Router VPN interface

Hi,
I usually use a Cisco ASA to connect site-to-site VPNs. I usually use the outside interface Eth0/0 for the public internet static IP and Eth0/1 to connect the internal network.
For routers, I have seen a lot of examples over the web. They usually use FE0/1 for the public internet static IP, as the site-to-site VPN connection point, and FE0/0 for the internal network. Could you tell me why? My understanding is that the outside interface FE0/0 must be used for the public IP address because of the lower security level. Please help to explain. Thank you

Hi,
The interface ID doesn't have anything to do with the interface's security on its own. On an ASA the "security-level" is used to define which is the least secure interface (the one facing the Internet), not the port ID.
You are free to use any physical interface on a Cisco Router or ASA to whatever purpose you want.
Most people tend to use the port with the ID 0/0 for "outside" and the others for local network connections.
There is nothing stopping you from using something different.
- Jouni

Similar Messages

  • Inside LAN is not reachable even after the Cisco remote-access VPN client is connected to router C1841; I can ping the router's inside interface and loopback interface, but not even the directly connected inside devices..??

    Hi friends,
    Here is the configuration of my router C1841 for the Cisco IPsec remote-access VPN. I was able to establish a VPN session properly, but after that I can only reach the inside interfaces of the router, not the LAN devices.
    Below is the output from the router:
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    Hi Maximilian Schojohann,
    First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "ip cef" solves the issue: when I disable it I am able to communicate successfully with the router LAN. But when I disable "ip cef" the router CPU goes to 99% and hangs.
    In the output of "sh process cpu" it shows 65% utilization from "IP INPUT".
    So please give me an alternate solution. Thanks in advance.

  • 2851 router VPN to 851 router: LAN clients cannot ping

    Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
    Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
    851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
    The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
    The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
    I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
    The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
    From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
    To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
    This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
    So some stripped-down configs:
    For the 2851:
    no service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router2851
    boot-start-marker
    boot-end-marker
    no logging buffered
    no logging console
    enable password mypassword2
    no aaa new-model
    dot11 syslog
    no ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.20.0.1 172.20.6.1
    ip dhcp excluded-address 172.20.6.254 172.20.15.254
    ip dhcp pool Internal_2000
       import all
       network 172.20.0.0 255.255.240.0
       domain-name myseconddomain.int
       default-router 172.20.0.1
       lease 7
    no ip domain lookup
    multilink bundle-name authenticated
    voice-card 0
     no dspfarm
    crypto pki <<truncated>>
    crypto pki certificate chain TP-self-signed-2995823027
     <<truncated>>
          quit
    username myusername privilege 15 password 0 mypassword2
    archive
     log config
      hidekeys
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mysharedkey address 216.53.254.aaa
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to216.53.254.aaa
     set peer 216.53.254.aaa
     set transform-set ESP-3DES-SHA
     match address 100
    interface GigabitEthernet0/0
     description $ETH-WAN$
     ip address 216.189.223.bbb 255.255.255.192
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
     no shut
    interface GigabitEthernet0/1
     description $FW_INSIDE$$ETH-LAN$
     ip address 172.20.0.1 255.255.240.0
     ip nat inside
     ip virtual-reassembly
     no ip route-cache
     duplex auto
     speed auto
     no mop enabled
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.20.0.0 0.0.15.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
    access-list 101 permit ip 172.20.0.0 0.0.15.255 any
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    banner motd ~This is a private computer system for authorized use only. And Stuff~
    line con 0
    line aux 0
    line vty 0 4
     privilege level 15
     password mypassword
     login local
     transport input telnet ssh
    scheduler allocate 20000 1000
    end
    And for the 851:
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router851
    boot-start-marker
    boot-end-marker
    logging buffered 52000 debugging
    no logging console
    enable password mypassword
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    resource policy
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.21.1.1 172.21.1.100
    ip dhcp pool Internal_2101
       import all
       network 172.21.1.0 255.255.255.0
       default-router 172.21.1.1
       domain-name mydomain.int
       dns-server 172.21.1.10
       lease 4
    ip cef
    ip domain name mydomain.int
    ip name-server 172.21.1.10
    crypto pki <<truncated>>
    crypto pki certificate chain TP-self-signed-3077836316
     <<truncated>>
      quit
    username myusername privilege 15 password 0 mypassword2
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key mysharedkey address 216.189.223.aaa
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to216.189.223.bbb
     set peer 216.189.223.bbb
     set transform-set ESP-3DES-SHA2
     match address 100
    bridge irb
    interface FastEthernet0
     spanning-tree portfast
    interface FastEthernet1
     spanning-tree portfast
    interface FastEthernet2
     spanning-tree portfast
    interface FastEthernet3
     spanning-tree portfast
    interface FastEthernet4
     description $ETH-WAN$
     ip address 216.53.254.aaa 255.255.254.0
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1460
     duplex auto
     speed auto
     no cdp enable
     crypto map SDM_CMAP_1
     no shut
    interface Vlan1
     description Internal Network
     no ip address
     ip nat inside
     ip virtual-reassembly
     bridge-group 1
     bridge-group 1 spanning-disabled
    interface BVI1
     description Bridge to Internal Network
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip route 172.21.1.0 255.255.255.0 BVI1
    ip http server
    ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 172.21.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
    access-list 101 permit ip 172.21.1.0 0.0.0.255 any
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    bridge 1 route ip
    banner motd ~This is a private computer system for authorized use only. And Stuff.~
    line con 0
     password mypassword
     no modem enable
    line aux 0
    line vty 0 4
     password mypassword
    scheduler max-task-time 5000
    end
    Note that the above are somewhat stripped-down configs, without firewall or WAN ACLs - interestingly my default WAN-inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
    I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
    Regards,
    Ted.
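One check worth running against configs like the C1841 remote-access config and Ted's 2851 config above: does the NAT ACL exempt the traffic the crypto ACL selects? On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so LAN traffic the NAT ACL permits is translated and then never matches the crypto ACL. This is an added example, not code from the thread or from Cisco; the two config excerpts are constructed from the access-lists posted above, and the check is not a diagnosis the thread itself reached.

```python
"""Flag VPN-bound traffic that an IOS NAT ACL would translate before the crypto map sees it.

Added example, not code from the thread or from Cisco. On IOS, inside-to-outside NAT runs
before crypto-map matching, so a LAN packet for a VPN peer or client pool that the NAT ACL
permits is translated first and no longer matches the crypto ACL; a deny ACE for that
traffic in the NAT (or route-map) ACL exempts it. Only extended 'permit|deny ip' ACEs are read.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = Tuple[int, int]             # (address, IOS wildcard) as ints; wildcard bit 1 = don't care
Ace = Tuple[str, Net, Net, str]   # (action, src, dst, original config line)


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any' | 'host A' | 'A W' at t[i]; return the net and the next token index."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def parse_acl(config: str, number: int) -> List[Ace]:
    """Extended IP ACEs of access-list <number>, in configuration order."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)]:
            continue
        if t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # remark, standard ACL, or tcp/udp/icmp ACE (not handled here)
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        aces.append((t[2], src, dst, line.strip()))
    return aces


def overlaps(a: Net, b: Net) -> bool:
    """Two wildcard ranges share an address iff they agree on every bit fixed in both."""
    return ((a[0] ^ b[0]) & ~(a[1] | b[1])) == 0


def covers(outer: Net, inner: Net) -> bool:
    """outer contains all of inner: inner fixes every bit outer fixes, with the same value."""
    return (inner[1] & ~outer[1]) == 0 and ((outer[0] ^ inner[0]) & ~outer[1]) == 0


def nat_acl_number(config: str) -> Optional[int]:
    """ACL consulted by 'ip nat inside source', directly or through a route-map."""
    m = re.search(r"^ip nat inside source list (\d+)", config, re.M)
    if m:
        return int(m.group(1))
    m = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    rm = m and re.search(r"^route-map %s permit \d+\n\s+match ip address (\d+)"
                         % re.escape(m.group(1)), config, re.M)
    return int(rm.group(1)) if rm else None


def crypto_acl_numbers(config: str) -> List[int]:
    """ACLs named by 'match address' (crypto map) or 'acl' (client-group split-tunnel list)."""
    return [int(n) for n in re.findall(r"^\s*(?:match address|acl) (\d+)\s*$", config, re.M)]


def nat_leaks(config: str) -> List[Tuple[str, str]]:
    """(crypto ACE, NAT ACE) pairs whose traffic is translated before it can be encrypted."""
    nat = nat_acl_number(config)
    nat_aces = parse_acl(config, nat) if nat is not None else []
    leaks = []
    for acl in crypto_acl_numbers(config):
        for action, src, dst, text in parse_acl(config, acl):
            if action != "permit":
                continue
            for n_action, n_src, n_dst, n_text in nat_aces:  # first matching ACE wins, as on the router
                if n_action == "deny" and covers(n_src, src) and covers(n_dst, dst):
                    break  # fully exempted before any permit is reached
                if n_action == "permit" and overlaps(n_src, src) and overlaps(n_dst, dst):
                    leaks.append((text, n_text))
                    break
    return leaks


# Constructed excerpts modelled on the two configs posted above (not the full configs).
C1841 = """\
crypto isakmp client configuration group ra-vpn
 acl 150
ip nat inside source list 100 pool INTERNETPOOL overload
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
"""
C2851 = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 deny   ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

if __name__ == "__main__":
    for name, cfg in (("C1841", C1841), ("C2851", C2851)):
        print(name, "->", nat_leaks(cfg) or "no NAT-before-crypto leaks")
```

The loopback ACE (host 10.2.2.2) is not flagged because nothing in ACL 100 translates it, while the 10.10.7.0/24 LAN ACE is; the 2851's route-map ACL 101 denies the tunnel traffic before its permit and so passes. Partial overlaps between a deny and a crypto ACE are reported conservatively as leaks.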

    Hi,
    First, please delete the NAT. If NAT is configured in RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
    Second, please enable LAN routing on the RRAS server. To enable LAN routing, please follow the steps below:
    1. On the RRAS server, open Routing and Remote Access.
    2. Right-click the server name, then click Properties.
    3. On the General tab, select the IPv4 Router check box, and then click "Local area network (LAN) routing only".
    Then announce the 172.16.0.0 network to the router.
    To learn more details about enabling LAN routing, please refer to the link below:
    http://technet.microsoft.com/en-us/library/dd458974.aspx
    Best Regards,
    Tina

  • Router-to-Router VPN Security

    Hi there,
    Should we worry about the security of router-to-router VPN over the internet (IPSec)?
    We have two offices.
    Office A has Cisco 2811 router (internal, private) and ASA 5510 firewall.
    Office B has Cisco 2821 router (internal, private) and ASA 5505 firewall.
    Office B has private subnets that extend to 7 hops away. (running RIP)
    If we want to set up a site-to-site VPN between these two offices, should we set it up on the ASAs or the routers?
    If we set up VPN on routers, does that mean we need to connect one interface to the internet on each router and suffer from Internet attacks?
    How do we defend our routers then?
    Thanks in advance!
    -Andrew

    Hi,
    When it comes to site-to-site VPN I usually prefer routers. With a little bit of tweaking of NAT and routing you should be able to operate a public address on the routers even if they are behind the firewall.
    The advantage of IOS-based VPN is e.g. the possibility of running routing protocols through the VPN tunnels, which would give another level of resiliency. Configure tunnel interfaces on the routers with tunnel mode IPsec and a tunnel protection profile. You can then run e.g. EIGRP to find a possible alternate path if one of the tunnels fails. It's much easier than anything I can think of on the ASA.
    Rgds, MiKa

  • 877 using FE as WAN (ISP-provided modem/router) - VPN won't come up!

    Hi,
    Due to some changes with our ISP, the ATM interface on the 877 router won't support stable connections anymore. The fix I'm having to do is to use our ISP-provided modem/router, have the 877 use an FE port as the WAN port, and instigate the VPN from there.
    I've had issues getting the WAN port to work correctly, which I got fixed here:
    https://supportforums.cisco.com/message/4090973
    Now I've got to get this bit going then I'm all good!
    Basic setup is:
    Remote firewall <-> internet <-> local ISP (modem/router) <-> Cisco 877 <-> laptop/switch etc
    172.20.0.0/16                             192.168.1.254       192.168.1.139    172.30.99.1     172.30.99.0/24
    Current config is:
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname ITTEST
    boot-start-marker
    boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
    boot-end-marker
    logging message-counter syslog
    logging buffered 10240
    enable secret
    enable password
    no aaa new-model
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    dot11 syslog
    no ip source-route
    ip dhcp excluded-address 172.30.99.1 172.30.99.100
    ip dhcp pool dhcppool
       import all
       network 172.30.99.0 255.255.255.0
       default-router 172.30.99.1
       dns-server 172.30.99.1 172.20.0.120 172.20.0.121
       domain-name gratte.com
       update arp
    ip cef
    ip domain name gratte.com
    ip name-server 192.168.1.254
    ip name-server 172.20.0.120
    ip name-server 172.20.0.121
    no ipv6 cef
    multilink bundle-name authenticated
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth
    crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
    crypto ipsec profile IPSEC-VPN
    set transform-set 3DESSHA
    archive
    log config
      hidekeys
    interface Tunnel0
    description --- IPSec Tunnel to KX ---
    ip address 172.30.99.10 255.255.255.252
    ip ospf mtu-ignore
    load-interval 30
    tunnel source Vlan1
    tunnel destination xxx.xxx.xxx.xxx
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile IPSEC-VPN
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    interface FastEthernet0
    description DATA
    spanning-tree portfast
    interface FastEthernet1
    description VOICE
    switchport access vlan 100
    switchport voice vlan 100
    spanning-tree portfast
    interface FastEthernet2
    shutdown
    interface FastEthernet3
    switchport access vlan 666
    no cdp enable
    spanning-tree portfast
    interface Vlan1
    ip address 172.30.99.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    interface Vlan666
    ip address 192.168.1.139 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    interface Dialer0
    no ip address
    ip default-gateway 192.168.1.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    ip route 10.20.0.0 255.255.0.0 Tunnel0
    ip route 10.21.0.0 255.255.0.0 Tunnel0
    ip route 64.156.192.220 255.255.255.255 Tunnel0
    ip route 64.156.192.245 255.255.255.255 Tunnel0
    ip route 74.50.50.16 255.255.255.255 Tunnel0
    ip route 74.50.63.14 255.255.255.255 Tunnel0
    ip route 172.16.0.0 255.240.0.0 Tunnel0
    ip route 172.30.99.0 255.255.255.0 Vlan1
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 100 interface Vlan666 overload
    access-list 100 permit ip 172.30.99.0 0.0.0.255 any
    access-list 199 permit icmp any any
    snmp-server community public RO
    snmp-server community blobby RW
    control-plane
    line con 0
    password
    login
    no modem enable
    line aux 0
    line vty 0 4
    password
    login
    scheduler max-task-time 5000
    ntp server 72.8.140.222
    ntp server 172.20.0.120
    ntp server 172.20.0.121
    end
    Hope someone can help!

    And pretty much exactly an hour after it dropped out, it's kicked back in:
    02:00:40: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:40: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer
    02:00:42: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:45: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:50: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:55: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
    02:00:57: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    02:00:57: IPSEC(lifetime_expiry): SA lifetime threshold reached, expiring in 68 seconds
    02:00:57: ISAKMP: set new node 0 to QM_IDLE
    02:00:57: SA has outstanding requests  (local 132.76.193.228 port 500, remote 132.76.193.200 port 500)
    02:00:57: ISAKMP:(2002): sitting IDLE. Starting QM immediately (QM_IDLE      )
    02:00:57: ISAKMP:(2002):beginning Quick Mode exchange, M-ID of 1560671909
    02:00:57: ISAKMP:(2002):QM Initiator gets spi
    02:00:57: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:00:57: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:00:57: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    02:00:57: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:00:58: ISAKMP: set new node 1105416027 to QM_IDLE
    02:00:58: ISAKMP:(2002): processing HASH payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002): processing SA payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
    02:00:58: ISAKMP: transform 1, ESP_3DES
    02:00:58: ISAKMP:   attributes in transform:
    02:00:58: ISAKMP:      SA life type in seconds
    02:00:58: ISAKMP:      SA life duration (basic) of 3600
    02:00:58: ISAKMP:      encaps is 1 (Tunnel)
    02:00:58: ISAKMP:      key length is 192
    02:00:58: ISAKMP:      authenticator is HMAC-SHA
    02:00:58: ISAKMP:(2002):atts are acceptable.
    02:00:58: ISAKMP:(2002):Checking IPSec proposal 1
    02:00:58: ISAKMP: transform 2, ESP_3DES
    02:00:58: ISAKMP:   attributes in transform:
    02:00:58: ISAKMP:      SA life type in seconds
    02:00:58: ISAKMP:      SA life duration (basic) of 3600
    02:00:58: ISAKMP:      encaps is 1 (Tunnel)
    02:00:58: ISAKMP:      authenticator is HMAC-SHA
    02:00:58: ISAKMP:(2002):atts are acceptable.
    02:00:58: IPSEC(validate_proposal_request): proposal part #1
    02:00:58: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
    02:00:58: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:00:58: ISAKMP:(2002): processing NONCE payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002): processing ID payload. message ID = 1105416027
    02:00:58: ISAKMP:(2002):QM Responder gets spi
    02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    02:00:58: ISAKMP:(2002):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
    02:00:58: ISAKMP:(2002): Creating IPSec SAs
    02:00:58:         inbound SA from to 172.30.99.1 (f/i)  0/ 0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:00:58:         has spi 0x48E03F51 and conn_id 0
    02:00:58:         lifetime of 3600 seconds
    02:00:58:         outbound SA from 172.30.99.1 to (f/i) 0/0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:00:58:         has spi  0xD4AF8B3C and conn_id 0
    02:00:58:         lifetime of 3600 seconds
    02:00:58: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:00:58: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
    02:00:58: ISAKMP:(2002):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
    02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:00:58: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:00:58: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
    02:00:58: IPSEC(create_sa): sa created,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x48E03F51(1222655825),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
        sa_lifetime(k/sec)= (4450631/3600)
    02:00:58: IPSEC(create_sa): sa created,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xD4AF8B3C(3568274236),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
        sa_lifetime(k/sec)= (4450631/3600)
    02:00:58: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:00:58: ISAKMP:(2002):deleting node 1105416027 error FALSE reason "QM done (await)"
    02:00:58: ISAKMP:(2002):Node 1105416027, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    02:00:58: ISAKMP:(2002):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
    02:00:58: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:00:58: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    02:00:58: IPSEC(key_engine_enable_outbound): enable SA with spi 3568274236/50
    02:00:58: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI D4AF8B3C
    02:00:59: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:00:59: ISAKMP: set new node -1124267365 to QM_IDLE
    02:00:59: ISAKMP:(2002): processing HASH payload. message ID = -1124267365
    02:00:59: ISAKMP:(2002): processing DELETE payload. message ID = -1124267365
    02:00:59: ISAKMP:(2002):peer does not do paranoid keepalives.
    02:00:59: ISAKMP:(2002):deleting node -1124267365 error FALSE reason "Informational (in) state 1"
    02:00:59: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:00:59: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    02:00:59: IPSEC(key_engine_delete_sas): delete SA with spi 0xBDD33AB1 proto 50 for
    02:00:59: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x539777E6(1402435558),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3
        sa_lifetime(k/sec)= (4412467/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:00:59: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xBDD33AB1(3184736945),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4
        sa_lifetime(k/sec)= (4412467/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:01:00: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:01:00: ISAKMP: set new node -2105526428 to QM_IDLE
    02:01:00: ISAKMP:(2002): processing HASH payload. message ID = -2105526428
    02:01:00: ISAKMP:(2002): processing NOTIFY DPD/R_U_THERE protocol 1
            spi 0, message ID = -2105526428, sa = 844CC060
    02:01:00: ISAKMP:(2002):deleting node -2105526428 error FALSE reason "Informational (in) state 1"
    02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    02:01:00: ISAKMP:(2002):DPD/R_U_THERE received from peer , sequence 0x22D
    02:01:00: ISAKMP: set new node 971443288 to QM_IDLE
    02:01:00: ISAKMP:(2002):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
            spi 2220478360, message ID = 971443288
    02:01:00: ISAKMP:(2002): seq. no 0x22D
    02:01:00: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:01:00: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:01:00: ISAKMP:(2002):purging node 971443288
    02:01:00: ISAKMP:(2002):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
    02:01:00: ISAKMP:(2002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    02:01:02: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:01:02: ISAKMP:(2002): processing HASH payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): processing SA payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002):Checking IPSec proposal 1
    02:01:02: ISAKMP: transform 1, ESP_3DES
    02:01:02: ISAKMP:   attributes in transform:
    02:01:02: ISAKMP:      encaps is 1 (Tunnel)
    02:01:02: ISAKMP:      SA life type in seconds
    02:01:02: ISAKMP:      SA life duration (basic) of 3600
    02:01:02: ISAKMP:      SA life type in kilobytes
    02:01:02: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    02:01:02: ISAKMP:      authenticator is HMAC-SHA
    02:01:02: ISAKMP:(2002):atts are acceptable.
    02:01:02: IPSEC(validate_proposal_request): proposal part #1
    02:01:02: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= NONE  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    02:01:02: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:01:02: ISAKMP:(2002): processing NONCE payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): processing ID payload. message ID = 1560671909
    02:01:02: ISAKMP:(2002): Creating IPSec SAs
    02:01:02:         inbound SA from to 172.30.99.1 (f/i)  0/ 0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:01:02:         has spi 0x84F77E7D and conn_id 0
    02:01:02:         lifetime of 3600 seconds
    02:01:02:         lifetime of 4608000 kilobytes
    02:01:02:         outbound SA from 172.30.99.1 to (f/i) 0/0
            (proxy 0.0.0.0 to 0.0.0.0)
    02:01:02:         has spi  0xCA486707 and conn_id 0
    02:01:02:         lifetime of 3600 seconds
    02:01:02:         lifetime of 4608000 kilobytes
    02:01:02: ISAKMP:(2002): sending packet to my_port 500 peer_port 500 (I) QM_IDLE
    02:01:02: ISAKMP:(2002):Sending an IKE IPv4 Packet.
    02:01:02: ISAKMP:(2002):deleting node 1560671909 error FALSE reason "No Error"
    02:01:02: ISAKMP:(2002):Node 1560671909, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    02:01:02: ISAKMP:(2002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
    02:01:02: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:01:02: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 0.0.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
    02:01:02: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
    02:01:02: IPSEC(create_sa): sa created,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x84F77E7D(2230812285),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
        sa_lifetime(k/sec)= (4550947/3600)
    02:01:02: IPSEC(create_sa): sa created,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xCA486707(3393742599),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
        sa_lifetime(k/sec)= (4550947/3600)
    02:01:02: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI CA486707
    02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
    02:01:02: IPSEC(early_age_out_sibling): sibling outbound SPI D4AF8B3C expiring in 30 seconds due to it's a duplicate SA bundle.
    02:01:03: ISAKMP (2002): received packet from dport 500 sport 500 Global (I) QM_IDLE
    02:01:03: ISAKMP: set new node 2041302203 to QM_IDLE
    02:01:03: ISAKMP:(2002): processing HASH payload. message ID = 2041302203
    02:01:03: ISAKMP:(2002): processing DELETE payload. message ID = 2041302203
    02:01:03: ISAKMP:(2002):peer does not do paranoid keepalives.
    02:01:03: ISAKMP:(2002):deleting node 2041302203 error FALSE reason "Informational (in) state 1"
    02:01:03: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    02:01:03: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    02:01:03: IPSEC(key_engine_delete_sas): delete SA with spi 0xD4AF8B3C proto 50 for
    02:01:03: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= 172.30.99.1, sa_proto= 50,
        sa_spi= 0x48E03F51(1222655825),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
        sa_lifetime(k/sec)= (4450631/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:01:03: IPSEC(delete_sa): deleting SA,
      (sa) sa_dest= , sa_proto= 50,
        sa_spi= 0xD4AF8B3C(3568274236),
        sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
        sa_lifetime(k/sec)= (4450631/3600),
      (identity) local= 172.30.99.1, remote= ,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    02:01:48: ISAKMP:(2002):purging node 1105416027
    02:01:49: ISAKMP:(2002):purging node -1124267365
    02:01:50: ISAKMP:(2002):purging node -2105526428
    02:01:52: ISAKMP:(2002):purging node 1560671909
    02:01:53: ISAKMP:(2002):purging node 2041302203
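    As an added example (not part of the thread above), a small Python parser that reads this kind of debug crypto ipsec output and reconstructs the SA lifecycle: which SPIs were created and deleted, which bundle was aged out as a duplicate, and how long each SA actually lived compared with its negotiated lifetime. The sample lines are constructed in the same shape as the output above, not a verbatim copy of it:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the "debug crypto ipsec" output posted above
# (a handful of the same kind of SA create/delete events, not the full transcript).
SAMPLE_DEBUG = """\
02:00:58: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.30.99.1, sa_proto= 50,
    sa_spi= 0x48E03F51(1222655825),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
    sa_lifetime(k/sec)= (4450631/3600)
02:00:58: IPSEC(create_sa): sa created,
  (sa) sa_dest= , sa_proto= 50,
    sa_spi= 0xD4AF8B3C(3568274236),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
    sa_lifetime(k/sec)= (4450631/3600)
02:01:02: ISAKMP:(2002):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
02:01:02: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.30.99.1, sa_proto= 50,
    sa_spi= 0x84F77E7D(2230812285),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 7
    sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(create_sa): sa created,
  (sa) sa_dest= , sa_proto= 50,
    sa_spi= 0xCA486707(3393742599),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8
    sa_lifetime(k/sec)= (4550947/3600)
02:01:02: IPSEC(check_delete_duplicate_sa_bundle): found duplicated fresh SA bundle, aging it out. min_spi=48E03F51
02:01:03: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 172.30.99.1, sa_proto= 50,
    sa_spi= 0x48E03F51(1222655825),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
    sa_lifetime(k/sec)= (4450631/3600),
  (identity) local= 172.30.99.1, remote= ,
02:01:03: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= , sa_proto= 50,
    sa_spi= 0xD4AF8B3C(3568274236),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
    sa_lifetime(k/sec)= (4450631/3600),
"""

EVENT_RE = re.compile(r"^(\d\d:\d\d:\d\d): IPSEC\((create_sa|delete_sa)\):")
SPI_RE = re.compile(r"sa_spi= 0x([0-9A-Fa-f]+)")
CONN_RE = re.compile(r"sa_conn_id= (\d+)")
DEST_RE = re.compile(r"sa_dest= ([^,]*),")
LIFE_RE = re.compile(r"sa_lifetime\(k/sec\)= \((\d+)/(\d+)\)")
DUP_RE = re.compile(r"found duplicated fresh SA bundle.*min_spi=([0-9A-Fa-f]+)")


@dataclass
class SaEvent:
    time: int            # seconds on the router's debug clock
    kind: str            # "create_sa" or "delete_sa"
    spi: str = ""
    conn_id: int = 0
    dest: str = ""       # empty when the debug line omitted the peer address
    lifetime_sec: int = 0


def _seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_ipsec_debug(text: str) -> Tuple[List[SaEvent], List[str]]:
    """Collect SA create/delete events and duplicate-bundle notices from the debug."""
    events: List[SaEvent] = []
    duplicates: List[str] = []
    current: Optional[SaEvent] = None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            current = SaEvent(time=_seconds(m.group(1)), kind=m.group(2))
            events.append(current)
            continue
        if line.startswith(" ") and current is not None:
            # continuation lines of the SA block carry the SPI, conn id and lifetime
            if (x := SPI_RE.search(line)):
                current.spi = x.group(1).upper()
            if (x := CONN_RE.search(line)):
                current.conn_id = int(x.group(1))
            if (x := DEST_RE.search(line)):
                current.dest = x.group(1).strip()
            if (x := LIFE_RE.search(line)):
                current.lifetime_sec = int(x.group(2))
            continue
        current = None  # any other top-level line ends the SA block
        if (d := DUP_RE.search(line)):
            duplicates.append(d.group(1).upper())
    return events, duplicates


def summarize_sa_churn(text: str) -> Dict[str, object]:
    """Pair deletes with creates per SPI and flag SAs torn down well before their lifetime."""
    events, duplicates = parse_ipsec_debug(text)
    created: Dict[str, SaEvent] = {}
    lifespan: Dict[str, int] = {}
    for e in events:
        if e.kind == "create_sa":
            created[e.spi] = e
        elif e.spi in created:
            lifespan[e.spi] = e.time - created[e.spi].time
    early = [spi for spi, secs in lifespan.items() if secs < created[spi].lifetime_sec]
    return {
        "created": [e.spi for e in events if e.kind == "create_sa"],
        "deleted": [e.spi for e in events if e.kind == "delete_sa"],
        "live": sorted(set(created) - set(lifespan)),
        "duplicate_bundles": duplicates,
        "lifespan_sec": lifespan,
        "torn_down_early": early,
    }


if __name__ == "__main__":
    for key, value in summarize_sa_churn(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

    The number worth watching is lifespan_sec: an SA that is deleted seconds after creation, against a 3600-second negotiated lifetime, is the signature of the churn the duplicate-bundle line reports, and it is far easier to see in this summary than among the ISAKMP state-machine lines.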

  • EA6500 - VPN interface and VLan configuration feature?

    Does the EA6500 have any kind of built-in VPN interface and also a built-in VLAN configuration feature?

    This particular router has VPN passthrough, and you may open ports when needed for VPN to work behind it. As for VLAN configuration, this router is not designed for that. For everything else you would like to know about the router, just click here.

  • Router to Router VPN with Overlapping internal networks

    Hello Experts,
    One quick question. How do I configure a router-to-router VPN with overlapping internal networks?
    Both of my internal networks have the IP address 192.168.10.0 and 192.168.10.0.
    Any link or config will be appreciated. I've been looking but no luck.
    Thanks,
    Randall

    Randall,
    Please refer the below URL for configuration details:
    Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
    Let me know if it helps.
    Regards,
    Arul
    ** Please rate all helpful posts **

  • Why assign IP addresses to router/switch interfaces?

    I get why I would ever want to assign an IP address to a router or switch, for remote login and an IP for hosts to reach it. But why assign IP addresses to the interfaces? Is it so the router/switch knows which port to send the packet out? Route summation? But I thought they do that through the routing table, like "that address is out this port".
    So why would we ever need to assign IP addresses to specific port interfaces?

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    You normally assign IP addresses to L3 interfaces so other L3 devices have an IP address to forward traffic to.  (L2 IP addresses are generally only used for management.)
    Suppose you had Host (192.168.1.5/24) <> R1 <> R2 <> (192.168.2.8/24) Host, and you want the two hosts to intercommunicate.  How would you get this to work?
    You might start by providing interface IPs on the router interfaces facing the hosts, such as:
    Host (192.168.1.5/24) <> (192.168.1.1/24) R1 <> R2 (192.168.2.1/24) <> (192.168.2.8/24) Host
    You then configure "gateway" IPs on both hosts:
    Host (192.168.1.5/24 - GW 192.168.1.1) <> (192.168.1.1/24) R1 <> R2 (192.168.2.1/24) <> (192.168.2.8/24 - GW 192.168.2.1) Host
    Now each host "knows" to send all its off-local-subnet traffic physically to the GW IP.  So, for example, if 192.168.1.5 wants to send to 192.168.2.8, it would forward the traffic to the GW IP, 192.168.1.1.  This is an example of why you want an IP on the router's L3 interface.
    Next we want R1 to forward the packet to R2, but it too needs a "next hop" IP address, so we assign addresses on the link between the two routers, e.g.:
    Host (192.168.1.5/24 - GW 192.168.1.1) <> (192.168.1.1/24) R1 (192.168.3.1/24) <> (192.168.3.2/24) R2 (192.168.2.1/24) <> (192.168.2.8/24 - GW 192.168.2.1) Host
    R1 then needs to "know" where to send packets with a destination IP network of 192.168.2.0/24; in this case, it needs to "know" to send them to IP 192.168.3.2.  When it does, R2, having an interface with 192.168.2.1, will also know 192.168.2.8 can be reached by sending the packet out that interface.
    Hopefully, the above will show why IP addresses on router L3 interfaces are needed.
    BTW, normally for the R1<>R2 link, you would assign a /30 or /31 network, or you might use "unnumbered" interfaces (which "borrow" IPs from another interface).
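    To make the hop-by-hop reasoning above concrete, here is an added Python model of that two-router network (example code, not the poster's). Each router does a longest-prefix lookup over its connected and static routes, and a static next hop is only usable if it resolves to one of the router's own connected networks, which is the reason the R1-R2 link needs addresses. The interface names (Fa0/0, Fa0/1) and the /30 on the link are assumptions for the illustration; build_topology(link_addressed=False) shows what happens when that link has no IPs:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class Router:
    name: str
    # interface name -> IPv4Interface (address plus mask); each one yields a connected route
    interfaces: Dict[str, ipaddress.IPv4Interface]
    # destination network -> next-hop address, as a static route would be entered
    static_routes: Dict[ipaddress.IPv4Network, IPv4] = field(default_factory=dict)

    def lookup(self, dst: IPv4) -> Optional[Tuple[ipaddress.IPv4Network, Optional[str], Optional[IPv4]]]:
        """Longest-prefix match over connected and static routes.
        Returns (network, out_interface, next_hop); connected routes have no next hop."""
        best = None
        for ifname, iface in self.interfaces.items():
            net = iface.network
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname, None)
        for net, nh in self.static_routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, None, nh)
        return best

    def forward(self, dst: IPv4) -> Optional[Tuple[str, IPv4]]:
        """Decide where a packet for dst physically goes: (out_interface, address to hand it to)."""
        match = self.lookup(dst)
        if match is None:
            return None
        net, ifname, nh = match
        if nh is None:
            return ifname, dst          # connected: deliver straight to the destination
        # a static next hop is only usable if it sits on one of our connected networks,
        # which is exactly why the router-to-router link needs its own addresses
        res = self.lookup(nh)
        if res is None or res[2] is not None:
            return None
        return res[1], nh


@dataclass
class Host:
    iface: ipaddress.IPv4Interface
    gateway: IPv4

    def first_hop(self, dst: IPv4) -> IPv4:
        # on-subnet traffic goes straight to the destination, everything else to the GW
        return dst if dst in self.iface.network else self.gateway


def trace(host: Host, dst: str, routers: List[Router]) -> List[str]:
    """Follow the packet hop by hop and list the addresses it is handed to."""
    target = ipaddress.IPv4Address(dst)
    owner = {str(i.ip): r for r in routers for i in r.interfaces.values()}
    path: List[str] = []
    hop = host.first_hop(target)
    for _ in range(16):                 # TTL-style guard against routing loops
        path.append(str(hop))
        if hop == target:
            return path
        router = owner.get(str(hop))
        if router is None:
            return path + ["no device owns this address"]
        decision = router.forward(target)
        if decision is None:
            return path + [f"dropped at {router.name}"]
        hop = decision[1]
    return path + ["loop"]


def build_topology(link_addressed: bool = True):
    """The two-router network from the post (assumed interface names); link_addressed=False
    leaves the R1-R2 link without IPs so the static routes have nowhere to resolve to."""
    I, N, A = ipaddress.IPv4Interface, ipaddress.IPv4Network, IPv4
    r1_ifs = {"Fa0/0": I("192.168.1.1/24")}
    r2_ifs = {"Fa0/0": I("192.168.2.1/24")}
    if link_addressed:
        r1_ifs["Fa0/1"] = I("192.168.3.1/30")   # /30 on the point-to-point link, as suggested
        r2_ifs["Fa0/1"] = I("192.168.3.2/30")
    r1 = Router("R1", r1_ifs, {N("192.168.2.0/24"): A("192.168.3.2")})
    r2 = Router("R2", r2_ifs, {N("192.168.1.0/24"): A("192.168.3.1")})
    host_a = Host(I("192.168.1.5/24"), A("192.168.1.1"))
    host_b = Host(I("192.168.2.8/24"), A("192.168.2.1"))
    return host_a, host_b, [r1, r2]


if __name__ == "__main__":
    host_a, host_b, routers = build_topology()
    print(trace(host_a, "192.168.2.8", routers))   # gateway, R2's link address, destination
    host_a, host_b, routers = build_topology(link_addressed=False)
    print(trace(host_a, "192.168.2.8", routers))   # R1 has a route but cannot resolve its next hop
```

    The return path needs the mirror-image static route on R2 (192.168.1.0/24 via 192.168.3.1); without it the trace from host B is dropped at R2 in the same way, which is the usual cause of "pings one way but not the other".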

  • Disable BFD in multiple Router Sub interfaces that participates in OSPF

    Hi team,
    Please help me on this. Here is the scenario:
    We are on an enterprise set up and running on 100+ routers.
    We have 200 to 300+ sub interfaces for virtual circuits
    Our protocol is OSPF over MPLS
    One of our providers in LA encountered link flaps on SONET, causing our LA router that is directly connected to that link to recalculate multiple times.
    Recalculation of OSPF routes caused disconnection of users in LA VMs.
    We were advised by our provider in LA to disable BFD so minor link flaps will not affect recalculation of routes.
    We are now tasked by our design team to disable BFD on multiple router sub-interfaces that participate in OSPF.
    My questions are:
    What is the implication of disabling all BFD on routers' interfaces and sub-interfaces?
    Will this improve recalculation of OSPF routes in case of link flaps, or will it totally ignore the link flaps?
    Will the routers only recognize a "full down" status of the interface?
    How can we disable BFD on multiple router sub-interfaces that participate in OSPF in a faster way? Or do we have to do this one by one?
    Please advise before we present this to the CAB and implementation. Thank you.

    My questions are:
    What is the implication of disabling all BFD on routers' interfaces and sub-interfaces?
    Answer: the implication would be eliminating sub-second (millisecond) convergence.
    BFD detects failure at the link layer very fast; once detected, it informs the upper-layer protocol about the failure, causing it to converge immediately.
    Will this improve recalculation of OSPF routes in case of link flaps, or will it totally ignore the link flaps?
    Answer: if your provider is experiencing intermittent flaps, then yes, it would be advisable to turn BFD off. This however doesn't totally ignore the link flaps; once the upper protocol detects the failure based on the dead interval parameter in OSPF, it will recalculate OSPF routes again. Keep in mind, if you have redundant or more links to your provider, then I wouldn't recommend disabling BFD, as it should improve convergence and you shouldn't notice the failure.
    Will the routers only recognize a "full down" status of the interface?
    Answer: disabling BFD lets the router recognize a full-down status once the upper protocol's dead interval occurs or a full-down status of the interface, whichever occurs earliest.
    How can we disable BFD on multiple router sub-interfaces that participate in OSPF in a faster way? Or do we have to do this one by one?
    You can disable it one by one, or if you have configuration management software, it allows you to do it for all nodes at a time, but this depends on whether you have it or not.
    Please consider not disabling BFD if you have multiple OSPF links towards your provider from any branch, as it shouldn't impact your VMs; it should rather improve convergence to milliseconds, which is absolutely not noticeable.
    BR,
    Mohamed 
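    For the "faster way" question, an added Python generator (example code, not from the thread) that reads a running-config excerpt and emits only the lines needed to stop OSPF from using BFD. The config is constructed for the example; it assumes BFD was registered per interface with ip ospf bfd and/or process-wide with bfd all-interfaces. The selective mode leaves BFD in place on interfaces outside the given name prefixes, which is what Mohamed's advice about redundant links calls for:

```python
from typing import Dict, Iterable, List, Optional

# Constructed running-config excerpt (not the poster's configuration): one OSPF
# process with bfd all-interfaces, two dot1Q sub-interfaces and one physical
# interface that register BFD explicitly, and a loopback with no BFD at all.
SAMPLE_RUNNING_CONFIG = """\
router ospf 100
 router-id 10.0.0.1
 bfd all-interfaces
 network 10.0.0.0 0.255.255.255 area 0
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.101
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.252
 bfd interval 250 min_rx 250 multiplier 3
 ip ospf bfd
!
interface GigabitEthernet0/1.102
 encapsulation dot1Q 102
 ip address 10.1.102.1 255.255.255.252
 bfd interval 250 min_rx 250 multiplier 3
 ip ospf bfd
!
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
 ip ospf bfd
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
"""


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split an IOS config into top-level commands and their indented sub-commands."""
    sections: Dict[str, List[str]] = {}
    header: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            header = None
            continue
        if not raw.startswith(" "):
            header = raw.strip()
            sections.setdefault(header, [])
        elif header is not None:
            sections[header].append(raw.strip())
    return sections


def bfd_disable_config(running_config: str, only: Optional[Iterable[str]] = None) -> List[str]:
    """Return the config lines that turn OSPF's use of BFD off.

    only=None: disable it everywhere (per-interface registrations plus the
    process-level 'bfd all-interfaces'). only=("GigabitEthernet0/1.",): leave
    the rest alone, which matters when redundant links should keep fast failover.
    """
    sections = parse_sections(running_config)
    ospf_all = [h for h, c in sections.items()
                if h.startswith("router ospf") and "bfd all-interfaces" in c]
    prefixes = tuple(only) if only is not None else None
    out: List[str] = []
    if prefixes is None:
        for header in ospf_all:
            out += [header, " no bfd all-interfaces"]
    for header, cmds in sections.items():
        if not header.startswith("interface "):
            continue
        name = header.split()[1]
        if prefixes is not None and not name.startswith(prefixes):
            continue
        explicit = "ip ospf bfd" in cmds
        addressed = any(c.startswith("ip address ") for c in cmds)
        if prefixes is None:
            if explicit:
                out += [header, " no ip ospf bfd"]
        elif explicit or (ospf_all and addressed):
            # with bfd all-interfaces still in place, the per-interface
            # 'ip ospf bfd disable' override is what actually wins
            out += [header, " ip ospf bfd disable" if ospf_all else " no ip ospf bfd"]
    return out


if __name__ == "__main__":
    print("\n".join(bfd_disable_config(SAMPLE_RUNNING_CONFIG)))
    print("---")
    print("\n".join(bfd_disable_config(SAMPLE_RUNNING_CONFIG, only=("GigabitEthernet0/1.",))))
```

    The generated lines are meant to be reviewed and then pushed by whatever tool you use to reach the 100+ routers; the bfd interval timers are left on the interfaces, since they do nothing once no protocol registers with BFD and they make re-enabling a one-line change.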

  • Upgraded router VPN no longer working - LCP: timeout sending Config-Request

    I recently upgraded my small office router from a Linksys WRT54G to a Linksys WRT610N. I duplicated all of the port forwarding configs from my previous router, but every time I try to connect to my server I get the following error:
    Could not negotiate a connection with the remote PPP server. Please verify your settings and try again.
    The ports I have forwarded to my server are the following:
    1701 UDP
    500 UDP
    1723 TCP
    4500 UDP
    While I am connecting I have been watching the log from Server Admin, and this is what I see:
    2008-07-11 06:09:35 PDT Incoming call... Address given to client = 192.168.1.63
    Fri Jul 11 06:09:35 2008 : Directory Services Authentication plugin initialized
    Fri Jul 11 06:09:35 2008 : Directory Services Authorization plugin initialized
    Fri Jul 11 06:09:35 2008 : PPTP incoming call in progress from '76.172.xxx.xxx'...
    Fri Jul 11 06:09:35 2008 : PPTP connection established.
    Fri Jul 11 06:09:35 2008 : using link 0
    Fri Jul 11 06:09:35 2008 : Using interface ppp0
    Fri Jul 11 06:09:35 2008 : Connect: ppp0 <--> socket[34:17]
    Fri Jul 11 06:09:35 2008 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xef7517xx> <pcomp> <accomp>]
    Fri Jul 11 06:10:05 2008 : LCP: timeout sending Config-Requests
    Fri Jul 11 06:10:05 2008 : Connection terminated.
    Fri Jul 11 06:10:05 2008 : PPTP disconnecting...
    Fri Jul 11 06:10:05 2008 : PPTP disconnected
    2008-07-11 06:10:05 PDT --> Client with address = 192.168.1.63 has hungup
    I am still using 10.5.3. This may be very obvious to someone, but I'd appreciate any help.
    Thanks!
    Scott

    I am having severe issues with routers vs. VPN and I am hoping someone here can tell me how they got PPTP and L2TP working through the Apple AirPort Extreme.
    Basically, I used to have a cheap, old, but perfectly working Linksys router. I opened ports for PPTP and L2TP passthrough and VPN worked fine. I decided to upgrade the router because I wanted something with basic firewall functionality...
    I tried two new Linksys products and gave up in disgust. Then I thought I had a brainwave and ordered the Apple Extreme Base Station. Well, this is almost as hopeless.
    I can get PPTP to connect now but the remote clients can't connect to the AFP server. L2TP simply won't work. I have 1701, 500, 1723 and 4500 ports forwarded to my server so I don't know what I am doing wrong.
    Also, I see on Apple's Server page that the Server will set up the Apple Extreme Base Station automatically??? How does this work?
    Lastly, Do I want to enable NAT port mapping protocol?
    Thank you,
    Gareth

  • EAZYVPN and DMVPN on the same router,same interface

    Hi all,
    First of all, thanks in advance for the help. I have set up DMVPN and EAZYVPN on one router. The tunnel interfaces on spoke one and spoke two are up/up, and show crypto isakmp sa shows both tunnels are idle. However, the tunnel to spoke one (10.10.1.1) keeps bouncing on and off (see below). Every 30 sec or so, the tunnel goes back to IKE phase while the tunnel for spoke two (5.5.5.1) still stays active. The configuration on the HUB side is the same for both spokes!! show crypto ipsec sec shows both sides have the same lifetime (IOS default). Could that be an IOS debug on spoke one?
    Hub :
    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
    HUB#sh crypto ipsec security-association
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Spoke one:
    Cisco IOS Software, C2600 Software (C2600-ADVSECURITYK9-M), Version 12.4(8), RELEASE SOFTWARE (fc1)
    SPOKE1#sh crypto ipsec security-association
    Security association lifetime: 4608000 kilobytes/3600 seconds
    HUB#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    5.5.5.1         5.5.5.2         QM_IDLE           1002 ACTIVE
    10.10.1.1       10.10.1.2       MM_NO_STATE       1134 ACTIVE (deleted)
    10.10.1.1       1.1.1.10        QM_IDLE           1126 ACTIVE
    10.10.1.1       1.1.1.10        QM_IDLE           1076 ACTIVE
    HUB#sh crypto se
    HUB#sh crypto session
    Crypto session current status
    Interface: Serial0/1/1
    Username: testuser
    Profile: AccountingPro
    Group: Accounting
    Assigned address: 20.20.20.1
    Session status: UP-ACTIVE    
    Peer: 1.1.1.10 port 60201
      IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/60201 Active
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.1
            Active SAs: 2, origin: dynamic crypto map
    Interface: Serial0/1/1
    Username: testuser
    Profile: AccountingPro
    Group: Accounting
    Assigned address: 20.20.20.2
    Session status: UP-ACTIVE    
    Peer: 1.1.1.10 port 49768
      IKEv1 SA: local 10.10.1.1/500 remote 1.1.1.10/49768 Active
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 20.20.20.2
            Active SAs: 2, origin: dynamic crypto map
    Interface: FastEthernet0/1
    Profile: DMVPN
    Session status: UP-IDLE
    Peer: 5.5.5.2 port 500
      IKEv1 SA: local 5.5.5.1/500 remote 5.5.5.2/500 Active
    Interface: Serial0/1/1
    Profile: DMVPN
    Session status: DOWN-NEGOTIATING
    Peer: 10.10.1.2 port 500
      IKEv1 SA: local 10.10.1.1/500 remote 10.10.1.2/500 Inactive
    HUB#
    2. My second issue is, I use the same interface (s0/1/1 = 10.10.1.1) for EAZYVPN access. The client from EAZYVPN connects fine, but does not receive traffic back (the statistics window shows decrypted = 0 and received = 0). The EAZYVPN client can't even ping the IP address assigned to the VPN client (20.20.20.2), and the client can only ping the 10.10.1.1 address. Reverse route is enabled, but the 20.20.20.0/24 network didn't show up in the IP table of the HUB router!!!
    DMVPN and EAZYVPN server config:
    crypto keyring dmvpnkey
      pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPNLAB
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    crypto isakmp policy 20
     encr aes
     authentication pre-share
     group 2
    crypto isakmp policy 30
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp policy 40
     authentication pre-share
    crypto isakmp keepalive 30
    crypto isakmp xauth timeout 90
    crypto isakmp client configuration group Accounting
     key eazypvn
     dns 4.2.2.2
     wins 4.2.2.2
     domain bigBois.com
     pool dmAccouting
    crypto isakmp profile AccountingPro
       match identity group Accounting
       client authentication list access_in
       isakmp authorization list my_vpn
       client configuration address respond
    crypto isakmp profile DMVPN
       keyring dmvpnkey
       match identity address 0.0.0.0
    crypto ipsec transform-set DMVPN ah-sha-hmac esp-aes
     mode transport
    crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
    crypto ipsec profile dmvpnlab
     set transform-set DMVPN
     set isakmp-profile AccountingPro
    crypto dynamic-map Remote_Acc 20
     set transform-set EAZYVPN
     set isakmp-profile AccountingPro
     reverse-route
    crypto map RemoteAcc client authentication list access_in
    crypto map Remote_Acc client authentication list my_vpn
    crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
    interface Loopback0
     ip address 192.168.200.1 255.255.255.0
    interface Loopback2
     ip address 172.16.10.1 255.255.255.0
    interface Loopback3
     ip address 172.16.15.1 255.255.255.0
    interface Tunnel1
     bandwidth 10000
     ip address 4.4.4.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 10
     ip nhrp authentication DMVPN
     ip nhrp map multicast dynamic
     ip nhrp network-id 7940
     ip nhrp registration timeout 10
     ip tcp adjust-mss 1360
     tunnel source Serial0/1/1
     tunnel mode gre multipoint
     tunnel key 7940
     tunnel protection ipsec profile dmvpnlab
    interface FastEthernet0/0
     description OUTSIDE
     ip address 1.1.1.1 255.255.255.0
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface FastEthernet0/1
     description INSIDE
     ip address 5.5.5.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface Serial0/1/0
     no ip address
     shutdown
     clock rate 2000000
    interface Serial0/1/1
     description to SPOKE1
     ip address 10.10.1.1 255.255.255.0
     crypto map Remote_Acc
    interface Serial0/3/0
     no ip address
     shutdown
    router eigrp 10
     network 4.4.4.0 0.0.0.255
     network 5.5.5.0 0.0.0.255
     network 10.0.0.0
     network 10.10.10.0 0.0.0.3
     network 172.16.0.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
     network 172.16.10.0 0.0.0.255
     network 172.16.15.0 0.0.0.255
     network 192.168.200.0
    ip local pool dmAccouting 20.20.20.1 20.20.20.10
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    Thanks a bunch for the help,
    Ernest
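    An added example, not from the poster: a reference linter for the kind of crypto configuration shown above. It checks that every transform-set, ISAKMP profile, keyring, pool, client group, IPsec profile, dynamic map and crypto map that is referenced is actually defined under that exact name, which is the first thing to rule out when one tunnel negotiates and another does not. The config below is constructed in the same shape as the posted one (not a copy of it) with two deliberately dangling names; the linter does not diagnose the DMVPN/EasyVPN interaction itself:

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed config in the shape of the hub configuration above, with two
# deliberately dangling names: the client group points at a pool whose defined
# name is spelled differently, and a map-level command names a crypto map that
# has no entries and is not the one applied to the interface.
SAMPLE_CONFIG = """\
crypto keyring dmvpnkey
  pre-shared-key address 0.0.0.0 0.0.0.0 key EXAMPLEKEY
crypto isakmp client configuration group Accounting
 key EXAMPLEGROUPKEY
 pool dmAccounting
crypto isakmp profile AccountingPro
   match identity group Accounting
   client authentication list access_in
   isakmp authorization list my_vpn
   client configuration address respond
crypto isakmp profile DMVPN
   keyring dmvpnkey
   match identity address 0.0.0.0
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set EAZYVPN esp-3des esp-md5-hmac
crypto ipsec profile dmvpnlab
 set transform-set DMVPN
 set isakmp-profile DMVPN
crypto dynamic-map Remote_Acc 20
 set transform-set EAZYVPN
 set isakmp-profile AccountingPro
 reverse-route
crypto map RemoteAcc client authentication list access_in
crypto map Remote_Acc 20 ipsec-isakmp dynamic Remote_Acc
interface Tunnel1
 tunnel protection ipsec profile dmvpnlab
interface Serial0/1/1
 crypto map Remote_Acc
ip local pool dmAccouting 20.20.20.1 20.20.20.10
"""

# top-level command prefix -> object kind it defines (the name is the next token)
DEFINERS = {
    "crypto keyring": "keyring",
    "crypto isakmp profile": "isakmp-profile",
    "crypto isakmp client configuration group": "group",
    "crypto ipsec transform-set": "transform-set",
    "crypto ipsec profile": "ipsec-profile",
    "crypto dynamic-map": "dynamic-map",
    "ip local pool": "pool",
}
# sub-command prefix -> object kind it references
SUB_REFS = {
    "set transform-set": "transform-set",
    "set isakmp-profile": "isakmp-profile",
    "keyring": "keyring",
    "pool": "pool",
    "match identity group": "group",
    "tunnel protection ipsec profile": "ipsec-profile",
    "crypto map": "crypto-map",
}


def _name_after(line: str, prefix: str) -> str:
    return line[len(prefix):].split()[0]


def lint_crypto_refs(cfg: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, where) for every reference to an object the config never defines."""
    defined: Dict[str, Set[str]] = defaultdict(set)
    refs: List[Tuple[str, str, str]] = []
    ctx = ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):
            ctx = line
            for prefix, kind in DEFINERS.items():
                if line.startswith(prefix + " "):
                    defined[kind].add(_name_after(line, prefix))
            if line.startswith("crypto map "):
                tok = line.split()
                if len(tok) > 3 and tok[3].isdigit():
                    # 'crypto map NAME SEQ ipsec-isakmp [dynamic DYN]' is an entry
                    defined["crypto-map"].add(tok[2])
                    if "dynamic" in tok:
                        refs.append(("dynamic-map", tok[tok.index("dynamic") + 1], line))
                elif len(tok) > 2:
                    # map-level commands only take effect on a map that has entries
                    refs.append(("crypto-map", tok[2], line))
            continue
        for prefix, kind in SUB_REFS.items():
            if line.startswith(prefix + " "):
                refs.append((kind, _name_after(line, prefix), f"{ctx} > {line}"))
                break
    return [(k, n, w) for k, n, w in refs if n not in defined[k]]


if __name__ == "__main__":
    for kind, name, where in lint_crypto_refs(SAMPLE_CONFIG):
        print(f"{kind} '{name}' is never defined (referenced at: {where})")
```

    IOS accepts a map-level command for a crypto map name that has no entries, so nothing in the CLI warns about it; a check like this over the saved config is the cheap way to catch that class of mismatch before reading debugs.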

    Any ideas why devices keep renewing phase 1?
    Thanks,

  • VPN Server won't route VPN client to gateway

    We have a Windows 7 VPN client that successfully connects with the 2012 VPN server and can access servers and resources on the remote 96.0 LAN; however, the VPN client cannot access the 96.1 default gateway and thus no subnets outside of 96.0.
    Use default gateway on remote network is NOT checked, but it does not work with it checked either.
    RRAS on the VPN server does allow for routing IPv4 and is set up to assign addresses via DHCP.

    You probably don't need a static route to get the traffic to the other subnets. Is the VPN router also the router for the subnets? If it is, the packets should be delivered directly to any client in an attached subnet. You do have the remotes using their own subnet? If not, Bing or Google off-subnet addressing. You need that to be able to route the VPN traffic at the central site.
    What you do need is a static route at the router which is the gateway router for the LAN segment to send the traffic to the VPN server, not to your Internet gateway (which would be the default behaviour. Whether the Internet gateway is the VPN server or another router depends on your network config).
    Exactly how you set it up depends on how your local network is configured. I haven't done that sort of thing lately, but you probably have to use the IP address of the VPN demand-dial interface as the target address of the route command rather than the RRAS internal interface.
    Bill

  • MPLS Customer router physical interface

    My provider wants to sell me MPLS services, but I can't seem to get a straight answer regarding what the physical interface on my customer router needs to be.  Some personnel tell me it will be a normal Ethernet connection; others say it'll be a DS3 or T1 connection depending on the speed.
    Please give me some advice on what to expect regarding an MPLS circuit, or point me to some good documentation so maybe I can communicate better with the service provider.
    Thank you.

    Hi Tod
    A few points from my side for your query.
    The access link should be considered based on whether we are going for an MPLS L3 VPN or an MPLS L2 VPN solution.
    MPLS L3 VPN, from my understanding, is independent of the access media, but the access media will definitely put different hardware requirements on your customer edge router.
    The access link type and bandwidth would vary depending upon the BW requirements for the network. T1/T3 or subrate T3 access links would be a choice when we have BW requirements in that range (<45 Megs).
    Using FE as an access link would require the SP to provide colocation services, or rather go for spanning a fiber out from their colo and deploying an optical mux at the customer premises, and again is suitable for BW requirements of more than 45 Megs.
    MPLS L2 VPN
    Ethernet is the choice for taking MPLS L2 VPN services to connect your different branches in a point-to-multipoint fashion using VPLS at the SP end.
    You can go through the Cisco doc "Layer 3 MPLS VPN Enterprise Consumer Guide", which should help you gain more insight for choosing the PE-CE routing protocol and other points to consider for an MPLS L3 VPN service.
    That's from my understanding. Hope you will get more good advice on this.
    Regards
    Vaibhava Varma

  • 2851 Router VPN - stack for level DMA/Timer Interrupt running low 36/9000

    I have a site-to-site VPN. On my hub router I am seeing the following message EVERY minute in the log!
    %sys-6-stacklow: stack for level DMA/Timer Interrupt running low, 36/9000
    I have been trying to figure out what the DMA/Timer Interrupt is and what is causing it to run low.
    If I run the "show stacks" command I can see:
    <output omitted>
    Interrupt level stacks:
    Level     Called     Unused/Size     Name
    2      1578216246     36/9000     DMA/Timer Interrupt
    I am also occasionally seeing the following
    %crypto--4-pkt_replay_error:decrypt: replay check failed connection id=7 sequence number=16171319
    I don't know if they are related or not, but I need to find out what is causing the DMA/timer interrupt messages.
    Thanks.

    It just rebooted
    This router just stands in front of a few servers and applies NAT.
    So far this had happened a few times, but since this morning it has already rebooted 3 times.
    The Sagem ADSL router at my house has longer uptime. wtf!?!?
    cisco>show stacks
    Minimum process stacks:
    Free/Size   Name
    5396/6000   Inspect Init Msg
    5368/6000   SPAN Subsystem
    58920/60000  EEM Auto Registration Proc
    4772/6000   Auto Upgrade Startup Process
    5164/6000   DIB error message
    5396/6000   SASL MAIN
    4968/6000   LICENSE AGENT DEFAULT
    5368/12000  Init
    4216/6000   Update prst
    4384/6000   VPN_HW_MIB_CREATION
    5188/6000   RADIUS INITCONFIG
    2124/3000   Rom Random Update Process
    5316/6000   URPF stats
    Interrupt level stacks:
    Level    Called Unused/Size  Name
      1      319293   6284/9000  Network interfaces
      2      716358   8548/9000  DMA/Timer Interrupt
      3           1   8388/9000  PA Management Int Handler
      4         115   8612/9000  Console Uart
      5           0   9000/9000  External Interrupt
    Interrupt level stacks:
    Level    Called Unused/Size  Name
      7       72787   8564/9000  NMI Interrupt Handler
    Spurious interrupts: 3
    System was restarted by bus error at PC 0x4183BC0C, address 0xC3D1CB7 at 10:51:53 UTC Tue Apr 23 2013
    2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Compiled Wed 25-Feb-09 17:55 by prod_rel_team
    Image text-base: 0x40016C60, data-base: 0x42B47360
    Stack trace from system failure:
    FP: 0x4759C678, RA: 0x4183BC0C
    FP: 0x4759C6D0, RA: 0x41836D18
    FP: 0x4759C708, RA: 0x4164D7E0
    FP: 0x4759C768, RA: 0x41650314
    FP: 0x4759C7E8, RA: 0x41650C68
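    Added example (not from either post): a Python parser for show stacks output that flags any stack whose headroom falls under a threshold, plus a matcher for the %SYS-6-STACKLOW syslog line, so the 36/9000 figure quoted above is caught by log monitoring rather than by eye. The sample listing is constructed in the shape of the output above, not the full output:

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a STACKLOW syslog line like the one in the post and a trimmed
# "show stacks" listing that repeats the same 36/9000 figure (not the full output).
SAMPLE_LOG = "%SYS-6-STACKLOW: Stack for level DMA/Timer Interrupt running low, 36/9000"
SAMPLE_SHOW_STACKS = """\
Minimum process stacks:
 Free/Size   Name
 5396/6000   Inspect Init Msg
 2124/3000   Rom Random Update Process
 5316/6000   URPF stats
Interrupt level stacks:
Level    Called Unused/Size  Name
  1      319293   6284/9000  Network interfaces
  2  1578216246     36/9000  DMA/Timer Interrupt
  4         115   8612/9000  Console Uart
  5           0   9000/9000  External Interrupt
Spurious interrupts: 3
"""

# optional "<level> <called>" columns, then "<free>/<size>" and the stack name
STACK_RE = re.compile(r"^\s*(?:(\d+)\s+(\d+)\s+)?(\d+)/(\d+)\s+(\S.*?)\s*$")
STACKLOW_RE = re.compile(r"stack for level (.+?) running low, (\d+)/(\d+)", re.IGNORECASE)


@dataclass
class StackEntry:
    name: str
    free: int
    size: int
    level: Optional[int] = None    # only interrupt-level stacks carry these two
    called: Optional[int] = None

    @property
    def free_pct(self) -> float:
        return 100.0 * self.free / self.size


def parse_show_stacks(text: str) -> List[StackEntry]:
    """Parse both the process-stack and interrupt-stack tables of 'show stacks'."""
    entries: List[StackEntry] = []
    for line in text.splitlines():
        m = STACK_RE.match(line)
        if not m:
            continue            # headers, blank lines and the spurious-interrupt count
        level, called, free, size, name = m.groups()
        entries.append(StackEntry(name, int(free), int(size),
                                  int(level) if level else None,
                                  int(called) if called else None))
    return entries


def low_stacks(entries: List[StackEntry], min_free_pct: float = 10.0) -> List[StackEntry]:
    """Entries whose headroom is below the threshold, worst first."""
    return sorted((e for e in entries if e.free_pct < min_free_pct), key=lambda e: e.free_pct)


def parse_stacklow(line: str) -> Optional[Tuple[str, int, int]]:
    """(stack name, free, size) from a %SYS-6-STACKLOW line, or None for any other line."""
    m = STACKLOW_RE.search(line)
    return (m.group(1), int(m.group(2)), int(m.group(3))) if m else None


if __name__ == "__main__":
    for e in low_stacks(parse_show_stacks(SAMPLE_SHOW_STACKS)):
        print(f"{e.name}: {e.free}/{e.size} free ({e.free_pct:.1f}%)")
    print(parse_stacklow(SAMPLE_LOG))
```

    A 10% threshold is an assumption for the example; the point is that 36 bytes of 9000 on an interrupt stack is 0.4% headroom, and a stack that exhausts in an interrupt handler ends in exactly the kind of bus-error crash shown in the second post, so the STACKLOW messages deserve a TAC case rather than a filter rule.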

  • I can no longer login to my router web interface from Safari on iPad.

    I made a mistake today. After accidentally opening up the web interface login screen to my router in Safari, I just pressed Cancel in the login box. Since then, Safari just hangs on 192.168.0.1 when I want to access the router, and the login box no longer appears. I can still log in via the Terra browser on the same iPad. I would really appreciate any guidance as to how to undo whatever setting I have changed. I have tried clearing cache/cookies/history. Thanks.
    Edit: Could I have refused a permission to access in some way? I am now wondering if, in my haste, I may have mistaken a permission box for the login box. Is there somewhere in the settings I could check if I have refused a permission? Thanks again.

    There should be an X on the right side of each tab. Clicking on it should close that tab.
