L2TPv3 tunnel
I have created an L2TPv3 tunnel between two routers. Now I don't know whether the tunnel is up or down. I have run the command but it is giving the following output:
R2#show l2tp tunnel
%No active L2TP tunnels
Can anyone tell me how we can check whether the L2TPv3 tunnel is up or down?
Is there any show command or debug command to check the status of tunnel?
Regards,
Mukesh Kumar
Network Engineer
Spooster IT Services
Mukesh,
The only problem I can see is that you have VLAN 5 on the subinterface, but not on the main interface; this means that the traffic might not get to the other end because of the Dot1q encapsulation. If you were to set both to the same dot1q tag it should come up.
Regards,
Alex Sanchez
CCIE R&S #37454
Similar Messages
-
L2TPv3 tunnel up but pings are failing
Hi,
I have configured an L2TP tunnel between loopbacks on an ASR1004 and an ASR1001. The tunnel gets established, and even shows me some two-way traffic counters (they don't increment in line with ICMP requests so don't know if they represent my ping attempts per se).
When I generate ICMP traffic, I learn MAC addresses on both ends, including within the ARP tables on the hosts. However, the pings time out. I have attached a diagram and have pasted some show outputs below.
Any ideas or suggestions would be greatly appreciated, thanks!
Wlg-COR-02#show ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.1(1)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 22-Nov-10 12:32 by mcpre
Cisco IOS-XE software, Copyright (c) 2005-2010 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
Wlg-COR-02 uptime is 2 weeks, 6 days, 14 hours, 59 minutes
Uptime for this control processor is 2 weeks, 6 days, 15 hours, 0 minutes
System returned to ROM by reload at 17:33:31 NZST Tue Aug 12 2014
System restarted at 00:22:39 NZDT Thu Oct 9 2014
System image file is "bootflash:/asr1001-universal.03.02.00.S.151-1.S.bin"
Last reload reason: PowerOn
License Info:
License UDI:
Device# PID SN UDI
*0 ASR1001 JAE15290CAP ASR1001:JAE15290CAP
License Package Information for Module:'asr1001'
Module name Image level Priority Configured Valid license
asr1001 adventerprise 1 NO adventerprise
advipservices 2 NO advipservices
ipbase 3 NO ipbase
Current License Level: advipservices
cisco ASR1001 (1RU) processor with 1217912K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7782399K bytes of eUSB flash at bootflash:.
Configuration register is 0x2102
Wlg-COR-02#show l2tun session all
L2TP Session Information Total tunnels 1 sessions 1
Session id 3769661188 is up, logical session id 65548, tunnel id 3529463940
Remote session id is 1878828549, remote tunnel id 1043662242
Remotely initiated session
Unique ID is 12
Session Layer 2 circuit, type is Ethernet Vlan, name is Port-channel2.532:532
Session vcid is 532
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 2074100010
Remote tunnel name is Air-COR-01
Internet address is 210.48.12.100
Local tunnel name is Wlg-COR-02
Internet address is 210.48.12.105
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 03:41:52
57 Packets sent, 48 received
8190 Bytes sent, 6645 received
Last clearing of counters never
Counters, ignoring last clear:
57 Packets sent, 48 received
8190 Bytes sent, 6645 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff73fe48 d2300c69
d2300c64 6ffca605
Sequencing is off
Conditional debugging is disabled
SSM switch id is 8197, SSM segment id is 8201
Wlg-COR-02#
Wlg-COR-02#show run inter
Wlg-COR-02#show run interface Po2.532
Building configuration...
Current configuration : 123 bytes
interface Port-channel2.532
encapsulation dot1Q 532
xconnect 210.48.12.100 532 encapsulation l2tpv3 pw-class l2tp
end
Wlg-COR-02#
Wlg-COR-02#show run | beg pseudowire
pseudowire-class mpls-ethernet
encapsulation mpls
interworking ethernet
pseudowire-class l2tp
encapsulation l2tpv3
ip local interface Loopback4770
Air-COR-01#show version
Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(4)S4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sun 01-Sep-13 09:53 by mcpre
IOS XE Version: 03.07.04.S
Cisco IOS-XE software, Copyright (c) 2005-2013 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: IOS-XE ROMMON
Air-COR-01 uptime is 35 weeks, 1 day, 15 hours, 26 minutes
Uptime for this control processor is 35 weeks, 1 day, 15 hours, 29 minutes
System returned to ROM by reload at 23:57:45 NZDT Mon Feb 24 2014
System restarted at 00:01:45 NZDT Tue Feb 25 2014
System image file is "bootflash:asr1000rp1-advipservicesk9.03.07.04.S.152-4.S4.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco ASR1004 (RP1) processor with 1688640K/6147K bytes of memory.
Processor board ID FOX1544G2KE
16 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
937983K bytes of eUSB flash at bootflash:.
39004543K bytes of SATA hard disk at harddisk:.
Configuration register is 0x2102
Air-COR-01#show l2tun session all
L2TP Session Information Total tunnels 1 sessions 1
Session id 1878828549 is up, logical session id 42736, tunnel id 1043662242
Remote session id is 3769661188, remote tunnel id 3529463940
Locally initiated session
Unique ID is 0
Session Layer 2 circuit, type is Ethernet Vlan, name is Port-channel2.532:532
Session vcid is 532
Circuit state is UP
Local circuit state is UP
Remote circuit state is UP
Call serial number is 2074100010
Remote tunnel name is Wlg-COR-02
Internet address is 210.48.12.105
Local tunnel name is Air-COR-01
Internet address is 210.48.12.100
IP protocol 115
Session is L2TP signaled
Session state is established, time since change 03:47:28
48 Packets sent, 58 received
6645 Bytes sent, 8437 received
Last clearing of counters never
Counters, ignoring last clear:
48 Packets sent, 58 received
6645 Bytes sent, 8437 received
Receive packets dropped:
out-of-order: 0
other: 0
total: 0
Send packets dropped:
exceeded session MTU: 0
other: 0
total: 0
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
Sending UDP checksums are disabled
Received UDP checksums are verified
No session cookie information available
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff73fe48 d2300c64
d2300c69 e0b07704
Sequencing is off
Conditional debugging is disabled
SSM switch id is 14061, SSM segment id is 5875
%No active PPTP tunnels
Air-COR-01#
Air-COR-01#show run int
Air-COR-01#show run interface Po2.532
Building configuration...
Current configuration : 123 bytes
interface Port-channel2.532
encapsulation dot1Q 532
xconnect 210.48.12.105 532 encapsulation l2tpv3 pw-class l2tp
end
Air-COR-01#
Air-COR-01#show run | beg pseudowire
pseudowire-class l2tp
encapsulation l2tpv3
ip local interface Loopback4770
air-agg-1-1#show mac address-table vlan 532
Legend: * - primary entry
age - seconds since last seen
n/a - not available
S - secure entry
R - router's gateway mac address entry
D - Duplicate mac address entry
Displaying entries from DFC switch [1] linecard [1]:
vlan mac address type learn age ports
----+----+---------------+-------+-----+----------+-----------------------------
532 0050.569e.681d dynamic Yes 150 Po7
532 0050.5695.0f0c dynamic Yes 320 Po7
R 532 0008.e3ff.fc04 static No - Router
WLG-AGG-01#show mac address-table vlan 532
Mac Address Table
Vlan Mac Address Type Ports
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
532 0050.5695.0f0c DYNAMIC Po2
532 0050.569e.681d DYNAMIC Po4
Total Mac Addresses for this criterion: 22
WLG-AGG-01#
What does your ACL statement look like for defining access from your Celerra_Replication network, to your GP_Celerra_Replication network?
Also, do you reference that ACL in your crypto map?
A sanitized config may help me help you.
-Chris
-
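As an added example (not code from the original post or from Cisco), the 24-byte "FS cached header" that Wlg-COR-02 prints above can be decoded to confirm what the router actually puts on the wire for this session: a plain IPv4 header with protocol 115 followed by the 4-byte L2TPv3 session ID, with no cookie and no L2-specific sublayer. The script parses the session output quoted above, decodes the header, verifies the IPv4 checksum and checks that the addresses, TTL, ToS, DF setting and session ID agree with what the same output states in prose.

```python
import re
import struct
import ipaddress

# Excerpt of the Wlg-COR-02 "show l2tun session all" output quoted in the post
# above (only the lines this check reads, in the order the router prints them).
SESSION_OUTPUT = """\
Session id 3769661188 is up, logical session id 65548, tunnel id 3529463940
Remote session id is 1878828549, remote tunnel id 1043662242
Remote tunnel name is Air-COR-01
Internet address is 210.48.12.100
Local tunnel name is Wlg-COR-02
Internet address is 210.48.12.105
IP protocol 115
DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
FS cached header information:
encap size = 24 bytes
45000014 00000000 ff73fe48 d2300c69
d2300c64 6ffca605
Sequencing is off
"""

L2TPV3_IP_PROTO = 115  # L2TPv3 directly over IP (RFC 3931) uses IP protocol 115


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_fs_header(text: str) -> dict:
    """Decode the cached encapsulation header: an IPv4 header followed by the
    4-byte L2TPv3 session ID (no cookie, no sequencing sublayer)."""
    m = re.search(r"encap size = (\d+) bytes\n((?:[0-9a-f]{8}\s)+)", text)
    if not m:
        raise ValueError("no FS cached header in output")
    raw = bytes.fromhex("".join(m.group(2).split()))
    ihl = (raw[0] & 0x0F) * 4
    ver_ihl, tos, _tot_len, _ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    # Recompute the header checksum with the checksum field zeroed.
    expected = ipv4_checksum(raw[:10] + b"\x00\x00" + raw[12:ihl])
    return {
        "encap_size": int(m.group(1)),
        "header_len": len(raw),
        "version": ver_ihl >> 4,
        "tos": tos,
        "df": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": csum == expected,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "session_id": struct.unpack("!I", raw[ihl:ihl + 4])[0],
    }


def check_session(text: str) -> tuple:
    """Cross-check the decoded header against what the same output says in prose.
    Returns (decoded_header, mismatches); an empty list means consistent."""
    hdr = decode_fs_header(text)
    remote_sid = int(re.search(r"Remote session id is (\d+)", text).group(1))
    # The first 'Internet address' follows the remote tunnel name, the second the local one.
    remote_ip, local_ip = re.findall(r"Internet address is (\S+)", text)
    proto = int(re.search(r"IP protocol (\d+)", text).group(1))
    df, tos, ttl = re.search(r"DF bit (\w+), .*ToS value (\d+), TTL value (\d+)", text).groups()
    problems = []
    if hdr["encap_size"] != hdr["header_len"]:
        problems.append("encap size does not match the number of cached bytes")
    if not hdr["checksum_ok"]:
        problems.append("IPv4 header checksum is wrong")
    if hdr["version"] != 4:
        problems.append("not an IPv4 header")
    if hdr["proto"] != proto or proto != L2TPV3_IP_PROTO:
        problems.append("IP protocol is not L2TPv3 (115)")
    if (hdr["src"], hdr["dst"]) != (local_ip, remote_ip):
        problems.append("src/dst do not match local/remote tunnel addresses")
    if hdr["session_id"] != remote_sid:
        # The session ID we transmit must be the one the *peer* allocated.
        problems.append("session ID in header is not the remote session id")
    if hdr["df"] != (df == "on") or hdr["tos"] != int(tos) or hdr["ttl"] != int(ttl):
        problems.append("DF/ToS/TTL differ from the session settings")
    return hdr, problems


if __name__ == "__main__":
    decoded, issues = check_session(SESSION_OUTPUT)
    for key, value in decoded.items():
        print(f"{key:12} {value}")
    print("consistent" if not issues else "\n".join(issues))
```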
Hello All,
I'm trying to configure a L2TP tunnel between two ASR9Ks. The configuration is pretty straightforward and the tunnel came up tidy. However I'm unable to pass traffic through the tunnel. All the traffic is dropped on the inbound interface.
Configuration
interface GigabitEthernet0/0/0/5.100 l2transport
encapsulation dot1q 100
l2vpn
pw-class L2TP-CLASS
encapsulation l2tpv3
protocol l2tpv3 class L2TP-CLASS
ipv4 source 172.25.200.10
transport-mode vlan
xconnect group L2TP
p2p L2TP
interface GigabitEthernet0/0/0/5.100
neighbor 172.25.200.11 pw-id 654
pw-class L2TP-CLASS
Outputs
RP/0/RSP0/CPU0:A9K-LAB03#sh l2vpn xconnect group L2TP detail
Tue Mar 4 11:27:33.571 WET
Group L2TP, XC L2TP, state is up; Interworking none
AC: GigabitEthernet0/0/0/5.100, state is up
Type VLAN; Num Ranges: 1
VLAN ranges: [100, 100]
MTU 9182; XC ID 0x840006; interworking none
Statistics:
packets: received 0, sent 0
bytes: received 0, sent 0
drops: MTU exceeded 0, other 0
PW: neighbor 172.25.200.11, PW ID 654, state is up ( established )
PW class L2TP-CLASS, XC ID 0x840006
Encapsulation L2TPv3, protocol L2TPv3
PW type Ethernet VLAN, control word disabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
L2TP class L2TP-CLASS, IPv4 source address 172.25.200.10
TOS 0 (reflect disabled), TTL 255, DF bit not set
Path MTU: disabled
Tunnel state connected, remote circuit status up
L2TPv3 Local Remote
Session 792824663 3260689897
Cookie size 0 bytes 0 bytes
Cookie unassigned unassigned
MTU 9182 9182
Control word disabled disabled
PW type Ethernet VLAN Ethernet VLAN
Create time: 04/03/2014 11:23:44 (00:03:43 ago)
Last time status changed: 04/03/2014 11:24:14 (00:03:13 ago)
Statistics:
packets: received 0, sent 0
bytes: received 0, sent 0
drops: out of sequence 0, other 0
RP/0/RSP0/CPU0:A9K-LAB03#sh l2tp tunnel detail
Tue Mar 4 11:53:33.658 WET
Tunnel id 715704093 is up, remote id is 3012491936, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:13:37
Tunnel transport is IP (115)
Remote tunnel name is A9K-LAB04
Internet Address 172.25.200.11, port 0
Local tunnel name is A9K-LAB03
Internet Address 172.25.200.10, port 0
VRF table id is 0xe0000000
Tunnel group id
L2TP class for tunnel is L2TP-CLASS
Control Ns 18, Nr 18
Local RWS 512 (default), Remote RWS 512
Control channel Congestion Control is disabled
Tunnel PMTU checking disabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 16
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
RP/0/RSP0/CPU0:A9K-LAB03#sh l2tp counters forwarding session
Tue Mar 4 11:55:50.613 WET
LocID RemID TunID Pkts-In Pkts-Out Bytes-In Bytes-Out
123327359 1688338792 715704093 0 0 0 0
Any idea of what might be wrong?
Cheers,
PM
Hi Saurabh, Eddie,
Thanks for your reply.
Could you please confirm if L2TPv3 for IPv4 is supported on CRS? In what version?
Thanks.
Regards,
PM
-
Ping does not work on L2TPv3 tunnel
Hi, I have a simple lab setup for testing the L2TPv3. Diagram is attached.
The router-simulated PCs (192.168.10.1 and 192.168.10.2) just cannot ping each other. Below are the configurations of the 2 routers. I tried to put in "ip pmtu" under pseudowire-class; I tried to adjust-mss under the interface of the two router-simulated PCs to 1400 or even 1360; none of them changed a thing.
Please advise.
+++++++++++++++R1++++++++++++++++++
hostname R1
interface Loopback0
ip address 10.0.1.1 255.255.255.255
interface FastEthernet 1/1
ip address 4.2.2.1 255.255.255.0
no shut
router ospf 1
router-id 10.0.1.1
network 0.0.0.0 255.255.255.255 area 0
l2tp-class L2TPV3class
authentication
password L2TPV3
retransmit initial retries 30
cookie size 8
pseudowire-class HQ2R2
encapsulation l2tpv3
protocol none
ip local interface Loopback0
default inter fa1/0
interface FastEthernet1/0
description HQ_LAN_R2Branch
no ip address
no shut
no cdp enable
xconnect 10.0.2.2 102 encapsulation l2tpv3 manual pw-class HQ2R2
l2tp id 101 200
l2tp cookie local 4 221200
l2tp cookie remote 4 122200
l2tp hello L2TPV3class
+++++++++++++++R2++++++++++++++++++
hostname R2
interface Loopback0
ip address 10.0.2.2 255.255.255.255
interface FastEthernet 1/0
ip address 4.2.2.2 255.255.255.0
no shut
router ospf 1
router-id 10.0.2.2
network 0.0.0.0 255.255.255.255 area 0
l2tp-class L2TPV3class
authentication
password L2TPV3
retransmit initial retries 30
cookie size 8
pseudowire-class R2Branch2HQ
encapsulation l2tpv3
protocol none
ip local interface Loopback0
ip pmtu
default inter fa0/0
interface FastEthernet0/0
description R2Branch_LAN_HQ
no ip address
no shut
no cdp enable
xconnect 10.0.1.1 201 encapsulation l2tpv3 manual pw-class R2Branch2HQ
l2tp id 200 101
l2tp cookie local 4 221200
l2tp cookie remote 4 122200
l2tp hello L2TPV3class
I'm having similar trouble on iTunes for OSX.
For the last 5 days i've had:
+We could not complete your iTunes Store request.+
+An unknown error occurred (5002)+
+There was an error in the iTunes Store. Please try again later.+
It works okay now on my iPhone 3GS but did error a few times 2 days ago.
-
IPSec secured L2TPv3 - one way traffic in L2 tunnel
Sigh... after 7 hours battling coming here because I've exhausted all my options to find an answer for my problem.
So here is the topology - standard (boring) IPSec secured L2TPv3 tunnel: on one side - 897 connected to a DSL box, on another side - 1921 with two interfaces.
The purpose is to set up a plain L2TPv3 tunnel between those locations so computers plugged into the 897's 8-port switch interface can communicate with a number of devices connected to the 1921 on the other side.
897:
crypto ikev2 keyring key1
peer destination_ip_address
address local_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 1921_outside_ip_address 255.255.255.255
identity local address 897_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
controller VDSL 0
ip ssh rsa keypair-name router-key
ip ssh version 2
pseudowire-class DZD
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 1921_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.1 255.255.255.255
interface ATM0
no ip address
no atm ilmi-keepalive
interface Ethernet0
no ip address
interface GigabitEthernet0
no ip address
interface GigabitEthernet1
no ip address
interface GigabitEthernet2
no ip address
interface GigabitEthernet3
no ip address
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class DZD
interface GigabitEthernet4
no ip address
interface GigabitEthernet5
no ip address
interface GigabitEthernet6
no ip address
interface GigabitEthernet7
no ip address
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet8
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 10.97.2.29 255.255.255.0
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ppp authentication pap callin
ppp pap sent-username DSL_username password DSL_password
crypto map local
ip forward-protocol nd
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 130 permit ip host 172.16.1.1 host 172.16.1.2
dialer-list 1 protocol ip permit
c897#
1921:
crypto ikev2 keyring key1
peer 897_outside_ip_address
address 897_outside_ip_address
pre-shared-key key
crypto ikev2 profile default
match identity remote address 897_outside_ip_address 255.255.255.255
identity local address 1921_outside_ip_address
authentication remote pre-share
authentication local pre-share
keyring local key1
crypto ikev2 dpd 30 3 periodic
ip ssh version 2
lldp run
pseudowire-class ZRH
encapsulation l2tpv3
ip local interface Loopback1
ip pmtu
ip dfbit set
ip tos reflect
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit set
crypto map local 1 ipsec-isakmp
set peer 897_outside_ip_address
set ikev2-profile default
match address 130
interface Loopback1
ip address 172.16.1.2 255.255.255.255
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description WAN-ACC
ip address 1921_outside_ip_address 255.255.255.0
duplex auto
speed auto
crypto map local
interface GigabitEthernet0/1
description LAN-Trunk
no ip address
duplex auto
speed auto
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class ZRH
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 default_gateway_of_1921
logging host 10.96.2.21
access-list 130 permit ip host 172.16.1.2 host 172.16.1.1
pnc01921#
Note - 1921 is connected to the Nexus 2248TP FEX, here is the config of the interface of the FEX:
pnc00001# sh run int e101/1/6
!Time: Thu May 1 06:15:02 2014
version 5.0(3)N2(2b)
interface Ethernet101/1/6
switchport access vlan 702
Now, the IPsec tunnel comes up and does pass traffic - I can ping from one l1 to the other l1; below is the output from the 897:
sh cry ike sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 897_outside_ip_address/500 1921_outside_ip_address/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/76 sec
IPv6 Crypto IKEv2 SA
#sh cry ips sa
interface: Dialer1
Crypto map tag: local, local addr 897_outside_ip_address
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.2/255.255.255.255/0/0)
current_peer 1921_outside_ip_address port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 897_outside_ip_address, remote crypto endpt.: 1921_outside_ip_address
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x852BF1F2(2234249714)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5D9DFB1A(1570634522)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190855/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x852BF1F2(2234249714)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: local
sa timing: remaining key lifetime (k/sec): (4190863/3504)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
#ping 172.16.1.2 sour l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
Now, L2 tunnel shows to be up on both ends as well (output from 897 here)
#sh xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP ac Gi3(Ethernet) UP l2tp 172.16.1.2:1 UP
However, if you look at the detailed output of l2tun, you will see that the tunnel receives traffic from the 1921, but does not send anything:
#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
Locally initiated tunnel
Tunnel state is established, time since change 00:19:34
Tunnel transport is IP (115)
Remote tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Local tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
0 packets sent, 763 received
0 bytes sent, 65693 received
Last clearing of counters never
Counters, ignoring last clear:
0 packets sent, 763 received
0 bytes sent, 65693 received
Control Ns 18, Nr 9
Local RWS 512 (default), Remote RWS 512 (max)
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 2
Total resends 0, ZLB ACKs sent 8
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
Mirrored situation on other side - 1921 sends packets, but nothing is received:
pnc01921#sh l2tun tunnel all
L2TP Tunnel Information Total tunnels 1 sessions 1
Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
Remotely initiated tunnel
Tunnel state is established, time since change 00:21:15
Tunnel transport is IP (115)
Remote tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Local tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
L2TP class for tunnel is l2tp_default_class
Counters, taking last clear into account:
815 packets sent, 0 received
69988 bytes sent, 0 received
Last clearing of counters never
Counters, ignoring last clear:
815 packets sent, 0 received
69988 bytes sent, 0 received
Control Ns 9, Nr 20
Local RWS 1024 (default), Remote RWS 512
Control channel Congestion Control is disabled
Tunnel PMTU checking enabled
Retransmission time 1, max 1 seconds
Unsent queuesize 0, max 0
Resend queuesize 0, max 1
Total resends 0, ZLB ACKs sent 18
Total out-of-order dropped pkts 0
Total out-of-order reorder pkts 0
Total peer authentication failures 0
Current no session pak queue check 0 of 5
Retransmit time distribution: 0 0 0 0 0 0 0 0 0
Control message authentication is disabled
There is a Windows box plugged into the 897's G3 with IP address 10.97.2.25. From it I can ping the 897's VLAN1 at 10.97.2.29. However I can't ping anything across the L2TPv3 tunnel. At the same time, on that Windows box I can see broadcast traffic coming across the tunnel.
I give up. Does anyone have a reasonable suggestion what might be wrong? I suspect that something is wrong on the 897's side.
One last question - how can I create an SVI on the 1921 and assign an IP address from the 10.97.2.0/24 network to it?
Anybody? Opened ticket #630128425, no response from Cisco yet..
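The two "show l2tun tunnel all" outputs above can be compared mechanically. As an added example (not code from the original post or from Cisco), the script below parses both ends' counters, confirms that the tunnel IDs pair up as the two ends of one tunnel, and points at the side whose data plane is silent. It also makes explicit that these data counters do not include hellos (those are tracked by the control-channel Ns/Nr sequence numbers), which is why a tunnel can be "up" while one direction carries nothing; the same question about the counters comes up again in the 7206 QinQ threads further down.

```python
import re

# "show l2tun tunnel all" from both ends as pasted in the post above
# (897 first, 1921 second), cut down to the lines this check reads.
SIDE_897 = """\
Tunnel id 3504576447 is up, remote id is 2898810219, 1 active sessions
Remote tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Local tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Counters, taking last clear into account:
0 packets sent, 763 received
0 bytes sent, 65693 received
Control Ns 18, Nr 9
"""

SIDE_1921 = """\
Tunnel id 2898810219 is up, remote id is 3504576447, 1 active sessions
Remote tunnel name is pnc0DRZD
Internet Address 172.16.1.1, port 0
Local tunnel name is pnc01921
Internet Address 172.16.1.2, port 0
Counters, taking last clear into account:
815 packets sent, 0 received
69988 bytes sent, 0 received
Control Ns 9, Nr 20
"""


def parse_tunnel(text: str) -> dict:
    """Pull the tunnel IDs, local name and data/control counters out of one end's output."""
    ids = re.search(r"Tunnel id (\d+) is (\w+), remote id is (\d+)", text)
    pkts = re.search(r"(\d+) packets sent, (\d+) received", text)
    ctrl = re.search(r"Control Ns (\d+), Nr (\d+)", text)
    name = re.search(r"Local tunnel name is (\S+)", text)
    if not (ids and pkts and ctrl and name):
        raise ValueError("output does not look like 'show l2tun tunnel all'")
    return {
        "local_id": int(ids.group(1)),
        "state": ids.group(2),
        "remote_id": int(ids.group(3)),
        "name": name.group(1),
        "sent": int(pkts.group(1)),       # L2TPv3 data packets only
        "received": int(pkts.group(2)),   # hellos/control messages are not counted here
        "ns": int(ctrl.group(1)),         # control messages this end has sent
        "nr": int(ctrl.group(2)),         # next control sequence number expected from the peer
    }


def diagnose(a: dict, b: dict) -> list:
    """Decide, from the two ends' counters, where a 'tunnel up but no traffic' fault lies.
    Counters are snapshots taken at different moments, so only a hard zero is treated
    as a symptom; small differences between sent and received are expected."""
    if a["local_id"] != b["remote_id"] or b["local_id"] != a["remote_id"]:
        return ["tunnel IDs do not pair up: these outputs are not the two ends of one tunnel"]
    findings = []
    if a["state"] != "up" or b["state"] != "up":
        findings.append("tunnel is not up on both ends; fix the control channel first")
    for x, y in ((a, b), (b, a)):
        if x["sent"] == 0:
            findings.append(f"{x['name']} has never encapsulated a data packet: the fault is "
                            f"on its side before the tunnel (its attachment circuit), not the IP path")
        elif y["received"] == 0:
            findings.append(f"{x['name']} sends data but {y['name']} receives none: "
                            f"packets are lost between the two tunnel endpoints")
    if not findings:
        findings.append("data flows both ways; look beyond the pseudowire "
                        "(MAC learning, MTU, host-side filtering)")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_tunnel(SIDE_897), parse_tunnel(SIDE_1921)):
        print(line)
```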
-
Dot1 tunnelled VLAN via L2TPv3 IP routed enviroment problem
I have an objective to transparently interconnect two Cat 6506 switches using a dot1q trunk via an Ethernet switched and IP routed environment.
6506 trunk - 3560 dot1q tunnel via vlan 2 - 7206 terminating vlan 2 and xconnect to neighbor 7206 - 3560 with vlan 2/dot1q tunnel - 6506 trunk.
I've divided problem to 2 possible stages - QinQ and L2TPv3.
Realized QinQ works well by assigning/pinging first 7206 IP terminating dot1q tunnel.
Now I have tunnel up, dynamically negotiated with ip mtu, ip sequencing both etc, all default, but I only see sent bytes at first 7206 and no received and received/no sent bytes at the second 7206.
So it actually looks like bytes go just via one direction, from 1 7206 to 2 7206 and not the opposite direction.
What are these counters for? Only for tunneled VLAN or whole L2TPv3 tunnel? Cos hellos should create both traffic sent and received on both 72xx's.
I am confused and can't ping/trunk from the remote 3560. It's under ISP responsibility. I also can't SPAN/VSPAN for some reason to ethereal/analyze it.
Any gurus?
Counters indicate total packets sent and received for the current session. Sometimes MTU sizes could be a reason for the tunnel not working. Refer to this URL for configuring MTU: http://www.cisco.com/en/US/customer/tech/tk801/tk703/technologies_tech_note09186a0080094c4f.shtml#frag_example
-
Dot1 q tunnel via L2TPv3 problem
I have an objective to transparently interconnect two Cat 6506 switches using a dot1q trunk via an Ethernet switched and IP routed environment.
6506 trunk - 3560 dot1q tunnel via vlan 2 - 7206 terminating vlan 2 and xconnect to neighbor 7206 - 3560 with vlan 2/dot1q tunnel - 6506 trunk.
I've divided problem to 2 possible stages - QinQ and L2TPv3.
Realized QinQ works well by assigning/pinging first 7206 IP terminating dot1q tunnel.
Now I have tunnel up, dynamically negotiated with ip mtu, ip sequencing both etc, all default, but I only see sent bytes at first 7206 and no received and received/no sent bytes at the second 7206.
So it actually looks like bytes go just via one direction, from 1 7206 to 2 7206 and not the opposite direction.
What are these counters for? Only for tunneled VLAN or whole L2TPv3 tunnel? Cos hellos should create both traffic sent and received on both 72xx's.
I am confused and can't ping/trunk from the remote 3560. It's under ISP responsibility. I also can't SPAN/VSPAN for some reason to ethereal/analyze it.
Any gurus?
Packet counters show the number of packets sent and received from the remote end. Look at the configuration on the other end router. Refer to URL http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_book09186a008035322e.html for more information.
-
L2TPv3 on a 3900-SPE200/K9
Hi... I'm trying to configure an l2tpv3 tunnel between an ASR1001 and a C3925. I'm not able to find the way to activate the command pseudowire-class on the 3925. I tried installing a license for security and data, but still nothing... Any clues?
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Thu 20-Jun-13 14:38 by prod_rel_team
ROM: System Bootstrap, Version 15.1(1r)T5, RELEASE SOFTWARE (fc1)
TEST-OSPF uptime is 23 hours, 43 minutes
System returned to ROM by reload at 14:55:47 UTC Thu Mar 26 2015
System image file is "flash0:c3900e-universalk9-mz.SPA.152-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO3925-CHASSIS (revision 1.0) with C3900-SPE200/K9 with 755712K/292864K bytes of memory.
Processor board ID FTX1740AHUY
4 Gigabit Ethernet interfaces
DRAM configuration is 72 bits wide with parity enabled.
256K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 C3900-SPE200/K9 FOC173466SN
Technology Package License Information for Module:'c3900e'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None
-
Hi,
I am configuring static L2TPv3 on a Cisco 881. According to the feature navigator it is supported and I can configure it without any problem. The L2TPv3 session seems to be UP but apparently there is no data I can send across this L2TPv3 tunnel.
Can anyone give a suggestion?
Thanks in advance.
Please post on the WAN, Routing and Switching community.
Shelley.
-
Hello,
Is there a way or simple solution to terminate a bunch of "plain" L2TPv3 pseudowires to a BVI, to have a sort of VPLS? (VPLS/MPLS is not an option in my setup).
My deal is to have a distributed L2 architecture (I have a protocol that works only on L2), and it must traverse a non-ethernet IP based network. (traffic is quite low - max 1 mbps)
It can easily be done with a simple Linux box, terminating l2tpv3 tunnels on a bridge interface, but I would like to do that on a Cisco device.
A very dirty solution can be to have a set of sub-interfaces (with xconnect) and a cable to another interface on the same router, having sub-interfaces terminated on a BVI.
Something like that:
GigaEthernet 0/0 is cabled to GigaEthernet 0/1
! Gi0/0 side: each dot1q sub-interface is a pseudowire attachment circuit
interface GigabitEthernet0/0.1301
 encapsulation dot1Q 1301
 xconnect 10.10.13.1 1301 pw-class pw1301
!
interface GigabitEthernet0/0.1302
 encapsulation dot1Q 1302
 xconnect 10.10.13.2 1302 pw-class pw1302
!
! Gi0/1 side (cabled back to Gi0/0): the same tags are bridged together
interface GigabitEthernet0/1.1301
 encapsulation dot1Q 1301
 bridge-group 1
!
interface GigabitEthernet0/1.1302
 encapsulation dot1Q 1302
 bridge-group 1
!
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
Is there a simple way to accomplish that?
Thanks in advance,
stefano
I cannot implement this type of configuration with a 3945 router... it's a shame... I really need this config for a site.
-
Hi folks,
I have to implement two L2TPv3 tunnels over an MPLS backbone, primary and backup. I'm thinking about L2 pseudowires, but my question is: with 2 pseudowires, how could I create a primary and a backup tunnel, if that is possible? Something like FRR?
I've found a configuration for two tunnels in a recent post:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddda49d
but I have no idea how to implement a fault-tolerant solution.
Any advice will be appreciated.
Thanks
Andrea
Andrea,
I think I understand where my confusion comes from. You are using L2TPv3 in a VPDN context rather than using it as a transport for a pseudowire, right?
In this case the L2TPv3 session could just be routed as IP traffic through the core. Or, if you want to use pseudowires through the core, it would certainly be possible to use MPLS for this purpose.
Let me know if that helps, -
Help with Clean Access Architecture
Hello All,
I wanted to engage some of the NetPros out there about designing our Clean Access architecture. We purchased 4 3140s (2 x CAMs w/ FO, 2 x CASs w/ FO). The goal is to use Clean Access to validate select areas of our headquarters, along with validating users in a remote location.
The HQ part of the design I can understand without issue. It's when we begin to deal with the remote office that I become uncertain about the design. The remote office is MPLS connected to HQ (L3 multi-hop). We want users in the remote office to also be L2 authenticated to the Clean Access cluster at HQ. Across MPLS this does not appear to be straightforward. We'd like to do an L2 deployment, but from what I've read this will require using L2TPv3 at the remote office to "tunnel" the VLANs from HQ to remote and vice versa. My fear is that now the default gateway for the remote clients is the HQ Clean Access cluster. Therefore all traffic will be "switched" across their WAN link. This becomes an issue as the remote office has local Windows domain controllers for faster file access on another VLAN, and in this scenario it sounds like the workstations would have to travel across the L2TPv3 tunnel to HQ just to go back across the tunnel to the remote office for file access. Sounds slow!
Does anyone have recommendations on how to design this centralized, L2, OOB architecture? In my mind I would want the clients attempting authentication to the switch, the switch forwarding to the CAS, the CAS validating posture and passing down the necessary VLAN to the switch. All VLAN'ing and switching is kept remote. We operate all 3750 switches, so our infrastructure can work with NAC. Sorry for the long post, just wanted to try to explain the requirements. Thanks for the help.
-Mike
http://cs-mars.blogspot.com
Hi Mike -
Very good questions. You definitely do not need the L2TPv3 across the WAN to control the ports at the remote site.
The CASs can be deployed L2 In-Band (IB), L3 In-Band (IB), L2 Out-of-Band (OOB) or L3 Out-of-Band (OOB).
L3 OOB can be used to control the switches at the remote sites. A second VLAN is required at the remote site to serve as the authentication VLAN. All ports start off on this Auth VLAN when a user plugs in.
The user receives an IP address on this Auth VLAN and the local L3 device is the gateway. The L3 device should have ACLs to protect the rest of the network from this Auth VLAN. The only permit entries in the ACL should let the users get to the CAS and the remediation servers. Using a network like 192.168.x.x and varying the 3rd octet on a per-site basis simplifies the ACLs if you are using 10.x.x.x as your internal addressing. The ACLs should be placed on all the MPLS routers to protect the production network from the Auth network.
Once the user proves trustworthy, Clean Access changes the VLAN on the switch to the production/normal VLAN and the user has complete access as before.
CASs can be either one of the 4 roles (L2 IB, L3 IB, L2 OOB, L3 OOB) when they are added to the CAM.
If you plan to use L2 OOB for your HQ and L3 OOB for the remotes, you may need to add 1 more CAS pair to your architecture.
We have some great diagrams that the Clean Access product team have put together that will illustrate this architecture to you.
Your local SE / CSE should be able to provide this to you.
Let us know if you have any follow up questions.
Hope this helps.
peter -
Help with VPLS across MPLS network
Hi Team,
I have been trying hard to get this going, but have never played with this before. Anyway, I would like to create a VPLS network across our service provider to a regional office. I have been told about doing a tunnel across and then running MPLS and VPLS over it, but I can't get this to work.
Here is a picture of my network in GNS3. I need to make this work between MONHUB1 and SCS2800.
https://dl.dropbox.com/u/101819653/Capture.JPG
Any help would be great. The end goal is to have the VLAN in the head office span across to the regional office.
Thanks
Hello Cory,
If the involved devices are ISR routers like the 2800, VPLS is not supported on them.
However, if you just need a point-to-point, VLAN-based L2 transport service, you can use the L2TPv3 tunneling protocol between the two routers.
See the links below:
http://www.cisco.com/en/US/products/ps6587/products_white_paper09186a00800a8444.shtml
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_l2_tun_pro_v3_ps6441_TSD_Products_Configuration_Guide_Chapter.html
Hope to help
Giuseppe -
Throughput in a L2TPV3 or GRE Tunnel
I want to establish a tunnel across a 2.5 GB wavestream circuit on a partner's network. I am considering L2TPv3 or GRE technologies, and they will limit the throughput on their network between my 2 tunnel endpoints to 1 Gbps. My question is: will I get anywhere near 1 Gbps in throughput? I know there will be some header overhead, but I am wondering more whether my 2 endpoints can encapsulate at such a high throughput, and what platforms I will need to do so. I assume there is quite a load on the router platform to do so...?
The maximum throughput obtained will be up to a 512-kilobyte payload. And the maximum number of IPsec tunnels (on the VPN service module [VPNSM]) is 8,000.
Maximum number of L2TP tunnels per PPP regeneration session is 40,000. -
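As an added example (not from this thread or from Cisco), the following Python estimates the header overhead the question mentions for an L2TPv3-over-IP Ethernet pseudowire versus plain IP-in-GRE, the goodput that leaves under a 1 Gbps policer, and the outer packet rate the endpoints must sustain; header sizes follow RFC 3931 and RFC 2784, while the link rate, path MTU and inner packet sizes are assumptions.

```python
# Added example (not from the thread): encapsulation overhead of L2TPv3 over IP
# (Ethernet pseudowire) vs IP-in-GRE, goodput under a 1 Gbps policer, and the
# outer packet rate. Sizes per RFC 3931 / RFC 2784; rate, MTU and packet sizes assumed.
from math import ceil

ETH_HEADER = 14      # inner Ethernet header carried inside the pseudowire
OUTER_IP = 20        # IPv4 delivery header without options
L2TPV3_SESSION = 4   # 32-bit Session ID (L2TPv3 directly over IP)
L2TPV3_L2SPEC = 4    # default L2-specific sublayer, present only with sequencing
GRE_HEADER = 4       # base GRE header, no checksum/key/sequence fields

def tunnel_overhead(kind, cookie=0, l2spec=False):
    """Bytes added around one inner IP packet by the chosen encapsulation."""
    if cookie not in (0, 4, 8):
        raise ValueError("L2TPv3 cookie must be 0, 4 or 8 bytes")
    if kind == "l2tpv3":   # Ethernet pseudowire: the inner L2 header travels too
        return (OUTER_IP + L2TPV3_SESSION + cookie
                + (L2TPV3_L2SPEC if l2spec else 0) + ETH_HEADER)
    if kind == "gre":      # IP-in-GRE: no inner Ethernet header
        return OUTER_IP + GRE_HEADER
    raise ValueError(f"unknown tunnel kind {kind!r}")

def encapsulated_size(inner_packet, overhead, path_mtu=1500):
    """(bytes on the wire, outer IP packets) for one inner packet; a packet over
    the path MTU is fragmented and each extra fragment repeats the outer IP header."""
    total = inner_packet + overhead
    if total <= path_mtu:
        return total, 1
    body = total - OUTER_IP
    per_fragment = (path_mtu - OUTER_IP) // 8 * 8   # offsets are 8-byte units
    fragments = ceil(body / per_fragment)
    return body + OUTER_IP * fragments, fragments

def goodput_bps(link_bps, inner_packet, overhead, path_mtu=1500):
    """Inner-packet bit rate that fits when the policer allows link_bps."""
    wire, _ = encapsulated_size(inner_packet, overhead, path_mtu)
    return link_bps * inner_packet / wire

def outer_pps(link_bps, inner_packet, overhead, path_mtu=1500):
    """Outer packets per second the encapsulating router emits at link_bps."""
    wire, fragments = encapsulated_size(inner_packet, overhead, path_mtu)
    return link_bps / 8 / wire * fragments

if __name__ == "__main__":
    for kind, size in (("l2tpv3", 64), ("l2tpv3", 1500), ("gre", 1500)):
        ovh = tunnel_overhead(kind)   # constructed sizes: smallest and largest inner packet
        print(f"{kind:6} {size:4}B goodput {goodput_bps(1e9, size, ovh)/1e6:6.1f} Mbps"
              f" outer pps {outer_pps(1e9, size, ovh):8.0f}")
```

Note that a 1500-byte inner packet no longer fits a 1500-byte path once encapsulated, so each one becomes two outer packets: the byte overhead stays small, but the packet rate the endpoints must handle roughly doubles.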
Can I use a GRE tunnel to solve my problem?
Please see the attached file for a topology of the relevant portions of this network.
All but three of the APs at Building B are plugged into Cisco 3650 switches that are also acting as the WLCs. This allows for local switching of WiFi client traffic. The WiFi clients are tagged with VLAN 20 and the PCs at Building B are tagged with VLAN 10. Inter-VLAN routing occurs at the 3560 in Building B. This is important so that iPads on the WiFi network are switched locally with the PCs in the classroom. I then turn on the mDNS feature on the 3650/WLC so that we can use our PCs as "Apple TVs" via a program called Air Server. This allows the teacher to project the iPad onto the PC, which is then projected to the SMART Board.
My problem is with the 3 classrooms whose APs plug into a 2960-PS. These APs are managed by the dedicated WLC-5760 located at Building A. This means that the teacher PC is using the 3560 in Building B as the default gateway while the wireless traffic is being handled by the 3750 in Building A. The last time I checked, the WLC 5700 series controllers did not have FlexConnect as a feature.
Here's my question: Is there any type of IP tunneling solution I could use to tunnel a particular client or VLAN so that it can be routed at Building A? I've only played with tunneling from an IPv4/IPv6 standpoint. Thank you for your time!
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
You're correct, you cannot extend L2 across L3 unless you use some kind of encapsulation technology, for example the already mentioned L2TPv3 or pseudowire over MPLS, etc.
However, what I have in mind for extending a VLAN means converting a routed p2p link to an L2 trunk link (I'm assuming the equipment, e.g. L3 switches, can support this). Across the trunk, you can extend your VLAN(s). For the routers, you can dedicate a new VLAN, across just the trunk, that takes the place of the former p2p link, i.e. so you can do both L2 and L3 across the same physical link.
[edit]
I didn't see Jon's post until after I posted above, but he's explaining, in more detail, what I had in mind.