Configuring an IP-in-IP Tunnel

hi all,
For configuring an IP-in-IP Tunnel according to Solaris man page for "ifconfig", I can use the command,
$ifconfig ip.tun0 myaddr mydestaddr tsrc anothermyaddr tdst a_dest_addr up
Can anybody help me what all addresses i need to provide in place of mydestaddr, mydestaddr, adestaddr and a_dest_addr..?

Its nothing to do with port forwarding.
You need to change the settings on the TV to use a static IP address, not DHCP.
Using static IP addresses on your home network
I only have some info for the Samsung TV, but I may be able to find the settings page on the Panasonic, if they have an online manual.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Similar Messages

Need Configuration example for DS-LITE ( Tunneling IPv4-IPv6)+NAT44.

Hi,
I need to understand DS-LITE with configuration example. Can anyone please help me out?
Regards,
RA

Hi Rahul,
DS-Lite is only supported on the CGSE in CRS and on the ISM in the ASR9k. Here is a sample config that might help you to understand.
RP/0/RSP0/CPU0:router(config)#
interface te0/0/0/0
ipv6 add 2001:db8:ff00::1/64
interface te0/1/0/0
ipv4 add 192.168.100.1/24
interface ServiceApp61
ipv6 address 2001:db8:1::1/64
service cgn demo service-type ds-lite
interface ServiceApp41
ipv4 address 192.168.1.1 255.255.255.252
service cgn demo service-type ds-lite
service cgn demo
service-type ds-lite dslite-1
map address-pool x.y.z.0/24
aftr-tunnel-endpoint-address 2001:db8:ffff::1
address-family ipv4
interface ServiceApp42
address-family ipv6
interface ServiceApp41
router static
address-family ipv4 unicast
x.y.z.0/24 ServiceApp42
address-family ipv6 unicast
2001:db8:ffff::1/128 ServiceApp41
regards

Which object in RSVP message carried the value configured by "tunnel mpls traffic-eng bandwidth" command?

Hi Experts,
I configured a simple MPLS TE tunnel in my routers and configured it with "tunnel mpls traffic-eng bandwidth 777" command. The tunnel came up fine. I tried to capture the packets (using GNS capture) going out of tunnel head end interface but I could not find out on which message object the value '777' is carried. Can anyone please explain me exactly in which RSVP/OSPF message the bandwidth value is carried?
Thanks,
Madhu

Hello Madhu,
I think it is FLOWSPEC object, not 100% sure
The FLOWSPEC class is defined in RFC 2210. Cisco IOS Software requests Controlled-Load service when reserving a TE tunnel. The FLOWSPEC format is complex and has many things in it that RSVP for MPLS TE doesn't use.The FLOWSPEC is used in Resv messages—Resv, ResvTear, ResvErr, ResvConf, ResvTearConf. Its only use in MPLS TE is to use the average rate section of the FLOWSPEC to specify the bandwidth desired, in bytes. Not bits. Bytes. So if you configure a tunnel with tunnel mpls traffic-eng 100000 to request 100 Mbps of bandwidth, this gets signalled as 12,500,000 bytes per second (100 Mb is 100,000 Kb is 100,000,000 bits, which is 12,500,000 bytes).
Hope this helps
Regards
Mahesh

AnyConnecy VPN and Split-tunnel ACL - Strange...

Hi,
I have ACL as follows and applied on AnyConnect VPN group as split-tunel value ACL.
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq www
access-list SPLIT-ACL extended permit tcp host 192.168.200.63 172.16.1.0 255.255.255.0 eq https
When I connected with AnyConnect client, I can ping to 192.168.200.63 and also telnet to port 80. However I can not telnet to port 443. Strange thing is I do not see any hits on above ACL, morever I'm wondering how cam the ICMP is working and why it does not stop on this ACL..?
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x78e03140, priority=11, domain=permit, deny=true
        hits=113713, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=outside, output_ifc=any
When I did the packet-tracer both ICMP and http it just drop on Phase 4..as bellow, I just want to know what this ACL and where its been applied to..?
What is the correct syntax for packet-tracer command when troubleshooting AnyConnect VPN to check access inside/dmz server..?
I have used as follows:
packet-tracer input outside icmp 172.16.1.1 0 8 192.168.200.63 details
Appreciate if someone can help me out on this..
thanks

To start with it is not ideal to configure a port based split tunnel. It is not support and will give you weird results like one you are experiencing. You should use standard access-list for the split tunnel and to restrict the users to the following port use vpn filter.
As far as packet tracer is concerned for the VPN client if you use the outside interface as source it will never work the reason is the connection between the ASA and the client is of real IP address (Public) and the traffic that you are testing with is a VPN encrypted traffic your ASA's outside interface doesn't know what is 172.16.1.1, he will check it against the outside access-list and will drop it.
So in your case i would strongly recommed that use standard access-list for the split tunnel and to restrict the user to specific port use vpn filter. Following are the links to configure the same:
Allow Split Tunnel for Anyconnect:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
Configure VPN filter (Its for site to site and remote access but it works the same for Anyconnect):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
Thanks
Jeet Kumar

Need a sample configuration

Folks,
I wrote a small program to parse the configuration. I am looking for a sample configuration of a Edge Router ( preferably 7200 ) having lots of configuration data including VPN , Martini Tunnel etc. I need to test my parser.
Any help will be greatly appriciated.

And....I am looking for a sample program to parse...could you help me...

Cisco WRVS4400N v2 FW 2.0.21/Cisco 2951 IPSec Tunnels

Hi,
We have an CISCO 2951 as a central hub in an IPSec VPN community, with six WRVS4400N branch office routers connecting into it.
Setting up the VPN tunnels worked fine, except after a while the tunnels seem to disconnect all by themselves, and they will not reconnect. Browsing the Cisco WRVS4400N logs we get:
[VPN Log]: ERROR: "Taller-182": pfkey write() of SADB_X_DELFLOW message 16 for flow [email protected] failed. Errno 14: Bad address
If I restart the WRVS4400N , the VPN connects just fine. If I let it sit for a while (like an hour or so) and hit connect, it connects just fine as well. Furthermore, if I enter the configuration screen for the VPN tunnel on the WRVS4400N , and hit SAVE (make no changes) it also connects. Just over time it seems to disconnect, and will not reconnect without a restart.
Can anyone enlighten me to a source of the problem??
Jun 22 10:08:01 - [VPN Log]: "Taller-182" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3Jun 22 10:08:01 - [VPN Log]: "Taller-182" #1: STATE_MAIN_I3: sent MI3, expecting MR3Jun 22 10:08:02 - [VPN Log]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-TJun 22 10:08:02 - [VPN Log]: "Taller-182" #1: Main mode peer ID is ID_IPV4_ADDR: '190.3.108.131'Jun 22 10:08:02 - [VPN Log]: "Taller-182" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4Jun 22 10:08:02 - [VPN Log]: "Taller-182" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}Jun 22 10:08:02 - [VPN Log]: "Taller-182" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+UP {using isakmp#1}Jun 22 10:08:02 - [VPN Log]: "Taller-182" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+UP {using isakmp#1}Jun 22 10:08:02 - [VPN Log]: "Taller-182" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIMEJun 22 10:08:02 - [VPN Log]: "Taller-182" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2Jun 22 10:08:02 - [VPN Log]: "Taller-182" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8af3b4bd <0x9ebd59af xfrm=3DES_0-HMAC_SHA1 NATD=190.3.108.131:4500 DPD=none}Jun 22 10:08:02 - [VPN Log]: "Taller-182" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIMEJun 22 10:08:02 - [VPN Log]: "Taller-182" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2Jun 22 10:08:02 - [VPN Log]: "Taller-182" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1d42f1c9 <0x9ebd59b0 xfrm=3DES_0-HMAC_SHA1 NATD=190.3.108.131:4500 DPD=none}Jun 22 10:09:14 - [VPN Log]: "Taller-182" #4: initiating Main ModeJun 22 10:09:14 - [VPN Log]: "Taller-182" #4: received Vendor ID payload [RFC 3947] method set to=109Jun 22 10:09:14 - [VPN Log]: "Taller-182" #4: enabling possible NAT-traversal with method 3Jun 22 10:09:14 - [VPN Log]: "Taller-182" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2Jun 22 10:09:14 - [VPN Log]: "Taller-182" #4: STATE_MAIN_I2: sent MI2, expecting MR2Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: received Vendor ID payload [Cisco-Unity]Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: received Vendor ID payload [Dead Peer Detection]Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: ignoring unknown Vendor ID payload [25bc71307e46d7adbdc6cedd8a3dea1e]Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: received Vendor ID payload [XAUTH]Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: I did not send a certificate because I do not have one.Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: NAT-Traversal: Result using 3: i am NATedJun 22 10:09:15 - [VPN Log]: "Taller-182" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: STATE_MAIN_I3: sent MI3, expecting MR3Jun 22 10:09:15 - [VPN Log]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-TJun 22 10:09:15 - [VPN Log]: "Taller-182" #4: Main mode peer ID is ID_IPV4_ADDR: '190.3.108.131'Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4Jun 22 10:09:15 - [VPN Log]: "Taller-182" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}Jun 22 10:09:15 - [VPN Log]: "Taller-182" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+UP {using isakmp#4}Jun 22 10:09:15 - [VPN Log]: "Taller-182" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIMEJun 22 10:09:15 - [VPN Log]: "Taller-182" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2Jun 22 10:09:15 - [VPN Log]: "Taller-182" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x740585e6 <0x9ebd59b1 xfrm=3DES_0-HMAC_SHA1 NATD=190.3.108.131:4500 DPD=none}Jun 22 10:13:58 - [VPN Log]: shutting downJun 22 10:13:58 - [VPN Log]: forgetting secretsJun 22 10:13:58 - [VPN Log]: "Taller-182": deleting connectionJun 22 10:13:58 - [VPN Log]: "Taller-182" #5: deleting state (STATE_QUICK_I2)Jun 22 10:13:58 - [VPN Log]: ERROR: "Taller-182" #5: pfkey write() of SADB_X_ADDFLOW message 29 for flow %trap failed. Errno 14: Bad addressJun 22 10:13:58 - [VPN Log]: | 02 0e 00 0b 17 00 00 00 1d 00 00 00 03 0a 00 00Jun 22 10:13:58 - [VPN Log]: | 03 00 01 00 00 00 01 04 00 00 00 00 02 00 00 00Jun 22 10:13:58 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00Jun 22 10:13:58 - [VPN Log]: | 02 00 00 00 c0 a8 01 22 00 00 00 00 00 00 00 00Jun 22 10:13:58 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 00 00 00 00Jun 22 10:13:58 - [VPN Log]: | 00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00Jun 22 10:13:58 - [VPN Log]: | 02 00 00 00 c0 a8 b6 00 00 00 00 00 84 0b 00 40Jun 22 10:13:58 - [VPN Log]: | 03 00 16 00 00 00 00 00 02 00 00 00 c0 a8 fe 00Jun 22 10:13:58 - [VPN Log]: | b0 25 01 00 22 00 00 00 03 00 17 00 00 00 00 00Jun 22 10:13:58 - [VPN Log]: | 02 00 00 00 ff ff ff 00 3a 20 64 65 6c 65 74 69Jun 22 10:13:58 - [VPN Log]: | 03 00 18 00 00 00 00 00 02 00 00 00 ff ff ff 00Jun 22 10:13:58 - [VPN Log]: | 54 45 5f 51 00 00 00 00Jun 22 10:13:58 - [VPN Log]: | 02 04 00 03 0b 00 00 00 1e 00 00 00 03 0a 00 00Jun 22 10:13:58 - [VPN Log]: | 03 00 01 00 74 05 85 e6 00 01 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 c0 a8 01 22 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 be 03 6c 83Jun 22 10:13:59 - [VPN Log]: | 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 04 00 03 0b 00 00 00 1f 00 00 00 03 0a 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 01 00 9e bd 59 b1 00 01 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 be 03 6c 83 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 c0 a8 01 22Jun 22 10:13:59 - [VPN Log]: | 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: "Taller-182" #3: deleting state (STATE_QUICK_I2)Jun 22 10:13:59 - [VPN Log]: | 02 04 00 03 0b 00 00 00 20 00 00 00 03 0a 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 01 00 1d 42 f1 c9 00 01 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 c0 a8 01 22 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 be 03 6c 83Jun 22 10:13:59 - [VPN Log]: | 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 04 00 03 0b 00 00 00 21 00 00 00 03 0a 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 01 00 9e bd 59 b0 00 01 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 be 03 6c 83 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 c0 a8 01 22Jun 22 10:13:59 - [VPN Log]: | 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: "Taller-182" #2: deleting state (STATE_QUICK_I2)Jun 22 10:13:59 - [VPN Log]: | 02 04 00 03 0b 00 00 00 22 00 00 00 03 0a 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 01 00 8a f3 b4 bd 00 01 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 c0 a8 01 22 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 be 03 6c 83Jun 22 10:13:59 - [VPN Log]: | 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 04 00 03 0b 00 00 00 23 00 00 00 03 0a 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 01 00 9e bd 59 af 00 01 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | ff ff ff ff 00 00 00 00 03 00 05 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 be 03 6c 83 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 06 00 00 00 00 00 02 00 00 00 c0 a8 01 22Jun 22 10:13:59 - [VPN Log]: | 00 00 00 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: "Taller-182" #4: deleting state (STATE_MAIN_I4)Jun 22 10:13:59 - [VPN Log]: "Taller-182" #1: deleting state (STATE_MAIN_I4)Jun 22 10:13:59 - [VPN Log]: ERROR: "Taller-182": pfkey write() of SADB_X_DELFLOW message 36 for flow [email protected] failed. Errno 14: Bad addressJun 22 10:13:59 - [VPN Log]: | 02 0f 00 0b 0e 00 00 00 24 00 00 00 03 0a 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 15 00 00 00 00 00 02 00 00 00 c0 a8 b6 00Jun 22 10:13:59 - [VPN Log]: | 00 00 00 00 84 0b 00 40 03 00 16 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 c0 a8 fe 00 b0 25 01 00 22 00 00 00Jun 22 10:13:59 - [VPN Log]: | 03 00 17 00 00 00 00 00 02 00 00 00 ff ff ff 00Jun 22 10:13:59 - [VPN Log]: | a8 eb ff bf 00 00 00 00 03 00 18 00 00 00 00 00Jun 22 10:13:59 - [VPN Log]: | 02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00

Hello Thomas,
In my case, it was pfSense Linux firewall connected to the WRVS4400N...
We changed the ISP modem during the troubleshooting and as a result, the tunnel was always up at both sides. In both modems (the original modem and the new one) we used PPPoE (bridge mode) so there was no reason to have a problem with the first one...
Unfortunately, with the new modem we got another problem:
- If I try to connect from the pfSense network to the WRVS4400N network I have access all the time
- If I try to connect from the WRVS4400N network to the pfSense network I am getting "Request timed out". If I do PING x.x.x.x -t for a minute I am getting a reply and the connection works fine. As soon as I stop using the tunnel for more then 5 minutes, the WRVS4400N shows that the tunnel is up but the ping shows again "Request timed out".
As a final solution, we replaced the WRVS4400N with RV-042 and now it works fine at both sides all the time...
So... Sorry but I am done with the WRVS4400N. Do not have time for it.

DirectAccess Connectivity Assistant DTE Tunnel Settings

I am trying to setup the DirectAccess Connectivity Assistant per the Solution Accelerator "Deploying, Managing, and Using the Microsoft DirectAccess Connectivity Assistant".
Does anyone know where to find the DTE Tunnel IPv6 Addresses?
DTE
Type: A collection of IPv6 addresses that each identify a DirectAccess server.
Default: None
Description: Specifies the dynamic tunnel endpoints (DTEs) of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources that are specified in the CorporateResources setting. By default, the DCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two DTEs, one for the infrastructure tunnel, and one for the user tunnel. You should configure one DTE for each tunnel. Each entry consists of the text PING: followed by the IPv6 address, for example: PING:2001:3039::0001.
Important
If your DirectAccess configuration uses the Full Intranet Access or Selected Server Access models, where IPsec tunnel mode is used to connect to the DirectAccess infrastructure servers, and a separate IPsec transport mode tunnel is used to access shared resources that are required by the user, configuring one or more servers in the DTE setting is required.

Thanks for the info Jason....
Here is a sterilized output just for documentation purposes, using the
netsh advfirewall monitor show mmsa command.
DTE's are in bold below.
Main Mode SA at 03/01/2010 14:19:58
Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
Remote IP Address:                    2002:1122:3355::1122:3355
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          1cbfa87cf25f4e0e:1e9f969cc6590d6a
Health Cert:                          No
Main Mode SA at 03/01/2010 14:19:58
Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
Remote IP Address:                    2002:1122:3355::1122:3355
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          6fe5434eaf1664d3:73a42501b324bd02
Health Cert:                          No
Main Mode SA at 03/01/2010 14:19:58
Local IP Address:                     2001:0:d893:b568:3c8b:3fb8:e78b:2ee
Remote IP Address:                    2002:1122:3355::1122:3355
Auth1:                                ComputerCert
Auth2:                                UserNTLM
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          c667efb69e1f79ae:18399b196e8f9c9f
Health Cert:                          No
Main Mode SA at 03/01/2010 14:19:58
Local IP Address:                     2002:1122:3344:1:8828:3653:7eed:552
Remote IP Address:                    2002:1122:3377::1122:3377
Auth2 Local ID:                       DOMAIN\user1
Auth2 Remote ID:                      host/UAG1.domain.com
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
Cookie Pair:                          0238a259333a0970:a9d2ed78a4a546d0
Health Cert:                          No
Ok.

Metro ethernet configuration

Months agao I had a 10MB metro ethernet link installed between two of my locations within 3 miles of each other. The link is fiber with a conversion module to copper, 10MB ethernet.
I have the link on one end coming into a fastether port on a cisco 2620 router and the other end on a fastether cisco 3745.
My routing the man like a frame link, each location is on a seperate subnet.
I have not configured either end for IPsec, tunnel, etc.
I have had the line checked by the ISP, but constantly received interface resets,output errors and excessive collisons.
I feel I'm missing something from the configuration.
I have verified my equipment is fine, both fastethers have been changed so my equipment is good.
Any suggestions would be appreciated.

It is related to send a busty traffic to you Ethernet interface and check the duplex and speed for both ends (It should be match).Check any viruses updated from the local Computers. Normally collision will happen when an Ethernet or transceiver cable is too long or when there are more than two repeaters between stations. So if the error is more then automatically the interface is resets. I hope the below link provide you more information.
http://www.cisco.com/en/US/products/hw/voiceapp/ps967/products_administration_guide_chapter09186a0080194668.html
http://www.cisco.com/en/US/products/hw/optical/ps2006/products_installation_and_configuration_guide_chapter09186a00800a9f95.html

IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

>>both routers are located in different countries and connected with ISP
>>IPsec over GRE tunnel is configured on both the routers
>>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
>>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
>>ISP is not finding any issue with their end
>>Please guide me how i can fix this issue and what need to be check on this ????
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================

Hello.
First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
Please provide full output "show crypto ipsec sa"
from both sides.

Dot1q tunnel

Hi guys.
I'm trying to setup a dot1q tunnel on a 3560X, but the option does not seem available.
SW02#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW02(config)#int gig 0/1
SW02(config-if)#sw mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
SW02(config-if)#sw mode
I'm sure I have seen this command visible previously so it could be configuration or VTP related, but obviously am now doubting myself.
For reference the IOS version is;
c3560e-universalk9-mz.122-55.SE5/c3560e-universalk9-mz.122-55.SE5.bin
Its not an advipservices feature is it?
Thanks for your help.
Mike

Hi Mike,
according to the Configuration Guide, 802.1Q protocol tunneling is not supported on switches running the LAN base feature set.
Do you have at least an IP Base license activated (show license detail)?
Cisco Catalyst 3560-X Series Switches - Cisco IOS Software Packaging and Licensing White Paper
HTH
Rolf

MPLE TE Configuration

Hi All
Can someone assist me in the configuration, with the configuration of Two MPLS TE tunnels. This is how the network should work.
Some details of the topology can be found below.
PE - 1 loopback = 204.134.83.3
P1 = loopback = 204.134.85.2
P2 = loopback = 204.134.83.15
P3 = loopback = 204.134.84.49
PE2 = loopback = 204.134.83.11
Now what i need to do is configure two MPLE TE tunnels the primary tunnel should transport traffic Path 1 = PE-1, P1, P2, PE-2
The second Tunnel should transport traffic via Path 2 PE-1,P1,P3,P2, PE2.
Path will always act as the primary, path two will be the secondary, I want Tunnel 2 two also act as a backup if the link between P1 and P2 were to ever go down. Would be nice to have a FRR for tunnel two.
Help With this would be much appreciated. Please find topology attached. Please find current configurations attached, please ignore the GRE IPSEC tunnels in the configurations these were put in place because i wanted to encrypt traffic between all the nodes in the provider network.
For now all i need is assistance in building two tunnels between the provider routers. Topology attached.
PE-1 = Headend
PE-2 = Tail end router.
Thanks regards
Carl Williams

Hi
In below link you can see the sample config of MPLS TE & The MPLS TE concept.
http://fengnet.com/book/MPLS%20Configuration%20on%20Cisco%20IOS%20Software/ch09lev1sec4.html
Here is the below config that you can refer :-
interface Tunnel0
ip unnumbered Loopback0
tunnel destination x.x.x.x
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 1 1
tunnel mpls traffic-eng path-option 1 dynamic ------ Here it will use CSPF Protocol to find path Dyanamic.
tunnel MPLS traffic-eng bandwidth 100
interface Tunnel1
ip unnumbered Loopback0
tunnel destination x.x.x.x
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 2 2
tunnel mpls traffic-eng path-option 1 explicit name LSP1 ------ Here You can mention the path that you want.
tunnel MPLS traffic-end bandwidth 100
ip explicit-path name LSP1 enable
next-address x.x.x.x -- 1st Router Hops
next-address x.x.x.x -- 2nd Router Hops
next-address x.x.x.x -- 3rd Router Hops

Configuring LSP

Hi All,
I need to know the set of commands which are needed to create new LSP in Cisco Router.
I tried searching other docs available on Cisco Support forums, and came across the below set of commands, please help me know if these are correct and sufficient .
Also please guide me to know commands needed to create Explicit Path LSP.
switch# configure terminal
switch(config)#
switch(config)# feature mpls traffic-engineering
switch# configure terminal
switch(config)#
switch(config)# feature isis
switch(config)# router isis 200
switch(config-router)#
switch(config-router)# mpls traffic-eng level-1
switch(config-router)# mpls traffic-eng router-id loopback0
switch# configure terminal
switch(config)#
switch(config)# feature ospf
switch(config)# router ospf 200
switch(config-router)#
switch(config-router)# mpls traffic-eng area 1
switch(config-router)# mpls traffic-eng router-id loopback0
switch# configure terminal
switch(config)#
switch(config)# interface ethernet 2/1
switch(config-if)#
switch(config-if)# mpls traffic-eng tunnels
switch(config-if)# mpls traffic-eng bandwidth 1000
switch(config-if)# no shut
switch# configure terminal
switch(config)#
switch(config)# interface tunnel-te 1
switch(config-if-te)#
switch(config-if-te)# ip unnumbered loopback 0
switch(config-if-te)# destination 10.3.3.3
switch(config-if-te)# path-option 10 explicit name Link5
switch(config-if-te)# no shutdown
switch# configure terminal
switch(config)#
switch(config)# mpls traffic-eng configuration
switch(config-te)#
switch(config-te)# explicit-path name Link5
switch(config-te-expl-path)# index 10 next-address 10.3.3.3

Hello Ayush,
To form the LSP using MPLS Traffic Engineering, folowing is the checklist:
++ CEF should be enabled on all the routers
config t
ip cef
++ Loopback should be configured on the routers (which will also be used as router-id)
++ End to end loopback reachability should be fine via ISIS or ospf
++ "mpls traffic-eng tunnel" should be configured globally
++ "mpls traffic-eng tunnel" and "ip rsvp bandwidth" should be configured under all the core interfaces. By default rsvp reserves 75% bandwidth
++ mpls traffic-engineering should be configured under the ospf or isis process (as seen in the output of your question)
switch(config)# router ospf 200
switch(config-router)#
switch(config-router)# mpls traffic-eng area x
switch(config-router)# mpls traffic-eng router-id loopback0
++ Configure the explicit path on 2 end points
Suppose you have 3 routers:
A---------B---------C
so the config on A will be:
ip explicit-path name ABC
next-address
next-address
next-address
Similarly, configure the explicit path on C in reverse direction.
++ Finally, configure the tunnel on 2 end points.
config t
int tunnel x
ip unnumbered loop0
tunnel mode mpls traffic-eng
tunnel destination x.x.x.x >> This is the loopback IP of remote end
tunnel mpls traffic-eng path-option 1 explicit name abc
After this, it is upto you if you want to send the traffic on this tunnel via this options:
1. static
2. PBR
3. Autoroute Announce
4. Forwarding Adjacency
5. Load Sharing
6. Automatic Bandwidth Adjustment
Seems like the command line you used above is for Nexus (NX-OS). I have explained it for IOS.
Hope This Helps!!
Regards,
Imran

Re-optimization Time for Tunnel-TE in IOS XR 4.3.2

We have configured the Tunnel-TE with explicit path options 1 & 2. When we generate a failure scenario in primary path, the traffic switches over to secondary immediately but on the failure restoration, the primary tunnel does not preempt. On further investigation, we found that default reoptimization time for TE Tunnel is 60 mins which is vey high for us.
The tunnel configuration is as below.
interface tunnel-te1
description "LOCA-LOCB"
ipv4 unnumbered Loopback10
autoroute announce
destination 10.220.7.3
path-option 1 explicit name PATH_Pri
path-option 2 explicit name PATH_Sec
explicit-path name PATH_Pri
index 10 next-address strict ipv4 unicast 10.220.37.82
explicit-path name PATH_Sec
index 10 next-address strict ipv4 unicast 10.220.37.6
index 20 next-address strict ipv4 unicast 10.220.37.86
index 30 next-address strict ipv4 unicast 10.220.37.9
While exploring through internet, I came across a forum which mentions 3 options for reoptimization but it is for IOS. The wording goes like...
Reoptimization causes a tunnel to be rerouted in the network onto the more optimal path.
Three triggers can cause reoptimization of the TE tunnel so that it can be rerouted to the better path.
Periodic reoptimization - By default, the reoptimization of a TE tunnel occurs with a frequency of one hour
mpls traffic-eng reoptimize timers frequency interval changes the periodic reoptimization of a tunnel.
Event-driven reoptimization - mpls traffic-eng reoptimize events link-up enables the reoptimization when a link becomes operational for MPLS TE By default, Cisco IOS does not trigger reoptimization when a link in the network is available to TE again, either by configuration or because its state becomes operational.
Manual reoptimization - mpls traffic-eng reoptimize forces the immediate reoptimization of all the TE tunnels on the head end router.
I would like to know that
1. Is there any specific requirement behind keeping the default (periodic) reoptimization timer to 60 mins?
2. I could not find the options for configuring 'Event Driven reoptimization' in IOS XR. How to get it?
3. What are best practice reoptimization timer to be used in the network?
P.S: We are running IOS-XR 4.3.2 on ASR 9000.
Regards,
Himanshu Bansal

Himanshu,
The same commands are similar for IOS-XR. Here is the command references:
http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.3/mpls/command/reference/b_mpls_cr43crs_chapter_011.html#wp3673803944
Command Default
after-frr delay: 0
cleanup delay: 20
delay-time: 20
installation delay: 20
path-protection: 180
Thanks,
Bryan

GRE IPSEC tunnel between 2 cisco routers

Hello all,
I have configure a GRE tunnel between 2 sites on cisco router,although the GRE tunnel works fine.
once i have configure the IPSEC ...tunnel, the same is not stable .it goes down after sometime & keeps going into MM_State
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                             src             state                          conn-id status
x.x.x.x. x.x.x.x.x    MM_NO_STATE          0 ACTIVE
although the GRE tunnel works fine
Regards
Tejas

Hi David,
it is quite strange but when i started this discussion my issue was that show crypto isakmp sa shows state as "MM_NO_STATE" but now the problem is different
now today morning, i followed some steps
step 1. configure simple GRE tunnel between my 2 locations , able to ping other end tunnel IP with source tunnel IP all works fine .
step 2. started conditional debug for peer along with crypto isakmp & cryptp ipsec debug on both locations.
step 3 implement the IPSEC config on both the router, i have attach the same in a separate file
Now the problem is IPSEC negotiation has been successful see output below but my tunnel is down
SITE A
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
114.143.78.X 14.102.64.X    QM_IDLE           1015 ACTIVE
SITE B
#sh crypto isakmp sa | include 14.102.64.X
14.102.64.X    114.143.78.X QM_IDLE          15532 ACTIVE
Now i am not sure why my tunnel is down ???
Please check the attach notepad
Regards
Tejas

EIGRP Tunnel and neighbor flapping

Hi,
     First I would like to note that I sanitized the IP addresses in these logs. I am by far no expert on VPNs, but I am trying to pinpoint a solution for a far reaching problem we are having. We have a DMVPN setup that has two destinations from the client end. The client is using a Cisco 871 with
c870-advipservicesk9-mz.124-15.T9 Ios image. I should note that we only have access to the client end, so we are unable to make any changes to the other side. At some sites, everything works perfect and there are never any drops. At other sites we get neighbor and tunnel drops that can go on for hours in a cycle, a few minutes apart. Below are logs from one of the sites, showing the type of events that we are seeing.
510505: Dec 24 11:30:50.269 EST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 175: Neighbor 10.109.147.1 (Tunnel2) is up: new adjacency
510506: Dec 24 11:31:42.284 EST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=15.28.146.234, prot=50, spi=0x608EF276(1619980918), srcaddr=112.72.37.119
510507: Dec 24 11:32:05.446 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to down
510508: Dec 24 11:32:05.446 EST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 175: Neighbor 10.109.147.1
(Tunnel2) is down: interface down
510509: Dec 24 11:33:20.449 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
510510: Dec 24 11:33:20.461 EST: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 175: Neighbor 10.109.147.1
(Tunnel2) is up: new adjacency
Sometimes this will be one tunnel with this issue, and sometimes it is both tunnels. The tunnel is mostly for redundancy, but there are some functions unique to each tunnel. We also get the
510506: Dec 24 11:31:42.284 EST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=15.28.146.234, prot=50, spi=0x608EF276(1619980918), srcaddr=112.72.37.119
message which I would assume is a packet from the previous tunnel coming through. and being rejected because it does not match the new keys. I have looked into the keep alive times and adjusted them both down and up, but the trouble continued. What can cause this kind of flapping? Is there anything that can be done from just the client end to correct this issue? Any help would be greatly appreciated. Below you can see the configuration we have on the tunnel. If you have any questions, please let me know.
Router#sh int tun2
Tunnel2 is up, line protocol is up
Hardware is Tunnel
Description: Tunnel to Destination2
Internet address is 10.129.167.4/17
MTU 1514 bytes, BW 192 Kbit/sec, DLY 7500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (15 sec), retries 3
Tunnel source 10.124.8.6 (Loopback1), destination 219.224.19.22
Tunnel protocol/transport GRE/IP
    Key 0x68A92, sequencing disabled
    Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:00:01, output 00:00:07, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1588
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     7388052 packets input, 1813050207 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7655854 packets output, 3329592353 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
*Note that we do not always see output drops

GRE keepalives are not supported with IPsec when tunnel protection is being used.
If this is DMVPN it's phase 1, invalid SPI recovery COULD be triggered by keepalives brining the tunnel down.
Also that's pretty old software - 12.4(15)T has had a few revisions since 9.

Configuring an IP-in-IP Tunnel

Similar Messages

Maybe you are looking for