WRV54 to Cisco 1811W Peer to Peer Tunnel

I am attempting to set up a peer-to-peer VPN tunnel between a Linksys WRV54G and a Cisco 1811W.
The WRV54G seems to be pretty straightforward, and logically what I have in there looks like it should work.
The problem comes when I attempt to set up the VPN tunnel on the Cisco 1811W using SDM.
It seems to me that with SDM you have too many choices, and you are pretty limited in going back to edit or tweak what you set up.
Is this a pretty standard type of thing to want to do? Does anyone have a procedure that will set up a minimal VPN peering arrangement between Linksys and Cisco products?
A good cheat sheet would be useful.
jayr
JayR
Jay Clark

Would you be able to post the output of the show crypto ipsec sa command for the remote site as well? If those two outputs are mirror images of each other and don't point to a possible issue, then it would help to see the running config of both ASAs.
Please remember to select a correct answer and rate helpful posts

Similar Messages

  • Cisco 1811W stopped allowing wireless connection of domain laptops

    I have a Cisco 1811W that, after several years in service, suddenly stopped allowing any wireless connection from laptops on the domain. It allows hard-wired connections and devices that are just using the wireless hot spot, like iPads and iPhones, but not devices on the domain. These same laptops connect wirelessly without issue at our other facilities, which use the same hardware.
    Here is the config file of the router in question...
    router#show run
    Building configuration...
    Current configuration : 11776 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone year
    service password-encryption
    hostname xxx
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    no logging console
    enable secret 5 xxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    crypto pki trustpoint TP-self-signed-1083484987
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1083484987
    revocation-check none
    rsakeypair TP-self-signed-xxxx
    dot11 syslog
    dot11 ssid xxxx
    vlan 44
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7
    dot11 ssid xxxx
    vlan 144
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7
    ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address xxx.xxx.xxx.xxx
    ip dhcp excluded-address xxx.xxx.xxx.xxx
    ip dhcp excluded-address xxx.xxx.xxx.xxx
    ip dhcp pool xxx-LAN
    network xxx.xxx.xxx.xxx 255.255.255.0
    domain-name xxxx
    dns-server xxx.xxx.xxx.xxx
    default-router xxx.xxx.xxx.xxx
    lease 0 2
    ip dhcp pool VLAN44
    network xxx.xxx.xxx.xxx 255.255.255.0
    default-router xxx.xxx.xxx.xxx
    domain-name xxxx
    dns-server xxx.xxx.xxx.xxx
    lease 4
    ip dhcp pool VLAN144
    network xxx.xxx.xxx.xxx 255.255.255.0
    default-router xxx.xxx.xxx.xxx
    domain-name xxxx
    dns-server 12.127.16.67 12.127.16.68
    lease 4
    ip cef
    ip domain name xxxx
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    ip inspect tcp reassembly queue length 24
    ip inspect name IPFW tcp timeout 3600
    ip inspect name IPFW udp timeout 15
    ip inspect name IPFW ftp
    ip inspect name IPFW realaudio
    ip inspect name IPFW smtp
    ip inspect name IPFW h323
    ip inspect name IPFW ftps
    ip inspect name IPFW http
    ip inspect name IPFW https
    ip inspect name IPFW icmp
    ip inspect name IPFW imap
    ip inspect name IPFW imaps
    ip inspect name IPFW irc
    ip inspect name IPFW ircs
    ip inspect name IPFW ntp
    ip inspect name IPFW pop3
    ip inspect name IPFW pop3s
    ip inspect name IPFW radius
    ip inspect name IPFW sip
    ip inspect name IPFW sip-tls
    ip inspect name IPFW ssh
    ip inspect name IPFW telnet
    ip inspect name IPFW telnets
    ip inspect name IPFW vdolive
    ip inspect name IPFW webster
    ip inspect name IPFW dns
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    file prompt quiet
    username admin password n
    username laneadmin password n
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    crypto isakmp policy 2
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 5122662533fedcbabcdef address 12.97.225.232
    crypto isakmp key 5122662533fedcbabcdef address 12.97.224.120
    crypto isakmp key 5122662533fedcbabcdef address 12.97.225.152
    crypto isakmp key 5122662533fedcbabcdef address 12.97.230.154
    crypto isakmp key 5122662533fedcbabcdef address 12.97.225.226
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES256-SHA-LZO esp-aes 256 esp-sha-hmac comp-lzs
    crypto ipsec df-bit clear
    crypto ipsec profile SITE-to-SITE-DMVPN-Profile
    set transform-set ESP-AES256-SHA
    crypto ipsec client ezvpn ezvpn-client
    connect auto
    mode client
    xauth userid mode interactive
    archive
    log config
    logging enable
    notify syslog contenttype plaintext
    hidekeys
    path scp://cisco:wrs-.o#d8Au8M@fs00/$h-$t
    write-memory
    ip ssh version 2
    bridge irb
    interface Loopback0
    ip address 1.1.1.5 255.255.255.252
    interface Tunnel0
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    no ip redirects
    ip nhrp map xxx.xxx.xxx.xxx 12.97.230.154
    ip nhrp map multicast 12.97.230.154
    ip nhrp map xxx.xxx.xxx.xxx 12.97.225.226
    ip nhrp map multicast 12.97.225.226
    ip nhrp network-id 1
    ip nhrp nhs xxx.xxx.xxx.xxx
    ip nhrp nhs xxx.xxx.xxx.xxx
    tunnel source 12.97.225.234
    tunnel mode gre multipoint
    tunnel protection ipsec profile SITE-to-SITE-DMVPN-Profile
    interface Dot11Radio0
    no ip address
    no dot11 extension aironet
    encryption vlan 44 mode ciphers tkip
    encryption vlan 144 mode ciphers tkip
    ssid XXXX
    ssid XXX-guest
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    channel 2437
    station-role root
    no cdp enable
    interface Dot11Radio0.44
    encapsulation dot1Q 44
    bridge-group 44
    bridge-group 44 subscriber-loop-control
    bridge-group 44 spanning-disabled
    bridge-group 44 block-unknown-source
    no bridge-group 44 source-learning
    no bridge-group 44 unicast-flooding
    interface Dot11Radio0.144
    encapsulation dot1Q 144
    bridge-group 144
    bridge-group 144 subscriber-loop-control
    bridge-group 144 spanning-disabled
    bridge-group 144 block-unknown-source
    no bridge-group 144 source-learning
    no bridge-group 144 unicast-flooding
    interface Dot11Radio1
    no ip address
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    interface FastEthernet0
    description 604 AT&T static IP
    ip address 12.97.225.234 255.255.255.248
    ip access-group IPFW-ACL-outside-A in
    no ip redirects
    no ip proxy-arp
    ip nat outside
    ip inspect IPFW out
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet2
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet3
    description phone system
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet8
    switchport access vlan 4
    spanning-tree portfast
    interface FastEthernet9
    description switchport uplink
    switchport access vlan 4
    interface Vlan1
    no ip address
    interface Vlan4
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1200
    ip policy route-map NONAT-LAN
    interface Vlan5
    no ip address
    interface Vlan10
    no ip address
    interface Vlan44
    description nnn private WLAN
    no ip address
    ip nat inside
    ip virtual-reassembly
    ip policy route-map NONAT-LAN
    bridge-group 44
    bridge-group 44 spanning-disabled
    interface Vlan144
    description nnn Guest WLAN
    no ip address
    ip nat inside
    ip virtual-reassembly
    ip policy route-map NONAT-LAN
    bridge-group 144
    bridge-group 144 spanning-disabled
    interface Async1
    no ip address
    encapsulation slip
    interface BVI44
    description Bridge to nnn private WLAN
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface BVI144
    description Bridge to nnn Guest WLAN
    ip address xxx.xxx.xxx.xxx 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    router eigrp 1
    network xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    no auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 12.97.225.233
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0 overload
    ip nat inside source static tcp xxx.xxx.xxx.xxx 22 interface FastEthernet0 22222
    ip nat inside source route-map NO-NAT interface FastEthernet0 overload
    ip access-list standard VTY-ACL
    permit 192.168.0.0 0.0.63.255
    ip access-list extended IPFW-ACL-outside
    permit udp any any eq isakmp
    permit udp any eq isakmp any
    permit esp any any
    permit tcp any host 12.97.225.234 eq 23232
    permit icmp any any administratively-prohibited
    permit icmp any any echo-reply
    permit icmp any any packet-too-big
    permit icmp any any time-exceeded
    permit icmp any any traceroute
    deny ip any any
    ip access-list extended IPFW-ACL-outside-A
    permit tcp any host 12.97.225.234 eq 22222
    permit udp any any eq isakmp
    permit udp any eq isakmp any
    permit esp any any
    permit tcp any host 12.97.225.234 eq 23232
    permit icmp any any administratively-prohibited
    permit icmp any any echo-reply
    permit icmp any any packet-too-big
    permit icmp any any time-exceeded
    permit icmp any any traceroute
    deny ip any any
    ip access-list extended NAT-ACL
    deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 any
    deny ip 192.168.44.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255
    deny ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 any
    deny ip 192.168.144.0 0.0.0.255 192.168.1.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255
    deny ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 any
    ip access-list extended NONAT-LAN-RETURNING-ACL
    permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.44.0 0.0.0.255 192.168.0.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.5.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.144.0 0.0.0.255 192.168.0.0 0.0.0.255
    ip access-list extended VTY-ACL-A
    deny ip 192.168.160.0 0.0.0.255 any
    permit ip 192.168.44.0 0.0.0.255 any
    permit ip 192.168.144.0 0.0.0.255 any
    permit ip 192.168.0.0 0.0.0.255 any
    permit ip 192.168.1.0 0.0.0.255 any
    permit ip 192.168.2.0 0.0.0.255 any
    permit ip 192.168.3.0 0.0.0.255 any
    permit ip 192.168.4.0 0.0.0.255 any
    permit ip 192.168.5.0 0.0.0.255 any
    permit tcp any any eq 22
    deny ip any any
    logging trap notifications
    logging source-interface Vlan5
    logging 192.168.0.225
    route-map NONAT-LAN permit 10
    match ip address NONAT-LAN-RETURNING-ACL
    set interface Loopback0
    route-map NO-NAT permit 10
    match ip address NAT-ACL
    snmp-server community XXXsnmppub RO
    control-plane
    bridge 44 route ip
    bridge 144 route ip
    banner login ^C
    Unauthorized access is prohibited and will be monitored and prosecuted.
    If you are not explicitly authorized to access this device, you must
    disconnect now.
    ^C
    banner motd ^C
    Unauthorized access is prohibited and will be monitored and prosecuted.
    If you are not explicitly authorized to access this device, you must
    disconnect now.
    ^C
    line con 0
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    line vty 0 4
    access-class VTY-ACL-A in
    password 7 nnn
    transport input ssh
    line vty 5 15
    webvpn gateway webgateway
    ssl trustpoint TP-self-signed-1083484987
    no inservice
    webvpn gateway sslvpn.xxx
    hostname www.nnn
    ssl trustpoint TP-self-signed-1083484987
    inservice
    end
    router#

    It was a two-fold problem. There is another, stronger Wi-Fi signal at the facility from another entity on a different domain that the two laptops were trying to associate to in lieu of the network signal from our 1811. This could only be seen while watching the Intel wireless PROSet app, NOT the Windows wireless management app. Then, by deleting all other old Wi-Fi networks listed in the Intel PROSet app except ours, it connected. I also set the devices to never connect to the other signal. This was not an issue when I brought the laptop to another facility without a competing Wi-Fi signal, because there they would connect using the strongest and ONLY Wi-Fi network signal, which was ours.

  • DMVPN in Cisco 3945 output drop in tunnel interface

    I configured DMVPN on a Cisco 3945 and checked the tunnel interface. I found that I have output drops. How can I remove those output drops? I already set the ip mtu to 1400.
    CORE-ROUTER#sh int tunnel 20
    Tunnel20 is up, line protocol is up
      Hardware is Tunnel
      Description: <Voice Tunneling to HO>
      Internet address is 172.15.X.X./X
      MTU 17878 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 10.15.X.X (GigabitEthernet0/1)
       Tunnel Subblocks:
          src-track:
             Tunnel20 source tracking subblock associated with GigabitEthernet0/1
              Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport multi-GRE/IP
        Key 0x3EA, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1438 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "tunnel_protection_profile_2")
      Last input 00:00:01, output never, output hang never
     --More--           Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 7487
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         48007 packets input, 4315254 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         42804 packets output, 4638561 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    interface Tunnel20
     description <Bayantel Voice tunneling>
     bandwidth 30720
     ip address 172.15.X.X 255.255.255.128
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 20
     no ip split-horizon eigrp 20
     ip nhrp authentication 0r1x@IT
     ip nhrp map multicast dynamic
     ip nhrp network-id 1002
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     tunnel source FastEthernet0/0/1
     tunnel mode gre multipoint
     tunnel key 1002
     tunnel protection ipsec profile tunnel_protection_profile_2 shared

    Hi,
    Thanks for the input. If the radio is sending out the packet but the client did not receive it, no output drop should be seen, since the packet was sent out, right?
    From my understanding, output drops are related to a congested interface: the outgoing interface cannot take the rate of packets coming in and thus drops them. What I don't understand is that the input and output rates have not reached the limit yet. Also, the input queue is seeing packet drops as well, even though the input queue is empty.
    Any idea?

  • Advise on how to deploy my network on a Cisco 1811W

    Hello all
    First time working with any Cisco products
    I need a little advice from anyone who may be familiar with a Cisco 1811W.
    First the layout, then the questions at the bottom. :)
    THE LAYOUT -
    WAN 1 - DSL modem with dynamic IP.
    Bridged to 1811W FastEthernet0
    1811W FastEthernet0 IP = DHCP
    WAN 2 - iDirect satellite modem network 215.235.110.24/30,
    Modem IP 215.235.110.25
    1811W FastEthernet1 IP = DHCP (216.235.110.26)
    VLAN 1 - Inside 1811W (10.10.10.0/29) Management only
    Switch port FastEthernet port 9
    VLAN 2 - Inside 1811W (10.0.0.0/24) Home Network
    BV2 Bridge:
    Wireless dot11radio 1 and 2
    Switch ports FastEthernet 2,3,4 and 5
    Home Network:
    Multiple devices including two laptops that need to access VLAN 2 and 3
    Majority of devices going through simple switch and wireless into 1811W switchports
    VLAN 3 - Inside 1811W (10.0.1.0/24) Work Network (!!! Used for testing only !!!)  (I DO NOT WANT TO LOAD BALANCE)
    Switch ports FastEthernet 6, 7 and 8
    Work Network:
    Test Laptop - 10.0.1.17 (needs telnet access to WAN 2 modem 215.235.110.25)
    Running VNC on port 5904
    Satellite Antenna Controller1 - 10.0.1.20 (needs telnet access to WAN 2 modem 215.235.110.25)
    Running VNC on port 5902
    Satellite Antenna Controller2 - 10.0.1.21 (needs telnet access to WAN 2 modem 215.235.110.25)
    Running VNC on port 5903
    Additional requirements:
    WAN1 has to forward ports 5902 thru 5904 to VLAN 3 IPs
    WAN2 is not used for internet access
    (I DO NOT WANT TO LOAD BALANCE)
    (WAN 2 is only necessary for the Satellite Controllers and Laptop telnet requirement to communicate with the modem 215.235.110.25)
    (When the WAN modem establishes a satellite link there will be access to the internet through it but it would be ok to stop all traffic inbound period)
    VLAN3 should be able to access WAN1 and WAN2
    VLAN2 IP 10.0.0.201 and 202 need to route to VLAN2, VLAN3, WAN1 and WAN2
    VLAN2 other IPs should not be able to access VLAN 3 or WAN2
    QUESTIONS -
    1 - Based on that criteria here is the dilemma I have:
    2 - Should I make the 215.235.110.24/30 network a VLAN (4) instead of a WAN and then route all necessary IPs from VLAN2 and VLAN3 to VLAN4????
    3 - Would it be more secure doing it as a WAN due to NAT on WAN and no NAT on VLAN 4 etc?
    4 - How do I keep all VLANs from using WAN2 as internet access and only route outside on WAN1?
    5 - Is there a cleaner way to do this?
    Right now the 1811W is set to work with WAN1 and VLAN1, 2 and 3, but I have not added WAN2 yet.
    Thanks much in advance

    Hello, Ana Laura.
    I agree with Rakesh. Working as support for a company already using SAP will help "get your feet wet". The advantage is you can review SD settings for a specific set of business requirements. You could also get mentoring from a more senior SD guy inside this company, assuming he/she is willing to help you. I wouldn't stay as an in-house person for long because sooner or later the opportunities for growth will be limited.
    However, there are advantages and disadvantages to other alternatives as well, such as working for a consulting outfit. You would have to be a little more adventurous. It is a more unstable existence, but the opportunities for personal growth are there. One moment you may be sitting in the office for weeks without an assignment, and the next thing you know you will be deployed as the lead consultant (mainly because there's no one else).
    But whatever your choice, just have a positive attitude, be grateful and don't forget to relax every now and then.
    Our best wishes to you and welcome to the world of SAP SD.
    jty
    p.s.
    If you're looking for a SAP SD partner for Canada, just give me a holler (hahahaha - half joking but half serious).

  • How to increase built-in cisco vpn peer response timer?

    Hi,
    I use the OS X built-in Cisco VPN client to connect to the work VPN.
    The VPN server, or perhaps the RADIUS server, takes a long time to return a response. OS X always tries for 10 seconds, then drops the connection when there is no response from the remote peer. When I use the Cisco VPN client on a Windows machine, the VPN client has a setting to allow 90 seconds for the remote peer response. It works fine using the Cisco VPN client.
    I prefer to use OS X as my primary working environment, so I need to fix this problem. My question is how to increase the phase 1 & 2 timers for VPN under 10.6.7. I have tried to change the racoon.conf phase 1 & phase 2 timers, but it made no difference. OS X only tries for 10 seconds.
    Any ideas? (besides asking work people to fix the server or radius problem)
    Thanks
    jmsherry123

    I have the same problem ... the certificate is imported in the keychain, but I can't select it when setting up the VPN connection.

  • Cisco dial-peer path selection with "preference"

    Hi everybody,
    For a test lab environment I'm testing the integration between a Cisco voice gateway 3925 and a third-party voice gateway by means of ISDN PRI.
    Here is the connection schema:
    PSTN (emulated)-----> port0/0/0-Cisco3925-port0/0/1 <------- Third party Voice Gateway
                                                                  |     (ethernet)
                                                          Cisco CUCM  (172.23.112.20) 
    in brief:
    - I'm emulating the PSTN with a Cisco voice gateway; this gateway is connected to the Cisco 3925's port 0/0/0.
    - The Cisco 3925's port 0/0/1 is connected to the third-party voice gateway.
    - The Cisco 3925 speaks to Cisco CUCM in H323.
    Now let's look at an incoming call from the PSTN when the 3925 has no connection to CUCM, with called number 321672711 (321672... is the GNR of the site):
    1. inbound: dial-peer 110 matches, so the called number is transformed to 591711 (it is a DN not registered to the SRST Cisco gateway)
    2. outbound: I expect dial-peer 100 to be matched, because 172.23.112.20 is no longer reachable. From the show call active voice output, dial-peer 1 is matched, as attached. I need to set preference 1 in dial-peer 100 because when the WAN is up I don't want dial-peer 100 to be matched (and that works). But when the WAN is down, dial-peer 100 must match. If I remove preference 1, dial-peer 100 matches; but for correct path selection I cannot remove it.
    What am I forgetting?
    Thanks for your support
    voice translation-rule 1
     rule 1 /^321672/ /591/   
    voice translation-profile ENTRANTE
     translate called 1
     (translate calling omitted)
    dial-peer voice 1 voip
     description Inbound per USCENTI - Outbound per ENTRANTI
     corlist incoming CSSSRSTInternazionali
     tone ringback alert-no-PI
     destination-pattern 591...
     session target ipv4:172.23.112.20
     voice-class codec 1
     dtmf-relay h245-alphanumeric
     no vad
    dial-peer voice 100 pots           
     preference 1
     translation-profile outgoing NOMIG
     destination-pattern 591...               
     port 0/0/1:15
    dial-peer voice 110 pots
     corlist incoming CSSSRSTInternazionali
     description Inbound per ENTRANTI
     translation-profile incoming ENTRANTE
     incoming called-number 321672...        
     direct-inward-dial
     port 0/0/0:15

    Hello Marco,
    There could be two possibilities:
    1. To avoid dial-peer 1 being selected in the dial-plan match when the gateway is trying to route the call, you can configure an ICMP probe, which would mark the dial-peer as down in case of WAN failure. The call will then use dial-peer 100 automatically, as that will be the only possible match.
    Here is the document, in case you are interested in the ICMP probe:
    http://www.cisco.com/c/en/us/td/docs/ios/voice/command/reference/vr_book/vr_m3.html#wp1397581
    2. The default dial-peer hunting mechanism is Longest match - Preference - Random. Both dial-peers have the same destination pattern, in terms of specific digits and number of wildcards, so the router looks at the preference value of the two possible matches, and in this test dial-peer 1 wins. The router will try to route the call using that dial-peer; if it fails, it should automatically fall back to dial-peer 100 as the next choice.
    But please note that it will still use dial-peer 1 on the first attempt, as dial-peer status is not linked to interface status or WAN status. To verify this theory, you can remove the session target command, and you will see that dial-peer 1 is not even selected in the match; that's because removing the session target command marks it as DOWN for outgoing status.
    Taking the debugs below would help further, in case configuring the ICMP probe is not a viable option.
    debug voip ccapi inout (it will help understand the dial-peer match and hunting process).
    debug voip dialpeer inout
    Hope that helps.

  • Cisco Dial Peer Voice VOIP

    Dear Sir,
    Due to miscommunication between two companies, my Cisco IP telephone dial extension is conflicting with another newly installed telephone extension, because both start with the same 4.. number.
    Example;
    Riyadh Branch (4 Digits) 4119
    dial-peer voice 551 voip
    tone ringback alert-no-PI
    destination-pattern 4...$
    session protocol sipv2
    session target ipv4:200.200.200.13:5068
    session transport tcp
    dtmf-relay rtp-nte
    codec g711ulaw
    fax protocol none
    no vad
    *Newly Added Configuration*
    Jeddah Branch - (3 Digits) 411
    dial-peer voice 302 voip
    corlist incoming EMPInt
    destination-pattern 4..
    video codec h263+
    session protocol sipv2
    session target ipv4:172.16.22.2
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    What would be the possible solution? They don't want to change the extensions of either branch/office.
    All calls to the 4-digit extension are automatically forwarded and routed to the 3-digit extension.
    Thanks in advance.
    Michael
    IT

    Hi Michael,
    Here is one solution from my side...
    Apply an access code to each site whose extensions overlap.
    Suppose the access code for the Riyadh branch is 7 and for the Jeddah branch is 6. Change the dial-peers according to the access code and apply a translation to convert those numbers back to the normal 4- and 3-digit numbers after the dial-peer matches.
    voice translation-rule 1
    rule 1 /^6\(4..$\)/ /\1/
    voice translation-rule 2
    rule 1 /^7\(4...$\)/ /\1/
    voice translation-profile Jeddah
    translate called 1
    voice translation-profile Riyadh
    translate called 2
    Riyadh Branch (4 Digits) 4119
    dial-peer voice 551 voip
    translation-profile outgoing Riyadh
    destination-pattern 74...$
    Jeddah Branch - (3 Digits) 411
    dial-peer voice 302 voip
    translation-profile outgoing Jeddah
    destination-pattern 64..$
    Rate all the helpful posts.
    Thanks
    Manish
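
The dial-peer hunting order described in the reply to Marco (longest match, then preference, with a peer that has no session target counted as down) and the access-code translation Manish proposes for Michael can be modelled in a few lines. The following is an added example, not code from either post or from Cisco: the dial-peers and translation rules are the ones quoted above, while the pattern matching, digit collection and the `reachable` set that stands in for an ICMP probe are our own simplification of IOS behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not code from either dial-peer post: a small model of how an
# IOS voice gateway matches destination-patterns, hunts between dial-peers
# (longest match, then preference) and applies voice translation-rules.
# The dial-peers and rules are the ones quoted above; the matching and
# digit-collection logic is our own simplification of IOS behaviour.

@dataclass
class DialPeer:
    tag: int
    pattern: str                          # IOS destination-pattern, e.g. "591..." or "74...$"
    preference: int = 0                   # IOS default is 0; lower is preferred
    session_target: Optional[str] = None  # VoIP peers
    port: Optional[str] = None            # POTS peers

    def up_for_outgoing(self, reachable=None) -> bool:
        """A VoIP peer with no session target is DOWN for outgoing calls (as the reply
        notes). `reachable` simulates an ICMP probe: targets not in it count as down."""
        if self.port is not None:
            return True
        if self.session_target is None:
            return False
        return reachable is None or self.session_target in reachable

def pattern_to_regex(pattern: str) -> str:
    """'.' is any single digit; a trailing '$' anchors the end of the called number."""
    anchored = pattern.endswith("$")
    return "^" + pattern.rstrip("$").replace(".", "[0-9]") + ("$" if anchored else "")

def match_len(peer: DialPeer, called: str) -> int:
    """Number of digits the peer's pattern consumes from `called`, 0 if no match."""
    m = re.match(pattern_to_regex(peer.pattern), called)
    return len(m.group(0)) if m else 0

def hunt(peers, called: str, reachable=None):
    """Outgoing hunt order: longest match first, then lowest preference.
    IOS adds a random tie-break after preference; it is omitted for determinism."""
    live = [p for p in peers if match_len(p, called) and p.up_for_outgoing(reachable)]
    return [p.tag for p in sorted(live, key=lambda p: (-match_len(p, called), p.preference))]

def parse_rule(line: str):
    """Parse an IOS 'rule N /match/ /replace/' line into (python_regex, replacement).
    IOS writes groups as backslash-parentheses; Python wants plain ( ). A '\\1'
    back-reference in the replacement works unchanged with re.sub."""
    m = re.match(r"\s*rule\s+\d+\s+/(.*?)/\s+/(.*?)/\s*$", line)
    if not m:
        raise ValueError(f"not a translation rule: {line!r}")
    return m.group(1).replace(r"\(", "(").replace(r"\)", ")"), m.group(2)

def translate(number: str, rules) -> str:
    """Apply the first rule whose match part hits, as an IOS translation-rule does."""
    for regex, repl in rules:
        if re.search(regex, number):
            return re.sub(regex, repl, number, count=1)
    return number

def route_while_dialing(peers, digits: str):
    """Collect digits one at a time and route as soon as a pattern fully matches the
    digits collected so far (no interdigit timeout modelled). Returns (tag, used)."""
    collected = ""
    for d in digits:
        collected += d
        for p in sorted(peers, key=lambda p: p.preference):
            if re.fullmatch(pattern_to_regex(p.pattern), collected):
                return p.tag, collected
    return None, collected

def marco_case(probe_reachable=None, drop_session_target=False):
    """The 3925 case: PSTN call to 321672711 with dial-peers 1 (VoIP) and 100 (POTS)."""
    dp1 = DialPeer(1, "591...", session_target=None if drop_session_target else "172.23.112.20")
    dp100 = DialPeer(100, "591...", preference=1, port="0/0/1:15")
    called = translate("321672711", [parse_rule("rule 1 /^321672/ /591/")])
    return called, hunt([dp1, dp100], called, probe_reachable)

def michael_case():
    """The overlapping 4... / 4.. extensions, before and after Manish's access codes."""
    before = [DialPeer(551, "4...$"), DialPeer(302, "4..")]
    after = [DialPeer(551, "74...$"), DialPeer(302, "64..$")]
    riyadh = [parse_rule(r"rule 1 /^7\(4...$\)/ /\1/")]
    jeddah = [parse_rule(r"rule 1 /^6\(4..$\)/ /\1/")]
    tag, used = route_while_dialing(after, "74119")
    return {
        "before_4119": route_while_dialing(before, "4119"),   # grabbed by 4.. after "411"
        "after_74119": (tag, translate(used, riyadh)),        # (551, "4119")
        "after_6411": (route_while_dialing(after, "6411")[0],
                       translate("6411", jeddah)),            # (302, "411")
    }

if __name__ == "__main__":
    print(marco_case())                       # ('591711', [1, 100])
    print(marco_case(probe_reachable=set()))  # ('591711', [100])
    print(michael_case())
```

With no probe the hunt order is [1, 100], which is exactly the "dial-peer 1 is tried first" behaviour Marco saw; an empty `reachable` set (or dropping the session target) removes dial-peer 1 from the match, leaving only 100.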

  • Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

    Hi Rizwan,
    Thanks for your response. I updated the configuration per your response below... It still doesn't work. Please see my new config files below. Please help. Thanks in advance for your help....
    Hi Pinesh,
    Please make the following changes on host officeasa:
    Remove the line highlighted below.
    crypto dynamic-map L2LMap 1 match address Crypto_L2L
    It is only because group1 is weak, so please change it to group2:
    crypto dynamic-map L2LMap 1 set pfs group1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
    Please make the following changes on host homeasa:
    It is only because group1 is weak, so please change it to group2:
    crypto map L2Lmap 1 set pfs group1
    route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx (default gateway on homeasa)
    Hope that helps; if not, please open a new thread.
    Thanks
    Rizwan Rafeek
    New config files..
    Site-A:   (Office):
    Hostname: asaoffice
    Inside: 10.10.5.0/254
    Outside e0/0: Static IP 96.xxx.xxx.118/30
    Site-B:   (Home):
    Hostname: asahome
    Inside: 10.10.6.0/254
    Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
    Site-A:
    officeasa(config)# sh config
    : Saved
    : Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname officeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address 96.xxx.xxx.118 255.255.255.252
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.5.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
    access-list ormtST standard permit 10.10.5.0 255.255.255.0
    access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map OL2LMap 1 set pfs
    crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
    crypto dynamic-map OL2LMap 1 set reverse-route
    crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
    crypto map out_L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.5.101-10.10.5.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy ormtGP internal
    group-policy ormtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ormtST
    address-pools value ormtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type remote-access
    tunnel-group ormtProfile type remote-access
    tunnel-group ormtProfile general-attributes
    default-group-policy ormtGP
    tunnel-group ormtProfile webvpn-attributes
    group-alias OFFICE enable
    tunnel-group defaultL2LGroup type ipsec-l2l
    tunnel-group defaultL2LGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
    officeasa(config)#
    Site-B:
    Home ASA Configuration:
    homeasa# sh config
    : Saved
    : Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname homeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.6.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    access-list hrmtST standard permit 10.10.6.0 255.255.255.0
    access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1   (IP address of the Dynamic IP from ISP)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map L2Lmap 1 match address Crypto_L2L
    crypto map L2Lmap 1 set peer 96.xxx.xxx.118
    crypto map L2Lmap 1 set transform-set Site2Site
    crypto map L2LMap 1 set pfs
    crypto map L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.6.101-10.10.6.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy hrmtGP internal
    group-policy hrmtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value hrmtST
    address-pools value hrmtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type admin
    tunnel-group hrmtProfile type remote-access
    tunnel-group hrmtProfile general-attributes
    default-group-policy hrmtGP
    tunnel-group hrmtProfile webvpn-attributes
    group-alias hrmtCGA enable
    tunnel-group 96.xxx.xxx.118 type ipsec-l2l
    tunnel-group 96.xxx.xxx.118 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
    homeasa#

    Thanks Rizwan,
    Still no luck. I can't even ping the other side (office). I am not sure if I'm running the debug the right way. Here are my results...
    homeasa(config)# ping inside 10.10.5.254 ............. (Office Cisco ASA5505 IP on the local side. I also tried pinging the server on the other side (office), which is @10.10.5.10, and got the same result)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
    Success rate is 0
    homeasa(config)# debug crypto isakmp 7
    homeasa(config)# debug crypto ipsec 7
    homeasa(config)# sho crypto isakmp 7
                                       ^
    ERROR: % Invalid input detected at '^' marker.
    homeasa(config)# sho crypto isakmp
    There are no isakmp sas
    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 0
    In Octets: 0
    In Packets: 0
    In Drop Packets: 0
    In Notifys: 0
    In P2 Exchanges: 0
    In P2 Exchange Invalids: 0
    In P2 Exchange Rejects: 0
    In P2 Sa Delete Requests: 0
    Out Octets: 0
    Out Packets: 0
    Out Drop Packets: 0
    Out Notifys: 0
    Out P2 Exchanges: 0
    Out P2 Exchange Invalids: 0
    Out P2 Exchange Rejects: 0
    Out P2 Sa Delete Requests: 0
    Initiator Tunnels: 0
    Initiator Fails: 0
    Responder Fails: 0
    System Capacity Fails: 0
    Auth Fails: 0
    Decrypt Fails: 0
    Hash Valid Fails: 0
    No Sa Fails: 0
    Global IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
    There are no ipsec sas
    homeasa(config)#
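    A consistency lint for two ASA site-to-site configs, added here as an example (not code from the thread): it runs over constructed excerpts modelled on the office/home dumps above, with placeholder addresses, and flags a crypto map bound to the outside interface under a spelling that has no entries, a static entry that lacks peer / transform set / match address, and peers whose ISAKMP proposal, transform sets or mirrored crypto ACLs do not line up.

```python
# Consistency lint for a pair of ASA 8.2-style site-to-site configs. Added
# example, not from the thread; SITE_A/SITE_B are constructed excerpts in the
# style of the office/home dumps above, with placeholder addresses.
import re

SITE_A = """
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.255.0
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
SITE_B = """
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 192.0.2.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ISAKMP_KEYS = ("authentication", "encryption", "hash", "group")

def parse(config):
    """Extract the pieces that decide whether phase 1 and phase 2 can match."""
    cfg = {"acls": {}, "tsets": {}, "maps": {}, "bound": {}, "isakmp": {}}
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split() or [""]
        if m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := TS_RE.match(line):
            cfg["tsets"][m[1]] = tuple(m[2].split())
        elif m := BIND_RE.match(line):
            cfg["bound"][m[2]] = m[1]          # interface -> crypto map name
        elif m := MAP_RE.match(line):
            cfg["maps"].setdefault(m[1], {}).setdefault(int(m[2]), []).append(m[3])
        elif tok[0] in ISAKMP_KEYS and len(tok) == 2:
            cfg["isakmp"][tok[0]] = tok[1]     # phase 1 proposal attributes
    return cfg

def lint_side(cfg, label):
    """Per-device: the map bound to 'outside' must have entries under exactly
    that spelling, and each static entry needs peer, transform set and ACL."""
    name = cfg["bound"].get("outside")
    if name is None:
        return [f"{label}: no crypto map bound to outside"]
    entries = cfg["maps"].get(name)
    if not entries:
        close = [n for n in cfg["maps"] if n.lower() == name.lower()]
        hint = f" (did you mean {close[0]}? names are case-sensitive)" if close else ""
        return [f"{label}: bound map {name} has no entries{hint}"]
    findings = []
    for seq, cmds in entries.items():
        joined = " ".join(cmds)
        if "dynamic" in joined:                # dynamic entries carry no peer/ACL
            continue
        for need in ("set peer", "set transform-set", "match address"):
            if need not in joined:
                findings.append(f"{label}: {name} {seq} is missing '{need}'")
    return findings

def static_acls(cfg):
    """Names of the crypto ACLs referenced by static crypto map entries."""
    return [c.split()[2] for entries in cfg["maps"].values()
            for cmds in entries.values() for c in cmds if c.startswith("match address ")]

def lint_pair(a, b):
    """Cross-device: same phase 1 proposal, a shared transform set, and every
    crypto ACL line mirrored (src/dst swapped) on the other peer."""
    findings = []
    for k in ISAKMP_KEYS:
        if a["isakmp"].get(k) != b["isakmp"].get(k):
            findings.append(f"isakmp {k} differs: {a['isakmp'].get(k)} vs {b['isakmp'].get(k)}")
    if not set(a["tsets"].values()) & set(b["tsets"].values()):
        findings.append("no transform set in common")
    for side, other, lbl in ((a, b, "A"), (b, a, "B")):
        for acl in static_acls(side):
            for src, smask, dst, dmask in side["acls"].get(acl, []):
                if not any((dst, dmask, src, smask) in r for r in other["acls"].values()):
                    findings.append(f"{lbl}: {acl} {src}->{dst} has no mirror line on the peer")
    return findings
```

    Run `lint_side(parse(SITE_A), "office") + lint_side(parse(SITE_B), "home") + lint_pair(parse(SITE_A), parse(SITE_B))` to see the findings for the two excerpts; on real dumps, paste the `sh run` output in place of the constructed strings.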

  • Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

    I have a Cisco 881 ISR router with a site-to-site IPsec VPN tunnel to a MikroTik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up; however, traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (VLANs are required on the L2 ports) and does not pass to the tunnel.
    This is my configuration:
    141Kerioth#sh config
    Using 3763 out of 262136 bytes
    ! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    141Kerioth#do wr mem
                  ^
    % Invalid input detected at '^' marker.
    141Kerioth#wr mem
    Building configuration...
    [OK]
    141Kerioth#sh run
    Building configuration...
    Current configuration : 5053 bytes
    ! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-580381394
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-580381394
     revocation-check none
     rsakeypair TP-self-signed-580381394
    crypto pki certificate chain TP-self-signed-580381394
     certificate self-signed 01
            quit
    ip dhcp excluded-address 10.0.16.1
    ip dhcp pool ccp-pool
     import all
     network 10.0.16.0 255.255.255.0
     default-router 10.0.16.1
     dns-server 8.8.8.8
     lease 0 2
    ip domain name kerioth.com
    ip host hostname.domain z.z.z.z
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip cef
    no ipv6 cef
    license udi pid CISCO881-K9 sn FTX180483DD
    username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
    username meadowbrook privilege 0 password 0 $8UBr#Ux
    username meadowbrook autocommand exit
    policy-map type inspect outbound-policy
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 5
    crypto isakmp key 141Township address z.z.z.z
    crypto isakmp keepalive 10
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
     mode tunnel
    crypto map mymap 10 ipsec-isakmp
     set peer z.z.z.z
     set transform-set TS
     match address 115
    interface Loopback0
     no ip address
    interface Tunnel1
     no ip address
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface FastEthernet4
     description $FW_OUTSIDE_WAN$
     ip address 50.y.y.y 255.255.255.240
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map mymap
    interface Vlan1
     description $ETH_LAN$
     ip address 10.0.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 115 interface Vlan1 overload
    ip nat inside source list 199 interface FastEthernet4 overload
    ip nat inside source route-map nonat interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 50.x.x.x
    access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 110 permit ip 10.0.16.0 0.0.0.255 any
    access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 144 permit icmp host c.c.c.c host 10.0.1.50
    access-list 144 permit icmp host p.p.p.p host 10.0.16.105
    access-list 199 permit ip a.a.a.a 0.0.0.255 any
    no cdp run
    route-map nonat permit 10
     match ip address 100
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     transport preferred ssh
     transport input ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    cns trusted-server all-agents x.x.x.x
    cns trusted-server all-agents hostname
    cns trusted-server all-agents hostname.domain
    cns id hardware-serial
    cns id hardware-serial event
    cns id hardware-serial image
    cns event hostname.domain 11011
    cns config initial hostname.domain 80
    cns config partial hostname.domain 80
    cns exec 80
    end

    Why do you have the following command on the PIX?
    crypto map outside_map 40 set transform-set 165.228.x.x
    Also you have this transform set on the PIX:
    crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
    This does not match the transform set on the router:
    crypto ipsec transform-set tritest esp-3des esp-md5-hmac
    Where are you using the access-list/route-map 101?

  • Cisco 3745, VPN and Split Tunneling

    I tried following the model here: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a008018914d.shtml
    but after doing so, the situation was actually reversed. While connected to the VPN client you were able to browse the internet but not able to access VPN resources. I undid and redid the configuration several times to rule out keying-in problems.
    Can anyone help with this problem... If needed I'll post the necessary configs from my router.. Thanks
    (btw: do these forums have a search?)

    I am having the same problems with a PIX 501. With split tunnel, I get web but no LAN access. Without split tunnel, full LAN access, no web. My ACL for the splitTunnel is:
    permit ip host 192.168.1.0 any
    Is this wrong?

  • NTP sync for Cisco routers through a VPN tunnel

    I have a 3002 tunnel to a 3015. Behind the 3002 is a Cisco router with NTP set up on it. No NTP traffic appears to be traversing the tunnel; there are no filters on the tunnel preventing NTP (123) traffic.
    Is there something in the 3015 that has to be set to allow NTP traffic to go through?
    NTP is working on all other non-tunnelled connections.

    Make sure the 3002 is in NEM mode, and remember that the 3002 will only tunnel the directly-connected subnet's traffic. Unless that router has an interface in the 3002 private interface's subnet, and it is using that as the source address in its NTP requests, it won't work. Can you ping from that router to the NTP server across the tunnel?

  • GRE IPSEC tunnel between 2 cisco routers

    Hello all,
    I have configured a GRE tunnel between 2 sites on Cisco routers, and the GRE tunnel works fine.
    Once I have configured the IPsec tunnel, it is not stable: it goes down after some time and keeps going into MM_State.
    #sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst                             src             state                          conn-id status
    x.x.x.x.                     x.x.x.x.x    MM_NO_STATE          0 ACTIVE
    although the GRE tunnel works fine
    Regards
    Tejas

    Hi David,
    It is quite strange, but when I started this discussion my issue was that show crypto isakmp sa showed the state as "MM_NO_STATE"; now the problem is different.
    This morning I followed some steps:
    Step 1. Configured a simple GRE tunnel between my 2 locations; able to ping the other end's tunnel IP with the source tunnel IP, all works fine.
    Step 2. Started a conditional debug for the peer along with crypto isakmp and crypto ipsec debug on both locations.
    Step 3. Implemented the IPsec config on both routers; I have attached the same in a separate file.
    Now the problem is that the IPsec negotiation has been successful (see output below) but my tunnel is down.
    SITE A
    sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    114.143.78.X   14.102.64.X    QM_IDLE           1015 ACTIVE
    SITE B
    #sh crypto isakmp sa | include 14.102.64.X
    14.102.64.X    114.143.78.X   QM_IDLE          15532 ACTIVE
    Now I am not sure why my tunnel is down???
    Please check the attached notepad.
    Regards
    Tejas

  • Automatic tunnel group selection through radius on Cisco ASA

    Hi all. I am trying to let the Cisco ASA automatically select a tunnel group for users after the user inputs username and password. I want to do this without the user selecting a connection profile on the login page. Authentication is ASA<>ACS 5.3<>MS AD. How can I do this? The RADIUS attribute class=group_policy doesn't work.
    Maybe someone has experienced this?

    You can't select a tunnel-group from RADIUS. But you can assign the right group-policy for your user with the class-attribute. For that you need to have different group-policies configured on your ASA. Alternatively instead of assigning the group-policy you can assign the individual parameters like IP, VPN-filter and so on.
    Sent from Cisco Technical Support iPad App

  • Setting up site to site vpn with cisco asa 5505

    I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
    IP of remote office router is 71.37.178.142
    IP of the main office firewall is 209.117.141.82
    Can someone tell me if my config is correct; this is the first time I am setting this up and it cannot be tested until I set it up at the remote office. I would rather know it's correct before I go.
    ciscoasa# show run
    : Saved
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password TMACBloMlcBsq1kp encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
    access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 209.117.141.82
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd enable inside
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
    : end
    ciscoasa#
    Thanks!

    Hi Mandy,
    By using the following access list, which defines the peer IPs as source and destination,
    access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
    you are not defining the interesting traffic / subnets from both ends.
    Make a numbered ACL 101 if you like, as you do not have to write the extended keyword then, as follows; or else a named ACL will also work:
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=4
    access-list 101 remark IPSEC Rule
    ! 1. Source subnet (called the local encryption domain) at your end: 192.168.200.0
    ! 2. Destination subnet (called the remote encryption domain) at the other end: 192.168.100.0
    ! 3. I mean you have to define which subnets behind these firewalls need to communicate with each other
    ! 4. Local subnets behind the main office firewall IP 209.117.141.82, say at your end: 192.168.200.0
    ! 5. Remote subnets behind the remote office router IP 71.37.178.142, say at the other end: 192.168.100.0
    Please use the basic steps as follows:
    A. Configuration in your MAIN office having IP = 209.117.141.82 (follow steps 1 to 6)
    Step 1.
    Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source on the other side's router or VPN device; that's why they are called mirror ACLs, also called Proxy IDs or Proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
    Step 2.
    Configure the ISAKMP policy; a minimum of 4 parameters are to be configured:
    crypto isakmp policy 10
    authentication pre-share  ---> 1st parameter of the ISAKMP policy, setting the authentication type, is OK
    encryption aes-256   ---> 2nd parameter of the ISAKMP policy is OK
    hash sha   --->  3rd parameter of the ISAKMP policy is OK
    group 5  --->  4th parameter of the ISAKMP policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional; the lower value at either end will be negotiated, or by default it will be taken as 86400
    Step 3.
    Define the pre-shared key or PKI which you will use with the other side's peer address 71.37.178.142; key type 0 is plain text, anyone can see it over the internet, or use key type 6 for an encrypted key. Say your password is CISCO123.
    Here in your case, in step 2 authentication is using PSK; it looks like you have not defined the password.
    Use the following command:
    crypto isakmp key 0 CISCO123 address 71.37.178.142
    or, but not both:
    crypto isakmp key 6 CISCO123 address 71.37.178.142
    step 4.
    Define the transform set, which will be used for the phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    This is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac):
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH: as AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference); say for example only one set for auth but no set for encryption. Hence AH has no such sets as ah-des, ah-3des or ah-aes; it has only the second set for authentication, like
    ah-sha-hmac or ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 5.
    Now configure the crypto map as follows. Only one crypto map can be applied to the OUTSIDE interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and only one crypto map can be applied to the OUTSIDE interface; hence for several VPN peers from different vendors we use seq no 10, 20, 30 for different tunnels in one single crypto map:
    crypto map ipsec-isakmp
    1. Define the peer -- called WHO to set the tunnel with
    2. Define or call WHICH transform set
    3. Define WHAT to call interesting traffic, defined in your ACL or Proxy ID or Proxy ACL in step 1, using match address
    Like in your case it is, but the ipsec-isakmp keyword is missing at the end:
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct, as this is your other side peer, called WHO in my step
    2. set transform-set TSET1  -----> is correct, as this is WHICH, and only one transform set can be called
    !..In your case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ----> name of the extended ACL, defined as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional, but if configured at one end the same has to be configured at the other side peer as well)
    Step 6.
    Now apply this one crypto map to your OUTSIDE interface, always:
    interface outside
    crypto map outside_map
    Configure the same on the other end but just change the ACL in step one by reversing source and destination,
    and also set the peer IP of this router at the other end.
    So the other side's config should look as follows:
    B.  Configuration on your remote peer having IP = 71.37.178.142 (follow steps 7 to 12)
    Step 7.
    Define the crypto ACL / mirror ACL for the other end (change source to destination and destination to source on the other side's router or VPN device; that's why they are called mirror ACLs, also called Proxy IDs or Proxy ACLs: your interesting traffic, that you want to encrypt / travel / enter the tunnel)
    access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
    Step 8.
    Configure the ISAKMP policy; a minimum of 4 parameters are to be configured:
    crypto isakmp policy 10
    authentication pre-share  ---> 1st parameter of the ISAKMP policy, setting the authentication type, is OK
    encryption aes-256   ---> 2nd parameter of the ISAKMP policy is OK
    hash sha   --->  3rd parameter of the ISAKMP policy is OK
    group 5  --->  4th parameter of the ISAKMP policy is OK
    lifetime 86400  ------ >  this 5th parameter is optional; the lower value at either end will be negotiated, or by default it will be taken as 86400
    Step 9.
    Define the pre-shared key or PKI which you will use with the other side's peer address; key type 0 is plain text, anyone can see it over the internet, or use key type 6 for an encrypted key. Say your password is CISCO123.
    Here in your case, in step 8 authentication is using PSK; it looks like you have not defined the password.
    Use the following command:
    crypto isakmp key 0 CISCO123 address 209.117.141.82
    or, but not both:
    crypto isakmp key 6 CISCO123 address 209.117.141.82
    step 10.
    Define the transform set, which will be used for the phase 2 tunnel parameters; if you use ESP it can have two sets, one for encryption and the other for authentication.
    Here is yours one:
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    this is correct, but give it a name that is easier to remember / distinguish as a transform set, like TSET1 instead of ESP-AES-256-SHA; try the following (here you are using ESP, so for encryption we use the first set as esp-des and for authentication we use the second set esp-sha-hmac)
    crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
    or
    crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
    Suppose you are using only AH. As AH does not support encryption or confidentiality, it always uses only one set, not 2 sets like ESP (remember the difference): for example only one set for auth but no set for encryption. Hence AH has no such sets like ah-des or ah-3des or ah-aes; it has only the second set for authentication, like
    ah-sha-hmac or  ah-md5-hmac
    crypto ipsec transform-set TSET1 ah-sha-hmac
    or
    crypto ipsec transform-set TSET1 ah-md5-hmac
    Step 11.
    Now configure the Crypto MAP as follows. Only one CMAP can be applied to the OUTSIDE Interface, as the VPN tunnel is always applied for traffic from inside subnets to outside subnets, and hence for several VPN peers from different vendors we use seq no 10, 20, 30 for the different tunnels in one single CMAP:
    crypto map <NAME> <SEQ> ipsec-isakmp
    1. Define peer -- called WHO to set tunnel with
    2. Define or call WHICH - Transform Set, only one is permissible
    3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
    Like in your case it is, but the ipsec-isakmp keyword is missing at the end
    crypto map outside_map 10 ipsec-isakmp
    1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
    2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
    !..In you case it is correct
    !...set transform-set ESP-AES-256-SHA (also correct)
    3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
    4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
    Step 12.
    Now apply this one crypto MAP to your OUTSIDE interface always
    interface outside
    crypto map outside_map
    Now initiate a ping
    Here is for your summary:
    IPSec: Site to Site - Routers
    Configuration Steps
    Phase 1
    Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
    Step 2: Configure ISAKMP Policy
    Step 3: Configure ISAKMP Key
    Phase 2
    Step 4: Configure Transform Set
    Step 5: Configure Crypto Map
    Step 6: Apply Crypto Map to an Interface
    To debug Phase 1 and Phase 2, store the output in the buffer without displaying logs on the terminal:
    Router#debug crypto isakmp
    Router#debug crypto ipsec
    Router(config)# logging buffered 7
    Router(config)# logging buffered 99999
    Router(config)# logging console 6
    Router# clear logging
    Configuration
    In R1:
    (config)# access-list 101 permit ip host 10.1.1.1 host 10.1.2.1
    (config)# crypto isakmp policy 10
    (config-policy)# encryption 3des
    (config-policy)# authentication pre-share
    (config-policy)# group 2
    (config-policy)# hash sha1
    (config)# crypto isakmp key 0 cisco address 2.2.2.1
    (config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
    (config)# crypto map CMAP 10 ipsec-isakmp
    (config-crypto-map)# set peer 2.2.2.1
    (config-crypto-map)# match address 101
    (config-crypto-map)# set transform-set TSET
    (config)# int f0/0
    (config-if)# crypto map CMAP
    Similarly in R2
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Change to Transport Mode, add the following command in Step 4:
    (config-transform-set)# mode transport
    Even after doing this change, the IPsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to the ACL.
    Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
    (config)# crypto isakmp peer address 2.2.2.1
    (config-peer)# set aggressive-mode password cisco
    (config-peer)# set aggressive-mode client-endpoint ipv4-address 2.2.2.1
    Similarly on R2.
    The below process is for the negotiation using RSA-SIG (PKI) as authentication type
    Debug Process:
    After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase 1) negotiation. Important messages are marked in BOLD and explanations in RED
    R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in the Security Association Database (SADB)
    Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
    Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
    Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
    Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
    Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
    Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
    Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
    Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
    Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
    Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947:.!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
    R2(config)# ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
    Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
    Mar  2 16:18:42.947: ISAKMP:      hash SHA
    Mar  2 16:18:42.947: ISAKMP:      default group 2
    Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
    Mar  2 16:18:42.947: ISAKMP:      life type in seconds
    Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
    Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
    Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
    Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
    Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
    Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
    Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
    Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
    Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
    Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
    Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
    Mar  2 16:18:43.007: ISAKMP:received payload type 20
    Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
    Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
    Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
    Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
    Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
    Mar  2 16:18:43.011: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : R2
              protocol     : 17
              port         : 500
              length       : 10
    Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
    Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
    Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
    Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
    // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP (1008): ID payload
              next-payload : 6
              type         : 2
              FQDN name    : ASA1
              protocol     : 0
              port         : 0
              length       : 12
    Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
    Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
    Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
    Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
    Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
    Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
    Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
    Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
    Mar  2 16:18:43.067: ISAKMP:received payload type 17
    Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
    Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
    Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
              authenticated
    Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
    Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
    Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
    Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
    Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
    Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
    Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
    Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
    Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
    Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
    Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
    Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
    Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
    Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
    Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
              (proxy 1.1.1.1 to 2.2.2.2)
    Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
              (proxy 2.2.2.2 to 1.1.1.1)
    Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
    Mar  2 16:18:43.083:         lifetime of 3600 seconds
    Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
    Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
    Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
    Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
    Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
    Verification Commands
    #show crypto isakmp SA
    #show crypto ipsec SA
    Kindly rate if you find the explanation useful !!
    Best Regards
    Sachin Garg
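    The debug walk-through above is easier to use at scale with a small parser. The following is an added example, not code from the thread: it reads the `Old State / New State` lines that `debug crypto isakmp` emits, records whether Phase 1 and Phase 2 completed, and maps a stalled negotiation to the check a practitioner would make next. The two traces are constructed samples in the shape of the output above, and the stall hints are general IKEv1 troubleshooting knowledge, not statements from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a successful initiator-side negotiation reduced to the
# state-machine lines of the trace above (same states, same SA ids).
SAMPLE_OK = """\
Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Mar  2 16:18:43.089: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
"""

# Constructed sample: the initiator sends identity/authentication (MM5) and the
# peer never answers, so IOS keeps retransmitting.
SAMPLE_STALL = """\
Mar  2 16:20:01.000: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Mar  2 16:20:01.010: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Mar  2 16:20:01.020: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Mar  2 16:20:01.030: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Mar  2 16:20:01.040: ISAKMP:(1009):Old State = IKE_I_MM4  New State = IKE_I_MM5
Mar  2 16:20:11.040: ISAKMP:(1009): retransmitting phase 1 MM_KEY_EXCH...
"""

STATE_RE = re.compile(r"ISAKMP:\(\d+\):Old State = (\S+)\s+New State = (\S+)")

# Typical causes when the initiator never leaves a state (general IKEv1
# troubleshooting knowledge, assumption of this example, not from the thread).
STALL_HINTS = {
    "IKE_I_MM1": "no answer to the first Main Mode packet: peer unreachable, UDP/500 "
                 "filtered, or no ISAKMP policy on the responder matches ours",
    "IKE_I_MM3": "no answer to our key exchange: check reachability and that "
                 "encryption/hash/group/lifetime agree in both ISAKMP policies",
    "IKE_I_MM5": "no answer after sending identity and authentication: "
                 "pre-shared key or certificate mismatch on one side",
    "IKE_QM_I_QM1": "Phase 1 done, Phase 2 stalled: transform set, PFS or the "
                    "crypto ACL (mirror ACL) does not match on the peer",
}

@dataclass
class Negotiation:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    authenticated: bool = False
    phase1_complete: bool = False
    phase2_complete: bool = False
    last_state: Optional[str] = None   # last state reached by a real transition

def parse_isakmp_debug(text: str) -> Negotiation:
    """Collect state transitions and milestones from a debug crypto isakmp trace."""
    neg = Negotiation()
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            old, new = m.groups()
            if old != new:                 # IOS also logs self-transitions; skip them
                neg.transitions.append((old, new))
                neg.last_state = new
            neg.phase1_complete |= new == "IKE_P1_COMPLETE"
            neg.phase2_complete |= new == "IKE_QM_PHASE2_COMPLETE"
        elif "SA has been authenticated" in line:
            neg.authenticated = True
    return neg

def diagnose(neg: Negotiation) -> str:
    """One-line verdict: how far the negotiation got and what to check next."""
    if neg.phase2_complete:
        return "OK: Phase 1 and Phase 2 complete, tunnel ready to pass traffic"
    if neg.last_state is None:
        return ("no ISAKMP activity: traffic never matched the crypto ACL, "
                "or the crypto map is not applied to the outside interface")
    hint = STALL_HINTS.get(neg.last_state, "unexpected state, read the full trace")
    return f"stalled at {neg.last_state}: {hint}"

if __name__ == "__main__":
    for name, trace in (("ok", SAMPLE_OK), ("stall", SAMPLE_STALL)):
        print(name, "->", diagnose(parse_isakmp_debug(trace)))
```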

  • Per Tunnel QoS: NHRP-3-QOS_POLICY_APPLY_FAILED

    Hello,
    another day another problem :-)
    Since I got the DMVPN Network up and running a few months ago, the customer wishes to implement voice-over-ip, therefore I tried to configure Per-Tunnel QoS in the DMVPN Network.
    The Policy Map on the Hub-Site is as follows:
    class-map match-all BULK-DATA
     match ip dscp af11  af12
    class-map match-all INTERACTIVE-VIDEO
     match ip dscp af41  af42
    class-map match-all VOICE
     match ip dscp ef
    class-map match-all SCAVENGER
     match ip dscp cs1
    class-map match-any INTERNETWORK-CONTROL
     match ip dscp cs6
     match access-group name IKE
    class-map match-any CALL-SIGNALING
     match ip dscp cs3
     match ip dscp af31
    class-map match-all TRANSACTIONAL-DATA
     match ip dscp af21  af22
    policy-map voice
     class VOICE
      priority percent 18
     class INTERACTIVE-VIDEO
      priority percent 15
     class CALL-SIGNALING
      bandwidth percent 5
     class INTERNETWORK-CONTROL
      bandwidth percent 5
     class TRANSACTIONAL-DATA
      bandwidth percent 27
      queue-limit 18 packets
     class BULK-DATA
      bandwidth percent 4
      queue-limit 3 packets
     class SCAVENGER
      bandwidth percent 1
      queue-limit 1 packets
     class class-default
      bandwidth percent 25
      queue-limit 16 packets
    The Hub and the Spokes are configured with the proper NHRP Group, but when checking the QoS state, the Spokes appear to be in the right NHRP Group but the QoS service policy is not applied.
    Hub#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
            NHS Status: E --> Expecting Replies, R --> Responding
            UpDn Time --> Up or Down Time for a Tunnel
    ==========================================================================
    Interface Tunnel1 is up/up, Addr. is 192.168.205.1, VRF ""
       Tunnel Src./Dest. addr: 2.2.2.1/MGRE, Tunnel VRF ""
       Protocol/Transport: "multi-GRE/IP", Protect "Schmidt-Group"
       Interface State Control: Disabled
    Type:Hub, Total NBMA Peers (v4/v6): 1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- -----  -----------------
        1        1.1.1.1   192.168.205.2    UP 00:40:52    D   192.168.205.2/32
    NHRP group: voice
    Output QoS service-policy applied: none
    Crypto Session Details:
    --------------------------------------------------------------------------------
    Interface: Tunnel1
    Session: [0x8693F664]
      IKE SA: local 2.2.2.1/500 remote 1.1.1.1/500 Active
              Capabilities:D connid:2001 lifetime:23:19:07
      Crypto Session Status: UP-ACTIVE  fvrf: (none), Phase1_id: 1.1.1.1
      IPSEC FLOW: permit 47 host 2.2.2.1 host 1.1.1.1
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 574 drop 0 life (KB/Sec) 4487723/1147
            Outbound: #pkts enc'ed 560 drop 0 life (KB/Sec) 4487725/1147
            Outbound SPI : 0xABF33617, transform : esp-256-aes esp-sha-hmac
        Socket State: Open
    Pending DMVPN Sessions:
    Debugging QoS events results in the message:
    Oct 18 08:20:51.883: %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy voice mapped to NHRP group voice on interface Tunnel1, to tunnel 1.1.1.1 due to policy installation failure
    I'm grateful for any suggestions or hints!
    Kind regards
    Thomas

    I have the same problem. I found this info, it might be related to your problem. For me, I only have one spoke on my QoS/DMVPN Hub tunnel. However, I am running MPLS-VPN, multiple Hub tunnels connecting to multiple spokes, so the policy could see all spokes connected to my router, not just the hub tunnel.
    https://cisco-images.test.edgekey.net/en/US/docs/ios/ios_xe/3/release/notes/asr1k_rn_3s_rel_notes_book_pdf.pdf
    CSCts62082
    Symptoms: Router generates the following message:
    %NHRP-3-QOS_POLICY_APPLY_FAILED: Failed to apply QoS policy 10M-shape mapped to NHRP group xx on interface Tunnelxx, to tunnel x.x.x.x due to policy installation failure
    Conditions: This symptom is observed when "per-tunnel" QoS is applied and there are more than nine DMVPN spokes. (Up to eight spokes, with QoS applied is fine.)
    Workaround: There is no workaround.
