Verifying IPSec on IOS / router

is there a way to verify from Cisco router syslogs that an IPSec tunnel is being successfully established with another Cisco router / peer? I've been looking at the System Message manuals (SEC, Crypto events) and only see stuff that would indicate problems - would like to be able to check syslogs to validate that a tunnel came up without issue, or if a tunnel drops, etc. but not sure what these messages look like.
thanks
-randy

Randy, I understand now!
What I would do in this case is couple of things, but this still needs some minor configuration on the router, it depends on the router managed provider but.. you should be able to ask the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you and they should provide that, after all, you are paying for services even though is a managed router by provider.
On the router thye would configure a secondary logging server.
e.i
say your syslog server is 20.20.20.20
router(config)#logging 20.20.20.20
router(config)#logging trap informational
the above informational is facility #6 out of the 7 levels of facility, 0 being emergencies 1 alerts 2 critical and so on..I believe with this facility# you will see tunnel info on the syslog.
additionally, on the access-lists pertaining to the L2L Ipsec tunnel add the keyword log at the end of each of its access-list, with the keywork log the router will send traps pertaining to the access-list to your syslog thus providing you that the connection is stablihed or not.
Rgds
-Jorge

Similar Messages

  • L2TP/IPSec on IOS router

    The following topic describes how to do L2TP/IPSec on Windows 8.
    https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8
    However, I am trying to use the same template for Chrome OS clients and it does not work. Has it ever been set up successfully? Any ideas would be greatly appreciated.
    Thank you,
    Aram.

    Randy, I understand now!
    What I would do in this case is couple of things, but this still needs some minor configuration on the router, it depends on the router managed provider but.. you should be able to ask the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you and they should provide that, after all, you are paying for services even though is a managed router by provider.
    On the router thye would configure a secondary logging server.
    e.i
    say your syslog server is 20.20.20.20
    router(config)#logging 20.20.20.20
    router(config)#logging trap informational
    the above informational is facility #6 out of the 7 levels of facility, 0 being emergencies 1 alerts 2 critical and so on..I believe with this facility# you will see tunnel info on the syslog.
    additionally, on the access-lists pertaining to the L2L Ipsec tunnel add the keyword log at the end of each of its access-list, with the keywork log the router will send traps pertaining to the access-list to your syslog thus providing you that the connection is stablihed or not.
    Rgds
    -Jorge

  • SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

    Hello,
    i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
    Cisco 1802 Router:
    Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
    First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
    then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
    and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
    after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
    no aaa authentication list default
    authentication certificate
    ca trustpoint CA
    as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
    as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
    any ideas what the problem could be???
    here is the configuration:
    webvpn gateway WEBVPN_GW_OFFICE2
    ip interface Dialer0 port 1444
    ssl trustpoint CA
    inservice
    webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
    webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
    webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
    webvpn context WEBVPN_CONTEXT2
    secondary-color white
    title-color #669999
    text-color black
    ssl authenticate verify all
    policy group WEBVPN_POLICY2
       functions svc-enabled
       mask-urls
       svc address-pool "SSLVPN_OFFICE1"
       svc default-domain "domain.internal"
       svc keep-client-installed
       svc split include 192.168.0.0 255.255.0.0
       svc dns-server primary 192.168.53.33
       svc dns-server secondary 192.168.53.35
    virtual-template 3
    default-group-policy WEBVPN_POLICY2
    gateway WEBVPN_GW_OFFICE2
    authentication certificate
    ca trustpoint CA
    inservice
    here is the debug:
    OfficeRouter1# PASSING appctx is [0x89FAFFCC]
    Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
    Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
          offset: 0, domain: 0)
    Nov 19 22:39:53.607: WV: http request: / with no cookie
    Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
    Nov 19 22:39:53.607: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:39:53.607: WV: Trustpoint match successful
    Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
    Nov 19 22:39:53.607: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
    Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
    Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
    BueroRouter1# PASSING appctx is [0x89FAEEC4]
    Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
          offset: 0, domain: 0)
    Nov 19 22:40:24.132: WV: http request: / with no cookie
    Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
    Nov 19 22:40:24.132: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:40:24.132: WV: Trustpoint match successful
    Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
    Nov 19 22:40:24.132: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
    Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
    Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
    Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
          Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
          offset: 0, domain: 0)
    Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
    Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
    Nov 19 22:40:39.892: WV: Received appinfo
    validated_tp : CA, matched_ctx : ,cert_username :
    Nov 19 22:40:39.892: WV: Trustpoint match successful
    Nov 19 22:40:39.892: WV: Client side Chunk data written..
    buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
    Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
    Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

    http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
    HI,
    Refer to
    AnyConnect VPN Client FAQ
    Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
    A. No. It is not possible to connect  the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router.  AnyConnect on iPad/iPhone can connect only to an ASA that runs version  8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN  Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

  • ISE continue to receiving authentication message after removed the radius host test configuration on a IOS router

    I have two issues but related and need help:    
    anyone know how to disable or stop a radius host test message send every seconds from a IOS router after the test statement removed and all radius server information removed from the configuration?   I have this odd testing for the new ISE server.  the purpose of testing is not for load balancing, but find out if IOS support different protocol using radius other than PAP if PPP is not used. after the test, I cannot stop it.  I have a case opened with Cisco, the answer is no way to stop it other than reboot the router. I tried to remove aaa new model and add it back, no help. I have put an access-list on the LAN interface deny the IP any to the radius host and port, no match found.
    On the ISE (version 1.1.1), due to the IOS router test cannot be stopped, the alive authentication page fills up all the authentication failure messages. anyone know how to block the host from ISE live authentication log (the router has been removed from the device page)? 
    below is part of messages from the IOS router (version 15.0.1M6) debug. where 10.2.2.144 is the ISE IP and totally removed from the config. there is no any radius or the ISE IP in the config.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
    Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:21:15.384: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:21:15.384: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:21:15.384: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:21:33.752: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:21:33.976: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:21:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) quarantined.
    Aug 28 10:22:33.976: AAA/SG/TEST: Sending 1 Access-Requests, 1 Accounting-Requests in current batch.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Access-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST(Req#: 1): Sending test AAA Accounting-Request.
    Aug 28 10:22:33.976: AAA/SG/TEST: Verifying if further testing required to determine server state.
    Aug 28 10:22:33.976: AAA/SG/TEST: DEAD state verification already in progress for server (10.2.2.144:1645,1646).
    Aug 28 10:22:33.976: AAA/SG/TEST: Server (10.2.2.144:1645,1646) assumed DEAD. Dead time updated to 60 secs(s).
    Aug 28 10:22:52.760: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: No Test response from server (10.2.2.144:1645,1646)
    Aug 28 10:22:53.176: AAA/SG/TEST: Necessary responses NOT received from server (10.2.2.144:1645,1646).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) marked DEAD. Dead time set for 60 sec(s).
    Aug 28 10:22:53.176: AAA/SG/TEST: Server (10.2.2.144:1645,1646) removed from quarantine.
    Thanks in advance,

    It seems reload is the only way to fix it. I don't think there is any way to stop or ignore messages for specific host in live authentication page of ISE. From security point of view it is required to logs all the authentication hits.
    Regards,
    ~JG
    Do rate helpful posts!

  • AnyConnect VPN Client on IOS Router

    Hi Guys, I configured AnyConnect SSL VPN on Cisco 2811 router. It works perfectly when I login via web and run secure mobility client. However, when I connect directly from the mobility client connection fails. It does not even ask me for username and password.
    Mar  7 21:36:47.613: %SSLVPN-5-SSL_TLS_CONNECT_OK: vw_ctx: UNKNOWN vw_gw: VPN_GATEWAY i_vrf: 0 f_vrf: 0 status: SSL/TLS connection successful with remote at
    Mar  7 21:36:47.617: WV: sslvpn process rcvd context queue event
    Mar  7 21:36:47.621: WV: sslvpn process rcvd context queue event
    Mar  7 21:36:47.745: WV: sslvpn process rcvd context queue event
    Mar  7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
          Data buffer(buffer: 0x4925DA18, data: 0x3F57ED98, len: 1,
          offset: 0, domain: 0)
    Mar  7 21:36:47.749: WV: Fragmented App data - buffered
    Mar  7 21:36:47.749: WV: Entering APPL with Context: 0x49233618,
          Data buffer(buffer: 0x4925D818, data: 0x3F2033F8, len: 242,
          offset: 0, domain: 0)
    Mar  7 21:36:47.749: WV: Appl. processing Failed : 2
    Mar  7 21:36:47.749: WV: server side not ready to send.
    Mar  7 21:36:47.749: WV: server side not ready to send.
    Mar  7 21:36:47.749: WV: server side not ready to send.
    Mar  7 21:36:47.753: WV: sslvpn process rcvd context queue event
    Mar  7 21:36:47.753: WV: server side not ready to send.
    ====================
    Here is the config:
    =====================
    crypto pki trustpoint VPN_TRUSTPOINT
    enrollment selfsigned
    serial-number
    subject-name CN=academy-certificate
    revocation-check crl
    rsakeypair RSA_KEY
    crypto pki certificate chain VPN_TRUSTPOINT
    ip local pool VPN_POOL 192.168.7.100 192.168.7.150
    webvpn gateway VPN_GATEWAY
    ip address <ip>
    ssl trustpoint VPN_TRUSTPOINT
    logging enable
    inservice
    webvpn install svc flash:/webvpn/anyconnect-win-3.1.02040-k9.pkg sequence 1
    webvpn context VPN_CONTEXT
    title "<title>"
    ssl authenticate verify all
    login-message "<message>"
    policy group VPNPOLICY
       functions svc-required
       svc address-pool "VPN_POOL"
       svc keep-client-installed
       svc rekey method new-tunnel
       svc split include 192.168.1.0 255.255.255.0
    default-group-policy VPNPOLICY
    aaa authentication list default
    gateway VPN_GATEWAY
    max-users 10
    inservice
    I have not figured out yet, why mobility client works when launched from the web and why it does not work directly. Any input or hints would be much appreciated

    Hi Giorgi,
    This could be related to CSCti89976.
    AnyConnect 3.0 doesn't work with existing IOS.
    Symptoms:
    Standalone AnyConnect 3.0 client does not work with an existing IOS headend.
    Conditions:
    AnyConnect 3.0 with an IOS Router as the headend.
    Workaround:
    Use AnyConnect 2.5 or use weblaunch.
    Upgrade IOS
    Would it be possible to upgrade the IOS version?
    HTH.
    Portu.

  • Cisco IOS Router to PIX VPN Issues

    Hi Everyone,
    I have a small issue here which someone may be able to shed some light on.
    I have a Cisco IOS router which is terminating a site-to-site VPN connection on the dialer interface. The PIX on the other end is behind a NAT router. The tunnel is being established and one subnet is able to see another when the tunnel is up. The thing we are having an issue is both networks on each side of the VPN contain multiple subnets and i cannot connect to all the subnets over the same tunnel.
    Any ideas.

    Yes all this is setup.
    I have just found out that Cisco IOS can only make connections from 1 network per crypt map unless multiple connections are made from server to host. This is quite disturbing because i have not seen this in any documentation.
    Does anyone know of IOS to PIX IPsec with multiple subnets on each side of the network.

  • PIX - IOS Router Redundancy

    PIX at remote, Dual Interface/Dual ISP IOS Router at core.
    Is there a way to have an IPSEC Tunnel fromt he PIX to the Dual ISP Router at the core?
    Can't get the PIX to pass traffic over the second IPSEC Tunnel when one ISP/Interface goes down at the IOS Router.
    Help!
    Thanks,
    Bob

    PIX-501 at the remote
    Cisco1721 with Dual ISP feeds at Central site.
    I want two tunnels from the PIX to the Cisco1721.
    One ISP goes down, tarffic goes over the second tunnel.
    Thanks,
    Bob

  • VPN between ASA and IOS router

    We have established a VPN tunnel between IOS router and ASA, however it i working only from the latter. What are the common dissimilarities whcih occur between these two devices when setting up VPN?

    Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
    It should help fix any problems.
    HTH and please rate.

  • IPhone 2.1 now supports Cisco VPN Client to IOS router

    Just tested it. The Cisco VPN Client in iPhone 2.1 now connects to my IOS router. Excellent.

    I have a Cisco 1812 with 12.4(20)T. I know that 12.4(6)T and some other versions have an issue with the negotiation of IPSec policies which basically means that only the first proposal is considered. If the first proposal matches you have a connection. If it does not match, the connection is refused even though other proposals would be O.K.
    The relevant isakmp/ipsec config should be:
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group myvpn
    key mysecretkey
    dns 10.0.0.2 10.0.0.3
    wins 10.0.0.2
    domain mydomain.example.com
    pool ippool
    acl 150
    split-dns mydomain.example.com
    netmask 255.255.255.0
    crypto isakmp profile ike-myvpn-profile
    match identity group myvpn
    client authentication list userauthen
    isakmp authorization list groupauthor
    client configuration address respond
    virtual-template 2
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile myvpn
    set transform-set ESP-3DES-SHA
    set isakmp-profile ike-myvpn-profile
    interface Virtual-Template2 type tunnel
    ip unnumbered FastEthernet1
    ip nat inside
    ip virtual-reassembly
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile myvpn
    See also http://www.cisco.com/en/US/docs/ios/security/configuration/guide/secipsec_virt_tunnl_ps6441_TSD_Products_Configuration_GuideChapter.html
    If you have IOS 12.4(6)T or similar which has the bug I have mentioned you have to use aes instead of 3des for the transform set. The first proposal of the iPhone is aes. Be sure to check the "debug crypto ipsec" and "debug crypto isakmp" output for troubleshooting.

  • HT4623 update process fails with the following message "Unable to Verify Update.  iOS 6.1 failed verification because you are no longer connected Internet."

    my iphone 5 is connected to a wi-fi network and i'm able to browse the web and receive emails.  however when i try to update the software the process fails with the following message "Unable to Verify Update.  iOS 6.1 failed verification because you are no longer connected Internet." It gives an open to "Close" or "Try again", but the retry is also unsuccessful.

    Try to connect to secure web site. If you can't, that would mean that your iphone is unable to authenticate itself to apple servers in order to download update. If you can - I would still guess same but with less certainty and suggest to update on another network.

  • IOS router & SIP proxy server

    I am trying to make VoIP call with sip between two IOS router running 12.2(15)T H.323 plus feature. When I try to make call through the SIP proxy server, it fail. The problem is how can I register the prefix my router user agent responsible for to the SIP proxy server. There seem no such command to do so in the IOS document.
    When the sip voip call is between the two router directly, it work.

    Here is a helpful url with an overview of VoIP and SIPs:
    http://www.cisco.com/univercd/cc/td/doc/product/voice/sipsols/biggulp/bgsipsol.htm

  • DHCP issue on Cisco IOS router

    Hi experts,
    I recently got complaints that some clients can't get IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
    Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
    Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
    Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
    Mar 22 15:33:41:   DHCPD: htype 1 chaddr 001b.63f2.468c
    Mar 22 15:33:41:   DHCPD: remote id 020a0000cf6050011000000a
    Mar 22 15:33:41:   DHCPD: circuit id 00000000
    Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
    Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
    Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
    Mar 22 15:34:02:   DHCPD: htype 1 chaddr 001b.63f2.468c
    Mar 22 15:34:02:   DHCPD: remote id 020a0000cf6050011000000a
    Mar 22 15:34:02:   DHCPD: circuit id 00000000
    Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
    Thanks

    Hi Alain, thanks for quick reply. The followings contain the output that you required. I hided the prefix of the IP with a.b.c. Thanks!
    interface FastEthernet1/0.10
    description : DHCP for EXHIBITION VLAN
    encapsulation dot1Q 10
    ip address a.b.c.1 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    end
    r#sh ip dhcp pool
    Pool EXHIBIT :
    Utilization mark (high/low)    : 100 / 0
    Subnet size (first/next)       : 0 / 0
    Total addresses                : 126
    Leased addresses               : 47
    Pending event                  : none
    1 subnet is currently in the pool :
    Current index        IP address range                    Leased addresses
    a.b.c.118        a.b.c.1      - a.b.c.126     47
    #sh run | in/be dhcp
    no ip dhcp use vrf connected
    ip dhcp excluded-address a.b.c.1 a.b.c.11
    ip dhcp excluded-address a.b.c.126
    ip dhcp excluded-address a.b.c.100 a.b.c.101
    ip dhcp excluded-address a.b.c.51
    ip dhcp pool EXHIBIT
       network a.b.c.0 255.255.255.128
       default-router a.b.c.1
       dns-server 207.172.3.8 207.172.3.9
       domain-name xyz.com
    #sh ip dhcp binding
    Bindings from all pools not associated with VRF:
    IP address          Client-ID/              Lease expiration        Type
                        Hardware address/
                        User name
    a.b.c.19        0168.7f74.6260.9b       Mar 23 2011 01:56 PM    Automatic
    a.b.c.52        0100.4854.897d.17       Mar 23 2011 12:53 PM    Automatic
    a.b.c.56        0100.4063.e7b5.b2       Mar 23 2011 03:33 PM    Automatic
    a.b.c.57        0100.1b63.f246.8c       Mar 23 2011 03:34 PM    Automatic
    a.b.c.68        015c.5948.0b97.d6       Mar 22 2011 05:59 PM    Automatic
    a.b.c.69        0168.7f74.626d.67       Mar 23 2011 07:07 AM    Automatic
    a.b.c.70        0198.fc11.5027.1d       Mar 22 2011 07:04 PM    Automatic
    a.b.c.71        01dc.2b61.04ba.af       Mar 22 2011 10:26 PM    Automatic
    a.b.c.72        017c.c537.58e6.64       Mar 22 2011 08:37 PM    Automatic
    a.b.c.73        017c.6d62.3303.57       Mar 23 2011 03:54 AM    Automatic
    a.b.c.74        0124.ab81.cda4.68       Mar 23 2011 05:01 AM    Automatic
    a.b.c.75        0100.1e52.8f11.a5       Mar 23 2011 02:47 PM    Automatic
    a.b.c.76        0100.264a.5fc8.e3       Mar 23 2011 07:13 AM    Automatic
    a.b.c.77        017c.6d62.38cd.40       Mar 23 2011 02:06 PM    Automatic
    a.b.c.78        0100.1d4f.f647.79       Mar 23 2011 02:37 PM    Automatic
    a.b.c.79        0100.26b0.8637.3d       Mar 23 2011 01:16 PM    Automatic
    a.b.c.81        0130.694b.e9de.82       Mar 23 2011 03:19 PM    Automatic
    a.b.c.82        0100.21e9.6864.80       Mar 23 2011 12:04 PM    Automatic
    a.b.c.83        0124.ab81.63e6.b5       Mar 23 2011 09:38 AM    Automatic
    a.b.c.84        0100.16b6.0455.c2       Mar 23 2011 09:42 AM    Automatic
    a.b.c.85        0100.1302.4c96.9e       Mar 23 2011 09:49 AM    Automatic
    a.b.c.86        0140.a6d9.741c.e0       Mar 23 2011 12:12 PM    Automatic
    a.b.c.87        0100.264a.b8e9.50       Mar 23 2011 10:16 AM    Automatic
    a.b.c.88        0140.a6d9.4911.67       Mar 23 2011 03:19 PM    Automatic
    a.b.c.89        013c.7437.1e32.96       Mar 23 2011 10:27 AM    Automatic
    a.b.c.90        01d8.3062.689c.4b       Mar 23 2011 11:55 AM    Automatic
    a.b.c.91        0158.946b.4df8.bc       Mar 23 2011 10:49 AM    Automatic
    a.b.c.92        0100.2215.7368.26       Mar 23 2011 10:23 AM    Automatic
    a.b.c.93        0100.23df.76ea.90       Mar 23 2011 02:33 PM    Automatic
    a.b.c.94        0124.ab81.708d.83       Mar 23 2011 03:58 PM    Automatic
    a.b.c.95        0100.1cb3.163d.5a       Mar 23 2011 03:13 PM    Automatic
    a.b.c.96        01cc.08e0.2aeb.96       Mar 23 2011 01:27 PM    Automatic
    a.b.c.97        0188.c663.d0d0.55       Mar 23 2011 01:57 PM    Automatic
    a.b.c.98        0100.1b77.08bb.89       Mar 23 2011 01:15 PM    Automatic
    a.b.c.99        0100.1ec2.47d7.19       Mar 23 2011 12:43 PM    Automatic
    a.b.c.102       0100.1310.8e74.78       Mar 23 2011 12:41 PM    Automatic
    a.b.c.103       0100.24d6.58b0.82       Mar 23 2011 01:44 PM    Automatic
    a.b.c.104       0100.2608.7df2.68       Mar 23 2011 03:23 PM    Automatic
    a.b.c.106       01c8.bcc8.1a86.41       Mar 23 2011 03:56 PM    Automatic
    a.b.c.107       01a4.6706.1e54.94       Mar 23 2011 04:08 PM    Automatic
    a.b.c.108       017c.c537.46ac.0e       Mar 23 2011 02:41 PM    Automatic
    a.b.c.111       0100.037f.0ea2.19       Mar 23 2011 02:47 PM    Automatic
    a.b.c.112       01d8.3062.75c5.9c       Mar 23 2011 03:33 PM    Automatic
    a.b.c.113       0021.9116.449e          Mar 23 2011 03:36 PM    Automatic
    a.b.c.114       0100.1ff3.46d9.a9       Mar 23 2011 03:40 PM    Automatic
    a.b.c.116       0104.1e64.4a0d.a3       Mar 23 2011 04:21 PM    Automatic
    a.b.c.117       0190.27e4.4ae8.94       Mar 23 2011 04:24 PM    Automatic
    Thanks!

  • IPSec pass-through in IOS router

    Is there any command need to enable IPSec pass-through on 2800 router?

    Assuming there are no ACLs on the interfaces, no. If there are ACL's on the interface(s) then you will need to allow it through via the ACL.
    HTH and please rate.

  • IPsec VPN IOS - ASA

    Hi,
    I'm in the process of migrating some old IOS IPsec VPN configurations from IOS to ASA.
    What immediately becomes a problem is that there is no way to virtualize the routing tables on a single ASA. The original IOS setups uses separate VRF:s for each customers and therefore overlapping LAN networks or even VPN pools aint a problem.
    This has been in the past avoided (in other ASAs) by using default route for each customer interface on the ASA (with different metric). With this we can have overlapping LAN networks for the customer. Though the limit for the customer links become = metric value range. So basically even if we had an ASA with support for 1000 Vlans we still couldnt use this setup as we would run out of usable metric values for the default routes pointing to the customer links/networks.
    So looking at the above situation it seems we would just need to have a load of ASAs with support for 250 Vlans handling each customer groups and not a single ASA which could handle all the VPNs (if theres more than the mentioned approx. 250)
    Another option is I guess using a single link on the ASA for all the customer with a tunneled default route and handling the virtualisation on the core device by using PBR to route the packets to different VRF. This in turn would create alot of more configurations on the core device and a single VPN configuration/connection would become harder to manage.
    Has anyone run into a similiar situation and how have you handled it? Have you moved to another device manufacturer or sticked with the IOS perhaps? Its unfortunate that the ASA can't handle this by itself.
    - Jouni

    Hi,
    I've heard from our local Cisco contact that L2L VPN is coming. (Though in his words most people were waiting for Client VPN support, as were we) L2L VPN only provides minimal help to our situation as most connections are Client VPN.
    Basically the ultimate goal is to eventually migrate all IPsec Client VPN users to start using AnyConnect.
    The goal now is to get the old IPsec Client and L2L VPNs of the current device so we can remove the actual 6509/VPN/FWSM device from the network. (Because of the old hardware)
    Even though we have newer IOS devices in our network we would rather keep the Client VPN off the IOS devices. So the idea was to quickly move the Client VPNs to ASA and L2L VPN to another IOS device (by moving the L2L VPN peer IP address to the newer IOS device along with the configurations)
    We also started considering hosting the VPN services on a more high end device(s) which could support everything we need. In this case the ASA seemed a natural choice. Then again IOS gives alot more flexibility and the most important to us is the ability to virtualise routing.
    I've read that AnyConnect VPN has also come to IOS devices.
    Quick Google search gives this Cisco document
    http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml#intro
    How is the AnyConnect on IOS compared to ASA? Would IOS devices at some point (or already?) become a viable option for hosting all the VPNs? (The use of AnyConnect and Clientless VPN has kept us away from continuing with IOS)
    Also on another note, I guess I missed one thing when writing the original post.
    I guess you can actually use specific routes on the ASA for the overlapping customer networks with different metrics (instead of the default routes with different metrics) This would enable you to handle the routing for more customer links than when simply using default routes towards each customer link with different metric. As now each network range could overlap on 255 customers.
    Heres a small sample of a lab configuration of that kind of situation
    interface GigabitEthernet0/0
    description TRUNK
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/0.1000
    description ASIAKAS-1
    vlan 1000
    nameif asiakas-1
    security-level 100
    ip address 172.32.100.2 255.255.255.0
    interface GigabitEthernet0/0.2000
    description ASIAKAS-2
    vlan 2000
    nameif asiakas-2
    security-level 100
    ip address 172.32.200.2 255.255.255.0
    route asiakas-1 10.10.10.0 255.255.255.0 172.32.100.1 1
    route asiakas-2 10.10.10.0 255.255.255.0 172.32.200.1 2
    group-policy ASIAKAS-1-GP attributes
    vlan 1000
    group-policy ASIAKAS-2-GP attributes
    vlan 2000
    Basically to my understanding in the above situation the "vlan xxxx" configuration under group-policy defines the eggress interface of the traffic from the VPN and therefore the route for vlan2000/GigabitEthernet0/0.2000 would apply in the case (and provide the next-hop IP) where the VPN user was connecting with a connection using group-policy ASIAKAS-2-GP
    I tested this setup and it seemed to work fine. Though this would naturally be an administrative nightmare to manage. (As would be the PBR solution mentioned in the original post)
    I'm not sure if I'm making any sense
    - Jouni

  • RV220W: IPsec and iOS (iPhone/iPad)

    Hi,
    Yesterday i've bought rv220w router. Basicaly for its VPN connectivity. Specification says that this router supports IPsec.
    I've done everything, but coudn't establish a connection between router and my iPhone. As you know iPhone supports IPsec. So there must not be any problems, however it is.
    I want to use this router only for its IPsec.
    PPTP is working well, but that is not an option. PPTP is not secure because of the MSCHAP V2 authentication and other stuff.
    The main reason i bought this router is IPsec. So please help me to configure IPsec connection with my iOS devices.
    Arnas

    Good morning
    Hi  Arnas, thanks for using our forum, my name is Johnnatan and I am part of the Small business Support community. I´ve seen your post and I found a couple of articles that could help you. One of them is about IKE policies and the other one is about the VPN policies.
    http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=2273
    http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=1435
    I hope you find this answer useful,
    *Please mark the question as Answered or rate it so other users can benefit from it"
    Greetings,
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

Maybe you are looking for