Cisco Router 1921 Boot Error
I am having a problem on my new Cisco Router 1921 series. When I connect to the console I am getting the attached error, please advise.
Yup, I suspected something similar to this.
Hence I suggested correcting it using the rommon mode.
Anyway, happy that the issue is resolved.
Please mark the thread as answered so that it is closed rather than being left open, and to help others in future.
Similar Messages
-
We have a need to netboot a PC with Linux via a Cisco router (I.E. PXEboot).
We have copied the PXE linux.cfg files to the Cisco router's flash, (Cisco 2821, IOS Advanced Security 15-1.2-T1).
We have setup the router as a TFTP server with defaulted path as tftp-server flash:tftpboot
From the pc's CMOS, we selected PXE boot.
With "debug ip packet detail", we can see the DHCP request from the PC.
We cannot however, get the router to download the Linux files to the PC.
Manually we tried:
c:\ tftp 10.0.0.1 get default - no go.
ANYONE have an idea????
Thanks
Frank
Hi Ash,
Thanks for the assistance.
The laptop is directly connected to the Cisco 2821 router's g0/0 interface.
The router is configured to be a DHCP server with the Cisco 2821 router IP address on g0/0 set in the DHCP configuration to be the default router. The router's IP address (10.0.0.30) is excluded from DHCP.
If the laptop's BIOS is set to PXE boot, it seems to receive an IP address from the router, i.e. 10.0.0.1 (verified by statically assigning another PC the IP address 10.0.0.1: the second PC receives an IP address conflict error). I then set the second PC to obtain its IP address via DHCP, and while running debug ip packet detail on the router, I see the router running through the DHCP assignment process and finally assigning the second PC 10.0.0.2.
So needless to say, I believe the DHCP setup is functioning correctly.
The problem we have at this point is nailing down the TFTP-server function running on the Cisco 2821 router.
We were able to create the directory tree on the Cisco 2821 router's flash and then copy the correct files into each directory within flash.
Using the WinXP DOS prompt, tftp does not seem to function.
With debug ip packet detail running on the router and Wireshark running on the PC, we run from a DOS window c:\tftp 10.0.0.1 GET \default. No matter how we specify the path, the end result is an error of some kind.
We watch debug and wireshark display the communications of the PC and router talking, but cannot seem to get the requested file.
Perhaps WinXP tftp server is flawed.
If we load TFTP32 and attempt to send and/or receive a file from flash, works fine.
The router tftp config is as:
tftp-server flash:/tftpboot/dsl/pxeboot.cfg
The actual file's name is "default" and it is found in the Cisco 2821 flash:/tftpboot/dsl/pxeboot.cfg directory.
No ACLs on the Cisco router and the router is pretty much right out of the box.
Firewall is disabled on both PCs.
Ping to/from the PC/router works fine.
Thanks again
Frank -
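Frank's symptom (debug and Wireshark show the PC and router talking, yet no file arrives) is easiest to reason about with the protocol in front of you. The following is an added example, not code from the thread: an in-memory simulation of the RFC 1350 read exchange (RRQ, DATA, ACK, ERROR). The server stand-in and its file table (FLASH) are constructed and are not IOS's tftp-server implementation. What it shows is that the filename is an opaque string the server matches exactly as the client sent it, so a Windows `GET \default` asks for a file literally named `\default`, and a request that names the file the way the server knows it succeeds.

```python
"""RFC 1350 TFTP read exchange, simulated in memory (added example, not from the thread)."""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5   # TFTP opcodes
BLOCK_SIZE = 512                                           # fixed data block size in RFC 1350
ERR_NOT_FOUND, ERR_ILLEGAL_OP = 1, 4                       # error codes used below


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode, filename, NUL, mode, NUL. The filename travels verbatim, byte for byte."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)


def build_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt: bytes) -> dict:
    """Decode any TFTP packet into a dict keyed by opcode-specific fields."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (OP_RRQ, OP_WRQ):
        filename, mode, _ = pkt[2:].split(b"\0", 2)
        return {"op": op, "filename": filename.decode(), "mode": mode.decode().lower()}
    if op in (OP_DATA, OP_ACK):
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "block": block, "data": pkt[4:]}
    if op == OP_ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "code": code, "message": pkt[4:].rstrip(b"\0").decode()}
    raise ValueError(f"unknown TFTP opcode {op}")


class TftpServerSim:
    """Stand-in for the server side: a fixed name -> bytes table (constructed; not IOS's tftp-server code)."""

    def __init__(self, files: dict):
        self.files = files
        self.current = None   # bytes of the file being sent in this one-client simulation

    def handle(self, pkt: bytes) -> bytes:
        req = parse_packet(pkt)
        if req["op"] == OP_RRQ:
            # Lookup is an exact byte match on the string the client sent: "\\default" is not "default".
            if req["filename"] not in self.files:
                self.current = None
                return build_error(ERR_NOT_FOUND, "File not found")
            self.current = self.files[req["filename"]]
            return self._data(1)
        if req["op"] == OP_ACK and self.current is not None:
            return self._data(req["block"] + 1)
        return build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation")

    def _data(self, block: int) -> bytes:
        start = (block - 1) * BLOCK_SIZE
        return struct.pack("!HH", OP_DATA, block & 0xFFFF) + self.current[start:start + BLOCK_SIZE]


def tftp_get(server: TftpServerSim, filename: str):
    """Client side: send RRQ, ACK each DATA block, stop at the first block shorter than 512 bytes.
    Returns (data, None) on success or (None, error_text) if the server answered with ERROR."""
    reply = parse_packet(server.handle(build_rrq(filename)))
    chunks, expected = [], 1
    while True:
        if reply["op"] == OP_ERROR:
            return None, f"error {reply['code']}: {reply['message']}"
        if reply["op"] != OP_DATA or reply["block"] != (expected & 0xFFFF):
            return None, "unexpected packet"
        chunks.append(reply["data"])
        ack = build_ack(expected)
        if len(reply["data"]) < BLOCK_SIZE:
            server.handle(ack)          # final ACK; nothing further is expected
            return b"".join(chunks), None
        reply = parse_packet(server.handle(ack))
        expected += 1


# Constructed "flash" contents: a 1200-byte PXE menu (three blocks) under a directory path, plus a short file.
FLASH = {
    "tftpboot/dsl/pxeboot.cfg/default": b"DEFAULT linux\n" + b"#" * 1186,
    "default": b"DEFAULT linux\n",
}

if __name__ == "__main__":
    for name in ("default", "tftpboot/dsl/pxeboot.cfg/default", "\\default"):
        data, err = tftp_get(TftpServerSim(FLASH), name)
        print(f"{name!r}: {len(data)} bytes" if data is not None else f"{name!r}: {err}")
```

TFTP carries no authentication at all: whoever can reach UDP/69 on the router can request any name the server exposes, so a router acting as a TFTP server should only be reachable from the segment that needs it.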
I am getting an unexpected error message when updating the setting to "extend network". Is there an obvious setting I may be missing? Cisco router being used.
If you are trying to "extend" using wireless only, you may not be aware that Apple designed the "extend" feature as a proprietary setting to only work with other Apple routers.
It is extremely unlikely that this will work with a Cisco router.
If your plans call for connecting the AirPort Express to the Cisco router using a wired Ethernet connection, it should be possible to configure the Express that way. -
Encapsulation dot1q is not working? 2600 Cisco router
I am trying to configure a 2620 Cisco router to perform a subinterface (F0/0.1) for VLAN Trunk Protocol; however, when I try to configure the encapsulation dot1q, I keep receiving an error message with a ^ symbol below the 'c' (see below). The platform version is 12.3(26), which should be acceptable to perform an (encapsulation dot1q). The Ethernet is a Fast Ethernet 10/100 port. I also tried ISL and received the same message.
Can anyone suggest what could be the problem!!
Thank you all!!!!!
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#int f0/0.1
Router(config-subif)#encapsulation dot1q 1
^
% Invalid input detected at '^' marker.
Router(config-subif)#
====================================================================================================
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 15:23 by dchih
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Router uptime is 5 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.123-26.bin"
cisco 2620 (MPC860) processor (revision 0x600) with 28672K/4096K bytes of memory.
Processor board ID JAD05440GAN (1508240486)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router#
==================================================================================================
Router#sh flash
System flash directory:
File Length Name/status
1 7754580 c2600-i-mz.123-26.bin [7754644 bytes used, 633960 available, 8388604 total]
8192K bytes of processor board System flash (Read/Write)
Router#
jesse rodriguez wrote:
I am connected through the console, here is the output.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#
*Mar 1 00:01:36.891: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Router(config-if)#
Router(config-if)#int f0/0.1
Router(config-subif)#enc ?
% Unrecognized command
Router(config-subif)#en?
% Unrecognized command
Router(config-subif)#en ?
% Unrecognized command
Router(config-subif)#en
Jesse
It's possible your feature set is not good enough to run trunking.
Trunking apparently requires a minimum of the IP PLUS feature set according to this document:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
Table 2 shows a minimum IOS of 12.0(1)T and IPPLUS/IPPLUS on the 2620, so your IOS revision is OK, but maybe your feature set is not.
You can figure out which feature set you have by going here:
http://tools.cisco.com/ITDIT/CFN/Dispatch?act=rlsSelect&task=search&searchby=image
and entering your image name (assuming it's not been stuffed with), which you can find by doing "show flash" or "dir".
If you don't have the right feature set, then you're out of luck unless you can upgrade/change the IOS image the router is booting with.
Cheers. -
Trouble connecting Cisco router with cable modem for Internet purposes
So I am requesting help from the Cisco community on this issue, as the cable company states their equipment is working fine. At all my facilities I have a guest Internet service set up through a local Internet provider to provide Internet services to the residents and guests. I have the cable modem, usually a Motorola SBG6580 or an SMC 8014 (both provided by the cable company), connected to my router on an FE or GE interface. I am using static IPs and using the cable modem just as a modem (bridge mode). Over the past several months these connections have just stopped working. I have not made any drastic changes to my router configs; however, the cable company has updated the firmware on these modems. I am wondering if that could have affected how the modem and router talk. I was told by the cable company that the modem sees the Cisco router but that the port is inactive. My router shows the port is active and traffic passing. Does anyone have any ideas that could point to where the problem lies? I will post a basic config of one that currently does not work. I am using a VRF to route a certain group out, using NAT. Please let me know if I need to post additional info. Any help would be greatly appreciated.
Cisco CISCO2911/K9
Version 15.2(3)T1
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname 1204RTR01
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.152-3.T1.bin
boot system flash0:c2900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
card type t1 0 0
logging buffered 64000
aaa new-model
aaa session-id common
clock timezone cst -6 0
clock summer-time CDT recurring
no ipv6 cef
no ip source-route
ip vrf 5
rd 5:1
ip multicast-routing
1
ip dhcp pool Guest
vrf 5
network 10.51.XXX.0 255.255.255.0
default-router 10.51.XXX.XXX
dns-server 209.18.47.61 209.18.47.62
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip cef
multilink bundle-name authenticated
application
global
service alternate default
license udi pid CISCO2911/K9 sn FTX1508AHTM
hw-module pvdm 0/0
redundancy
ip tcp synwait-time 10
interface GigabitEthernet0/0.5
description Guest VLAN
encapsulation dot1Q 5
ip vrf forwarding 5
ip address 10.51.xx.xxx 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
interface GigabitEthernet0/2
description Guest Intenet access
ip vrf forwarding 5
ip address 24.242.182.182 255.255.255.252 <--Cable company IP, Modem IP is 24.242.182.181
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 9 interface GigabitEthernet0/2 vrf 5 overload
ip route vrf 5 0.0.0.0 0.0.0.0 24.242.182.181
access-list 9 permit 10.51.204.0 0.0.0.255
Ok, mysteriously this location just started working yesterday, but I am still dealing with seven others and I really would like to know what is going on. I will give you everything you may need, just let me know.
Config:
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname 1112RTR01
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.152-3.T1.bin
boot system flash0:c2900-universalk9-mz.SPA.151-1.T.bin
boot-end-marker
aaa new-model
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
no ipv6 cef
no ip source-route
ip vrf GuestVRF
rd 5:1
ip multicast-routing
ip dhcp pool Guest
vrf GuestVRF
network 10.51.112.0 255.255.255.0
default-router 10.51.112.1
dns-server 209.18.47.61 209.18.47.62
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip cef
application
global
service alternate default
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0.5
description Guest VLAN
encapsulation dot1Q 5
ip vrf forwarding GuestVRF
ip address 10.51.112.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface GigabitEthernet0/1
description Guest Internet (Time Warner Connection)
ip vrf forwarding GuestVRF
ip address 97.77.116.234 255.255.255.252
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
ip forward-protocol nd
ip nat inside source list 5 interface GigabitEthernet0/1 vrf GuestVRF overload
ip route vrf GuestVRF 0.0.0.0 0.0.0.0 97.77.116.233
access-list 5 permit 10.51.112.0 0.0.0.255
control-plane
end
router#sh ip arp vrf GuestVRF
Protocol Address Age (min) Hardware Addr Type Interface
Internet 97.77.116.233 2 f80b.bee7.e09f ARPA GigabitEthernet0/1
Internet 97.77.116.234 - 8843.e13c.8d99 ARPA GigabitEthernet0/1
router#ping vrf GuestVRF 97.77.116.233
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 97.77.116.233, timeout is 2 seconds:
Success rate is 0 percent (0/5)
router#sh int g0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 8843.e13c.8d99 (bia 8843.e13c.8d99)
Description: Guest Internet (Time Warner Connection)
Internet address is 97.77.116.234/30
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:00:10
Input queue: 76/75/15/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 3000 bits/sec, 7 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
81 packets input, 4860 bytes, 0 no buffer
Received 81 broadcasts (0 IP multicasts)
0 runts, 0 giants, 12 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
16 packets output, 1193 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
router#sh int g0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 8843.e13c.8d99 (bia 8843.e13c.8d99)
Description: Guest Internet (Time Warner Connection)
Internet address is 97.77.116.234/30
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:00:42
Input queue: 76/75/67/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 3000 bits/sec, 7 packets/sec
30 second output rate 1000 bits/sec, 2 packets/sec
408 packets input, 24480 bytes, 0 no buffer
Received 408 broadcasts (0 IP multicasts)
0 runts, 0 giants, 61 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
72 packets output, 5669 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
I am receiving packets in and out of the interface but I cannot ping the modem through the VRF.
router#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 97.77.116.234:3169 10.51.112.39:3169 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:8534 10.51.112.39:8534 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:12244 10.51.112.39:12244 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:14002 10.51.112.39:14002 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:23623 10.51.112.39:23623 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:24489 10.51.112.39:24489 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:24550 10.51.112.39:24550 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:27458 10.51.112.39:27458 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:28603 10.51.112.39:28603 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:37404 10.51.112.39:37404 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:53942 10.51.112.39:53942 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:58125 10.51.112.39:58125 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:64797 10.51.112.39:64797 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:56925 10.51.112.52:56925 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:56925 10.51.112.52:56925 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:62342 10.51.112.52:62342 209.18.47.62:53 209.18.47.62:53
tcp 97.77.116.234:36559 10.51.112.69:36559 199.167.177.46:1227 199.167.177.46:1227
tcp 97.77.116.234:48895 10.51.112.69:48895 54.195.253.126:5223 54.195.253.126:5223
tcp 97.77.116.234:58385 10.51.112.69:58385 54.195.243.137:5223 54.195.243.137:5223
Pro Inside global Inside local Outside local Outside global
tcp 97.77.116.234:58658 10.51.112.71:58658 31.13.66.165:443 31.13.66.165:443
udp 97.77.116.234:3066 10.51.112.72:3066 209.18.47.62:53 209.18.47.62:53
udp 97.77.116.234:3884 10.51.112.72:3884 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:6656 10.51.112.72:6656 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:11194 10.51.112.72:11194 209.18.47.61:53 209.18.47.61:53
udp 97.77.116.234:11774 10.51.112.72:11774 209.18.47.62:53 209.18.47.62:53
Let me know if you need anything else. I need to figure this out and I just don't get it because the other site wasn't working a few days ago and all of a sudden it is working again but others are still not. -
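Two snapshots of show int g0/1 appear above, taken 32 seconds apart (counters cleared 00:00:10 and 00:00:42 before each). As an added example that is not part of the thread, the following reads the counters out of both snapshots, computes the deltas, and flags the conditions a reviewer would want to see side by side: the input queue sitting above its configured maximum, how many drops and throttles accrued in the interval, and whether any of the frames received were anything other than broadcasts. The snapshot strings are the poster's own output reduced to the lines the parser reads.

```python
"""Compare two 'show interface' snapshots and report the deltas (added example, not from the thread)."""
import re

# The poster's two snapshots, reduced to the lines this parser reads.
SNAPSHOT_1 = """GigabitEthernet0/1 is up, line protocol is up
  Last clearing of "show interface" counters 00:00:10
  Input queue: 76/75/15/0 (size/max/drops/flushes); Total output drops: 0
     81 packets input, 4860 bytes, 0 no buffer
     Received 81 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 12 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     16 packets output, 1193 bytes, 0 underruns
"""
SNAPSHOT_2 = """GigabitEthernet0/1 is up, line protocol is up
  Last clearing of "show interface" counters 00:00:42
  Input queue: 76/75/67/0 (size/max/drops/flushes); Total output drops: 0
     408 packets input, 24480 bytes, 0 no buffer
     Received 408 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 61 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     72 packets output, 5669 bytes, 0 underruns
"""

# counter name -> regex with one capture group
FIELDS = {
    "queue_size":   r"Input queue: (\d+)/\d+/\d+/\d+",
    "queue_max":    r"Input queue: \d+/(\d+)/\d+/\d+",
    "queue_drops":  r"Input queue: \d+/\d+/(\d+)/\d+",
    "packets_in":   r"(\d+) packets input",
    "broadcasts":   r"Received (\d+) broadcasts",
    "throttles":    r"(\d+) throttles",
    "input_errors": r"(\d+) input errors",
    "packets_out":  r"(\d+) packets output",
}


def hms_to_seconds(hms: str):
    """'00:00:42' -> 42. 'never' (counters never cleared) -> None, so callers skip the interval math."""
    if hms == "never":
        return None
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_interface(text: str) -> dict:
    """Extract the FIELDS counters, the time since the counters were cleared, and the link state."""
    parsed = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        parsed[name] = int(m.group(1)) if m else None
    m = re.search(r'Last clearing of "show interface" counters (\S+)', text)
    parsed["since_clear_s"] = hms_to_seconds(m.group(1)) if m else None
    parsed["link_up"] = "line protocol is up" in text
    return parsed


def compare(first: str, second: str) -> dict:
    """Counter deltas between two snapshots of the same interface, plus the conditions worth a second look."""
    a, b = parse_show_interface(first), parse_show_interface(second)
    delta = {k: b[k] - a[k] for k in FIELDS if a[k] is not None and b[k] is not None}
    elapsed = None
    if a["since_clear_s"] is not None and b["since_clear_s"] is not None:
        elapsed = b["since_clear_s"] - a["since_clear_s"]
    findings = []
    if b["queue_size"] is not None and b["queue_size"] >= b["queue_max"]:
        findings.append(f"input queue at or over its limit ({b['queue_size']}/{b['queue_max']}), "
                        f"{delta.get('queue_drops', 0)} new drops")
    if delta.get("packets_in") and delta["packets_in"] == delta.get("broadcasts"):
        findings.append("every frame received in the interval was a broadcast; no unicast reply arrived")
    if delta.get("throttles"):
        findings.append(f"receiver disabled {delta['throttles']} more times (buffer or CPU pressure)")
    if delta.get("input_errors"):
        findings.append(f"{delta['input_errors']} new input errors")
    return {"elapsed_s": elapsed, "delta": delta, "findings": findings}


if __name__ == "__main__":
    result = compare(SNAPSHOT_1, SNAPSHOT_2)
    print(f"{result['elapsed_s']} s apart; deltas: {result['delta']}")
    for line in result["findings"]:
        print(" -", line)
```

Run against the two snapshots above it reports 52 new input-queue drops and 49 new throttles in 32 seconds, with all 327 frames received in that interval counted as broadcasts; it describes what the counters say and leaves the cause to the people with access to both ends of the cable.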
Can't ping behind Cisco router (site-to-site VPN)
Dears;
After configuring a site-to-site VPN between a Cisco router and a Fortigate firewall,
site A: 10.0.0.0/24 behind Fortigate
site B: 10.10.10.0/24 behind Cisco router
the tunnel is up and I can ping 10.0.0.1 from site B and 10.10.10.1 from site A, but I can't ping any IP inside 10.0.0.0/24 from site B or inside 10.10.10.0/24 from site A.
My Cisco router configuration is:
Current configuration : 2947 bytes
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
no aaa new-model
memory-size iomem 10
clock timezone cairo 2 0
crypto pki token default removal timeout 0
ip source-route
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool GUEST
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
ip cef
controller VDSL 0
ip ssh version 2
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
crypto isakmp key 6 *********** address 4.x.x.x no-xauth
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
crypto map kon-map 10 ipsec-isakmp
set peer 4.x.x.x
set transform-set myset
set pfs group5
match address 105
interface Ethernet0
no ip address
no fair-queue
interface ATM0
no ip address
ip mtu 1452
ip tcp adjust-mss 1452
no atm ilmi-keepalive
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
switchport access vlan 2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Vlan2
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
crypto map kon-map
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
banner motd ^C^C
end
When pinging from the Cisco router:
konsuler#ping 10.0.0.27 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
Success rate is 0 percent (0/5)
help please
Thank you karsten
I can ping the interface of the router from the remote site but can't ping any device behind the router, and I can ping the firewall interface but can't ping any device behind the firewall.
The counters in
# sh crypto ipsec sa
increased only while pinging 10.0.0.1 or 10.10.10.1 from both sides.
r#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer1
Uptime: 00:03:12
Session status: UP-ACTIVE
Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.x.x.x
Desc: (none)
IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
Capabilities:(none) connid:2001 lifetime:22:39:59
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407 -
Remote access VPN with Cisco Router - Cannot reach the internal LAN.
Dear Sir,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job. Please see the attachment for the scenario, configuration and ping status.
I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. I need your help to solve the issue.
Below are the IP addresses of the devices.
Local PC (connected to Router-2 through the MS Loopback adapter): IP address 10.10.10.2, mask 255.255.255.0
Router-2: F0/1 IP address 10.10.10.1, mask 255.255.255.0; F0/0 IP address 20.20.20.2, mask 255.255.255.0
Router-1: F0/0 IP address 20.20.20.1, mask 255.255.255.0; F0/1 IP address 192.168.1.1, mask 255.255.255.0
PC-01: IP address 192.168.1.3, mask 255.255.255.0
I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for the ping status. So connectivity is OK from my local PC to the remote routers 1 and 2.
Through the Cisco remote VPN client, I can get connected with the VPN router R1 (please see the VPN client picture), but cannot ping the network 192.168.1.0.
Need your help to fix the problem.
Router R2 Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. I need your help to complete the job.
Please see the attachment for the scenario, configuration and ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. I need your help to solve the issue.
Waiting for your response.
--Milon -
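Both VPN threads above depend on the same ordering detail: on IOS, inside-to-outside NAT runs before the crypto map is consulted, so if the NAT list translates a packet's source address, the packet no longer matches the crypto ACL and leaves unencrypted. The site-to-site config handles this with the deny at the top of access-list 100 mirroring access-list 105; the GNS3 R1 config does the same with NAT-ACL mirroring VPN-ACL. The following is an added example, not code from either thread: it parses IOS numbered and named extended ACLs (protocol `ip` entries only, IOS wildcard masks) and checks, with first-match semantics, that the NAT list denies every flow the crypto or split-tunnel list permits. The two configs from the page pass; BROKEN is a constructed variant with the exemption removed.

```python
"""Check that a NAT ACL exempts the traffic a crypto/split-tunnel ACL selects (added example, not from the threads)."""
from dataclasses import dataclass


def ip2int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int2ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


@dataclass
class Rule:
    action: str     # "permit" or "deny"
    src: int        # network address
    src_wc: int     # IOS wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _target(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return ip2int(tokens[i + 1]), 0, i + 2
    return ip2int(tokens[i]), ip2int(tokens[i + 1]), i + 2


def _rule(action, rest) -> Rule:
    src, src_wc, i = _target(rest, 0)
    dst, dst_wc, _ = _target(rest, i)
    return Rule(action, src, src_wc, dst, dst_wc)


def parse_acls(config: str) -> dict:
    """Map ACL number/name -> [Rule] for numbered extended entries and named extended ACLs.
    Only protocol 'ip' entries are kept; standard ACLs and other protocols are ignored."""
    acls, current = {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if current and t[0].isdigit():          # optional sequence number inside a named ACL
            t = t[1:]
        if t[0] == "access-list" and len(t) >= 6 and t[3] == "ip":
            current = None
            acls.setdefault(t[1], []).append(_rule(t[2], t[4:]))
        elif t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
            acls.setdefault(current, [])
        elif current and len(t) > 2 and t[0] in ("permit", "deny") and t[1] == "ip":
            acls[current].append(_rule(t[0], t[2:]))
        elif current and t[0] == "remark":
            continue
        else:
            current = None                      # any other line ends the named-ACL block
    return acls


def _intersects(a_net, a_wc, b_net, b_wc) -> bool:
    """Ranges overlap iff they agree on every bit that neither wildcard leaves free."""
    return (a_net ^ b_net) & ~(a_wc | b_wc) & 0xFFFFFFFF == 0


def _covers(outer_net, outer_wc, inner_net, inner_wc) -> bool:
    """outer contains inner: inner frees no bit outer fixes, and they agree on outer's fixed bits."""
    return (inner_wc | outer_wc) == outer_wc and (inner_net ^ outer_net) & ~outer_wc & 0xFFFFFFFF == 0


def _fmt(r: Rule) -> str:
    return f"{r.action} ip {int2ip(r.src)} {int2ip(r.src_wc)} {int2ip(r.dst)} {int2ip(r.dst_wc)}"


def check_nat_exemption(nat_rules, crypto_rules) -> list:
    """For each crypto 'permit', find the first NAT entry that can match it (IOS first-match).
    Empty result: the NAT list skips everything the crypto list selects. Partial overlaps are reported conservatively."""
    findings = []
    for c in crypto_rules:
        if c.action != "permit":
            continue
        for n in nat_rules:
            if not (_intersects(n.src, n.src_wc, c.src, c.src_wc) and _intersects(n.dst, n.dst_wc, c.dst, c.dst_wc)):
                continue
            if n.action == "permit":
                findings.append(f"'{_fmt(c)}' would be translated by NAT entry '{_fmt(n)}' before encryption")
            elif not (_covers(n.src, n.src_wc, c.src, c.src_wc) and _covers(n.dst, n.dst_wc, c.dst, c.dst_wc)):
                findings.append(f"'{_fmt(c)}' is only partly exempted by '{_fmt(n)}'")
            break
    return findings


def audit(config: str, nat_acl: str, crypto_acl: str) -> list:
    acls = parse_acls(config)
    return check_nat_exemption(acls[nat_acl], acls[crypto_acl])


# ACL lines taken from the two router configs posted above.
SITE_TO_SITE = """access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
REMOTE_ACCESS = """ip access-list extended NAT-ACL
 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
"""
# Constructed counter-example: the NAT exemption is missing.
BROKEN = """access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

if __name__ == "__main__":
    print("site-to-site:", audit(SITE_TO_SITE, "100", "105") or "ok")
    print("remote access:", audit(REMOTE_ACCESS, "NAT-ACL", "VPN-ACL") or "ok")
    print("broken:", audit(BROKEN, "100", "105"))
```

Both posted configs come back clean, which is consistent with the posters seeing encrypted-packet counters move on the Cisco side; a clean result here only says the router is not translating away its own VPN traffic, not that the far end forwards it.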
How do I setup Airport Express to extend my CISCO router's wifi range?
Hi,
I am using CISCO EA4500 router for internet connection via wifi. I have Airport Express with me, which I want to use as extender of the wifi network. I setup the Airport Express as "Extend the wireless network", provided same base station name (CISCO), network name (JKS) and passwords.
However, I am not able to get it to work. It gives me an error saying network: unknown.
I have just 1 BHK flat, and even then the range is not enough to reach from my DR to BR. I tried using Airport Express as the base station as well. But the problem is again the range.
Help me please.
Jayesh
Can I do it the other way around? I mean set up the Airport as base station and use the Cisco to extend the wireless network?
I doubt that the Cisco router would be able to wirelessly extend the AirPort network, since Apple uses proprietary settings that are designed to work with other Apple routers.
Also, when I am trying to use just Airport, I am not able to connect multiple devices at the same time
Sorry, but I don't know whether you have the AirPort connected to the Cisco router using an Ethernet cable....or.....whether you are saying that you have the AirPort connected directly to your modem using an Ethernet cable.
If the AirPort is connected directly to your modem.....what is the make and model number of this device?
Since you know that the Cisco router is working OK when you have it connected to your modem, things would be much simpler if you connect the AirPort to the Cisco router using an Ethernet cable. Can you do this? -
Help with Remote access VPN on Cisco router 3925 via Dialer Interface
Hi Everybody,
I need help for my work now; I would appreciate it if someone can fix my problem. I have a Cisco 3925 router and access the Internet via a PPPoE link. I want to configure Remote Access VPN using the Cisco VPN client software, but it doesn't work. Here is my router config:
HUNRE#show running-config
Building configuration...
Current configuration : 5515 bytes
! No configuration change since last restart
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname HUNRE
boot-start-marker
boot-end-marker
enable secret 5 $1$vEFw$rLfvLglzUgddCVwXDx03K.
enable password cisco
aaa new-model
aaa session-id common
crypto pki trustpoint TP-self-signed-1050416327
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1050416327
revocation-check none
rsakeypair TP-self-signed-1050416327
crypto pki certificate chain TP-self-signed-1050416327
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303530 34313633 3237301E 170D3134 30393235 31313534
31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30353034
31363332 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CC79 74FCFABE 81183B70 5A9F4A53 EB609754 7D5F8587 9150B76E 3207A86E
5B65F9E9 6CDAC21A 6D69221D 1FF61632 14763308 43B2A1CC 8EE5ABAC EF07530E
3F0D35FE F08C955B 60B52B92 F8F54D53 DD6DD623 01F83493 02F9C49A F0C3483D
3B48A008 8D96700E 88924BFE DE00201B DE5965DE 32898CAD 9012AB55 76B6F39B
2D470203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14C3418C BC35F3D9 B26B2475 2BB5F826 060525AB B3301D06
03551D0E 04160414 C3418CBC 35F3D9B2 6B24752B B5F82606 0525ABB3 300D0609
2A864886 F70D0101 05050003 81810070 AC7C26C6 4606A551 1A3FD6C5 2A5AEAE8
35DAC86E F8885E26 51F6EEAE 7565D3AA D532C8F3 55F6656F D103F38C 8FBDE7F1
83E77143 76469040 7FEA41E8 14963DB3 F7F28EA0 C5F2F42C B186B75C AAB04900
15F9CB38 A16964F5 4E7B4378 35041AA8 AE8EC181 D58D6A62 676E286A 7B9D80E6
35A0B9FB FB76E976 3D2A19D7 006078
quit
ip name-server 210.245.1.253
ip name-server 210.245.1.254
ip cef
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
vpdn-group 2
license udi pid C3900-SPE100/K9 sn FOC1823839B
license boot module c3900 technology-package securityk9
username cisco privilege 15 secret 5 $1$aAjB$D3iLyPFTE7O1bHPnKSJcH0
username kdhong privilege 15 secret 5 $1$nfyX$FO1BPTabCUaE6uKQwpLT.1
redundancy
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group VPN-HUNRE
key hunre
dns 8.8.8.8
domain hunre
pool IP-VPN
acl 199
max-users 100
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
crypto dynamic-map DYNMAP 1
set transform-set encrypt-method-1
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic DYNMAP
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
interface GigabitEthernet0/1
description FPT
no ip address
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface GigabitEthernet0/2
description Connect to CMC
no ip address
ip mtu 1442
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
no cdp enable
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp pap sent-username [USERNAME] password 0 [PASSWORD]
ppp ipcp dns request
crypto map VPN
interface Dialer2
description Logical ADSL Interface 2
ip address negotiated
ip mtu 1442
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1344
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname [USERNAME]
ppp chap password 0 [PASSWORD]
ppp pap sent-username [USERNAME] password 0 [PASSWORD]
ppp ipcp address accept
no cdp enable
ip local pool IP-VPN 10.252.252.2 10.252.252.245
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source list 11 interface Dialer2 overload
ip nat inside source static 10.159.217.10 interface Dialer1
ip nat inside source list 199 interface Dialer1 overload
ip nat inside source static tcp 10.159.217.10 80 210.245.54.49 80 extendable
ip nat inside source static tcp 10.159.217.10 3389 210.245.54.49 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.159.217.0 255.255.255.0 192.168.1.8
ip sla auto discovery
ip sla responder
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
access-list 10 permit any
access-list 11 permit any
access-list 101 permit icmp any any
access-list 199 permit ip any any
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password cisco
transport input all
line vty 5 15
password cisco
transport input all
scheduler allocate 20000 1000
ntp master
end
However, I cannot ping interface Dialer 1. I am using Cisco VPN client software ver 5.0.07.0290.
Hopeful for your answers!
Thanks
Hi David Castro,
Thanks for your answer,
I configured following your guide, but it has not worked yet. I saw that I cannot ping the Internet IP gateway. I am using ADSL Internet, configured PPPoE, and my router receives an IP from the ISP. Here is show ip int brief:
GigabitEthernet0/0 192.168.1.1 YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
GigabitEthernet0/2 unassigned YES NVRAM up up
Dialer1 210.245.54.49 YES IPCP up up
Dialer2 101.99.7.73 YES IPCP up up
NVI0 192.168.1.1 YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Virtual-Access3 unassigned YES unset up up
But I cannot ping interface Dialer 1, so maybe the VPN does not work. Do you have any ideas?
Thanks very much! -
Ask the Expert: Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI
Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco UCS Troubleshooting Boot from SAN with FC and iSCSI with Vishal Mehta and Manuel Velasco.
The current industry trend is to use SAN (FC/FCoE/iSCSI) for booting operating systems instead of using local storage.
Boot from SAN offers many benefits, including:
Server without local storage can run cooler and use the extra space for other components.
Redeployment of servers caused by hardware failures becomes easier with boot from SAN servers.
SAN storage allows the administrator to use storage more efficiently.
Boot from SAN offers reliability because the user can access the boot disk through multiple paths, which protects the disk from being a single point of failure.
Cisco UCS takes away much of the complexity with its service profiles and associated boot policies to make boot from SAN deployment an easy task.
Vishal Mehta is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco Nexus 5000, Cisco UCS, Cisco Nexus 1000v, and virtualization. He has presented at Cisco Live in Orlando 2013 and will present at Cisco Live Milan 2014 (BRKCOM-3003, BRKDCT-3444, and LABDCT-2333). He holds a master’s degree from Rutgers University in electrical and computer engineering and has CCIE certification (number 37139) in routing and switching and service provider.
Manuel Velasco is a customer support engineer for Cisco’s Data Center Server Virtualization TAC team based in San Jose, California. He has been working in the TAC for the past three years with a primary focus on data center technologies such as Cisco UCS, Cisco Nexus 1000v, and virtualization. Manuel holds a master’s degree in electrical engineering from California Polytechnic State University (Cal Poly) and VMware VCP and CCNA certifications.
Remember to use the rating system to let Vishal and Manuel know if you have received an adequate response.
Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Data Center community, under subcommunity Unified Computing, shortly after the event. This event lasts through April 25, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Hello Evan
Thank you for asking this question. Most common TAC cases that we have seen on Boot-from-SAN failures are due to misconfiguration.
So our methodology is to verify configuration and troubleshoot from server to storage switches to storage array.
Before diving into troubleshooting, make sure there is clear understanding of this topology. This is very vital with any troubleshooting scenario. Know what devices you have and how they are connected, how many paths are connected, Switch/NPV mode and so on.
Always try to troubleshoot one path at a time and verify that the setup is compliant with the SW/HW interop matrix tested by Cisco.
Step 1: Check at server
a. make sure to have uniform firmware version across all components of UCS
b. Verify if VSAN is created and FC uplinks are configured correctly. VSANs/FCoE-vlan should be unique per fabric
c. Verify at service profile level for configuration of vHBAs - vHBA per Fabric should have unique VSAN number
Note down the WWPN of your vhba. This will be needed in step 2 for zoning on the SAN switch and step 3 for LUN masking on the storage array.
d. verify if Boot Policy of the service profile is configured to Boot From SAN - the Boot Order and its parameters such as Lun ID and WWN are extremely important
e. finally at UCS CLI - verify the flogi of vHBAs (for NPV mode, command is (from nxos) – show npv flogi-table)
Step 2: Check at Storage Switch
a. Verify the mode (by default UCS is in FC end-host mode, so storage switch has to be in NPIV mode; unless UCS is in FC Switch mode)
b. Verify the switch port connecting to UCS is UP as an F-Port and is configured for correct VSAN
c. Check if both the initiator (Server) and the target (Storage) are logged into the fabric switch (command for MDS/N5k - show flogi database vsan X)
d. Once confirmed that initiator and target devices are logged into the fabric, query the name server to see if they have registered themselves correctly. (command - show fcns database vsan X)
e. Most important configuration to check on Storage Switch is the zoning
Zoning is basically access control for our initiator to targets. Most common design is to configure one zone per initiator and target.
Zoning will require you to configure a zone, put that zone into your current zonset, then ACTIVATE it. (command - show zoneset active vsan X)
Step 3: Check at Storage Array
When the Storage array logs into the SAN fabric, it queries the name server to see which devices it can communicate with.
LUN masking is a crucial step on the Storage Array which gives a particular host (server) access to a specific LUN
Assuming that both the storage and initiator have FLOGI’d into the fabric and the zoning is correct (as per Step 1 & 2)
Following needs to be verified at Storage Array level
a. Are the wwpn of the initiators (vhba of the hosts) visible on the storage array?
b. If the above is yes, then is LUN masking applied?
c. What LUN number is presented to the host - this is the number that we see in Lun ID on the 'Boot Order' of Step 1
Below document has details and troubleshooting outputs:
http://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-b-series-blade-servers/115764-ucs-san-tshoot-00.html
Hope this answers your question.
Thanks,
Vishal -
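As an added illustration of Vishal's Step 2 checks (c) and (e) above, and not code from the original thread: a Python check that parses constructed sample output approximating the MDS/N5k "show flogi database vsan X" and "show zoneset active vsan X" formats and verifies that an initiator WWPN and a target WWPN are both logged into the expected VSAN and share an active zone. All WWPNs, FCIDs, interfaces and zone names are made-up sample values.

```python
import re

# Constructed sample output approximating "show flogi database vsan 100"
# on an MDS/N5k storage switch (made-up values, not real fabric data).
FLOGI_OUTPUT = """\
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME
fc1/1            100     0x010000       20:00:00:25:b5:aa:00:01 20:00:00:25:b5:aa:00:00
fc1/5            100     0x010100       50:06:01:60:3b:a0:1a:2b 50:06:01:60:bb:a0:1a:2b
Total number of flogi = 2.
"""

# Constructed sample output approximating "show zoneset active vsan 100".
# A leading "*" marks a member that is currently logged in.
ZONESET_OUTPUT = """\
zoneset name ZS_VSAN100 vsan 100
  zone name Z_BLADE1_ARRAY_SPA vsan 100
  * fcid 0x010000 [pwwn 20:00:00:25:b5:aa:00:01]
  * fcid 0x010100 [pwwn 50:06:01:60:3b:a0:1a:2b]
  zone name Z_BLADE2_ARRAY_SPA vsan 100
    pwwn 20:00:00:25:b5:aa:00:02
  * fcid 0x010100 [pwwn 50:06:01:60:3b:a0:1a:2b]
"""

WWPN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"


def parse_flogi(text):
    """Return {pwwn: (interface, vsan, fcid)} for every FLOGI table row."""
    logged_in = {}
    row = re.compile(r"^(\S+)\s+(\d+)\s+(0x[0-9a-f]{6})\s+(" + WWPN + r")\s+", re.I)
    for line in text.splitlines():
        m = row.match(line)
        if m:  # header and "Total number" lines do not match
            logged_in[m.group(4).lower()] = (m.group(1), int(m.group(2)), m.group(3).lower())
    return logged_in


def parse_active_zones(text):
    """Return {zone_name: set(pwwn members)} from the active zoneset output."""
    zones, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*zone name (\S+) vsan \d+", line)
        if m:
            current = m.group(1)
            zones[current] = set()
            continue
        m = re.search(WWPN, line, re.I)
        if m and current:
            zones[current].add(m.group(0).lower())
    return zones


def check_boot_path(initiator, target, vsan, flogi_text, zoneset_text):
    """Verify one boot path: both ends FLOGI'd into the VSAN and zoned together.

    Returns (ok, findings); findings is empty when the path checks out.
    """
    findings = []
    flogi = parse_flogi(flogi_text)
    for role, pwwn in (("initiator", initiator), ("target", target)):
        entry = flogi.get(pwwn.lower())
        if entry is None:
            findings.append(f"{role} {pwwn} has not FLOGI'd into the fabric")
        elif entry[1] != vsan:
            findings.append(f"{role} {pwwn} logged in on VSAN {entry[1]}, expected {vsan}")
    zones = parse_active_zones(zoneset_text)
    common = [z for z, members in zones.items()
              if initiator.lower() in members and target.lower() in members]
    if not common:
        findings.append(f"no active zone contains both {initiator} and {target}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_boot_path("20:00:00:25:b5:aa:00:01", "50:06:01:60:3b:a0:1a:2b",
                                   100, FLOGI_OUTPUT, ZONESET_OUTPUT)
    print("boot path OK" if ok else "\n".join(findings))
```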
Connecting to NME-IPS results in connecting to cisco router itself
Suddenly, without any clear reason, I cannot access the NME-IPS in my router.
Instead it connects to the router console.
The IP address is also pingable.
Output:
gateway#service-module IDS-Sensor 1/0 status
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 66
Service Module is in Steady state
Service Module heartbeat-reset is enabled
Getting status from the Service Module, please wait..
Cisco Systems Intrusion Prevention System Network Module
Software version: 7.0(6)E4
Model: NME-IPS
Memory: 443504 KB
Mgmt IP addr: 192.168.11.99
Mgmt web ports: 443
Mgmt TLS enabled: true
gateway#service-module IDS-Sensor 1/0 session
Trying 192.168.11.99, 2066 ... Open
C
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
User Access Verification
Username:
If IME is not connecting, is it giving you some sort of error?
Do you have ASDM launcher loaded? if so, does it also fail to connect?
When you launch IME are you prompted for a password, is that failing on the password entry or does it simply fail to connect to the device?
I have not been able to access my NME via https either, I get a Java error, but I pretty much always use Cisco IME to access my NME module so I have not chased down the Java issue. -
Problems connecting to a Open Network via Wi-fi on Cisco Router
Hi everyone, I know I'm new here but I'm in need of your help, so if you can assist please do so, as I cannot live without wi-fi and might have to go back to my Nokia again if I can't sort this out.
Vodafone finally released the iPhone on their network in Ireland today and I've picked a 3GS up straight away.
At work I have a wi-fi network with a CISCO router (I have no access to the router as only IT do and they won't change anything to satisfy me and my iPhone anyway). This network has no encryption whatsoever and it's free to join; you don't need any password or anything. My Nokia at the start couldn't connect as it said that the network needed a pre-shared key. This isn't true, and in the end it was just changing a setting to "no auth required" for it to log into the network and work perfectly.
Today I got to work and the iPhone can't connect to the network; it just says it can't join the network. I cannot find anything about authentication in the settings of the phone, nor can I work around this at all. I've had an iPod touch (the 2nd gen) for over 2 years and I gave up trying to set it up at work because I just couldn't find what was wrong with it. I ended up almost not using it other than when traveling or at the gym.
So the first question is: is there any way I can access the authentication settings for wi-fi connections on the iPhone? Maybe it's just a little change that is needed, like on the Nokia.
Has anyone experienced this problem on an open network that they cannot join?
Any other suggestions? Anything really?
Thank you very much for your time guys, I would really really appreciate your help on this.
Regards,
Rod
PS: I've also tried to install the iPhone Configuration Utility, however I don't know how to access the profiles on the phone. Can anyone help with this so I can try the profile I've created?
I don't think it is going to work because the options available in the configuration utility are basically the same as those available on the iPhone itself.
Does anyone have any suggestion on how to solve this problem??? Thanks very much.
Sun Mar 28 06:02:24 unknown Preferences[292] <Warning>: wifi handler: (null)
Sun Mar 28 06:02:27 unknown kernel[0] <Debug>: AppleBCMWLAN::setASSOCIATE() [configd]: lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_NONE, key = CIPHER_NONE, flags = 0x0
Sun Mar 28 06:02:27 unknown configd[22] <Error>: WiFi:[//////////////////>: Failed to associate with Internet: 5
Sun Mar 28 06:02:27 unknown kernel[0] <Debug>: AppleBCMWLANJoinManager::join(): No such network: "Internet"
Sun Mar 28 06:02:27 unknown Preferences[292] <Warning>: WiFiManagerAssociationCallback: err(5), err(00000005)
This is what I get on the iPhone Configuration Utility debug console. I edited out just a couple of numbers in case this is sensitive information the company wouldn't want me to share.
Message was edited by: F-22 -
Cisco router T1 gw voip Radius Radiator
All
I have a Cisco router and want to output to Radiator;
however, I found that in /cgi-bin/radacct.cgi each call record had generated 4 records...
What is the best method for me to take just one?
00000572 27 Sep 2004 16:39:21 0:00:00 3101 3200 156 80
00000572 27 Sep 2004 16:39:26 0:00:00 3101 3200 156 80
00000572 27 Sep 2004 16:39:31 0:00:00 3101 3200 156 80
00000576 27 Sep 2004 16:39:32 0:00:00 3111 3141 157 80
00000572 27 Sep 2004 16:39:36 0:00:00 3101 3200 156 80
00000576 27 Sep 2004 16:39:37 0:00:00 3111 3141 157 80
00000576 27 Sep 2004 16:39:42 0:00:00 3111 3141 157 80
00000576 27 Sep 2004 16:39:47 0:00:00 3111 3141 157 80
Thanks for the link Calvin.
I actually got it to work by just old-fashioned trial and error. It turned out to be two things:
Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">Authentication Methods.... CHAP had to be enabled.
Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">conditions..... delete the friendly name I read I needed to create. This "various RADIUS Clients was not so important to us" (will make sense if you follow link)
I mainly used this link for anyone interested:
http://www.darylhunter.me/blog/2010/06/cisco-ios-fu-7-cisco-radius-windows-server-2008-nps.html -
Please advise me on the below error;; I am using tftpd for tft
Router#copy startup-config tftp
Address or name of remote host []? 192.168.0.12
Destination filename [router-confg]?
%Error opening tftp://192.168.0.12/router-confg (Socket error)
This was the right answer.. Solved
https://learningnetwork.cisco.com/thread/56041
I'm surprised you can ping without attaching a crossover cable.
because if you're only using your console port to connect your PC...then you don't have IP connectivity
I think the cable you're using to connect your PC to your router fa port is a straight-through ethernet cable....
you see it attaches to a switch port in the back of your home router (not the Cisco router)
not a router port.
so you need a different cable depending on how you want to connect to your router.
you can check to see if it is a crossover cable
just peer down the end of the cable and you can see the colours...
if they are in the same order on each end...then it is a straight-through cable
if they have a different order...then it is a crossover cable
if you're connecting to your PC via your home router.
then yes.....you need to plug a straight-through cable into your Cisco router from your home router
and it will work
if you're connecting your PC directly to your router
then you need to use a crossover cable from the back of your PC...to your Cisco router.
and it will work -
SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)
Good morning Gentlemen, I need some advice. I am primarily a Cisco IOS chap, but have recently been delving into some JUNOS action.
I cannot find an example on the Juniper Forums/Documentation or the Cisco Forums/Documentation for my specific issue.
Firstly, I am not interested in policy-based VPNs. I do not know if it is possible to use a DHCP-assigned public address on the remote device with a "static VTI" when using IKE identities. However, as Phase 1 is up, I think the issue is more to do with the Phase 2 proposals when not explicitly defining a tunnel destination.
In the scenario I am trying to sort now, I have an SRX-100 device that gets its public address from a DHCP server.
Back at the HQ, I have a Cisco router.
The Cisco router has various VTI tunnels out to other branch devices, which are smaller Cisco routers. These VTI tunnels are working fine - note all are using static public IPs.
I have my Phase 1 up fine (from both sides' perspective) and am sending a local-identity hostname instead of defining a destination address on the tunnel on the Cisco side.
JUNIPER
Index State Initiator cookie Responder cookie Mode Remote Address
5048723 UP 41ee08a4a0fde661 517176fea0f23989 Aggressive 4.4.4.4
CISCO
IPv4 Crypto ISAKMP SA
dst src state conn-id status
4.4.4.4 1.1.1.1 QM_IDLE 1110 ACTIVE NICK-SRX-ISAKMP-PROFILE
A working VTI tunnel has an SA of (Cisco perspective):
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
I have tried sending this as the proxy-id on the Juniper to no avail.
The error is still:
*Jun 6 10:20:07.244: ISAKMP1110):atts are acceptable.
IPSec policy invalidated proposal with error 64
*Jun 6 10:20:07.244: ISAKMP1110): phase 2 SA policy not acceptable!
The IPSEC transform-Set attributes are accepted though,
transform 0, ESP_3DES
*Jun 6 10:20:07.244: ISAKMP: attributes in transform:
*Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA
*Jun 6 10:20:07.244: ISAKMP: SA life type in seconds
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel)
*Jun 6 10:20:07.244: ISAKMP1110):atts are acceptable.
So it is something to do with the SA/proxy IDs being sent.
Here is the Juniper config:
proposal IKE-SHA-AES128-DH2 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 86400;
}
policy IKE-POLICY-HQ {
    mode aggressive;
    proposals IKE-SHA-AES128-DH2;
    pre-shared-key ascii-text "secretkey";
}
gateway IKE-GATEWAY {
    ike-policy IKE-POLICY-HQ;
    address 4.4.4.4;
    local-identity hostname knuckles.net;
    external-interface fe-0/0/0.0;
}
proposal HQ-IPSEC-PROPOSAL {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
    lifetime-kilobytes 4608000;
}
policy HQ-IPSEC-POLICY {
    proposals HQ-IPSEC-PROPOSAL;
}
vpn ROUTE-BASED-VPN-TO-HQ {
    bind-interface st0.0;
    ike {
        gateway IKE-GATEWAY;
        ipsec-policy HQ-IPSEC-POLICY;
    }
    establish-tunnels immediately;
}
st0 {
    unit 0 {
        family inet {
            address 10.1.1.2/30;
        }
    }
}
CISCO SIDE:
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto keyring NICK-SRX
pre-shared-key hostname knuckles.net key secretkey
crypto isakmp profile NICK-SRX-ISAKMP-PROFILE
keyring default
keyring NICK-SRX
match identity host knuckles.net
initiate mode aggressive
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile NICK-SRX-IPSEC-PROFILE
set transform-set ESP-3DES-SHA
set isakmp-profile NICK-SRX-ISAKMP-PROFILE
interface Tunnel1
description HQ to NC-SRX
ip address 10.1.1.1 255.255.255.252
tunnel source 4.4.4.4
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
FYI - If I use the provider-given DHCP address on the Cisco tunnel config as a destination, the tunnel comes up immediately.... So I'm thinking this may be a limitation of static VTI. I have not tested the IKE identity on a remote Cisco router also using VTI yet.
e.g.
interface Tunnel1
description HQ to NC-SRX
ip address 10.1.1.1 255.255.255.252
tunnel source 4.4.4.4
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
So I guess my question is: is this possible using a static VTI?
What does this command do - does it turn on dynamic VTI (all that virtual-template business) or just tell the tunnel to expect an IKE identity?
tunnel destination dynamic
Does dynamic VTI work with different vendors, and if so, how can you control what VRF is assigned to the tunnels? In the future I will need multiple VRFs for each branch device, some using DHCP public addresses.
The VTI design guide does not mention IKE identity for branch sites without using dynamic VTI.
I would like to avoid using the whole EasyVPN / dynamic VTI, as I need to use multiple VRFs on the endpoints.
Perhaps this fellow has cracked it - is this the only way???
https://supportforums.cisco.com/document/58076/dynamic-ip-dynamic-ip-ipsec-vpn-tunnel