Ezvpn not so ez

We are evaluating an asa5520 and are attempting to build a site to site 3des ipsec vpn with an 851. We followed the examples in a cisco how to, but can't get the tunnel up. Show crypto isakmp sa shows the router is in AG_INIT_EXCH state, and debugs show the following error "Encryption algorithm offered does not match policy!" Attempts to auth on the router with the "crypto ipsec client ezvpn xauth" command says there are no xauth requests pending.
To me it looks like the problem is on the asa side but isakmp policy hash is set to md5, as is the 851 router.
Stumped atm...
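The debug message quoted above names the encryption algorithm, while the setting that was compared is the hash; an IKE phase 1 proposal is accepted only when encryption, hash, authentication method and DH group all agree. The following is an added example, not code from the original post or from Cisco: it parses `crypto isakmp policy` blocks from two configurations and lists the differing attributes per policy pair. Both sample configurations are constructed, and the defaults applied to omitted attributes are an assumption.

```python
import re

# Values assumed for attributes a policy block omits (classic IOS defaults).
# This is an assumption of the example: confirm them for your platform/release.
DEFAULTS = {"encryption": "des", "hash": "sha",
            "authentication": "rsa-sig", "group": "1"}
# IOS abbreviates "encryption" to "encr"; ASA spells it out.
ALIASES = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
           "authentication": "authentication", "group": "group"}
POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")

# Constructed sample: router side.
ROUTER_CFG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group EXAMPLE
 key example-key
"""

# Constructed sample: ASA side. Policy 20 omits "hash", so the default applies.
ASA_CFG = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 group 2
"""


def parse_policies(config_text):
    """Return {priority: {attribute: value}} for every ISAKMP policy block."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = POLICY_RE.match(line)
        if header:
            current = dict(DEFAULTS)          # start from the assumed defaults
            policies[int(header.group(1))] = current
            continue
        if current is None:
            continue                          # not inside a policy block
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ALIASES:
            current[ALIASES[parts[0]]] = " ".join(parts[1:])
        elif parts and parts[0] != "lifetime":
            current = None                    # another command ends the block
    return policies


def compare(local, remote):
    """List, for each local/remote policy pair, the attributes that differ."""
    report = []
    for lprio, lattrs in sorted(local.items()):
        for rprio, rattrs in sorted(remote.items()):
            diff = sorted(k for k in DEFAULTS if lattrs[k] != rattrs[k])
            report.append((lprio, rprio, diff))
    return report


def matching_pairs(report):
    """Policy pairs that agree on all four attributes."""
    return [(lprio, rprio) for lprio, rprio, diff in report if not diff]


if __name__ == "__main__":
    result = compare(parse_policies(ROUTER_CFG), parse_policies(ASA_CFG))
    for lprio, rprio, diff in result:
        status = "match" if not diff else "differs in " + ", ".join(diff)
        print(f"router policy {lprio} vs ASA policy {rprio}: {status}")
    print("usable pairs:", matching_pairs(result) or "none")
```

In the constructed data the hash agrees with ASA policy 10 but the encryption does not, and ASA policy 20 agrees on encryption but falls back to a different hash, so no pair is usable.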

• Voice mail now remembers if you're listening through a bluetooth headset. Before you had to keep switching back from the internal speaker.
Is there any way to turn this feature off? Here is my problem. I use my iphone with bluetooth hands free in my car, but I cannot listen to the iphone voice mail through the car's hands free. Thus, I want to listen to the messages through the phone. Trouble is .. the phone keeps defaulting to the hands free setting. Is there some way to change the default?
Thanks

Similar Messages

  • Does ASA ezVPN support reactive primary vpn server feature

    Hi,
    I am going to configure an asa5505 as the ezvpn client, and configure primary and secondary vpn servers in the list.
    I found a feature that is supported by IOS router ezvpn, but I am not sure whether it will be supported on ASA ezVPN.
    Question: will the ezvpn fall back to the primary vpn server, if the primary is back online, on ASA?
    Reactivate Primary Peer
    The Reactivate Primary Peer feature allows a default primary peer to be defined. The default primary peer (a server) is one that is considered better than other peers for reasons such as lower cost, shorter distance, or more bandwidth. With this feature configured, if Easy VPN fails over during Phase 1 SA negotiations from the primary peer to the next peer in its backup list, and if the primary peer is again available, the connections with the backup peer are torn down and the connection is again made with the primary peer.

    No, the Primary peer won't be tried again until the phase 1 tunnel is torn down and reactivated. Re-keys do not count. Hope this helps.

  • EZVPN public internet split tunnel with dialer interface

    I have a job on where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network as the external server will only accept connections from the corporate public IP address.
    So I have not only included the corporate C class in the interesting traffic but also the IP address of the external server.  
    So all good so far, traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
    Now comes the problem, I am trying to send the public IP traffic for the external server out of the corporate network into the public internet but it just drops and does not get back out the same interface into the internet.
    I checked out this procedure and it did not help as the route map counters do not increase with my attempt to reach the external router.
    http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html 
    And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site.  I also have a home server on the network that is reached, so I can definitely reach into the network at home, which is the test for the corporate network I am trying to reach.
    It's a Cisco 870 router and here is the config:
    Router#sh run
    Building configuration...
    Current configuration : 4617 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    enable secret 5 *************************
    enable password *************************
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local 
    aaa authorization network ciscocp_vpn_group_ml_1 local 
    aaa session-id common
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.1.1
    ip dhcp excluded-address 192.168.1.2
    ip dhcp excluded-address 192.168.1.3
    ip dhcp excluded-address 192.168.1.4
    ip dhcp excluded-address 192.168.1.5
    ip dhcp excluded-address 192.168.1.6
    ip dhcp excluded-address 192.168.1.7
    ip dhcp excluded-address 192.168.1.8
    ip dhcp excluded-address 192.168.1.9
    ip dhcp excluded-address 192.168.1.111
    ip dhcp pool myDhcp
       network 192.168.1.0 255.255.255.0
       dns-server 139.130.4.4 
       default-router 192.168.1.1 
    ip cef
    ip inspect name myfw http
    ip inspect name myfw https
    ip inspect name myfw pop3
    ip inspect name myfw esmtp
    ip inspect name myfw imap
    ip inspect name myfw ssh
    ip inspect name myfw dns
    ip inspect name myfw ftp
    ip inspect name myfw icmp
    ip inspect name myfw h323
    ip inspect name myfw udp
    ip inspect name myfw realaudio
    ip inspect name myfw tftp
    ip inspect name myfw vdolive
    ip inspect name myfw streamworks
    ip inspect name myfw rcmd
    ip inspect name myfw isakmp
    ip inspect name myfw tcp
    ip name-server 139.130.4.4
    username ************************* privilege 15 password 0 *************************
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group HomeFull
     key *************************
     dns 8.8.8.8 8.8.8.4
     pool SDM_POOL_1
     include-local-lan
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group HomeFull
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 3
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec profile CiscoCP_Profile1
     set security-association idle-time 1740
     set transform-set ESP-3DES-SHA 
     set isakmp-profile ciscocp-ike-profile-1
    crypto ctcp port 10000 
    archive
     log config
      hidekeys
    interface Loopback10
     ip address 10.0.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     description TimsInternet
     ip flow ingress
     ip policy route-map VPN-Client
     pvc 8/35 
      encapsulation aal5mux ppp dialer
      dialer pool-member 3
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Virtual-Template3 type tunnel
     ip unnumbered Dialer3
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip inspect myfw in
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     ip tcp adjust-mss 1372
     no ip mroute-cache
     hold-queue 100 out
    interface Dialer0
     no ip address
    interface Dialer3
     ip address negotiated
     ip access-group blockall in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression
     ip policy route-map VPN-Client
     no ip mroute-cache
     dialer pool 3
     dialer-group 1
     no cdp enable
     ppp chap hostname *************************@direct.telstra.net
     ppp chap password 0 *************************
    ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer3
    ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source list 101 interface Dialer3 overload
    ip access-list extended VPN-OUT
     permit ip 10.0.0.0 0.0.0.255 any
    ip access-list extended blockall
     remark CCP_ACL Category=17
     permit udp any any eq non500-isakmp
     permit udp any any eq isakmp
     permit esp any any
     permit ahp any any
     permit tcp any any eq 10000
     deny   ip any any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    route-map VPN-Client permit 10
     match ip address VPN-OUT
     set ip next-hop 10.0.0.2
    control-plane
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password cisco
    scheduler max-task-time 5000
    end
    Router#exit
    Connection closed by foreign host.

    Thanks for the response.
    Not sure how that would help as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client.  The policy route map makes the L10 the next hop and it has NAT.

  • All the subnets are not reachable over the VPN

    Hi all,
    We have an EZVPN connection to one of our branch offices. Connectivity diagram is attached with this discussion.
    HO LAN (10.1.0.0/16 & 192.6.14.0/24) --------- ASA5520-------- Internet ---------- Cisco2911-------- LAN of remote location (10.2.0.0/16)
    We are using the 10.2.0.0/26 subnet at the remote office and the 10.1.0.0/16 & 192.6.14.0/24 subnets at HO. From HO, through 10.1.0.0/16 & 192.6.14.0/24, all the devices are reachable except the firewall which is connected to the GigabitEthernet0/2 interface of the cisco2911 router (on which the VPN is created).
    It's a fortigate firewall and it is reachable locally from the network 10.2.0.0/16. I believe it's an issue with phase2 ACLs but I wasn't able to resolve the issue.
    I'm not able to access the GUI / CLI interfaces of the fortigate firewall; I'm not even able to ping the IP of the GigabitEthernet0/2 interface of the cisco2911.
    Kindly advise on the same.
    Below is the configuration of the ASA5520 at HO and the cisco2911 router at the branch office:
    ASA5520:-
    access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list splittunnelacl_JNC_AUH extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list splittunnelacl_JNC_AUH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list Outside_cryptomap_65534.191 extended permit ip object-group DM_INLINE_NETWORK_103 10.2.0.0 255.255.0.0
    jashanmalasa/sec/act# sho run obj
    jashanmalasa/sec/act# sho run object-group | b DM_INLINE_NETWORK_103
    object-group network DM_INLINE_NETWORK_103
     network-object 10.1.0.0 255.255.0.0
     network-object 192.6.14.0 255.255.255.0
    group-policy AUHNEW internal
    group-policy AUHNEW attributes
     dns-server value 192.6.14.189 192.6.14.182
     vpn-access-hours none
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec
     ip-comp disable
     re-xauth disable
     pfs enable
     ipsec-udp disable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value
     default-domain value xxxxxx
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout none
     ip-phone-bypass disable
     leap-bypass disable
     nem enable
    tunnel-group AUHNEW type remote-access
    tunnel-group AUHNEW general-attributes
     authorization-server-group LOCAL
     default-group-policy AUHNEW
    tunnel-group AUHNEW ipsec-attributes
     pre-shared-key *****
     peer-id-validate nocheck
     isakmp ikev1-user-authentication none
    Cisco2911:-
    Current configuration : 10258 bytes
    ! Last configuration change at 19:06:18 AST Thu May 8 2014 by admin
    ! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
    ! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
    version 15.1
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname AUHOffice_RTR
    boot-start-marker
    boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
    boot-end-marker
    card type e1 0 0
    no aaa new-model
    clock timezone AST 4 0
    network-clock-participate wic 0
    network-clock-select 1 E1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip name-server 213.42.xxx.xxx
    multilink bundle-name authenticated
    isdn switch-type primary-net5
    crypto pki token default removal timeout 0
    voice-card 0
     dspfarm
     dsp services dspfarm
    voice service voip
     fax protocol pass-through g711ulaw
    voice class codec 1
     codec preference 1 g711ulaw
     codec preference 2 g711alaw
     codec preference 3 g729r8
     codec preference 4 g729br8
    voice class h323 1
      h225 timeout tcp establish 3
    voice translation-rule 1
     rule 1 /^9\(.*\)/ /\1/
    voice translation-rule 2
     rule 1 /^0\(2.......\)$/ /00\1/
     rule 2 /^0\(3.......\)$/ /00\1/
     rule 3 /^0\(4.......\)$/ /00\1/
     rule 4 /^0\(5........\)$/ /00\1/
     rule 5 /^0\(6.......\)$/ /00\1/
     rule 6 /^0\(7.......\)$/ /00\1/
     rule 7 /^0\(9.......\)$/ /00\1/
     rule 8 /^00\(.*\)/ /0\1/
     rule 9 /^.......$/ /0&/
     rule 10 // /000\1/
    voice translation-rule 3
     rule 1 /^3../ /026969&/
    voice translation-profile FROM_PSTN
     translate calling 2
     translate called 1
    voice translation-profile TO_PSTN
     translate calling 3
    license udi pid CISCO2911/K9 sn xxxxxxxxx
    license accept end user agreement
    license boot module c2900 technology-package securityk9
    hw-module pvdm 0/0
    hw-module sm 1
    username admin privilege 15 secret 4 Ckg/sS5mzi4xFYrh1ggXo92THcL6Z0c6ng70wM9oOxg
    redundancy
    controller E1 0/0/0
     framing NO-CRC4
     pri-group timeslots 1-10,16
    crypto ipsec client ezvpn jashanvpn
     connect auto
     group AUHNEW key jashvpn786
     mode network-extension
     peer 83.111.xxx.xxx
     acl 150
     nat allow
     nat acl 110
     xauth userid mode interactive
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 10.2.0.1 255.255.255.248
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1430
     ip policy route-map temp
     duplex auto
     speed auto
     crypto ipsec client ezvpn jashanvpn inside
     h323-gateway voip interface
     h323-gateway voip bind srcaddr 10.2.0.1
    interface GigabitEthernet0/1
     description *** Connected to 40MB Internet ***
     no ip address
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface GigabitEthernet0/2
     ip address 10.2.0.11 255.255.255.248
     duplex auto
     speed auto
    interface Serial0/0/0:15
     no ip address
     encapsulation hdlc
     isdn switch-type primary-net5
     isdn incoming-voice voice
     no cdp enable
    interface SM1/0
     ip unnumbered GigabitEthernet0/0
     service-module ip address 10.2.0.3 255.255.255.248
     !Application: CUE Running on SM
     service-module ip default-gateway 10.2.0.1
    interface SM1/1
     description Internal switch interface connected to Service Module
     no ip address
    interface Vlan1
     no ip address
    interface Dialer0
     description *** JASHANMAL 40MB Internet ***
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname xxxxx
     ppp chap password 7 0252150B0C0D5B2748
     ppp pap sent-username xxxxxx password 7 15461A5C03217F222C
     crypto ipsec client ezvpn jashanvpn
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source route-map nonat interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.2.0.0 255.255.248.0 10.2.0.2
    ip route 10.2.0.3 255.255.255.255 SM1/0
    ip route 10.2.6.1 255.255.255.255 10.2.0.2
    ip route 10.2.7.1 255.255.255.255 10.2.0.2
    ip route 172.16.5.0 255.255.255.0 10.2.0.2
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 100 deny   ip 172.16.5.0 0.0.0.255 10.1.6.0 0.0.0.255
    access-list 100 permit ip 10.2.4.0 0.0.0.255 any
    access-list 100 permit ip 172.16.5.0 0.0.0.255 any
    access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.2.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.3.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.1.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.5.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.5.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.3.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 110 permit ip host 10.2.6.1 any
    access-list 110 permit ip host 10.2.6.2 any
    access-list 110 permit ip host 10.2.6.3 any
    access-list 110 permit ip host 10.2.6.4 any
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.254.136 eq 10008
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.151.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.148.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.149.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.150.22 eq www
    access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.4.0 0.0.0.255 any
    access-list 150 permit ip 10.2.0.0 0.0.0.255 any
    access-list 150 permit ip 10.2.1.0 0.0.0.255 any
    access-list 150 permit ip 10.2.2.0 0.0.0.255 any
    access-list 150 permit ip 10.2.3.0 0.0.0.255 any
    access-list 150 permit ip 10.2.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.6.0 0.0.0.255 any
    access-list 150 permit ip 172.16.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.7.0 0.0.0.255 any
    route-map temp permit 100
     match ip address 100
     set ip next-hop 10.2.0.9
    route-map temp permit 110
    route-map nonat permit 10
     match ip address 110
    snmp-server community xxxxxxxx
    snmp-server location JNC AbuDhabi Office
    snmp-server contact xxxxxxxx
    snmp-server enable traps tty
    snmp-server enable traps cpu threshold
    snmp-server enable traps syslog
    snmp-server host xxxxx version 2c jash
    control-plane
    voice-port 0/0/0:15
     translation-profile incoming FROM_PSTN
     bearer-cap Speech
    voice-port 0/1/0
    voice-port 0/1/1
    voice-port 0/1/2
    voice-port 0/1/3
    mgcp profile default
    dial-peer cor custom
     name CCM
     name 0
     name 00
    dial-peer cor list CCM
     member CCM
     member 0
     member 00
    dial-peer cor list 0
     member 0
    dial-peer cor list 00
     member 0
     member 00
    dial-peer voice 100 voip
     corlist incoming CCM
     preference 1
     destination-pattern [1-8]..
     session target ipv4:10.1.2.12
     incoming called-number [1-8]..
     voice-class codec 1  
     voice-class h323 1
     dtmf-relay h245-alphanumeric
     no vad
    dial-peer voice 101 voip
     corlist incoming CCM
     huntstop
     preference 2
     destination-pattern [1-8]..
     session target ipv4:10.1.2.11
     incoming called-number [1-8]..
     voice-class codec 1  
     voice-class h323 1
     dtmf-relay h245-alphanumeric
     no vad
    dial-peer voice 201 pots
     corlist outgoing 0
     translation-profile outgoing TO_PSTN
     destination-pattern 0[1-9]T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
    dial-peer voice 202 pots
     corlist outgoing 0
     translation-profile outgoing TO_PSTN
     destination-pattern 00[1-9]T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
     prefix 0
    dial-peer voice 203 pots
     corlist outgoing 00
     translation-profile outgoing TO_PSTN
     destination-pattern 000T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
     prefix 00
    gateway
     timer receive-rtp 1200
    gatekeeper
     shutdown
    call-manager-fallback
     secondary-dialtone 0
     max-conferences 8 gain -6
     transfer-system full-consult
     timeouts interdigit 4
     ip source-address 10.2.0.1 port 2000
     max-ephones 58
     max-dn 100
     system message primary Your Current Options SRST Mode
     transfer-pattern .T
     alias 1 300 to 279
     call-forward pattern .T
     time-zone 35
     date-format dd-mm-yy
     cor incoming 0 1 100 - 899
    line con 0
     password 7 030359065206234104
     login local
    line aux 0
     password 7 030359065206234104
     login local
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     password 7 110E1B08431B09014E
     login local
     transport input all
    line vty 5 15
     password 7 030359065206234104
     login local
     transport input all
    scheduler allocate 20000 1000
    ntp master 1
    end

    Attached is the result from packet tracer of ASA5520-ASDM
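IOS extended ACLs such as 150 and 110 in the 2911 configuration above (referenced there by `acl 150`, `nat acl 110` and `route-map nonat`) are evaluated top-down with wildcard masks, the first matching entry wins, and an implicit deny closes the list. The following is an added example, not part of the original post: it evaluates a flow against six entries copied from that configuration. The tested flows are chosen for illustration, and only the `eq` operator and the port name `www` are handled.

```python
import ipaddress

# Six entries copied from the 2911 configuration in the post (subset only).
SAMPLE_ACL = """
access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
"""

PORT_NAMES = {"www": 80}  # only the port name used in the sample entries


def wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care' bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, rest = take_addr(t[4:])
    dst, rest = take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return {"acl": t[1], "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "port": port, "text": " ".join(t)}


def load(text):
    """Parse every access-list line of a configuration, keeping its order."""
    return [parse_ace(l) for l in text.splitlines()
            if l.strip().startswith("access-list")]


def evaluate(aces, acl, proto, src, dst, dport=None):
    """Return (action, matching entry); first match wins, implicit deny last."""
    for ace in aces:
        if ace["acl"] != acl:
            continue
        if ace["proto"] not in ("ip", proto):
            continue                       # 'ip' covers every IP protocol
        if not wild_match(src, *ace["src"]):
            continue
        if not wild_match(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], ace["text"]
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    aces = load(SAMPLE_ACL)
    # 10.2.0.11 is the GigabitEthernet0/2 address given in the post.
    flows = [("150", "ip", "10.2.0.11", "10.1.2.12", None),
             ("110", "icmp", "10.2.0.11", "192.6.14.189", None),
             ("110", "tcp", "10.2.0.11", "216.52.207.67", 80),
             ("110", "tcp", "10.2.0.11", "8.8.8.8", 443)]
    for acl, proto, src, dst, dport in flows:
        action, entry = evaluate(aces, acl, proto, src, dst, dport)
        print(f"ACL {acl} {proto} {src} -> {dst}:{dport} => {action} [{entry}]")
```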

  • 891W to 5505 EZVPN issue...No peer struct to get peer description

    Hey everyone,
    I've been on the forums looking for a solution to my issue in my lab....
    I'm getting the "No peer struct to get peer description" error in my debug.  I've done a search on these forums but the changes that I made did not work for me.
    It has to be something simple.....
    I am able to ping out to my ASA
    891Demo#ping 38.98.226.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 38.98.226.100, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 100/106/116 ms
    I did a few show commands listed below if anyone wants to take a look...
    891Demo#sho run
    Building configuration...
    Current configuration : 6370 bytes
    ! Last configuration change at 20:47:45 UTC Fri Jan 10 2014 by admin
    version 15.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 891Demo
    boot-start-marker
    boot-end-marker
    logging buffered 52000
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-1670941714
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1670941714
    revocation-check none
    rsakeypair TP-self-signed-1670941714
    crypto pki certificate chain TP-self-signed-1670941714
    certificate self-signed 01
            quit
    ip cef
    ip dhcp excluded-address 10.10.10.7 10.10.10.254
    ip dhcp pool ccp-pool
    import all
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    ipv6 multicast rpf use-bgp
    multilink bundle-name authenticated
    license udi pid CISCO891W-AGN-A-K9 sn FTX171783D3
    username admin privilege 15 password 0 password
    redundancy
    csdb tcp synwait-time 30
    csdb tcp idle-time 3600
    csdb tcp finwait-time 5
    csdb tcp reassembly max-memory 1024
    csdb tcp reassembly max-queue-length 16
    csdb udp idle-time 30
    csdb icmp idle-time 10
    csdb session max-session 65535
    crypto isakmp policy 50
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key D1l2w3r4 address 38.98.226.100
    crypto isakmp client configuration group VPNGroupZLAB
    key D1l2w3r4
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
    connect auto
    group DefaultL2LGroup key D1l2w3r4
    mode client
    peer 38.98.226.100
    username ztest password D1l2w3r4
    xauth userid mode local
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to38.98.226.100
    set peer 38.98.226.100
    set transform-set ESP-3DES-SHA
    match address 102
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    no ip address
    interface FastEthernet5
    no ip address
    interface FastEthernet6
    no ip address
    interface FastEthernet7
    no ip address
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Async1
    no ip address
    encapsulation slip
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 192.168.1.1 254
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp 254
    ip access-list extended protect_traffic
    permit ip host 10.10.10.1 host 10.1.11.1
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 10.10.10.0 0.0.0.255 10.1.11.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.1.11.0 0.0.0.255
    access-list 101 permit ip 10.10.10.0 0.0.0.7 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 10.10.10.0 0.0.0.255 10.1.11.0 0.0.0.255
    control-plane
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    mgcp profile default
    line con 0
    line 1
    modem InOut
    speed 115200
    flowcontrol hardware
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin udptn ssh
    line aux 0
    line vty 0 4
    access-class 23 in
    transport input telnet ssh
    transport output telnet ssh
    line vty 5 15
    access-class 23 in
    transport input telnet ssh
    transport output telnet ssh
    end
    =============================================
    =============================================
    891Demo#sh crypto ipsec sa
    interface: GigabitEthernet0
        Crypto map tag: SDM_CMAP_1, local addr 10.0.0.35
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.1.11.0/255.255.255.0/0/0)
       current_peer 38.98.226.100 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.0.0.35, remote crypto endpt.: 38.98.226.100
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    =============================================
    =============================================
    891Demo#sho crypto se
    Crypto session current status
    Interface: GigabitEthernet0
    Session status: DOWN
    Peer: 38.98.226.100 port 500
      IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.1.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    891Demo#
    *Jan 10 20:56:15.327: No peer struct to get peer description
    =============================================
    =============================================
    891Demo#sh crypto isakmp default pol
    Default IKE policy
    Default protection suite of priority 65507
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65508
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65509
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65510
            encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #5 (1536 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65511
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65512
            encryption algorithm:   Three key triple DES
            hash algorithm:         Secure Hash Standard
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65513
            encryption algorithm:   Three key triple DES
            hash algorithm:         Message Digest 5
            authentication method:  Rivest-Shamir-Adleman Signature
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Default protection suite of priority 65514
            encryption algorithm:   Three key triple DES
            hash algorithm:         Message Digest 5
            authentication method:  Pre-Shared Key
            Diffie-Hellman group:   #2 (1024 bit)
            lifetime:               86400 seconds, no volume limit
    Any insight into this would be appreciated; I'm still going to try and figure it out as well.

    It is the host site not transmitting. The ACL that I see that's blocking is for a client-based VPN.
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         Outside
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.180.0   255.255.254.0   Inside
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group Inside_access_in in interface Inside
    access-list Inside_access_in extended permit ip object obj_any any
    Additional Information:
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (Inside,Outside) source static DM_INLINE_NETWORK_20 DM_INLINE_NETWORK_20 destination static AT_Remote AT_Remote no-proxy-arp route-lookup
    Additional Information:
    Static translate 192.168.180.232/12345 to 192.168.180.232/12345
    Phase: 6
    Type: ACCESS-LIST
    Subtype: vpn-user
    Result: DROP
    Config:
    Additional Information:
    Result:
    input-interface: Inside
    input-status: up
    input-line-status: up
    output-interface: Outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
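
The `show crypto isakmp default policy` listing quoted in the thread above can be checked mechanically. The Python below is an added example, not part of any post: it parses that output format, tags suites that use 3DES, MD5 or a Diffie-Hellman group below 2048 bits, and reports which suite a peer's proposal would match. The function names, the tag strings and the four-attribute match (lifetime is ignored) are assumptions of this example.

```python
import re

# Constructed sample: three of the eight suites from the
# `show crypto isakmp default policy` output quoted in the thread above.
SAMPLE = """\
Default IKE policy
Default protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Output labels mapped to the short keys used by this example.
FIELDS = {
    "encryption algorithm": "encryption",
    "hash algorithm": "hash",
    "authentication method": "auth",
    "Diffie-Hellman group": "dh_group",
    "lifetime": "lifetime",
}
HASHES = {"Secure Hash Standard": "sha", "Message Digest 5": "md5"}
AUTHS = {"Pre-Shared Key": "pre-share",
         "Rivest-Shamir-Adleman Signature": "rsa-sig"}
WEAK_DH = {1, 2, 5}  # MODP groups of 768, 1024 and 1536 bits
MATCH_KEYS = ("encryption", "hash", "auth", "dh_group")


def _normalise(field, value):
    """Turn the long display strings into short comparable tokens."""
    if field == "encryption":
        if "triple DES" in value:
            return "3des"
        m = re.search(r"AES.*\((\d+) bit", value)
        return f"aes-{m.group(1)}" if m else value.lower()
    if field == "hash":
        return HASHES.get(value, value.lower())
    if field == "auth":
        return AUTHS.get(value, value.lower())
    # dh_group ("#2 (1024 bit)") and lifetime ("86400 seconds, ...")
    m = re.match(r"#?(\d+)", value)
    return int(m.group(1)) if m else value


def parse_policies(text):
    """Return the suites as dicts, sorted so the preferred suite comes first."""
    policies, current = [], None
    for line in text.splitlines():
        header = re.search(r"protection suite of priority (\d+)", line)
        if header:
            current = {"priority": int(header.group(1))}
            policies.append(current)
            continue
        key, sep, value = line.partition(":")
        field = FIELDS.get(key.strip())
        if current is not None and sep and field:
            current[field] = _normalise(field, value.strip())
    # In IOS the lowest priority number is evaluated first.
    return sorted(policies, key=lambda p: p["priority"])


def weaknesses(policy):
    """List the legacy algorithms a suite relies on."""
    found = []
    if policy.get("encryption") == "3des":
        found.append("3des")
    if policy.get("hash") == "md5":
        found.append("md5")
    if policy.get("dh_group") in WEAK_DH:
        found.append(f"dh-group-{policy['dh_group']}")
    return found


def first_match(policies, proposal):
    """Priority of the first suite equal to the proposal, or None."""
    for policy in policies:
        if all(policy.get(k) == proposal[k] for k in MATCH_KEYS):
            return policy["priority"]
    return None


if __name__ == "__main__":
    suites = parse_policies(SAMPLE)
    for suite in suites:
        print(suite["priority"], weaknesses(suite) or "no legacy algorithms")
    peer = {"encryption": "3des", "hash": "md5",
            "auth": "pre-share", "dh_group": 2}
    print("peer proposal matches suite:", first_match(suites, peer))
```

A `None` result from `first_match` means no suite in the parsed list would accept the peer's proposal, so a tunnel relying only on these defaults could not complete phase 1 with that peer.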

  • EasyVPN :crypto ipsec client ezvpn xauth

    Hi
    Every time I reboot an EasyVPN client, it prompts for a username and password with the following command: "crypto ipsec client ezvpn xauth".
    How do I make the connection persistent, so that it won't ask for a username and password during the next reboot?
    I am using a Cisco 877 router as the EasyVPN server and a Cisco 877 router as the EasyVPN client.
    My Easy VPN server configuration (Cisco 877) is as follows:
    sh run
    Building configuration...
    Current configuration : 2306 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    username cisco password 5 121A0C0411045D5679
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group vpngrp
    key cisco123
    save-password
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive
    log config
      hidekeys
    interface Loopback10
    ip address 192.168.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto map clientmap
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    ip dns server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    scheduler max-task-time 5000
    ntp clock-period 17182092
    ntp server 202.83.64.3
    end
    My Cisco 877 router client configuration:
    sh run
    Building configuration...
    Current configuration : 1919 bytes
    ! No configuration change since last restart
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Goldcoast
    boot-start-marker
    boot-end-marker
    no aaa new-model
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    crypto ipsec client ezvpn ez
    connect auto
    group vpngrp key cisco123
    mode network-extension
    peer 165.228.130.43
    xauth userid mode interactive
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    crypto ipsec client ezvpn ez inside
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto ipsec client ezvpn ez
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    ntp clock-period 17182119
    ntp server 202.83.64.3
    end
    I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
    Siva.

    Sorry for the late reply.
    I am getting the following error after removing xauth. Here is the error.
    ay 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
    May 14 12:43:47.020: EZVPN(ez): Current State: READY
    May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
    May 14 12:43:49.272: EZVPN(ez): Current State: READY
    May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
    May 14 12:43:51.620: EZVPN(ez): Current State: READY
    May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
    May 14 12:43:53.701: EZVPN(ez): Current State: READY
    May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=
    May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
    May 14 12:43:55.989: EZVPN(ez): Current State: READY
    May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Goldcoast(config-crypto-ezvpn)#
    May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
    May 14 12:43:58.009: EZVPN(ez): Current State: READY
    May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Thanks,
    siva.

  • Dual wan failover config: failback does not always work as expected for existing LAN traffic flows

    I have an 881 router configured with 2 dhcp WAN connections.  I am trying to configure failure detection of the primary connection (I do not really care about the secondary at this time).
    I have an ip sla/track configured to monitor the primary WAN connection, and if it stops passing traffic it removes that route, passing all traffic out the second WAN connection.  When the first connection is restored it should restore the route and everything should pass through the first connection again.  This works for all my tests except one.  If I start a ping stream from a client "ping 8.8.8.8 -t" and disconnect the primary connection it will lose a few packets but then use the secondary connection in about 15 seconds.  After restoring the primary connection all new traffic will use the primary connection, but the ping stream will then stop working (fails over, but not back).  If I stop the ping stream for a time (not sure how long is required, but my test was over a minute) it will then use the primary connection like all other new traffic.  A stop of a few seconds is not enough, and even opening up a second command prompt to ping the same target also does not work (pinging new targets works as desired).  It is as if something is caching the route/session/whatever and it has to have a window of no traffic before expiring/relearning the route.  This means any sustained traffic to the original target will not work until it is stopped for a certain time to let "something" age out.
    I need to know if there is a way to "flush the cache" (or whatever) during fail-back to force the primary route to be used after fail-back, or something else that will have the same effect.  My suspicion is that the second route gets "preferred" because the first is removed by the sla, and when the sla returns the route to the list the existing traffic flow is not aware of the route list change, using the last known good route (which now does not pass traffic).  The Issue here is that it takes a length of time for the now bad route to get flushed, which is greater than I want to have.
    config (edited):
    interface FastEthernet3
     description Backup ISP
     switchport access vlan 800
     no ip address
    interface FastEthernet4
     description Primary ISP
     ip dhcp client route track 100
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto ipsec client ezvpn EZVPN-to-1941
    interface Vlan800
     description Backup ISP
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
    track 100 list boolean or
     object 101
     object 102
    track 101 ip sla 10 reachability
    track 102 ip sla 20 reachability
    ip sla 10
     icmp-echo 4.2.2.2 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 10 life forever start-time now
    ip sla 20
     icmp-echo 208.67.222.222 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 20 life forever start-time now
    ip route 4.2.2.2 255.255.255.255 FastEthernet4 permanent
    ip route 10.1.2.0 255.255.255.0 <1941 wan ip removed>
    ip route <1941 wan ip removed> 255.255.255.255 FastEthernet4 permanent
    ip route 208.67.222.222 255.255.255.255 FastEthernet4 permanent
    ip route 0.0.0.0 0.0.0.0 Vlan800 dhcp 254
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
    Observation: the last 2 routes appear in the order shown above.  Even though the vlan800 route has a higher administrative cost, it is in front of the FA4 route. Could this be contributing to the issue?  Is there a way to ensure the FA4 route is always listed before vlan800 at all times?


  • IOS EZVPN and VPN 3k using external groups

    Hi folks, I was trying to configure IOS Easy VPN with a VPN
    concentrator. I am using an external group which is configured on the ACS
    server. The configuration for IOS Easy VPN is:
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto ipsec client ezvpn ezvpn_cfg
    connect manual
    group ezvpn key ezvpn
    mode network-extension
    peer x.x.x.x
    interface FastEthernet0/0
    ip address x.x.x.x x.x.x.x
    crypto ipsec client ezvpn ezvpn_cfg inside
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    interface Serial0/0.1 point-to-point
    ip address x.x.x.x x.x.x.x
    frame-relay interface-dlci 100
    crypto ipsec client ezvpn ezvpn_cfg
    I had configured the VPN concentrator with an external group eazyvpn.
    I had configured the ACS server with a user eazyvpn, password
    eazyvpn. The RADIUS attributes configured for this user are:
    [3076\012] CVPN3000-IPSec-Sec-Association
    ESP-3DES-MD5
    [3076\013] CVPN3000-IPSec-Authentication
    RADIUS
    [3076\016] CVPN3000-IPSec-Allow-Passwd-Store
    Allow
    [3076\027] CVPN3000-IPSec-Split-Tunnel-List
    split_tunnel_list
    [3076\030] CVPN3000-IPSec-Tunnel-Type
    Remote-Access
    [3076\031] CVPN3000-IPSec-Mode-Config
    On
    [3076\034] CVPN3000-IPSec-Over-UDP
    On
    [3076\055] CVPN3000-IPSec-Split-Tunneling-Policy
    Only tunnel networks in the list
    [3076\064] CVPN3000-Allow-Network-Extension-Mode
    Yes
    Now whenever I try to connect, it says phase 2 failed. My quick mode is
    unsuccessful.
    The error which comes up on the router is below:
    12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer
    at 172.31.9.2
    ezvpn-router#show crypto ipsec client ezvpn
    Easy VPN Remote Phase: 2
    Tunnel name : ezvpn_cfg
    Inside interface list: FastEthernet0/0,
    Outside interface: Serial0/0.1
    Current State: SS_OPEN
    Last Event: SOCKET_READY
    Split Tunnel List: 1
    Address : 10.1.1.0
    Mask : 255.255.255.0
    Protocol : 0x0
    Source Port: 0
    Dest Port : 0
    The logs for the VPN concentrator are as follows:
    Group [ezvpn] User [cisco]
    PHASE 1 COMPLETED
    324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
    Group [ezvpn] User [cisco]
    Received remote IP Proxy Subnet data in ID Payload:
    Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0
    327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
    Group [ezvpn] User [cisco]
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
    330 07/11/2007 22:36:23.980 SEV=5 IKE/66 RPT=10 172.31.235.93
    Group [ezvpn] User [cisco]
    IKE Remote Peer configured for SA: ESP-3DES-MD5
    331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
    Group [ezvpn] User [cisco]
    Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
    333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
    Group [ezvpn] User [cisco]
    QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
    NOTE: the configuration works fine when I use CLIENT mode. It fails
    when I change to NEM.

    Refer to the document "Configuring the Cisco VPN 3000 Concentrator to a Cisco Router"
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

  • Cisco 1812 router as ezvpn remote client

    Hi guys,
    I am having a hard time configuring an EzVPN remote VPN connection.
    Basically, we have a Cisco 1812 router and two ISP connections.
    Our network = 192.168.1.0; router IP address: 192.168.1.1
    ISP 1 is working on FastEthernet 0 (and its gateway is 80.65.62.1) and ISP 2 is working on Dialer 0 (gateway: 200.75.207.200). VPN network: 10.0.0.0 (gateway 10.0.0.1).
    We want to use the EzVPN connection on the Dialer0 interface and we have no issue connecting it, but as soon as we connect it we encounter issues. It takes over our default route and points all traffic to the Virtual-Access3 interface (which comes up as soon as EzVPN is connected; split tunneling is disabled by the policy of the organization we are connecting to).
    We point our traffic via route-maps and it works, but we have the following issue now: we have the IP address 192.168.1.15 (actually some VoIP software) which needs to go via the same link as the VPN goes (Dialer 0), and we point it via a route map (route-map VPN 12), but as soon as we do that 192.168.1.15 cannot ping anything. On the router when I execute
    show ip nat translations
    I can see that 192.168.1.15 is trying to do NAT through the VPN gateway instead of the Dialer0 gateway (200.75.207.200). I assume that I am missing something with NAT or something like that. Or is there any workaround for split tunneling? :)
    I would appreciate your help.

    Issue is resolved, however thanks.
    You can close this thread.
    Regards,
    KS

  • 7940 IP Phone not working across VPN with 861 but works with ASA5505.

    Hello, I've been trying to get a basic set up working with the 861w where this is being set up at my home with a 7940 IP phone hooked into it to go across an EZVPN tunnel to connect to my office's uc560.
    Now, I have an ASA5505 which works fine, but I'm not sure what differences or tweaks I need to make to get it to work on the 861.
    I've attached my 861 configuration.  When plugged in, the IP Phone tries to configure the VLAN and CM List. It just appears to get stuck and starts over.  If I hook up my 5505 instead, it connects and works just fine.
    Any help would be appreciated!

    Hello!
    I think I spoke too soon. I can get calls to initiate and I can hear the other end and complete the calls, but I notice some pings drop when I'm trying to ping the phone system on the other end, and when I try to complete a call, it doesn't hang up when I hang the receiver up. I also see this in the 861w:
    Feb 26 06:18:48.823: %FW-4-TCP_OoO_SEG: Deleting session as expected TCP segment with seq:4016134121 has not arrived even after 25 seconds - session 192.168.88.16:51758 to 192.168.248.1:2000
    That always occurs after attempting to make a call, which a lot of times goes through, but then hangs and dies.  The missing pings may be the issue, but why, when I plug my ASA 5505 in, do the calls and everything work perfectly? Do I need quality of service policies or changes to the inspect rules of the 861w?
    I have to think it is the 861w configuration since the 5505 works like a charm from my end.

  • Cisco UC560 Not Clearing Static Routes When VPN Connections Drop

    We have a Cisco UC560 (UC560-FXO-K9) running "Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M),
    Version 15.1(2)T2, RELEASE SOFTWARE (fc1)"  The issue is when we have end users connecting with the Cisco VPN Client to this device sometimes we are unable to connect to any devices on our LAN or sometimes we can't connect to the LAN on the other end of our site-to-site VPN.  The one symptom I've observed when this happens is that old VPN sessions that have disconnected appear to leave static routes from the user's outside IP at their home to an IP on our LAN to a Virtual-Access interface.  When this starts to happen, I restart the firewall to clear out the stale static routes and the problem is fixed, for a while at least.  Below is the current state where we have the site-to-site VPN connected to our branch office and 2 users connected with Cisco VPN clients.  Below that is the static route table which has 5 total Virtual-Access interface routes (one is an extra route for a user currently connected so that their outside IP is in the static route table with 2 inside IPs associated).  Is there a way to fix the cleanup of VPN connections when they terminate?
    #sh crypto isakmp peers
    Peer: <branch office outside IP> Port: 500 Local: <firewall's outside IP>
    Phase1 id: <branch office outside IP>
    Peer: <users's outside IP #1> Port: 50420 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Peer: <user's outside IP #2> Port: 49345 Local: <firewall's outside IP>
    Phase1 id: EZVPN_GRP_437
    Bugsy#sh ip ro st
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override
    Gateway of last resort is <next hop of ISP for firewall> to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via <next hop of ISP for firewall>
          10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
    S        10.0.0.153/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.155/32 [1/0] via <non-connected IP of VPN user>, Virtual-Access2
    S        10.0.0.156/32 [1/0] via <user's outside IP #2>, Virtual-Access3
    S        10.0.0.158/32 [1/0] via <user's outside IP #1>, Virtual-Access3
    S        10.0.0.159/32 [1/0] via <user's outside IP #2 again>, Virtual-Access2
    S        10.1.10.1/32 is directly connected, Vlan90

    Hi Brian,
    This sounds like you are running into the following known issue:
      CSCtl03682 - EzVPN client: Several RRI routes  pointing to same virtual interface
    which is Dup'd to:
      CSCtf39056 - RRI routes not deleted
    This has been fixed since 15.1(2)T4, so I would recommend upgrading to SWP 8.2 or higher. The only other way to clean up the stuck routes is to reload the router.
    Thanks,
    Brandon
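
A way to spot the stale routes described in this thread before users lose connectivity, as an added example (not code from the posters or from Cisco): it cross-checks the next hop of each Virtual-Access static route against the peers listed by "show crypto isakmp peers". The sample output is constructed, with documentation-range addresses standing in for the redacted ones, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample output modelled on the post (documentation-range addresses).
PEERS_OUTPUT = """\
Peer: 198.51.100.10 Port: 500 Local: 192.0.2.1
Phase1 id: 198.51.100.10
Peer: 203.0.113.21 Port: 50420 Local: 192.0.2.1
Phase1 id: EZVPN_GRP_437
Peer: 203.0.113.22 Port: 49345 Local: 192.0.2.1
Phase1 id: EZVPN_GRP_437
"""
ROUTES_OUTPUT = """\
S*    0.0.0.0/0 [1/0] via 192.0.2.254
S        10.0.0.153/32 [1/0] via 203.0.113.99, Virtual-Access2
S        10.0.0.155/32 [1/0] via 203.0.113.99, Virtual-Access2
S        10.0.0.156/32 [1/0] via 203.0.113.22, Virtual-Access3
S        10.0.0.158/32 [1/0] via 203.0.113.21, Virtual-Access3
S        10.0.0.159/32 [1/0] via 203.0.113.22, Virtual-Access2
S        10.1.10.1/32 is directly connected, Vlan90
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+Port:", re.M)
# Only static routes that point at a Virtual-Access interface are of interest.
ROUTE_RE = re.compile(
    r"^S\*?\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+\[\d+/\d+\]\s+via\s+(\S+),"
    r"\s+(Virtual-Access\d+)", re.M)

def active_peers(peers_text):
    """Outside IPs that currently have an ISAKMP SA."""
    return set(PEER_RE.findall(peers_text))

def audit_rri_routes(routes_text, peers_text):
    """Return (stale, duplicates): routes whose next hop has no ISAKMP peer,
    and connected peers that hold more than one Virtual-Access route."""
    peers = active_peers(peers_text)
    stale, per_peer = [], defaultdict(list)
    for prefix, nexthop, iface in ROUTE_RE.findall(routes_text):
        if nexthop in peers:
            per_peer[nexthop].append((prefix, iface))
        else:
            stale.append((prefix, nexthop, iface))
    duplicates = {p: r for p, r in per_peer.items() if len(r) > 1}
    return stale, duplicates

if __name__ == "__main__":
    stale, dups = audit_rri_routes(ROUTES_OUTPUT, PEERS_OUTPUT)
    print("stale routes:", stale)
    print("peers with several routes:", dups)
```

Run against real captures taken at the same moment, a growing stale list between reloads is the symptom reported in the question.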

  • EzVPN sometimes ping only in one direction or only one interface

    Guys, I have lots of 857 routers in the field with mostly the latest OS - 12.4(15)T17 making ezVPN connections to a 2951 with 15.1(4)M5.
    All the 857s have loopback and vlan interfaces similar to:
    interface Loopback0
    ip address 50.43.8.1 255.255.255.255
    ip tcp adjust-mss 1452
    end
    interface Vlan1
    ip address 40.43.8.1 255.255.255.128
    ip tcp adjust-mss 1452
    crypto ipsec client ezvpn SMS_VPN inside
    end
    This is my Dialer interface :
    interface Dialer0
    ip ddns update hostname my_custom_host_name
    ip ddns update SMS_DynDNS
    ip address negotiated
    ip access-group 102 in
    ip access-group 101 out
    ip mtu 1492
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    ppp authentication chap pap callin
    ppp chap hostname my_hostname
    ppp chap password 0 my_password
    ppp pap sent-username my_hostname password 0 my_password
    ppp ipcp dns request accept
    crypto ipsec client ezvpn SMS_VPN
    And their crypto's are defined as :
    crypto ipsec client ezvpn SMS_VPN
    connect auto
    group HW_Client key my_client_key
    mode network-extension
    peer my_peer_ip
    acl 100
    username my_username password my_password
    xauth userid mode local
    Now lately for some or other reason we have instances where I can ping either the VLAN or the LOOPBACK interface, but not both. Or I have instances where the 2951 can ping all the interfaces on the 857, but the 857 can not ping the 2951. Or I have instances where the 2951 can not ping the 857, but the 857 can ping the 2951.
    The way I have been fixing this is either to add crypto ipsec client ezvpn SMS_VPN inside to the loopback interface, or if it is there already to remove it. This usually works for a few days, but then suddenly I have to reverse this again. If that does not work then I usually do lots of clear crypt sess and/or clear crypt ipsec client ezvpn on the 857, or clear crypt sess remote 857_ip_address from the 2951 and then suddenly it starts working again.
    Surely there must be something wrong, but I just can not figure out what. Any ideas ?!

    Bump ... Anyone please ...

  • Disable the xauth in IOS router for EZVPN client

    I am trying to disable the xauth option and make the authentication happen by default, not interactively. I have tried using the username option, but it's still in the xauth interactive mode. Please can anyone help me out with this.

    If possible, can you post the current configuration from the router? If not, make sure that your configuration looks like the below:
    crypto ipsec client ezvpn EZVPNCLIENT
    connect auto
    group TEST key TEST123
    mode network-extension
    peer 1.1.1.1
    username cisco password cisco
    xauth userid mode local
    Let me know if it helps.
    Regards,
    Arul

  • EzVPN or L2L - which is more appropriate?

    I am in the process of designing a solution to connect approximately 20 teleworkers to our network for the purposes of working from home. The remote users will have some form of broadband connection (cable or DSL). We have both a VPN3030 and a PIX515e(v7) in our inventory to use as the head end device. My hope is to use the 3030 since it is already in use for L2L and VPNC connections. I have an 871 router in house for testing; it seems like a good choice for the job. My questions are these:
    1. Is the 871 the right device for the job? If not, what is?
    2. Since the broadband connections will have dynamic IP addresses, what is the most appropriate VPN type, L2L or EZ?
    Any advice will be appreciated. Thanks in advance,
    Mike

    Not sure how the LAN-to-LAN users connect currently on the VPNC. How many users do you have behind the 871? If it is one user, then I think the Ezvpn should do; for more than 3 or 4 users you can look at an L2L.

  • Ezvpn client on router to windows vpn server

    Hi,
    Is it possible to connect a Cisco router using ezvpn to a Windows 2008r2 server?
    I spent a lot of time and had no success.
    I'm trying to connect a Cisco 881g using ezvpn to a Windows VPN server (RRAS) using a pre-shared key.
    Or should I try to connect in a different way? (e.g. using vpdn on the router)
    Please refer me to some docs if possible... because I'm beginning to doubt.
    Thanks in advance

    Lan-to-lan is also a good idea, but the Cisco router is behind the NAT, so I'm not sure that lan-to-lan is possible. (I do not know exactly. Is it possible?)
    What I need exactly is a VPN from the Cisco to Windows 2008. I need to pass all traffic through the win2008 gateway. Is it possible?
    I tried to deploy a conf like this:
    pseudowire-class pw-class-1
    encapsulation l2tpv2
    protocol l2tpv2
    ip local interface FastEthernet4
    interface Virtual-PPP1
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    no ip virtual-reassembly
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname *******
    ppp chap password 0 ******
    ppp ipcp route default
    pseudowire 1 encapsulation l2tpv2 pw-class pw-class-1
    !
    But no success. On the win 2008 side I can see (with MS NET MON) that some packets come from the Cisco, but the VPN connection was not established.
