Per-Tunnel QoS on a DMVPN Tunnel Not Working.
Hello, I am trying to get per-tunnel QoS working on one of my hub tunnels, and believe I have the configuration correct, but when I do "show ip nhrp group-map" I get NONE. I am running an MPLS-VPN network and this router has multiple DMVPN tunnels with different VRFs. I am not running QoS on the other tunnels.
router#show ip nhrp group-map
Interface: Tunnel1
NHRP group: testgroup
QoS policy: test-QoS
Tunnels using the QoS policy: None
Here is my config:
interface Tunnel1
ip vrf forwarding test
ip address 172.16.1.1 255.255.255.240
no ip redirects
ip mtu 1376
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp map group testgroup service-policy output TEST-QoS
ip nhrp network-id #####
ip tcp adjust-mss 1200
load-interval 30
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key #####
tunnel vrf test_internet
tunnel protection ipsec profile IPSECPROFILE shared
Router Version
(C7200-ADVENTERPRISEK9-M), Version 15.0(1)M3
I understand that I could do qos pre-classify in the tunnel and then do a service policy on the physical interface, but the question I have is why does it say "Tunnels using the QoS policy: None" when I configured a QoS policy on the tunnel interface? Is this a bug?
Thank you for your help!
Ray,
There could be multiple reasons for it not to function; the config on the hub seems just fine. We'd need to inspect the spokes and check (most likely) in debugs if the correct group is being sent from the spoke.
Also coexistence of other service-policy etc.
The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
M.
Similar Messages
-
DMVPN per tunnel QOS. show policy-map multipoint not working
Hi All,
I have a DMVPN hub which is a 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin.
I have been using DMVPN and it's awesome, but now I am trying to get the QoS sorted out and having issues.
I have configured the interface like so.
interface Tunnel1
ip address 10.255.255.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication xxx
ip nhrp map multicast dynamic
ip nhrp map group ADSL1 service-policy output ADSL1
ip nhrp network-id 1
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon
ip ospf 1 area 0
tunnel source Loopback0
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile VPN
end
policy-map ADSL1
class class-default
shape average 1000000
service-policy Classes
policy-map Classes
class Silver
bandwidth percent 25
fair-queue
class Gold
bandwidth percent 50
fair-queue
class Scavanger
bandwidth percent 5
class class-default
fair-queue
The output of show dmvpn detail shows it has applied the QOS rule.
NG-SR-WE-RT-2#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "VPN"
Interface State Control: Disabled
Type:Hub, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
1 x.x.x.x 10.255.255.2 UP 1d18h D 10.255.255.2/32
NHRP group: ADSL1
Output QoS service-policy applied: ADSL1
but my router cannot run show policy-map multipoint... it doesn't come up with a tab but I can write it in by hand. Even when I write it in by hand it outputs blank.
I cut the ADSL1 shape down to 512k and it didn't take effect so I don't think the QoS is working at all.
Is my feature set too low?
Cheers,
Simon -
I need help installing Lightroom 5. I tried the trial and it does not have an uninstall feature. Thus, I'm trying to activate with my new $9.99 per month subscription and it simply will not work. Very frustrating you already took my money and no results, and very difficult to get help.
Lightroom Trial uninstall wrote:
Very frustrating you already took my money and no results, and very difficult to get help.
Just for clarity, "we" haven't taken your money - this is a user-to-user forum, and you're not talking to Adobe.
Like Rob I'm a Windows user, and - like him - I thought "uninstalling" on Macs was simply a case of trashing the application. Google would seem to concur.
Not really a Lightroom/Adobe issue, then? -
I can not open many things b/c Zeon Plus doesn't work. It is not shown when I open/check current plug-ins - it's listed as unknown. I would prefer to have Adobe, as it doesn't crash all the time. How can I change this?
First, try a system reset. It cures many ills and it's quick, easy and harmless...
Hold down the on/off switch and the Home button simultaneously until the screen blacks out or you see the Apple logo. Ignore the "Slide to power off" text if it appears. You will not lose any apps, data, music, movies, settings, etc.
If the Reset doesn't work, try a Restore. Note that it's nowhere near as quick as a Reset. Connect via cable to the computer that you use for sync. From iTunes, select the iPad/iPod and then select the Summary tab. Follow directions for Restore and be sure to say "yes" to the backup. You will be warned that all data (apps, music, movies, etc.) will be erased but, as the Restore finishes, you will be asked if you wish the contents of the backup to be copied to the iPad/iPod. Again, say "yes."
At the end of the basic Restore, you will be asked if you wish to sync the iPad/iPod. As before, say "yes." Note that that sync selection will disappear and the Restore will end if you do not respond within a reasonable time. If that happens, only the apps that are part of the IOS will appear on your device. Corrective action is simple - choose manual "Sync" from the bottom right of iTunes.
If you're unable to do the Restore, go into Recovery Mode per the instructions here. -
QoS Police on 3945 router not working
I am trying to police backup traffic between data centers on a 3945 router. I want to limit the amount of traffic to 40 Mbps. I have created a policy and applied on input to the Ethernet WAN facing interface of the router.
Configuration looks like this:
class-map match-any commvault
match access-group name commvault
policy-map police
class commvault
police rate 40000000 burst 20000
conform-action set-dscp-transmit af13
exceed-action drop
violate-action drop
interface GigabitEthernet0/1
service-policy input police
Show policy map interface below. The problem is that all packets are being marked as conforming even though the byte rate is well above 40 Mbps. I'm not sure if this is a configuration issue or a bug or something that just isn't supported on this router.
GigabitEthernet0/1
Service-policy input: police
Class-map: commvault (match-any)
2807844 packets, 225300484 bytes
30 second offered rate 1162000 bps, drop rate 0000 bps
Match: access-group name commvault
2807844 packets, 225300484 bytes
30 second rate 1162000 bps
police:
rate 40000000 bps, burst 20000 bytes, peak-burst 20000 bytes
conformed 2807844 packets, 225300484 bytes; actions:
set-dscp-transmit af13
exceeded 0 packets, 0 bytes; actions:
drop
violated 0 packets, 0 bytes; actions:
drop
conformed 1162000 bps, exceeded 0000 bps, violated 0000 bps
Class-map: class-default (match-any)
8824278 packets, 1864242262 bytes
30 second offered rate 14071000 bps, drop rate 0000 bps
Match: any
Where do you see the byte rate (for this class) exceed 40 Mbps? You have a snapshot stat of that?
You're policing WAN ingress? -
Per Tunnel QoS: NHRP-3-QOS_POLICY_APPLY_FAILED
Hello,
another day another problem :-)
Since I have had the DMVPN network up and running for a few months now, the customer wishes to implement voice-over-IP; therefore I tried to configure Per-Tunnel QoS in the DMVPN network.
The policy map on the hub site is as follows:
class-map match-all BULK-DATA
match ip dscp af11 af12
class-map match-all INTERACTIVE-VIDEO
match ip dscp af41 af42
class-map match-all VOICE
match ip dscp ef
class-map match-all SCAVENGER
match ip dscp cs1
class-map match-any INTERNETWORK-CONTROL
match ip dscp cs6
match access-group name IKE
class-map match-any CALL-SIGNALING
match ip dscp cs3
match ip dscp af31
class-map match-all TRANSACTIONAL-DATA
match ip dscp af21 af22
policy-map voice
class VOICE
priority percent 18
class INTERACTIVE-VIDEO
priority percent 15
class CALL-SIGNALING
bandwidth percent 5
class INTERNETWORK-CONTROL
bandwidth percent 5
class TRANSACTIONAL-DATA
bandwidth percent 27
queue-limit 18 packets
class BULK-DATA
bandwidth percent 4
queue-limit 3 packets
class SCAVENGER
bandwidth percent 1
queue-limit 1 packets
class class-default
bandwidth percent 25
queue-limit 16 packets
The hub and the spokes are configured with the proper NHRP group, but when checking the QoS state, the spokes appear to be in the right NHRP group but the QoS service policy is not applied.
Hub#sh dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================
Interface Tunnel1 is up/up, Addr. is 192.168.205.1, VRF ""
Tunnel Src./Dest. addr: 2.2.2.1/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "Schmidt-Group"
Interface State Control: Disabled
Type:Hub, Total NBMA Peers (v4/v6): 1
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 1.1.1.1 192.168.205.2 UP 00:40:52 D 192.168.205.2/32
NHRP group: voice
Output QoS service-policy applied: none
Crypto Session Details:
--------------------------------------------------------------------------------
Interface: Tunnel1
Session: [0x8693F664]
IKE SA: local 2.2.2.1/500 remote 1.1.1.1/500 Active
Capabilities:D connid:2001 lifetime:23:19:07
Crypto Session Status: UP-ACTIVE fvrf: (none), Phase1_id: 1.1.1.1
IPSEC FLOW: permit 47 host 2.2.2.1 host 1.1.1.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 574 drop 0 life (KB/Sec) 4487723/1147
Outbound: #pkts enc'ed 560 drop 0 life (KB/Sec) 4487725/1147
Outbound SPI : 0xABF33617, transform : esp-256-aes esp-sha-hmac
Socket State: Open
Pending DMVPN Sessions:
A debugging on QoS events results with the message:
Oct 18 08:20:51.883: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy voice mapped to NHRP
group voice on interface Tunnel1, to tunnel 1.1.1.1 due to policy installation failure
I'm grateful for any suggestions or hints!
Kind regards
Thomas
I have the same problem. I found this info; it might be related to your problem. For me, I only have one spoke on my QoS/DMVPN hub tunnel. However, I am running MPLS-VPN, multiple hub tunnels connecting to multiple spokes, so the policy could be seeing all spokes connected to my router, not just the hub tunnel.
https://cisco-images.test.edgekey.net/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes_book_pdf.pdf
CSCts62082
Symptoms: Router generates the following message:
%NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy 10M-shape mapped to NHRP group xx on interface Tunnelxx, to tunnel x.x.x.x due to policy installation failure
Conditions: This symptom is observed when "per-tunnel" QoS is applied and there are more than nine DMVPN spokes. (Up to eight spokes, with QoS applied, is fine.)
Workaround: There is no workaround. -
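The mechanism M. describes in the first thread (the spoke registers with an NHRP group, the hub maps that group to a service-policy) and the %NHRP-3-QOS_POLICY_APPLY_FAILED case in this thread can both be checked from the hub's own output. The script below is an added example, not code from any of the threads: it parses the "show dmvpn detail" peer section, the hub's "ip nhrp map group ... service-policy output ..." lines and the syslog message, then lists spokes whose registered group did not end up with the mapped policy. All sample text is constructed in the formats quoted on the page; the addresses, group and policy names are made up.

```python
"""Check per-tunnel QoS state on a DMVPN hub from its own output (added example,
not code from the threads; all sample text is constructed, names/addresses made up)."""
import re
from dataclasses import dataclass

# Constructed 'show dmvpn detail' peer section in the layout quoted in the thread:
# one spoke with the policy applied, one refused by the hub, one registering a
# group name the hub has no map for.
SAMPLE_DMVPN_DETAIL = """\
Interface Tunnel1 is up/up, Addr. is 192.168.205.1, VRF ""
Type:Hub, Total NBMA Peers (v4/v6): 3
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1 1.1.1.1         192.168.205.2    UP 00:40:52     D 192.168.205.2/32
NHRP group: voice
Output QoS service-policy applied: none
    1 1.1.1.2         192.168.205.3    UP 00:12:03     D 192.168.205.3/32
NHRP group: voice
Output QoS service-policy applied: voice
    1 1.1.1.3         192.168.205.4    UP 00:03:41     D 192.168.205.4/32
NHRP group: Voice
Output QoS service-policy applied: none
"""
# Constructed hub tunnel config, same command form as in the threads.
SAMPLE_HUB_CONFIG = """\
interface Tunnel1
 ip nhrp map group voice service-policy output voice
 ip nhrp map group data service-policy output data-shape
"""
# Constructed syslog line in the format quoted in this thread.
SAMPLE_SYSLOG = ("Oct 18 08:20:51.883: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply "
                 "QoS policy voice mapped to NHRP group voice on interface Tunnel1, "
                 "to tunnel 1.1.1.1 due to policy installation failure\n")

# Peer line columns: #Ent, NBMA addr, tunnel addr, state, UpDn time, attrb, target.
PEER_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*$")
GROUP_RE = re.compile(r"^\s*NHRP group:\s*(\S+)")
POLICY_RE = re.compile(r"^\s*Output QoS service-policy applied:\s*(\S+)")
MAP_RE = re.compile(r"^\s*ip nhrp map group (\S+) service-policy output (\S+)")
SYSLOG_RE = re.compile(r"%NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy "
                       r"(\S+) mapped to NHRP group (\S+) on interface (\S+), to tunnel (\S+)")


@dataclass
class Spoke:
    nbma: str
    tunnel_ip: str
    state: str
    nhrp_group: str = ""       # "" if the spoke registered no group
    applied_policy: str = ""   # "" if the hub printed no QoS line for this peer


def parse_dmvpn_detail(text):
    """One Spoke per peer line, carrying the NHRP group / QoS lines that follow it."""
    spokes = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            spokes.append(Spoke(*m.groups()))
        elif spokes and (m := GROUP_RE.match(line)):
            spokes[-1].nhrp_group = m.group(1)
        elif spokes and (m := POLICY_RE.match(line)):
            spokes[-1].applied_policy = m.group(1)
    return spokes


def parse_group_map(config):
    """NHRP group name -> policy-map name from the hub's tunnel config."""
    return {m.group(1): m.group(2) for m in map(MAP_RE.match, config.splitlines()) if m}


def parse_apply_failures(syslog):
    """Fields of every QOS_POLICY_APPLY_FAILED line: policy, group, interface, tunnel."""
    keys = ("policy", "group", "interface", "tunnel")
    return [dict(zip(keys, m.groups())) for m in map(SYSLOG_RE.search, syslog.splitlines()) if m]


def find_qos_gaps(spokes, group_map):
    """(tunnel_ip, reason) for each spoke whose per-tunnel QoS is not in effect.
    Group names are compared exactly, so 'Voice' vs a hub map for 'voice' is reported."""
    gaps = []
    for s in spokes:
        expected = group_map.get(s.nhrp_group)
        if not s.nhrp_group:
            gaps.append((s.tunnel_ip, "spoke registered no NHRP group"))
        elif expected is None:
            gaps.append((s.tunnel_ip, f"no hub map for group {s.nhrp_group!r}"))
        elif s.applied_policy != expected:
            gaps.append((s.tunnel_ip, f"expected {expected!r}, applied {s.applied_policy or 'none'!r}"))
    return gaps


if __name__ == "__main__":
    spokes = parse_dmvpn_detail(SAMPLE_DMVPN_DETAIL)
    for tunnel_ip, reason in find_qos_gaps(spokes, parse_group_map(SAMPLE_HUB_CONFIG)):
        print(f"{tunnel_ip}: {reason}")
    for f in parse_apply_failures(SAMPLE_SYSLOG):
        print(f"apply failed: policy {f['policy']} for {f['tunnel']} on {f['interface']}")
```

Paste real "show dmvpn detail", running-config and syslog text into the three sample strings to run it against a live hub; a spoke that shows up under "no hub map" is the place to compare the spoke's "ip nhrp group" name with the hub's map, and an entry with "applied 'none'" is the case the bug note above describes.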
We have some LNSs running 12.4 SP Services, running with the following config (qos specific lines and currently not working):
class-map match-all voice-signaling
match access-group 101
class-map match-all voice-traffic
match access-group 102
policy-map sub-policy
class voice-traffic
priority 240
class voice-signaling
bandwidth 16
policy-map XXX_qos-voice
class class-default
shape average 256000
fair-queue
service-policy sub-policy
interface Virtual-Template1
ip unnumbered Loopback0
ip mroute-cache
no peer default ip address
ppp authentication chap
no clns route-cache
access-list 101 remark -- SCCP/H323/MGCP/SIP --
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 11000 11999
access-list 101 permit udp any any eq 2427
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any eq 5036
access-list 101 permit udp any any eq 5060
access-list 102 remark -- RTP Traffic --
access-list 102 permit udp any any range 16384 32767
In the feature set for the IOS currently running it suggests this configuration should work; however, it will not apply the policy via the Cisco-AVPair command (the command is visible via the debug AAA per-user, so RADIUS is working). Even when we test it by applying the service-policy to the actual virtual-template it errors, saying it will only work on an MLP bundle. From what I have read it is suggested that even though this feature is supposed to work, it does not in practice and an upgrade to a feature set which includes QoS: per session shaping and queueing on LNS is needed.
If anyone has any experience of this or has any suggestion of whether we can achieve our QoS for voice per session with the current IOS that would be great.
This feature is not related to the NPE type. This feature is performance impacting, so you should do some tests to see if your NPE-400 can support the number of L2TP tunnels you want with this feature enabled. If it's not the case, you will have to upgrade your NPE.
HTH
Laurent. -
DMVPN Design: Multi-Hub, Router Per-Tunnel QoS
Some DMVPN questions:
1) A site I've worked with has about 7 hubs and 5 spokes. This looks at best a bit odd to me. The Cisco design docs all have at most 2 hub sites. Is more than 2 DMVPN hub sites a good idea / bad idea? Pros / cons / drawbacks? I've googled this topic heavily, found little.
2) If two sites are DMVPN hub sites that have NHRP map statements for each other, can they both be doing the Per-Tunnel QoS feature to get some QoS shaping towards each other?
3) What is recommended for DMVPN QoS in general? And for a spoke site where the hub site is doing the Per-Tunnel QoS? Just put some QoS on the physical link? -
IPSEC Tunnel Protection and per-tunnel QoS shaping doesn't do any shaping.
I am having a small brain implosion as to why this will not work.
I have tried the QOS policy on the tunnel interfaces and on the ATM interface. No shaping occurs. The interfaces transmit at their leisure.
Please can someone having a better day than me tell me what I am doing wrong?
Below is the relevant (and standard) config, without the service-policy command applied anywhere. Any help appreciated.
class-map match-any APPSERVERS
match access-group name TERMINALSERVERS
class-map match-any VOICE
match protocol sip
match protocol rtp
match dscp ef
policy-map QOSPOLICY
class VOICE
priority 100
class APPSERVERS
bandwidth percent 33
class class-default
fair-queue 16
policy-map TUNNEL
class class-default
shape average 350000
service-policy QOSPOLICY
interface Tunnel0
bandwidth 350
ip address 172.20.58.2 255.255.255.0
ip mtu 1420
load-interval 30
qos pre-classify
tunnel source Dialer0
tunnel destination X.X.X.X
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSECPROFILE
interface Tunnel1
bandwidth 350
ip address 172.21.58.2 255.255.255.0
ip mtu 1420
load-interval 30
delay 58000
qos pre-classify
tunnel source Dialer0
tunnel destination Y.Y.Y.Y
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSECPROFILE
interface ATM0/0/0
no ip address
load-interval 30
no atm ilmi-keepalive
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
bandwidth 400
ip address negotiated
Thanks,
Paul
Hi mate,
This is an 1841 with 12.4(20) but I've tried it on 15.1 on a 1941 also. I get some measure of traffic reduction but I cannot fathom what it is actually doing.
In the lab with the 1841 and a flat shaper I get this:
policy-map SHAPE
class class-default
shape average 600000
interface Tunnel0
bandwidth 700
service-policy output SHAPE
R1#sh policy-map int
Tunnel0
Service-policy output: SHAPE
Class-map: class-default (match-any)
18664 packets, 26423115 bytes
30 second offered rate 452000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 45/0/0
(pkts output/bytes output) 18659/27808530
shape (average) cir 600000, bc 2400, be 2400
target shape rate 600000
R1#sh policy-map int
Tunnel0
Service-policy output: SHAPE
Class-map: class-default (match-any)
19044 packets, 26964413 bytes
30 second offered rate 451000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 45/0/0
(pkts output/bytes output) 19039/28378426
shape (average) cir 600000, bc 2400, be 2400
target shape rate 600000
It just holds the data rate around 450 kbps. ??
Here are the types of results I get when the HQoS is applied to the Tunnel interface in the lab:
policy-map QOS
class IP2
drop
class IP3
priority 300
class class-default
policy-map TUNNEL
class class-default
shape average 600000
service-policy QOS
interface Tunnel0
bandwidth 700
service-policy output TUNNEL
R1#sh policy-map int
Tunnel0
Service-policy output: TUNNEL
Class-map: class-default (match-any)
14843 packets, 20884436 bytes
30 second offered rate 362000 bps, drop rate 75000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/3942/0
(pkts output/bytes output) 14009/15858326
shape (average) cir 600000, bc 2400, be 2400
target shape rate 600000
Service-policy : QOS
queue stats for all priority classes:
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/3942/0
(pkts output/bytes output) 6464/9540288
Class-map: IP2 (match-all)
385 packets, 533940 bytes
30 second offered rate 28000 bps, drop rate 28000 bps
Match: access-group 102
drop
Class-map: IP3 (match-all)
10411 packets, 14628188 bytes
30 second offered rate 191000 bps, drop rate 75000 bps
Match: access-group 103
Priority: 300 kbps, burst bytes 7500, b/w exceed drops: 3942
Class-map: class-default (match-any)
4047 packets, 5722308 bytes
30 second offered rate 143000 bps, drop rate 0 bps
Match: any
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 7545/6318038
This is after 10 minutes of running transfers to all endpoints to utilise the classes in the policy.
So why don't we see shaping that moves towards the configured values?
Thanks. -
DMVPN Per Spoke QOS ServicePolicy Limit
I want to implement per-spoke QoS using ISAKMP profiles and service policy.
My problem is that I have more than 64 tunnels and I understand that service policy configurations are limited to one level of nesting and only 64 classifications.
Does anyone have experience of per-spoke QoS greater than 64 flows?
Only if you show me yours for > 64 flows
LOL -
VPN Split-Tunneling not working
Hello,
First off - thanks to all who post here. I often browse the forums and search for help here and it's very useful, so a great pat on the back for everyone who contributes. My first time posting so here goes.....
I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working. Client can connect and access the remote systems through VPN. What is causing me a massive headache is that the client loses internet connectivity. I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
Notes
1. The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
2. The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
CONFIGURATION:
ASA Version 8.2(5)
hostname MYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
name x.x.x.x AIME-SD
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.0.0
interface Vlan7
no forward interface Vlan1
nameif DMZ
security-level 20
ip address 137.57.183.1 255.255.255.0
ftp mode passive
clock timezone MST -7
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map batus 100 match address 10
crypto map batus 100 set peer AIME-SD
crypto map batus 100 set transform-set batus
crypto map batus interface outside
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=MYHOST
keypair ClientX_cert
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 0f817951
quit
crypto isakmp enable outside
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
vpn-tunnel-protocol svc
split-tunnel-network-list value split-tunneling
default-domain value access.local
address-pools value Internal_Range
ipv6-address-pools none
webvpn
svc mtu 1406
svc rekey time none
svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
vpn-group-policy ClientX_access
service-type admin
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
address-pool Internal_Range
default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
: end
Thank you for any help!!
Karsten!
That fixed my internet access problem. Yippee!
Unfortunately it seems to have broken my access to the internal network. Boo!
I can no longer access/ping anything on the internal IP range (192.168.101.x).
I assume this is a nat issue somewhere along the line. Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine). Thank you both for your very prompt replies!!!
Short Config
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
Show vpn-sessiondb svc
Session Type: SVC
Username : ClientX Index : 9
Assigned IP : 192.168.101.125 Public IP : x.x.x.x
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : MD5 SHA1
Bytes Tx : 11662 Bytes Rx : 62930
Group Policy : ClientX_access Tunnel Group : DefaultWEBVPNGroup
Login Time : 22:40:56 MST Mon Jul 1 2013
Duration : 0h:11m:08s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none -
Hi, all,
I have seen a good post on google.com about how to make all the client's traffic go through the IPsec tunnel and then out to the Internet from the Main site. Now I attach this configuration and application for discussion. The problem is that I am still confused with the configuration on the Main site; I hope anyone who can will tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!
Quote :
Question ? :
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question ?
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." What does this mean and how do I do it? Could anybody give me the specific configuration? Thanks a lot.
Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router, no firewall enabled:
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
crypto dynamic-map IPsecdyn 100
set transform-set IPsectrans
match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface Loopback1
ip address 10.10.200.1 255.255.255.0
interface FastEthernet0/0
ip address 113.113.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPsecmap
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 113.113.1.2
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255
-
Is it possible to have 2 DMVPN tunnels on a spoke router having 2 ISPs to the same hub?
I have a router R1 acting as a hub for DMVPN. I have a spoke router R2 which has 2 ISPs. Can I establish a DMVPN tunnel via each ISP to R1 from R2?
The other posters are correct; all you need is OS X Lion. I have tried it out and it works.
The bottom line and most important thing to remember about multiple users using the same Mac is: each user needs their own separate account. For example, if Bob is on the screen and Tim logs on using VNC, then Tim gets his own desktop, keyboard and mouse. But if Bob is on the screen and Bob logs on using VNC, then they share the same desktop.
So if you want, say, 2 or 5 users (or whatever the limit is; I don't know), you are going to need 2 or 5 (or whatever) separate users.
On the host Mac you go into System Preferences, Sharing, Screen Sharing, and turn it on.
On the remote Mac you run Finder, click on Connect to Server and type vnc:// and the address of the computer, like vnc://192.168.1.4, and it should work great over the local network.
There's no other hardware or software you need; you just need to be running OS X Lion.
There are also VNC clients available you can download that might be better than the VNC client in Finder.
-
Does LMS 4.2.1 display DMVPN tunnels in Topology Services?
Hi,
Can you ask the question in the header please?
Thanks,
Oleg
Not generally.
I haven't tried it, but if your DMVPN tunnel is running in GRE mode (vs. the more common IPsec) you may be able to enable CDP on the tunnel interface at both ends (it must be explicitly enabled, even if CDP is globally enabled) and discover the neighbor relationship that way.
-
Microsoft Teredo tunneling adapter #2 is not working
Hi, I'm having problems with "Microsoft Teredo Tunneling Adapter #2". I've tried to fix it, but it keeps on saying that it's not working. When I set the tcpip6/parameters value to 0 it only fixed the Teredo Tunneling Adapter, but the Teredo Tunneling Adapter #2 is still not working. Any ideas?
Sten
This is a known problem if ZoneAlarm is installed. If you have it installed, remove it at least to check.
To turn off the Teredo tunneling interface, open an elevated command prompt and type
netsh interface teredo set state disabled
To Re-install it
Click on Start.
Type Device Manager in the search box and open it.
Click the Action tab at the top and click Add legacy hardware.
Then click Next, and Next again; it will then scan and find nothing. Click Next on the screen after that.
Wait a minute and you will see a list of hardware appear. Scroll down and choose Network adapters, then click Next. From the left column choose Microsoft, then in the right-hand column scroll down and choose Microsoft Teredo Tunneling Adapter, then click Next and this will install it.
To check, just make sure it is set to show hidden devices: in Device Manager click View, then Show hidden devices.
Wanikiya and Dyami--Team Zigzag