Per-Tunnel QoS on a DMVPN Tunnel Not Working.

Hello, I am trying to get per-Tunnel QoS working on one of my Hub tunnels, and believe I have the configuration correct, but when I do "show ip nhrp group-map" I get NONE. I am running an MPLS-VPN network and this router has multiple DMVPN tunnels with different VRFs. I am not running QoS on the other tunnels.
router#show ip nhrp group-map
Interface: Tunnel1
NHRP group: testgroup
  QoS policy: test-QoS
  Tunnels using the QoS policy: None
Here is my config:
interface Tunnel1
ip vrf forwarding test
ip address 172.16.1.1 255.255.255.240
no ip redirects
ip mtu 1376
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp map group testgroup service-policy output TEST-QoS
ip nhrp network-id #####
ip tcp adjust-mss 1200
load-interval 30
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key #####
tunnel vrf test_internet
tunnel protection ipsec profile IPSECPROFILE shared
Router Version
(C7200-ADVENTERPRISEK9-M), Version 15.0(1)M3
I understand that I could do qos pre-classify in the tunnel and then do a service policy on the physical interface, but the question I have is why does it say " Tunnels using the QoS policy: None " when I configured a qos policy on the tunnel interface? Is this a bug?
Thank you for your help!

Ray,
There could be multiple reasons for it not to function; the config on the hub seems just fine. We'd need to inspect the spokes and check (most likely in debugs) whether the correct group is being sent from the spoke.
Also coexistence of other service-policies, etc.
The feature is quite simple (some level of simplification): the spoke says it is in group X when registering, and the hub assigns this NHRP mapping a service-policy.
M.

Similar Messages

  • DMVPN per tunnel QOS. show policy-map multipoint not working

    Hi All,
    I have a DMVPN hub which is an 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin.
    I have been using DMVPN and it's awesome, but now I'm trying to get the QoS sorted out and having issues.
    I have configured the interface like so.
    interface Tunnel1
    ip address 10.255.255.1 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip nhrp authentication xxx
    ip nhrp map multicast dynamic
    ip nhrp map group ADSL1 service-policy output ADSL1
    ip nhrp network-id 1
    ip nhrp redirect
    ip tcp adjust-mss 1360
    no ip split-horizon
    ip ospf 1 area 0
    tunnel source Loopback0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel path-mtu-discovery
    tunnel protection ipsec profile VPN
    end
    policy-map ADSL1
    class class-default
      shape average 1000000
      service-policy Classes
    policy-map Classes
    class Silver
      bandwidth percent 25
      fair-queue
    class Gold
      bandwidth percent 50
      fair-queue
    class Scavanger
      bandwidth percent 5
    class class-default
      fair-queue
    The output of show dmvpn detail shows it has applied the QOS rule.
    NG-SR-WE-RT-2#show dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
       Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
       Protocol/Transport: "multi-GRE/IP", Protect "VPN"
       Interface State Control: Disabled
    Type:Hub, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
        1  x.x.x.x    10.255.255.2    UP    1d18h    D    10.255.255.2/32
    NHRP group: ADSL1
    Output QoS service-policy applied: ADSL1
    but my router cannot run show policy-map multipoint... it doesn't come up with a tab, but I can write it in by hand. Even when I write it in by hand it outputs blank.
    I cut the ADSL1 shape down to 512k and it didn't take effect, so I don't think the QoS is working at all.
    Is my feature set too low?
    Cheers,
    Simon

  • I need help installing Lightroom 5.  I tried the trial and it does not have an uninstall feature.  Thus, I'm trying to activate with my new $9.99 per month subscription and it simply will not work. Very frustrating you already took my money and no results

    I need help installing Lightroom 5.  I tried the trial and it does not have an uninstall feature.  Thus, I'm trying to activate with my new $9.99 per month subscription and it simply will not work. Very frustrating you already took my money and no results, and very difficult to get help.

    Lightroom Trial uninstall wrote:
    Very frustrating you already took my money and no results, and very difficult to get help.
    Just for clarity, "we" haven't taken your money - this is a user-to-user forum, and you're not talking to Adobe.
    Like Rob I'm a Windows user, and - like him - I thought "uninstalling" on Macs was simply a case of trashing the application. Google would seem to concur.
    Not really a Lightroom/Adobe issue, then?

  • I've tried to fix as per your FAQ instructions, but Zeon does not work, how can I make ADOBE my default to bypass ZEON?

    I can not open many things b/c Zeon Plus doesn't work. It is not shown when I open/check current plug-ins - it's listed as unknown. I would prefer to have Adobe, as it doesn't crash all the time. How can I change this?

    First, try a system reset.  It cures many ills and it's quick, easy and harmless...
    Hold down the on/off switch and the Home button simultaneously until the screen blacks out or you see the Apple logo.  Ignore the "Slide to power off" text if it appears.  You will not lose any apps, data, music, movies, settings, etc.
    If the Reset doesn't work, try a Restore.  Note that it's nowhere near as quick as a Reset.  Connect via cable to the computer that you use for sync.  From iTunes, select the iPad/iPod and then select the Summary tab.  Follow directions for Restore and be sure to say "yes" to the backup.  You will be warned that all data (apps, music, movies, etc.) will be erased but, as the Restore finishes, you will be asked if you wish the contents of the backup to be copied to the iPad/iPod.  Again, say "yes."
    At the end of the basic Restore, you will be asked if you wish to sync the iPad/iPod.  As before, say "yes."  Note that that sync selection will disappear and the Restore will end if you do not respond within a reasonable time.  If that happens, only the apps that are part of the IOS will appear on your device.  Corrective action is simple -  choose manual "Sync" from the bottom right of iTunes.
    If you're unable to do the Restore, go into Recovery Mode per the instructions here.

  • QoS Police on 3945 router not working

    I am trying to police backup traffic between data centers on a 3945 router.  I want to limit the amount of traffic to 40 Mbps.  I have created a policy and applied on input to the Ethernet WAN facing interface of the router.
    Configuration looks like this:
    class-map match-any commvault
     match access-group name commvault
    policy-map police
     class commvault
      police rate 40000000  burst 20000
       conform-action set-dscp-transmit af13
       exceed-action drop
       violate-action drop
    interface GigabitEthernet0/1
    service-policy input police
    Show policy map interface below.  The problem is that all packets are being marked as conforming even though the byte rate is well above 40 Mbps.  I'm not sure if this is a configuration issue or a bug or something that just isn't supported on this router. 
    GigabitEthernet0/1
      Service-policy input: police
        Class-map: commvault (match-any)
          2807844 packets, 225300484 bytes
          30 second offered rate 1162000 bps, drop rate 0000 bps
          Match: access-group name commvault
            2807844 packets, 225300484 bytes
            30 second rate 1162000 bps
          police:
              rate 40000000 bps, burst 20000 bytes, peak-burst 20000 bytes
            conformed 2807844 packets, 225300484 bytes; actions:
              set-dscp-transmit af13
            exceeded 0 packets, 0 bytes; actions:
              drop
            violated 0 packets, 0 bytes; actions:
              drop
            conformed 1162000 bps, exceeded 0000 bps, violated 0000 bps
        Class-map: class-default (match-any)
          8824278 packets, 1864242262 bytes
          30 second offered rate 14071000 bps, drop rate 0000 bps
          Match: any

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Where do you see the byte rate (for this class) exceed 40 Mbps?  You have a snapshot stat of that?
    You're policing WAN ingress?

  • Per Tunnel QoS: NHRP-3-QOS_POLICY_APPLY_FAILED

    Hello,
    another day another problem :-)
    Since I got the DMVPN network up and running a few months ago, the customer wishes to implement voice-over-IP, therefore I tried to configure Per-Tunnel QoS in the DMVPN network.
    The policy map on the hub site is as follows:
    class-map match-all BULK-DATA
    match ip dscp af11  af12
    class-map match-all INTERACTIVE-VIDEO
    match ip dscp af41  af42
    class-map match-all VOICE
    match ip dscp ef
    class-map match-all SCAVENGER
    match ip dscp cs1
    class-map match-any INTERNETWORK-CONTROL
    match ip dscp cs6
    match access-group name IKE
    class-map match-any CALL-SIGNALING
    match ip dscp cs3
    match ip dscp af31
    class-map match-all TRANSACTIONAL-DATA
    match ip dscp af21  af22
    policy-map voice
    class VOICE
        priority percent 18
    class INTERACTIVE-VIDEO
        priority percent 15
    class CALL-SIGNALING
        bandwidth percent 5
    class INTERNETWORK-CONTROL
        bandwidth percent 5
    class TRANSACTIONAL-DATA
        bandwidth percent 27
        queue-limit 18 packets
    class BULK-DATA
        bandwidth percent 4
        queue-limit 3 packets
    class SCAVENGER
        bandwidth percent 1
        queue-limit 1 packets
    class class-default
        bandwidth percent 25
        queue-limit 16 packets
    The hub and the spokes are configured with the proper NHRP group, but when checking the QoS state, the spokes appear to be in the right NHRP group but the QoS service policy is not applied.
    Hub#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel1 is up/up, Addr. is 192.168.205.1, VRF ""
       Tunnel Src./Dest. addr: 2.2.2.1/MGRE, Tunnel VRF ""
       Protocol/Transport: "multi-GRE/IP", Protect "Schmidt-Group"
       Interface State Control: Disabled
    Type:Hub, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1        1.1.1.1   192.168.205.2    UP 00:40:52    D   192.168.205.2/32
    NHRP group: voice
    Output QoS service-policy applied: none
    Crypto Session Details:
    --------------------------------------------------------------------------------
    Interface: Tunnel1
    Session: [0x8693F664]
      IKE SA: local 2.2.2.1/500 remote 1.1.1.1/500 Active
              Capabilities:D connid:2001 lifetime:23:19:07
      Crypto Session Status: UP-ACTIVE  fvrf: (none), Phase1_id: 1.1.1.1
      IPSEC FLOW: permit 47 host 2.2.2.1 host 1.1.1.1
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 574 drop 0 life (KB/Sec) 4487723/1147
            Outbound: #pkts enc'ed 560 drop 0 life (KB/Sec) 4487725/1147
        Outbound SPI : 0xABF33617, transform : esp-256-aes esp-sha-hmac
        Socket State: Open
    Pending DMVPN Sessions:
    A debugging on QoS events results with the message:
    Oct 18 08:20:51.883: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS  policy voice mapped to NHRP
    group voice on interface Tunnel1, to tunnel 1.1.1.1  due to policy installation failure
    I'm grateful for any suggestions or hints!
    Kind regards
    Thomas

    I have the same problem. I found this info; it might be related to your problem. For me, I only have one spoke on my QoS/DMVPN hub tunnel. However, I am running MPLS-VPN with multiple hub tunnels connecting to multiple spokes, so the policy could see all spokes connected to my router, not just the hub tunnel.
    https://cisco-images.test.edgekey.net/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes_book_pdf.pdf
    CSCts62082
    Symptoms: Router generates the following message:
    %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy 10M-shape mapped
    to NHRP group xx on interface Tunnelxx, to tunnel x.x.x.x due to policy
    installation failure
    Conditions: This symptom is observed when "per-tunnel" QoS is applied and there are more than
    nine DMVPN spokes. (Up to eight spokes, with QoS applied is fine.)
    Workaround: There is no workaround.
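    The two show dmvpn detail outputs quoted in this list (Simon's and Thomas's) and the %NHRP-3-QOS_POLICY_APPLY_FAILED message share the same per-peer fields. As an added example, not code from any poster or from Cisco, the Python below parses that layout, flags peers whose NHRP group was learned but whose output policy reads none, counts group-registered spokes per interface against the eight-spoke figure quoted from CSCts62082, and pulls policy/group/interface/peer out of the syslog line; the sample output and all addresses in it are constructed.

```python
"""Per-tunnel QoS health check over Cisco 'show dmvpn detail' and syslog text.

Added example for this thread, not code from the original posts: it parses the
'show dmvpn detail' layout quoted above and the NHRP-3-QOS_POLICY_APPLY_FAILED
message, and applies the eight-spoke limit quoted from CSCts62082.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Release note quoted in the thread: up to eight spokes with QoS applied is fine.
QOS_SPOKE_LIMIT = 8

IFACE_RE = re.compile(r"^Interface (\S+) is \S+, Addr\.")
# Peer row under "# Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm  Attrb  Target"
PEER_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(UP|DOWN|NHRP|IKE|IPSEC)\s+\S+\s+\S+\s+\S+")
GROUP_RE = re.compile(r"^NHRP group: (\S+)")
POLICY_RE = re.compile(r"^Output QoS service-policy applied: (\S+)")
# Syslog message as quoted above; whitespace is normalised before matching.
FAILED_RE = re.compile(
    r"QOS_POLICY_APPLY_FAILED: Failed to apply QoS\s+policy (\S+) mapped to\s+"
    r"NHRP group (\S+) on interface (\S+), to tunnel (\S+)\s+due to"
)

@dataclass
class Peer:
    interface: str
    nbma: str
    tunnel_addr: str
    state: str
    group: Optional[str] = None       # NHRP group the spoke registered with
    policy: Optional[str] = None      # output service-policy the hub applied, if any

def parse_dmvpn_detail(text: str) -> list[Peer]:
    """One Peer per NBMA peer row, with the group/policy lines that follow it."""
    peers: list[Peer] = []
    iface: Optional[str] = None
    current: Optional[Peer] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface, current = m.group(1), None
        elif (m := PEER_RE.match(raw)) and iface:
            current = Peer(iface, m.group(1), m.group(2), m.group(3))
            peers.append(current)
        elif (m := GROUP_RE.match(line)) and current:
            current.group = m.group(1)
        elif (m := POLICY_RE.match(line)) and current:
            current.policy = None if m.group(1).lower() == "none" else m.group(1)
    return peers

def parse_apply_failures(syslog: str) -> list[tuple[str, str, str, str]]:
    """(policy, group, interface, peer) for each QOS_POLICY_APPLY_FAILED message."""
    return [m.groups() for m in FAILED_RE.finditer(" ".join(syslog.split()))]

def check_qos(peers: list[Peer]) -> list[str]:
    """Findings: group learned but no policy applied; interfaces over the spoke limit."""
    findings: list[str] = []
    registered: dict[str, int] = {}
    for p in peers:
        if p.group and p.policy is None:
            findings.append(f"{p.interface} peer {p.nbma}: NHRP group '{p.group}' "
                            "learned but no output QoS policy applied")
        if p.group:
            registered[p.interface] = registered.get(p.interface, 0) + 1
    for iface, n in sorted(registered.items()):
        if n > QOS_SPOKE_LIMIT:
            findings.append(f"{iface}: {n} spokes registered with an NHRP group, above "
                            f"the {QOS_SPOKE_LIMIT}-spoke limit noted in CSCts62082")
    return findings

# Constructed sample modelled on the outputs quoted in the thread; addresses are made up.
SAMPLE_SHOW = """\
Interface Tunnel1 is up/up, Addr. is 192.168.205.1, VRF ""
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    1        1.1.1.1   192.168.205.2    UP 00:40:52    D   192.168.205.2/32
NHRP group: voice
Output QoS service-policy applied: none
    1        1.1.1.2   192.168.205.3    UP 00:12:09    D   192.168.205.3/32
NHRP group: voice
Output QoS service-policy applied: voice
Interface Tunnel2 is up/up, Addr. is 10.255.255.1, VRF ""
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    1  203.0.113.7    10.255.255.2    UP    1d18h    D    10.255.255.2/32
NHRP group: ADSL1
Output QoS service-policy applied: ADSL1
"""
# Constructed syslog text in the format quoted above, wrapped as the poster pasted it.
SAMPLE_SYSLOG = ("Oct 18 08:20:51.883: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply "
                 "QoS  policy voice mapped to NHRP\ngroup voice on interface Tunnel1, "
                 "to tunnel 1.1.1.1  due to policy installation failure")

if __name__ == "__main__":
    print(*check_qos(parse_dmvpn_detail(SAMPLE_SHOW)), sep="\n")
    print(*parse_apply_failures(SAMPLE_SYSLOG), sep="\n")
```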

  • Per session QoS for LNS

    We have some LNSs running 12.4 SP Services, running with the following config (qos specific lines and currently not working):
    class-map match-all voice-signaling
    match access-group 101
    class-map match-all voice-traffic
    match access-group 102
    policy-map sub-policy
    class voice-traffic
    priority 240
    class voice-signaling
    bandwidth 16
    policy-map XXX_qos-voice
    class class-default
    shape average 256000
    fair-queue
    service-policy sub-policy
    interface Virtual-Template1
    ip unnumbered Loopback0
    ip mroute-cache
    no peer default ip address
    ppp authentication chap
    no clns route-cache
    access-list 101 remark -- SCCP/H323/MGCP/SIP --
    access-list 101 permit tcp any any range 2000 2002
    access-list 101 permit tcp any any eq 1720
    access-list 101 permit tcp any any range 11000 11999
    access-list 101 permit udp any any eq 2427
    access-list 101 permit udp any any eq 4569
    access-list 101 permit udp any any eq 5036
    access-list 101 permit udp any any eq 5060
    access-list 102 remark -- RTP Traffic --
    access-list 102 permit udp any any range 16384 32767
    In the feature set for the IOS currently running it suggests this configuration should work; however, it will not apply the policy via the Cisco-AVPair command (the command is visible via the debug AAA per-user, so RADIUS is working). Even when we test it by applying the service-policy to the actual virtual-template it errors, saying it will only work on an MPL bundle. From what I have read it is suggested that even though this feature is supposed to work, it does not in practice, and an upgrade to a feature set which includes QoS per-session shaping and queueing on LNS is needed.
    If anyone has any experience of this, or any suggestion on whether we can achieve our QoS for voice per session with the current IOS, that would be great.

    This feature is not related to the NPE type. This feature is performance impacting so you should do some tests to see if your NPE-400 can support the number of L2TP tunnels you want with this feature enabled. If it's not the case, you will have to upgrade your NPE.
    HTH
    Laurent.

  • DMVPN Design: Multi-Hub, Router Per-Tunnel QoS

    Some DMVPN questions:
    1) A site I've worked with has about 7 hubs and 5 spokes. This looks at best a bit odd to me. The Cisco design docs all have at most 2 hub sites. Is more than 2 DMVPN hub sites a good idea / bad idea? Pros / cons / drawbacks? I've googled this topic heavily, found little.
    2) If two sites are DMVPN hub sites that have NHRP map statements for  each other, can they both be doing the Per-Tunnel QoS feature to get some QoS shaping towards each other?
    3) What is recommended for DMVPN QoS in general? And for a spoke site where the hub site is doing the Per-Tunnel QoS? Just put some QoS on the physical link?

  • IPSEC Tunnel Protection and per-tunnel QOS shaping doesn't do any shaping.

    I am having a small brain implosion as to why this will not work.
    I have tried the QOS policy on the tunnel interfaces and on the ATM interface. No shaping occurs. The interfaces transmit at their leisure.
    Please can someone having a better day than me tell me what I am doing wrong?
    Below is the relevant (and standard) config, without the service-policy command applied anywhere. Any help appreciated.
    class-map match-any APPSERVERS
     match access-group name TERMINALSERVERS
    class-map match-any VOICE
     match protocol sip
     match protocol rtp
     match  dscp ef
    policy-map QOSPOLICY
     class VOICE
        priority 100
     class APPSERVERS
        bandwidth percent 33
     class class-default
        fair-queue 16
    policy-map TUNNEL
     class class-default
        shape average 350000
      service-policy QOSPOLICY
    interface Tunnel0
     bandwidth 350
     ip address 172.20.58.2 255.255.255.0
     ip mtu 1420
     load-interval 30
     qos pre-classify
     tunnel source Dialer0
     tunnel destination X.X.X.X
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile IPSECPROFILE
    interface Tunnel1
     bandwidth 350
     ip address 172.21.58.2 255.255.255.0
     ip mtu 1420
     load-interval 30
     delay 58000
     qos pre-classify
     tunnel source Dialer0
     tunnel destination Y.Y.Y.Y
     tunnel mode ipsec ipv4
     tunnel path-mtu-discovery
     tunnel protection ipsec profile IPSECPROFILE
    interface ATM0/0/0
     no ip address
     load-interval 30
     no atm ilmi-keepalive
    interface ATM0/0/0.1 point-to-point
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface Dialer0
     bandwidth 400
     ip address negotiated
    Thanks,
    Paul

    Hi mate,
    This is an 1841 with 12.4 (20) but I've tried it on 15.1 on a 1941 also. I get some measure of traffic reduction but I cannot fathom what it is actually doing.
    In the lab with the 1841 and a flat shaper I get this:
    policy-map SHAPE
     class class-default
        shape average 600000
    interface Tunnel0
     bandwidth 700
     service-policy output SHAPE
    R1#sh policy-map int
     Tunnel0
      Service-policy output: SHAPE
        Class-map: class-default (match-any)
          18664 packets, 26423115 bytes
          30 second offered rate 452000 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 45/0/0
          (pkts output/bytes output) 18659/27808530
          shape (average) cir 600000, bc 2400, be 2400
          target shape rate 600000
    R1#sh policy-map int
     Tunnel0
      Service-policy output: SHAPE
        Class-map: class-default (match-any)
          19044 packets, 26964413 bytes
          30 second offered rate 451000 bps, drop rate 0 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 45/0/0
          (pkts output/bytes output) 19039/28378426
          shape (average) cir 600000, bc 2400, be 2400
          target shape rate 600000
    It just holds the data rate around 450 kbps. ??
    Here are the types of results I get when the HQoS is applied to the Tunnel interface in the lab:
    policy-map QOS
     class IP2
        drop
     class IP3
        priority 300
     class class-default
    policy-map TUNNEL
     class class-default
        shape average 600000
      service-policy QOS
    interface Tunnel0
     bandwidth 700
     service-policy output TUNNEL
    R1#sh policy-map int
     Tunnel0
      Service-policy output: TUNNEL
        Class-map: class-default (match-any)
          14843 packets, 20884436 bytes
          30 second offered rate 362000 bps, drop rate 75000 bps
          Match: any
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/3942/0
          (pkts output/bytes output) 14009/15858326
          shape (average) cir 600000, bc 2400, be 2400
          target shape rate 600000
          Service-policy : QOS
            queue stats for all priority classes:
              Queueing
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/3942/0
              (pkts output/bytes output) 6464/9540288
            Class-map: IP2 (match-all)
              385 packets, 533940 bytes
              30 second offered rate 28000 bps, drop rate 28000 bps
              Match: access-group 102
              drop
            Class-map: IP3 (match-all)
              10411 packets, 14628188 bytes
              30 second offered rate 191000 bps, drop rate 75000 bps
              Match: access-group 103
              Priority: 300 kbps, burst bytes 7500, b/w exceed drops: 3942
            Class-map: class-default (match-any)
              4047 packets, 5722308 bytes
              30 second offered rate 143000 bps, drop rate 0 bps
              Match: any
              queue limit 64 packets
              (queue depth/total drops/no-buffer drops) 0/0/0
              (pkts output/bytes output) 7545/6318038
    This is after 10 minutes of running transfers to all endpoints to utilise the classes in the policy.
    So why don't we see shaping that moves towards the configured values?
    Thanks.

  • DMVPN Per Spoke QOS ServicePolicy Limit

    I want to implement per-spoke QOS using isakmp profiles and service policy.
    My problem is that I have more than 64 tunnels and I understand that service policy configurations are limited to one level of nesting and only 64 classifications.
    Does anyone have experience of per spoke QOS greater than 64 flows?

    Only if you show me yours for > 64 flows
    LOL

  • VPN Split-Tunneling not working

    Hello,
    First off - thanks to all who post here.  I often browse the forums and search for help on here and it's very useful, so a great pat on the back for everyone who contributes.  My first time posting so here goes.....
    I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working.  Client can connect and access the remote systems through VPN.  What is causing me a massive headache is that the client loses internet connectivity.  I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
    Notes
    1.  The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
    2.  The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
    CONFIGURATION:
    ASA Version 8.2(5)
    hostname MYHOST
    enable password mUUvr2NINofYuSh2 encrypted
    passwd UNDrnIuGV0tAPtz2 encrypted
    names
    name x.x.x.x AIME-SD
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.101.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.0.0
    interface Vlan7
    no forward interface Vlan1
    nameif DMZ
    security-level 20
    ip address 137.57.183.1 255.255.255.0
    ftp mode passive
    clock timezone MST -7
    object-group network obj_any_dmz
    access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
    access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
    access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 access-list nonat
    nat (DMZ) 10 137.57.183.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable 64000
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map batus 100 match address 10
    crypto map batus 100 set peer AIME-SD
    crypto map batus 100 set transform-set batus
    crypto map batus interface outside
    crypto ca trustpoint ASDM_TrustPoint1
    enrollment self
    subject-name CN=MYHOST
    keypair ClientX_cert
    crl configure
    crypto ca certificate chain ASDM_TrustPoint1
    certificate 0f817951
      quit
    crypto isakmp enable outside
    crypto isakmp policy 40
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 DMZ
    ssh timeout 10
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    ssl trust-point ASDM_TrustPoint1 outside
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc enable
    group-policy ClientX_access internal
    group-policy ClientX_access attributes
    vpn-tunnel-protocol svc
    split-tunnel-network-list value split-tunneling
    default-domain value access.local
    address-pools value Internal_Range
    ipv6-address-pools none
    webvpn
      svc mtu 1406
      svc rekey time none
      svc rekey method ssl
    username ClientX password ykAxQ227nzontdIh encrypted privilege 15
    username ClientX attributes
    vpn-group-policy ClientX_access
    service-type admin
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *****
    tunnel-group ClientX type remote-access
    tunnel-group ClientX general-attributes
    address-pool Internal_Range
    default-group-policy ClientX_access
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    default-group-policy ClientX_access
    tunnel-group ClientX_access type remote-access
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
    : end
    Thank you for any help!!

    Karsten!
    That fixed my internet access problem.  Yippee!
    Unfortunately it seems to have broken my access to the internal network.  Boo!
    I can no longer access/ping anything on the internal IP range (192.168.101.x). 
    I assume this is a nat issue somewhere along the line.  Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine).  Thank you both for your very prompt replies!!!
    Short Config
    object-group network obj_any_dmz
    access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
    access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
    access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 access-list nonat
    nat (DMZ) 10 137.57.183.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
    route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    Show vpn-sessiondb svc
    Session Type: SVC
    Username     : ClientX                 Index        : 9
    Assigned IP  : 192.168.101.125        Public IP    : x.x.x.x
    Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
    License      : SSL VPN
    Encryption   : RC4 AES128             Hashing      : MD5 SHA1
    Bytes Tx     : 11662                  Bytes Rx     : 62930
    Group Policy : ClientX_access          Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 22:40:56 MST Mon Jul 1 2013
    Duration     : 0h:11m:08s
    Inactivity   : 0h:00m:00s
    NAC Result   : Unknown
    VLAN Mapping : N/A                    VLAN         : none

  • All the traffic goes through the IPsec tunnel (site to site), but something seems not to be working correctly

    Hi, all,
      I have seen a good post on google.com about how to send all the clients' traffic through the IPsec tunnel and then out to the Internet from the Main site. I attach this configuration and application for discussion. The problem is that I am still confused by the configuration on the Main site; I hope someone can tell me more details and how to accomplish it. Any answer will be appreciated, thank you!
    Quote :
    Question ? :
    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." What does this mean, and
    how do I do it? Could anybody give me the specific configuration? Thanks a lot.

    Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router, with no firewall enabled:
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    crypto dynamic-map IPsecdyn 100
    set transform-set IPsectrans
    match address 102
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    interface Loopback1
    ip address 10.10.200.1 255.255.255.0
    interface FastEthernet0/0
    ip address 113.113.1.1 255.255.255.128
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map IPsecmap
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255
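    The accepted answer quoted above (widen the Outbound NAT rule so the remote subnet is translated on the hub's WAN side) is easier to follow as an explicit decision: a packet leaving the WAN is either headed into the tunnel (matched by the phase-2 selector, so it must keep its original source) or headed to the Internet (so it must match a NAT rule, or it leaves with a private source that the ISP discards). The block below is an added illustration written for this thread, not code from the original post, pfSense or Cisco; it models that first-match decision with addresses taken from the IOS config posted above (hub LAN 192.168.1.0/24, public 113.113.1.1, Austin 10.20.2.0/24) and constructed sample flows. It deliberately leaves out one IOS-specific detail: classic `ip nat inside`/`ip nat outside` translation only applies to traffic crossing from an inside to an outside interface, and decrypted crypto-map traffic enters on the outside interface, which is why the pfSense-style fix does not carry over to the posted router config one-to-one.

```python
# Added example: simplified model of the outbound-NAT decision for hub-routed
# spoke traffic. Rule lists, flows and addresses are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "113.113.1.1"       # hub public address (from the posted IOS config)
LAN_NET = "192.168.1.0/24"   # hub LAN (Dallas side)
REMOTE_NET = "10.20.2.0/24"  # Austin LAN reached through the tunnel

# Phase-2 selector on the hub: Local 0.0.0.0/0 <-> Remote 10.20.2.0/24
VPN_REMOTE_NETS = [ip_network(REMOTE_NET)]


@dataclass(frozen=True)
class NatRule:
    source: str         # CIDR; traffic from here leaving the WAN is translated
    translate_to: str   # address the upstream ISP will see


def vpn_bound(dst):
    """Destinations covered by the IPsec selector are encrypted untouched."""
    return any(dst in net for net in VPN_REMOTE_NETS)


def outbound_nat(rules, src, dst):
    """First-match evaluation of outbound NAT rules for a packet leaving the WAN.

    Returns the source address seen after the router has finished with the packet.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if vpn_bound(dst_ip):
        return src  # goes into the tunnel with its original source
    for rule in rules:
        if src_ip in ip_network(rule.source):
            return rule.translate_to
    return src  # no rule matched: leaves with a private source address


def upstream_accepts(src_seen):
    """ISPs drop packets with RFC 1918 sources (BCP 38 ingress filtering)."""
    return ip_address(src_seen).is_global


# "Default rule": only the hub's own LAN is translated (the broken state).
DEFAULT_RULES = [NatRule(LAN_NET, WAN_IP)]
# "Copy of the default rule with the Source changed", as the answer describes.
FIXED_RULES = DEFAULT_RULES + [NatRule(REMOTE_NET, WAN_IP)]

# Constructed sample flows leaving the hub.
FLOWS = [
    ("192.168.1.10", "8.8.8.8"),    # hub LAN host to the Internet
    ("10.20.2.5", "8.8.8.8"),       # Austin host to the Internet via the hub
    ("192.168.1.10", "10.20.2.5"),  # hub LAN host to Austin: must stay untranslated
]


def simulate(rules):
    """Map each flow to (source seen on the wire, delivered?)."""
    results = {}
    for src, dst in FLOWS:
        seen = outbound_nat(rules, src, dst)
        delivered = vpn_bound(ip_address(dst)) or upstream_accepts(seen)
        results[(src, dst)] = (seen, delivered)
    return results


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("fixed", FIXED_RULES)):
        print(f"--- {label} rules ---")
        for (src, dst), (seen, ok) in simulate(rules).items():
            print(f"{src:>14} -> {dst:<10} seen as {seen:<14} delivered={ok}")
```

With the default rule only, the Austin flow to 8.8.8.8 leaves the hub unchanged as 10.20.2.5 and is dropped upstream; with the added rule it is translated to 113.113.1.1, while hub-LAN traffic to Austin still enters the tunnel with its real source.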

  • Is it possible to have 2 DMVPN tunnels on a spoke router having 2 ISPs to the same hub?

    I have a router R1 acting as a hub for DMVPN. I have a spoke router R2 which has 2 ISPs. Can I establish a DMVPN tunnel via each ISPs to R1 from R2?

    the other posters are correct, all you need is OS X Lion. i have tried it out and it works.
    the bottom line and most important thing to remember about multiple users using the same mac is:
    each user needs their own separate account. for example, if bob is on the screen, and tim logs on using vnc,
    then tim gets his own desktop and keyboard and mouse. but if bob is on the screen and bob logs on using vnc,
    then they share the same desktop.
    so if you want say 2 or 5 users or whatever the limit is (and i don't know), you are going to need 2 or 5 or whatever
    separate users.
    on the host mac you go into system preferences, sharing, screen sharing, and turn it on,
    and on the remote mac you run finder, click on connect to server and type vnc:// and the address of the computer,
    like vnc://192.168.1.4, and it should work great over the local network.
    there's no other hardware or software you need, you just need to be running OS X Lion.
    there are also vnc clients available you can download that might be better than the vnc client in finder.

  • Does LMS 4.2.1. display DMVPN tunnels at topology service?

    Hi,
    Can you ask the question in the header please?
    Thanks,
    Oleg

    Not generally.
    I haven't tried it; but if your DMVPN tunnel is running with GRE mode (vs the more common IPsec) you may be able to enable CDP on the tunnel interface at both ends (must be explicitly enabled - even if CDP is globally enabled) and discover the neighbor relationship that way.

  • Microsoft Teredo tunneling adapter #2 is not working

    Hi, I'm having problems with "Microsoft Teredo Tunneling Adapter #2". I've tried to fix it, but it keeps on saying that it's not working. When I set the tcpip6/parameters value to 0 it only fixed the Teredo Tunneling Adapter, but the Teredo Tunneling
    Adapter #2 is still not working. Any ideas?

    Sten
    This is a known problem if ZoneAlarm is installed.  If you have it installed, remove it, at least to check.
    To turn off the Teredo tunneling interface 6to4, open an elevated command prompt and type
    netsh interface teredo set state disabled
    To Re-install it
    Click on Start.
    Type Device Manager in search box and open it.
    Click the Action tab at the top and click add legacy hardware
    then click next and next again it will then scan and find nothing click next on the screen after that.
    Wait a minute and you will see a list of hardware appear, scroll down and choose network adapters then click next, then from the left column choose Microsoft then in the right hand column scroll down and choose Microsoft Teredo Tunneling Adapter, then click
    next and this will install it.
    To check just make sure it is set to show hidden devices, right click on device manager on the right and click view then show hidden devices.
    Wanikiya and Dyami--Team Zigzag
