8 April 2011

DCdiag fails over IPSEC Tunnel

I had a server behind an IPSEC tunnel between two Cisco 1841 routers, and when running dcdiag the Locator check was failing. I used the verbose output of dcdiag, and it noted that UDP packets were being either dropped or fragmented on the way to the destination servers.

I looked at the syslog on the Cisco 1841 and I could see UDP packets between the two servers being dropped. I checked the class map for this policy map: udp was listed at the bottom of the class map, but it was not being matched.

I then created a new class map for the UDP protocol and added this, with inspect, to the policy map, and then dcdiag worked. I used an inspect log in the policy map to show this in the syslog.

It is strange behaviour that the UDP packets do not match even though they are in the right class map, but I needed a solution, so I created a new protocol definition for UDP LDAP on port 389 and then a new class map and policy map inspection.

! Comments added for clarity; the configuration lines are as posted.
! User-defined port-map (application) names must start with "user-".
ip port-map user-ldap-udp port udp 389
! Class that matches only the new application, so the UDP 389 traffic is inspected explicitly
class-map type inspect match-any cmap-ldap-traffic
 match protocol user-ldap-udp
 exit
! Add the class, with the inspect action, to the existing inspect policy (here ccp-inspect)
policy-map type inspect ccp-inspect
 class type inspect cmap-ldap-traffic
  inspect
  exit
 exit
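After the policy is in place it helps to confirm, independently of dcdiag, that the UDP 389 exchange the Locator test depends on (the CLDAP Netlogon query, as specified in MS-ADTS) actually crosses the tunnel in both directions. The Python script below is an added example and not code from the original post: it builds the LDAP SearchRequest the DC Locator sends over UDP 389, sends it to a domain controller you name, and decodes the NETLOGON_SAM_LOGON_RESPONSE_EX reply. The host address, DNS domain and timeout are whatever you pass in; a timeout while TCP 389 still works is the signature of the problem described above.

```python
"""CLDAP Netlogon "ping" over UDP/389: the query the dcdiag Locator test depends on.
Added example, not code from the original post; host and domain are caller-supplied."""
import socket
import struct
import uuid

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED, BOOLEAN = 0x30, 0x02, 0x04, 0x0A, 0x01
SEARCH_REQUEST, SEARCH_RESULT_ENTRY = 0x63, 0x64   # [APPLICATION 3] / [APPLICATION 4]
FILTER_AND, FILTER_EQUALITY = 0xA0, 0xA3
NT_VERSION_5, NT_VERSION_5EX, LOGON_SAM_LOGON_RESPONSE_EX = 0x02, 0x04, 23

def ber(tag, payload):
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_int(value):
    return ber(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def build_netlogon_query(domain, message_id=1, ntver=NT_VERSION_5 | NT_VERSION_5EX):
    """SearchRequest on rootDSE: (&(DnsDomain=<domain>)(NtVer=<le32>)), attrs=[Netlogon]."""
    def eq(attr, val):
        return ber(FILTER_EQUALITY, ber(OCTET_STRING, attr) + ber(OCTET_STRING, val))
    flt = ber(FILTER_AND, eq(b"DnsDomain", domain.encode()) + eq(b"NtVer", struct.pack("<I", ntver)))
    search = ber(SEARCH_REQUEST,
                 ber(OCTET_STRING, b"")                                  # baseObject: rootDSE
                 + ber(ENUMERATED, b"\x00") + ber(ENUMERATED, b"\x00")   # scope base, never deref
                 + ber_int(0) + ber_int(0) + ber(BOOLEAN, b"\x00")       # no limits, typesOnly false
                 + flt
                 + ber(SEQUENCE, ber(OCTET_STRING, b"Netlogon")))
    return ber(SEQUENCE, ber_int(message_id) + search)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos; value_end is the next TLV."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, pos, pos + first
    nbytes = first & 0x7F
    return tag, pos + nbytes, pos + nbytes + int.from_bytes(buf[pos:pos + nbytes], "big")

def extract_netlogon_blob(reply):
    """Return the Netlogon attribute value from a SearchResultEntry, or None."""
    tag, pos, _ = read_tlv(reply, 0)                  # LDAPMessage SEQUENCE
    if tag != SEQUENCE:
        return None
    _, _, pos = read_tlv(reply, pos)                  # skip messageID
    tag, pos, _ = read_tlv(reply, pos)
    if tag != SEARCH_RESULT_ENTRY:                    # e.g. only a SearchResultDone came back
        return None
    _, _, pos = read_tlv(reply, pos)                  # skip objectName
    _, pos, attrs_end = read_tlv(reply, pos)          # PartialAttributeList
    while pos < attrs_end:
        _, a_pos, a_end = read_tlv(reply, pos)        # one PartialAttribute
        _, t_start, t_end = read_tlv(reply, a_pos)    # type
        _, v_pos, v_end = read_tlv(reply, t_end)      # vals SET OF
        if reply[t_start:t_end].lower() == b"netlogon" and v_pos < v_end:
            _, b_start, b_end = read_tlv(reply, v_pos)
            return reply[b_start:b_end]
        pos = a_end
    return None

def read_dns_name(blob, pos):
    """Decode an RFC 1035 compressed name (offsets relative to the blob); return (name, next_pos)."""
    labels, end = [], None
    while True:
        n = blob[pos]
        if n & 0xC0 == 0xC0:                          # 14-bit back-pointer
            end = pos + 2 if end is None else end
            pos = ((n & 0x3F) << 8) | blob[pos + 1]
            continue
        pos += 1
        if n == 0:
            break
        labels.append(blob[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), (pos if end is None else end)

def parse_netlogon_response(blob):
    """Decode NETLOGON_SAM_LOGON_RESPONSE_EX (MS-ADTS 6.3.1.9) into a dict."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("unexpected opcode %d" % opcode)
    info, pos = {"flags": flags, "domain_guid": str(uuid.UUID(bytes_le=blob[8:24]))}, 24
    for field in ("forest", "domain", "host", "netbios_domain", "netbios_host",
                  "user", "dc_site", "client_site"):
        info[field], pos = read_dns_name(blob, pos)
    return info

def cldap_ping(dc_host, domain, timeout=2.0):
    """Send the locator query; None means no UDP reply in time (dropped, or the DC is down)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_netlogon_query(domain), (dc_host, 389))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    blob = extract_netlogon_blob(reply)
    return parse_netlogon_response(blob) if blob else None
```

Run cldap_ping("10.0.0.10", "corp.example.com") from a host on the far side of the tunnel (both values are placeholders): a dict with the DC's host name, site and flags means UDP 389 is passing in both directions, while None means the query or the reply was dropped, which is exactly what the router syslog showed above. The DC Locator uses the same query, so a None here with TCP 389 reachable points at the firewall policy rather than at the domain controller.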
