RV016 V3 vs RV082 V3 VPN Tunnel Backup not available on RV016

VPN tunnel backup is not available on the RV016 firmware version 4.0.2.08 (it IS on the RV082. The data sheet and the manual for the RV016 is wrong. I have purchased several RV016 hardware V3 and several RV082 hardware V3. Both have the same current firmware version. We have noted that the RV016 does not have the VPN tunnel failover option found in the RV082. It also does not have split DNS (noted in the manual. A I would have thought that the firmware would provide equal options on the RV042, RV082, and RV016. Good job, Cisco!

We did not have VPN back up with the V1 RV016, either. Also tried V2 and at the time it was not working. The product that we have found works as expected is the Peplink Balance. There is still a few second delay on failover, but if you have two broadband connections, it is imperceptible. We gave up on the Cisco products.

Similar Messages

Site-2-Site IPSEC VPN tunnel will not come up.

Hello Experts,
Just wondering if I can get some help on setting up a IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. Below is the config
show run | s crypto
crypto pki token default removal timeout 0
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
mode transport
crypto map ICQ-2-ILAND 1 ipsec-isakmp
set peer A.A.A.A
set transform-set ESP-AES128-SHA
match address iland_london_s2s_vpn
crypto map ICQ-2-ILAND
The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.
The command Sh crypto isakmp sa displays the following
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A    B.B.B.B   MM_NO_STATE       1231 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
show crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: A.A.A.A port 500
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
The debug logs from the debug crypto isakmp command are listed below.
ISAKMP:(0): local preshared key found
Dec 6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
Dec 6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec 6 08:51:52.019: ISAKMP:      encryption AES-CBC
Dec 6 08:51:52.019: ISAKMP:      keylength of 128
Dec 6 08:51:52.019: ISAKMP:      hash SHA
Dec 6 08:51:52.019: ISAKMP:      default group 2
Dec 6 08:51:52.019: ISAKMP:      auth pre-share
Dec 6 08:51:52.019: ISAKMP:      life type in seconds
Dec 6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
Dec 6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
Dec 6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
Dec 6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
Dec 6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
Dec 6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
Dec 6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Dec 6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
Dec 6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Dec 6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
Dec 6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Dec 6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
Dec 6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
Dec 6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
Dec 6 08:51:52.175: ISAKMP:received payload type 20
Dec 6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
Dec 6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM4
Dec 6 08:51:52.179: ISAKMP:(1227):Send initial contact
Dec 6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec 6 08:51:52.179: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : B.B.B.B
        protocol     : 17
        port         : 500
        length       : 12
Dec 6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
Dec 6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec 6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4 New State = IKE_I_MM5
Dec 6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : A.A.A.A
        protocol     : 17
        port         : 0
        length       : 12
Dec 6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
Dec 6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
Dec 6 08:51:52.315: ISAKMP:received payload type 17
Dec 6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
Dec 6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
Dec 6 08:51:52.315: ISAKMP:(1227):SA authentication status:
        authenticated
Dec 6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec 6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/, and inserted successfully 2B79E8BC.
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_I_MM6
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec 6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
Dec 6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Dec 6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec 6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
Dec 6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 2554750723, sa = 0x2B78D574
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Dec 6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
Dec 6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
Dec 6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec 6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec 6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Dec 6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
Dec 6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
Dec 6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
Dec 6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
Dec 6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec 6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA New State = IKE_DEST_SA
would appreciate any help you can provide.
Regards,
Sidney Dsouza

Hi Anuj,
thanks for responding. Here are the logs from the debug crypto ipsec
Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
    local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
thats all that appeared after pinging the remote subnet.

Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
This is my configuration:
141Kerioth#sh config
Using 3763 out of 262136 bytes
! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
141Kerioth#do wr mem
              ^
% Invalid input detected at '^' marker.
141Kerioth#wr mem
Building configuration...
[OK]
141Kerioth#sh run
Building configuration...
Current configuration : 5053 bytes
! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 141Kerioth
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-580381394
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-580381394
revocation-check none
rsakeypair TP-self-signed-580381394
crypto pki certificate chain TP-self-signed-580381394
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
14EF37EA 15E57AD0 3C5D01F3 EF
        quit
ip dhcp excluded-address 10.0.16.1
ip dhcp pool ccp-pool
import all
network 10.0.16.0 255.255.255.0
default-router 10.0.16.1
dns-server 8.8.8.8
lease 0 2
ip domain name kerioth.com
ip host hostname.domain z.z.z.z
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip cef
no ipv6 cef
license udi pid CISCO881-K9 sn FTX180483DD
username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
username meadowbrook privilege 0 password 0 $8UBr#Ux
username meadowbrook autocommand exit
policy-map type inspect outbound-policy
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
crypto isakmp key 141Township address z.z.z.z
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
crypto map mymap 10 ipsec-isakmp
set peer z.z.z.z
set transform-set TS
match address 115
interface Loopback0
no ip address
interface Tunnel1
no ip address
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description $FW_OUTSIDE_WAN$
ip address 50.y.y.y 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map mymap
interface Vlan1
description $ETH_LAN$
ip address 10.0.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.x.x.x
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 144 permit icmp host c.c.c.c host 10.0.1.50
access-list 144 permit icmp host p.p.p.p host 10.0.16.105
access-list 199 permit ip a.a.a.a 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 100
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
transport preferred ssh
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
cns trusted-server all-agents x.x.x.x
cns trusted-server all-agents hostname
cns trusted-server all-agents hostname.domain
cns id hardware-serial
cns id hardware-serial event
cns id hardware-serial image
cns event hostname.domain 11011
cns config initial hostname.domain 80
cns config partial hostname.domain 80
cns exec 80
end

Why do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transfor set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
Where are you using the access-list/route-map
101 ?

Latest backup not available

hello,
i´m running 9.2.0.4.0 without catalog.
my problem: the latest backup from 2006/03/09 (which is shown by "list backup") is not available (deleted), but i have one from 2006/03/07 - which is NOT shown by "list backup", so i don´t have the tag of the backupset.
do i have a chance to restore the db?
thanks in advance!

How can you be sure that you have the backup from 2006/03/07? Is the backup from 2006/03/09 in the list of the output of "list backup"? It is marked as expired? Did you execute a crosscheck?
Usually, it the backupset is not registered in the controlfile you are not able to restore from this backup. However, you can try to register it using the CATALOG command.
Bye, Aron

RV082 - SRP527W - VPN behind NAT not working

Hello,
I've really strange behaviors with my routers. We managed to get things running but once a week, the VPN link is down.
The connection is not restart, both routers shows "connected" but are not, and we had to click on "disconnect" to get the link back.
That was before an update in our infrastructure. Now, both routers are behind routers, so both NAT.
Now, the connection works for some time, but once a week, the link disconnected but i'm unable to get it back ! NOTHING works.
Last time, i spent 2Hours to configure the link again, setting the same parameters almost 10 time, and suddenly by magic, the 11st time it worked again. I read many people have troubles with RVXXX firmware so i don't know what to think.
Anyway, my BIG concern now, is that the link is down again, and it has been 6hours since we can't got it back. I restarted the routers many times, i've made some changes in the configuration, but if it worked, why should i modify it ?????? Why is it not working anymore ?
The log for the RV082 is almost empty about the link. Here's a snippet :
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: initiating Main Mode
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014
VPN Log
(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014
System Log
gateway_to_gateway.htm is changed.
Feb 10 19:09:08 2014
VPN Log
(g2gips0): deleting connection
Feb 10 19:09:08 2014
VPN Log
(g2gips0) #8: deleting state (STATE_MAIN_I1)
Feb 10 19:09:08 2014
VPN Log
added connection description (g2gips0)
Feb 10 19:09:08 2014
VPN Log
listening for IKE messages
Feb 10 19:09:08 2014
VPN Log
forgetting secrets
Feb 10 19:09:08 2014
VPN Log
loading secrets from '/etc/ipsec.d/ipsec.secrets'
Feb 10 19:09:09 2014
System Log
gateway_to_gateway.htm is changed.
The log for the SRP527W is full of this :
Dump pluto log message in syslog : cat /var/log/messages |grep plutoJan 1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1Jan 1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2Jan 1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main ModeJan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1Jan 1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2Jan 1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1Jan 1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185Jan 1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]Jan 1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode
Please help me to get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why suddenly the link is broken, and without changing anything, it can't get it back normally !!
Best Regards

Hi again,
Samir, i rebooted all the routers dozens of time when that happened, and it doesn't changed anything. Anyway, i called the Cisco Hotline. They could connect by VPN to RV082, but not the SRP, they didn't know why. Hardware or software failure.
Anyway, i bought another router.
Now i would like to use the SRP527W as a WIFI hotspot only. It doesn't work.
My settings are :
- Router defined as BRIDGE only (using Port lan 4 as Ethernet WAN)
- WAN Interface is assigned 192.168.0.246 / 24
- Gateway for the WAN interface is 192.168.0.254
- Ethernet cable is plugged from LAN4/WAN to my new Modem/Router on LAN3.
- Port LAN2 of SRP527W is defined with VLAN IP Address 192.168.15.254.
When connected to the SRP527W on LAN2, from my computer (192.168.15.200), i can't ping 192.168.0.246 neither 0.254 (gateway is set to 15.254)
Still, when connected to the SRP527W and with the Ping Dagnosis interface, pinging "192.168.0.254" shows "timed out".
I tried almost every configuration, none worked.
Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP Address 192.168.0.200, i can access internet and ping everything. When set as DHCP too, i can grab an IP Address from my DHCP Windows Server.
So, why is the SRP527W unable to work in this configuration ? it seems nothing pass through WAN port.
If i'm right, there is only the WAN port that should be plugged to my modem router. With this settings, SSID should go directly to Internet, and for the other SSID, my LAN (through the modem/router). However, it doesn't work.
Could you help me please ? Thank you

4 out of 25 VPN tunnel is not getting up.....

Hi Experts,
I have found one strange problem with IPSec VPN, the scenario is like this, our corporate office is connected to its 25 remote office with IPSec VPN, at corporate site, cisco 2811 router is installed and same type of router is installed at each remote site and IPSec VPN is configured between remote office and corporate office and further each remote site router has two other VPN configured which are working properly. Now the problem is, 4 out of 25 remote offices are not getting up with corporate office, I mean the VPN is not getting up for these location. I sit at corporate office and have tried my level best to up these VPN but the problem not getting resolved.
Now the strange problem is that the VPN gets up by itself, after sometime like in 10days or 20days, for sometime and gets down by itself later.
Anyone who can give some insights where the problem could be and how could i troubleshoot the problem?
Thanks in advance for your valuable response

Hi Mike,
Thanks for your reply...
Below are some logs from corporate router with one of the tunnel which is not getting up::
RTR-FTR-PJB#debug crypto isakmp
Crypto ISAKMP debugging is on
RTR-FTR-PJB#ping 172.26.10.1 source l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.26.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.21.128.1
*Mar 22 12:19:32.147: ISAKMP: local port 500, remote port 500
*Mar 22 12:19:32.147: ISAKMP: set new node 0 to QM_IDLE
*Mar 22 12:19:32.147: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 459BC390
*Mar 22 12:19:32.147: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 22 12:19:32.147: ISAKMP:(0):found peer pre-shared key matching remote_ipsec_peer
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 22 12:19:32.147: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 22 12:19:32.147: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 22 12:19:32.147: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 22 12:19:32.147: ISAKMP:(0): beginning Main Mode exchange
*Mar 22 12:19:32.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:19:32.147: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
RTR-FTR-PJB#
*Mar 22 12:19:42.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:19:42.147: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 22 12:19:42.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:19:42.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:19:42.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:19:52.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:19:52.147: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 22 12:19:52.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:19:52.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:19:52.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:02.143: ISAKMP: set new node 0 to QM_IDLE
*Mar 22 12:20:02.143: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.100.103.2, remote remote_ipsec_peer)
*Mar 22 12:20:02.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:02.147: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 22 12:20:02.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:20:02.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:20:02.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:03.847: ISAKMP:(0):purging node 1974447943
*Mar 22 12:20:03.847: ISAKMP:(0):purging node -1277953536
*Mar 22 12:20:12.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:12.147: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 22 12:20:12.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:20:12.147: ISAKMP:(0): sending packet to remote_ipsec_peer my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:20:12.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:13.847: ISAKMP:(0):purging SA., sa=451DF344, delme=451DF344
*Mar 22 12:20:22.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:22.147: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 22 12:20:22.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 22 12:20:22.147: ISAKMP:(0): sending packet to remote_ipsec_peermy_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 22 12:20:22.147: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 22 12:20:32.147: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 22 12:20:32.147: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 22 12:20:32.147: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer remote_ipsec_peer)
*Mar 22 12:20:32.147: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer remote_ipsec_peer)
*Mar 22 12:20:32.147: ISAKMP:(0):deleting node -1242602279 error FALSE reason "IKE deleted"
*Mar 22 12:20:32.147: ISAKMP:(0):deleting node 275856152 error FALSE reason "IKE deleted"
*Mar 22 12:20:32.147: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 22 12:20:32.147: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Mar 22 12:21:22.147: ISAKMP:(0):purging node -1242602279
*Mar 22 12:21:22.147: ISAKMP:(0):purging node 275856152
*Mar 22 12:21:32.147: ISAKMP:(0):purging SA., sa=459BC390, delme=459BC390
RTR-FTR-PJB#debug crypto ipsec
Crypto IPSEC debugging is on
RTR-FTR-PJB#ping 172.26.10.1 source l1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.26.10.1, timeout is 2 seconds:
Packet sent with a source address of 172.21.128.1
*Mar 22 12:23:27.411: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.100.103.2, remote= remote_ipsec_peer,
local_proxy= 172.21.128.0/255.255.252.0/0/0 (type=4),
remote_proxy= 172.26.10.0/255.255.254.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0.....
Success rate is 0 percent (0/5)
RTR-FTR-PJB#
*Mar 22 12:23:57.411: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.100.103.2, remote= remote_ipsec_peer,
local_proxy= 172.21.128.0/255.255.252.0/0/0 (type=4),
remote_proxy= 172.26.10.0/255.255.254.0/0/0 (type=4)
*Mar 22 12:23:57.411: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.100.103.2, remote= remote_ipsec_peer,
local_proxy= 172.21.128.0/255.255.252.0/0/0 (type=4),
remote_proxy= 172.26.10.0/255.255.254.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RTR-FTR-PJB#debug crypto engine
*Mar 22 12:28:59.415: crypto_engine: Generate IKE hash
*Mar 22 12:28:59.415: crypto_engine: Generate IKE hash
*Mar 22 12:28:59.415: crypto_engine: Encrypt IKE packet
*Mar 22 12:28:59.727: crypto_engine: Generate IKE hash
*Mar 22 12:28:59.727: crypto_engine: Encrypt IKE packet
*Mar 22 12:28:59.763: crypto_engine: Decrypt IKE packet
*Mar 22 12:28:59.763: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.099: crypto_engine: Decrypt IKE packet
*Mar 22 12:29:00.099: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.099: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.099: crypto_engine: Encrypt IKE packet
*Mar 22 12:29:00.239: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.239: crypto_engine: Encrypt IKE packet
*Mar 22 12:29:00.271: crypto_engine: Decrypt IKE packet
*Mar 22 12:29:00.271: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.359: crypto_engine: Decrypt IKE packet
*Mar 22 12:29:00.359: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.359: crypto_engine: Generate IKE hash
*Mar 22 12:29:00.363: crypto_engine: Encrypt IKE packet
*Mar 22 12:29:00.403: crypto_engine: Generate IKE hash
Few things i would like mention here are:
1. I am able to ping remote_ipsec_peer from my router.
2. At both routers other tunnels are working fine.
3. NATing is not involved at both sides router, we have static ip at both side and static routes are configured to reach the peer.
Anyone who can provide some insights by looking the above log, where the problem could be?

Time Machine backups not available on new MBP

Okay, I've had issues with an early 2011 15" MBP that I've had for a couple years. I was replacing it today. Did a backup last night (to a LaCie FW800 external drive). Brought the new MBP home today (2.4 GHz i7 Retina). I try to migrate during initial setup. It doesn't see my backup drive (via USB). I call Apple. Create new acct. and migrate. Still can't see the drive. I try plugging the drive into my Airport Extreme. Migration Asst. sees the drive but says there are no backups on it. I go into Recovery Mode, it sees 2 out of 8 backups, latest one being 18 days ago. Apple tech tells me to not use it due to it being a 10.8.2 backup on an old machine. I run out and get a FW to Thunderbolt adapter with the hopes of success. No success. I'm totally stumped. Googling isn't helping and neither is the senior tech I've been talking to.
A few notes.
In TM, it sees the old backups, but they appear as black windows that I can't click on
I tried putting the backup drive into a new enclosure. Same result.
I would rather avoid a clean install of everything or a manual migration. Any ideas before I do one of these things?

Ah, good. Connect it directly to your Mac.
Open the drive with the Finder. You should see only a single Backups.backupdb folder at the top level of the drive. If not, what do you see?
The Time Machine browser (the "Star Wars" display) normally only shows the backups of the Mac it's running on. You should be able to see the backups from the old Mac via the Browse Other Backup Disks, per the green box in #E2 of Time Machine - Troubleshooting.
But Migration Assistant should see them (that's what it's for!).
Does it show anything at all on this window?
If not, the backups may be damaged. Try Repairing them, per #A5 in Time Machine - Troubleshooting.

Time Machine backups not available after Lion upgrade

I just upgraded from Snow Leopard to Lion a week ago. Today I went to my Time Machine (backups on a Time Capsule), and can't access old files. Past dates are shown in purple, with dates since the Lion update in the usual gray. However, none of them show any files. Any ideas?

https://discussions.apple.com/docs/DOC-4055

Older Time Machine backups not available in Mountain Lion?

My wife relies heavily on Time Machine to restore old files that have been deleted or previous versions of a file. Recently I upgraded her Mac OS from Snow Leopard to Mountain Lion. Today she discovered that she is unable to search and/or restore files from any point before the upgrade to Mountain Lion, although she can see dates along the timeline that indicate that there are backups present. She has backups going back almost 3 years now, so this is a pretty serious potential loss. Is there a work around for this? If not, we'll have to roll back to her Snow Leopard OS from theTime Machine. Just FYI, her system specs are: iMac (24-inch Mid 2007) Mac OS 10.8.x 3GB RAM

https://discussions.apple.com/docs/DOC-4055

VPN tunnel Problem

Hi all ,
I need create VPN tunnels between two ASAs devices . And these devices are connected through DSL . And as you know in this case we use private outside IP address , because there is a NAT device at the outside . The problem is that no VPN tunnel is created even though all the parameters and the pre-shared-key are typical .

I hve allready configured following configuration.
no crypto map newmap interface outside
no crypto map newmap 171 set peer 195.11.199.144
no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
crypto map newmap 171 set peer 195.11.204.5
isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
clear crypto ipsec sa
clear crypto isakmp sa
crypto map newmap interface outside
Setting were applied successfully however Still VPN tunnel is not been initiated.

RV016 split VPN tunnel support?

I read a rumor that the RV016 does not support split VPN tunnels.
See here:
http://www.smallnetbuilder.com/lanwan/lanwan-reviews/31525-cisco-rv082-and-rv016-v3-vpn-routers-reviewed
My understanding is that VPN tunnels on my RV042 routers will send internet traffic out the local gateway, and only send traffic thru the VPN tunnel if it is destined for the remote subnet. That is my understanding of "split tunnel".
Is that not true with the RV016?

Your understanding about split tunnel is correct. RV016 behaves the same as RV042 in this regard.

How to redirect Internet traffic from RV082 to RV042 through a VPN Tunnel??

Fellows,
We have offices in USA and Venezuela.
In our USA office we have a RV042 router and in Venezuela we have a RV082 router.
We have connected a VPN tunnel (gateway-to-gateway) between both offices.
The point is:
How   could we redirect the internet traffic from our Venezuela office   (RV082) to the USA Office (RV042) to navigate using USA public IP's?
The   reason for this is that we need to use online streaming services which   are only available for IP's from USA and we can't use them from the   Venezuelan IP's.
We can not use the PPTP option since the equipment which will use the streaming services (like hulu, crackle, etc.) in Venezuela is a Google TV device which doesn't allow the configuration of proxy navegation or PPTP VPN connections itself. That's the reason why we need to do that through the routers.
We will really appreciate your support on this matter.
Daniel

Hi Daniel, this is called ESP wildcard forwarding which the router does support.
https://supportforums.cisco.com/docs/DOC-12534   <- This is older but applicable
https://supportforums.cisco.com/message/3766661
-Tom
Please mark answered for helpful posts

RV082 to SA540 tunnel but no ping - HELP

I'll try my best to explani and give details.
SA540 v.2.1.71 at host
RV082 v4.2.1.02 at remote site.
Trying to setup tunnel between the 2. WHEN this works, I'll have 20 remote sites tunneling into the SA540 host.
SA540:
SA540 says site to site vpn is up and IPsec SA Established.
192.168.1.0
Gateway Policies
Client Policies
Exchange Mode:
Main
Aggressive
ID Type:
Local WAN IP
FQDN
Local WAN ID:
Local WAN IP
local.com
Remote WAN ID:
N/A
remote.com
Encryption Algorithm:
AES-128
AES-128
Authentication Algorithm:
SHA-1
SHA-1
Authentication Method:
Pre-shared Key
Pre-shared Key
Key-Group:
DH-Group 2 (1024 bit)
DH-Group 2 (1024 bit)
Life Time:
8 hours
8 hours
VPN Wizard default values for VPN:
Encryption Algorithm:
AES-128
Authentication Algorithm:
SHA-1
Life Time:
1 hour
PFS Key Group:
DH-Group 2(1024 bit)
NETBIOS:
Enabled (Gateway Policies)
Disabled (Client Policies)
WAN Security Checks
Block Ping to WAN interface
Enable Stealth Mode
Block TCP flood
RV082:
RV082 says gateway to gateway is Connected.
192.168.2.0
same settings w/ Aggressive, Keep Alive and NAT Traversal checked.
Firewall Setting Status
SPI (Stateful Packet Inspection) :
On
DoS (Denial of Service) :
On
Block WAN Request :
Off
Remote Management :
On
FROM RV082 diagnostics on router, I cannot ping 192.168.1.1 router or 192.168.1.70 server inside host.
FROM SA540 host diagnostics, I CAN ping 192.168.2.1 when I check Ping through VPN tunnel, but I canNOT ping an XP computer at 192.168.2.100 which has firewall turned off.
What am I missing?
Goal is to establish full tunneling and computer/server access between sites.
Any help is greatly appreciated.

I have added the permit any any on the outside and vpn interfaces of both ASAs. I also change the source and destination of the nat exempt rule to any any.

No Internet access when easy vpn tunnel is down.

Hi.
I have an error. i have a 819 router. with a Easy vpn tunnel.
And i am using the Identical Addressing feature, where i nat vlan1 over loopback0
I also have a vlan2 where i dont use identical addressing.
I have the Easy vpn tunnel configured on loopback0 and vlan2
from Vlan1 i nat to looopback0 with
ip nat inside source static Network 192.168.250.0 192.168.5.0 /24
and i nat outside with
ip nat inside source list INET interface GigabitEhternet0 Overload
ip access-list extended INET
permit ip 192.168.5.0 0.0.0.255 any
When tunnel is up, there is internet from vlan1, vlan2 and loopback0
But when the tunnel is Down, i can only get internet from Vlan2 and loopback0
The route for the tunnel is 0.0.0.0, i need all data to go to the vpn when its up. and to the internet when its Down.
Any ideas?
Thanks.

That is correct.
Config.
controller Cellular 0
no cdp run
track 1 ip sla 1 reachability
default-state up
ip tcp synwait-time 10
ip ftp source-interface Vlan1
ip ssh rsa keypair-name Router.yourdomain.com
crypto ipsec client ezvpn VPN-Cel
connect auto
group VPN key -key-
mode network-extension
peer 12.12.12.12
virtual-interface 1
username RouterCel password Password
xauth userid mode local
crypto ipsec client ezvpn VPN-Eth
connect auto
group PANTst key -key-
backup VPN-Cel track 1
mode network-extension
peer 12.12.12.12
virtual-interface 1
username Router password Password
xauth userid mode local
interface Loopback0
ip address 192.168.6.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
crypto ipsec client ezvpn VPN-Cel inside
crypto ipsec client ezvpn VPN-Eth inside
interface Cellular0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string hspa-R7
dialer-group 1
no peer default ip address
async mode interactive
crypto ipsec client ezvpn VPN-Cel
interface FastEthernet0
no ip address
interface FastEthernet1
switchport access vlan 2
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface GigabitEthernet0
ip dhcp client route track 1
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn VPN-Eth
interface Serial0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
clock rate 2000000
interface Virtual-Template1 type tunnel
no ip address
ip nat outside
ip virtual-reassembly in
tunnel mode ipsec ipv4
interface Vlan1
ip address 192.168.250.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no autostate
interface Vlan2
ip address 192.168.16.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no autostate
crypto ipsec client ezvpn VPN-Cel inside
crypto ipsec client ezvpn VPN-Eth inside
interface Dialer2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip local policy route-map myRoutes
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list INTERNET interface GigabitEthernet0 overload
ip nat inside source static network 192.168.250.0 192.168.6.0 /24
ip route 0.0.0.0 0.0.0.0 Cellular0 254
ip route 8.8.4.4 255.255.255.255 Cellular0
ip access-list extended INTERNET
permit ip 192.168.6.0 0.0.0.255 any
permit ip 192.168.16.0 0.0.0.255 any
ip sla auto discovery
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
route-map myRoutes permit 10
match ip address 101
set ip next-hop dynamic dhcp
access-list 1 permit any
access-list 23 permit 12.12.12.12
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 101 permit icmp any host 8.8.8.8 echo
control-plane

Site-to-Site VPN Tunnel fails after upgrade 8.3(2) to 8.4(4)

Hello Team Cisco,
I upgraded an ASA 5505 from 8.3(2) to 8.4(4) this evening. The 5505 is a backup and used to perform testing prior to production changes. After the upgrade was complete, a VPN tunnel began to fail. I did a limited search online to see if this was a known issue or something new. I also reviewed the release notes but did not see anything that matched the issue I received.
My concern is that this tunnel configuration is scheduled to be deployed to the production firewalls next week after their upgrade. But if it failed on the upgraded test unit, it may fail on the production units.
I downgraded the backup unit to 8.3(1) and verified that the tunnel indeed worked at that level.
Any input or thoughts would be greatly appreciated.
Thanks,
Michael

Hi Chris,
Thanks for the response. Unfortunately not. I'll need to upgrade and capture logs and upload for review. I may not get to that until this afternoon or Monday of next week.
Regards,
Michael

RV016 V3 vs RV082 V3 VPN Tunnel Backup not available on RV016

Similar Messages

Maybe you are looking for