WRVS4400N & GRE
Hi guys.
I've got an issue that has me tearing what little hair I have left out.
In my WRVS4400N router I have enabled PPTP passthrough & configured a PPTP server on my Windows server. I then created a couple of ACLs in the router. First off at the very bottom I created one that denies all traffic coming from the WAN to the LAN. Above that I selected the preconfigured PPTP service and allowed that coming from the WAN to the LAN & to the IP of my PPTP server. I've then set up the port forwarding and tested that they are working perfectly fine.
If I try to connect from anywhere it won't connect and in the ACL logs I get a single entry that has allowed the incoming connection on port 1723 followed by approx 10 entries that say
"Jul 15 16:49:56 - [Access Log ] Deny GRE Packet - SOURCE IP --> MY PPTP SERVER IP"
If I turn around and disable the last ACL (Block All) it works perfectly. For the life of me I can't find in the ACL list, GRE. Am I missing something here? Is it called something else in the list? Is there a way for me to add it? I can only see how to add ports, not protocols.
Any help would very much be appreciated so thanks in advance.
Nobody got any ideas? This is driving me nuts trying to get this working.
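Why the log shows one allowed connection on port 1723 followed by GRE denies, as an added example that is not part of the original post or the router's firmware: PPTP carries its control channel on TCP 1723 and its data in GRE (IP protocol 47, which has no ports), so a first-match ACL holding only a port rule hands every GRE packet to Block All. The addresses, the rule names and the assumption that the preconfigured PPTP service matches only TCP 1723 are illustrative.

```python
"""First-match ACL model: a port-only PPTP rule passes the control channel
but leaves the GRE data channel to the final deny-all rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, GRE = 6, 47                      # IANA IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None       # GRE has no ports


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    proto: Optional[int] = None       # None = any protocol
    dport: Optional[int] = None       # None = any port / not applicable
    dst: str = "0.0.0.0/0"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return ip_address(pkt.dst) in ip_network(self.dst)


def evaluate(rules, pkt):
    """Return (action, rule name) of the first rule that matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit"


def trace(rules, packets):
    return [evaluate(rules, p) for p in packets]


# Constructed addresses (documentation / private ranges), not from the post.
CLIENT, SERVER = "203.0.113.25", "192.168.1.10"

# The rule set as described in the post. Assumption: the preconfigured
# "PPTP" service is a TCP 1723 rule only.
AS_POSTED = [
    Rule("PPTP", "allow", TCP, 1723, SERVER + "/32"),
    Rule("Block All", "deny"),
]

# Same rule set with a protocol-47 rule scoped to the PPTP server only.
FIXED = [
    Rule("PPTP", "allow", TCP, 1723, SERVER + "/32"),
    Rule("GRE to PPTP server", "allow", GRE, None, SERVER + "/32"),
    Rule("Block All", "deny"),
]

# One PPTP session: control connection first, then tunnelled data in GRE.
SESSION = [
    Packet(CLIENT, SERVER, TCP, 1723),
    Packet(CLIENT, SERVER, GRE),
    Packet(CLIENT, SERVER, GRE),
]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("with GRE rule", FIXED)):
        print(label)
        for pkt, (action, name) in zip(SESSION, trace(rules, SESSION)):
            kind = "GRE" if pkt.proto == GRE else f"TCP/{pkt.dport}"
            print(f"  {kind:9} {pkt.src} --> {pkt.dst}: {action} ({name})")
```

Whether the fix is expressible depends on the device: it needs an ACL entry that selects by IP protocol number rather than by port.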
Similar Messages
-
WRVS4400N - Logging and Email Alerts when I use a VPN client - Firmware bug?
Hi folks -
I've got a problem with my WRVS4400N that has been dogging me for a long time now, and I'm finally fed up with the email alerts.
My wife has a VPN client for her work, on her laptop. It is nothing fancy, normal IPSec VPN, details on it I can get if needed, but it's just VPN.
My WRVS4400N is running 1.1.03 firmware, latest on the site. I have all VPN pass-throughs enabled. VPN connectivity for the wife works great, no problems that I'm aware of for her functionally.
The problem is, that I have logging turned on with email alerts. When my wife uses her VPN connection, I get flooded with alerts from the router with all sorts of goobly goo information. It's almost like there is a bug in the router firmware that is parsing information incorrectly.
Log levels are set to 0,1,2,3. Email alerts enabled. DoS threshold is 50, Log Queue is 100, Log Time is 60. SMTP information for my mail server populated of course, and Local Log enabled.
Below is a sample of the email body that gets sent. My wife has been using her VPN connection for about 3 hours tonight, and already I've been flooded with over 1000 emails.
Here's some body content:
Does anyone have any ideas? This seems like a code bug to me, but how do I go about reporting to Linksys?
Of course, I can turn off email alerts, but then that defeats the purpose of the router being able to tell me when something is awry.
Any help would be appreciated!
Thanks,
Jesse T.
hay,
Nobody can test this?
nobody has a 5520?
-
VPN connection to WRVS4400N using a Samsung Galaxy tablet
I have a Samsung Galaxy 10.1 tablet and have been trying to connect to my WRVS4400N router with VPN through the "on board" software as well as with the Any Connect software from Cisco. I have no issues at the moment using Quick VPN from my laptop.
When using the Any Connect software I receive the following messages:
Security warning: untrusted certificate
AnyConnect cannot verify the identity of <IP address>. Would you like to continue anyway?
- Certificate does not match the server name.
- Certificate is from an untrusted source.
- Certificate is not identified for this purpose
[Accept] [Details] [Cancel]
If I select accept, the following error is received:
"Error: Connection attempt has failed due to server communication errors. Please retry the connection".
I have tried setting up the on board VPN with the Samsung Galaxy but every attempt has resulted in a time-out of the connection.
Any assistance would be greatly appreciated. Thanks.
Hi Blair,
The WRVS4400N only works with the QVPN software. The only small business router that at this current time works with the Cisco AnyConnect VPN is the SA500 series routers.
I hope this helps.....
Thanks,
Tori Woods
Cisco Support Engineer
CCNA, CCNA Wireless
-
Dynamic VPN/GRE can't ping other side of tunnel
I am new at this VPN stuff and trying to set up a GRE Dynamic IP VPN between my office and home. Here is what I have done thus far:
OFFICE
interface Tunnel0
ip address 172.30.1.1 255.255.255.252
no ip redirects
ip mtu 1400
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 1
interface FastEthernet0/0
ip address 40.197.68.9 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
HOME
interface Tunnel0
ip address 172.30.1.2 255.255.255.252
ip mtu 1400
ip nhrp map multicast 40.197.68.9
ip nhrp map 172.30.1.1 40.197.68.9
ip nhrp network-id 1
ip nhrp nhs 172.30.1.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel destination 40.197.68.9
tunnel key 1
interface GigabitEthernet0/0
description Router
ip address 192.168.30.1 255.255.255.252
duplex auto
speed auto
When I ping 172.30.1.1 from the HOME router, I get 0/5 success. Not good! I have not setup any IPSec yet.
Results for HOME router
show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding, W=Waiting
Tunnel0:
172.30.1.1 E priority = 0 cluster = 0 req-sent 53 req-failed 0 repl-recv 0
sh int t0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.30.1.2/30
MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.30.1 (GigabitEthernet0/0), destination 40.197.68.9
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key 0x1, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:40:28, output 00:00:25, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
106 packets output, 12612 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
sh ip route
Gateway of last resort is 192.168.30.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.30.2
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.110.0.0/24 is directly connected, GigabitEthernet0/1.110
L 10.110.0.1/32 is directly connected, GigabitEthernet0/1.110
C 10.115.0.0/24 is directly connected, GigabitEthernet0/1.115
L 10.115.0.1/32 is directly connected, GigabitEthernet0/1.115
172.16.0.0/30 is subnetted, 1 subnets
S 172.16.2.0 [1/0] via 192.168.30.6
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.1.0/30 is directly connected, Tunnel0
L 172.30.1.2/32 is directly connected, Tunnel0
S 192.168.2.0/24 is directly connected, GigabitEthernet0/0
S 192.168.10.0/24 is directly connected, GigabitEthernet0/0
192.168.30.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.30.0/30 is directly connected, GigabitEthernet0/0
L 192.168.30.1/32 is directly connected, GigabitEthernet0/0
C 192.168.30.4/30 is directly connected, GigabitEthernet0/1.30
L 192.168.30.5/32 is directly connected, GigabitEthernet0/1.30
S 192.168.50.0/24 [1/0] via 192.168.30.6
192.168.69.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.69.0/24 is directly connected, GigabitEthernet0/1.69
L 192.168.69.3/32 is directly connected, GigabitEthernet0/1.69
S 192.168.100.0/24 [1/0] via 192.168.30.6
S 192.168.125.0/24 [1/0] via 192.168.30.6
S 192.168.200.0/24 [1/0] via 192.168.30.6
sh dmvpn
Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
1 50.197.68.90 172.30.1.1 NHRP 02:30:17 S
Results for OFFICE router
show ip nhrp nhs detail
sh dmvpn
sh int t0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.30.1.1/30
MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 40.197.68.9 (FastEthernet0/0)
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with FastEthernet0/0
Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport multi-GRE/IP
Key 0x1, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1472 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 00:43:56, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
show ip route
S* 0.0.0.0/0 [1/0] via 40.197.68.94
40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 40.197.68.8/29 is directly connected, FastEthernet0/0
L 40.197.68.9/32 is directly connected, FastEthernet0/0
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.1.0/30 is directly connected, Tunnel0
L 172.30.1.1/32 is directly connected, Tunnel0
S 192.168.2.0/24 [1/0] via 192.168.10.5
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.1/32 is directly connected, FastEthernet0/1
S 192.168.69.0/24 is directly connected, FastEthernet0/0
Why can't I ping from the HOME router to the OFFICE router?
I figured this problem out. I needed to set up PKI/IKE and once that was done on both routers, my tunnel now passes some data.
-
hi, i have at my home a WRVS4400N. before i updated the firmware on my router i was able to establish a vpn with my friend. i did a reset to factory default as included in the firmware note. here is my current vpn config:
WRVS4400N (client of vpn)
local group setup
---gateway type: IP only
---IP: XXX XXX XXX XXX (yeah censored)
---local security group: subnet
---IP address: 192.168.3.1
---subnet mask 255.255.255.0
remote group setup
---gateway type: IP only
---IP address: XXX XXX XXX XXX (again censored)
---remote security type: subnet
---IP address: 192.168.2.0
---subnet mask: 255.255.255.0
IPsec setup
---keying mode: IKE with preshared key
Phase1
---Encryption: 3DES
---Authentication: SHA1
---Group: 768 bit
---key lifetime: 3600 Sec.
Phase2
---encryption: 3DES
---Authentication: SHA1
---Perfect forward secrecy: Disable
---Preshared key: (censored)
---group: 768-bit
---key lifetime: 3600 sec.
my friend BEFVP41 (host of vpn)
local security group:
---subnet IP: 192.168.2.0
---mask: 255.255.255.0
remote secure group:
---subnet IP: 192.168.3.1
---mask: 255.255.255.0
remote security gateway: Any
---encryption: 3DES
---Authentication: SHA
---key management: Auto.(IKE)
---PFS: Not selected
---pre-shared key (censored)
---key lifetime 3600 sec.
too bad the VPN log isn't verbose enough. i can't figure out why i can't establish a vpn link. thnx.
Message Edited by sebas on 02-08-2008 09:32 PM
any hint plz? also when is the next firmware release planned?
-
WRVS4400N DNS Options for Open DNS Using Static DNS
How can I get an IP address automatically from my ISP, but set a static DNS IP address for using Open DNS service? This can be done on many other routers including the Linksys home routers. Why doesn't it exist on WRVS4400N?
I was doing some research on this router and noticed that the RV series routers are the ones that had this feature; however, in the WRVS series this option does not exist. You can get an RV series router and use the WRVS as an access point in order to get your wireless signal.
-
Generic GRE not working (ver 4.1.3.55)
Hi everybody.
I'm testing in Lab a configuration for one customer.
It's a basic environment with :
DATA CENTER (wccp)
1 WAEs 7341 and 1 Cat6506 routers
BRANCH (inline)
1 WAE 574.
Optimization works with l2-redirect and gre return in DATA CENTER !!
It does not work with egress-method generic-gre inteception-method wccp.
This is the problem that i can see with " show wccp gre" on the 7341..
" Packets received on a disabled service: 667790".
I read some manuals but...
I don't understand .. The service 61 and 62 works !!
So any idea ?
Thanks a lot to everybody
Vittorio
Hi, and thanks for being interested.
That's the output you ask :
WAE-DC-01#sh egress-methods
Intercept method : WCCP
TCP Promiscuous 61 :
WCCP negotiated return method : WCCP GRE
                 Egress Method      Egress Method
Destination      Configured         Used
any              Generic GRE        Generic GRE
TCP Promiscuous 62 :
WCCP negotiated return method : WCCP GRE
                 Egress Method      Egress Method
Destination      Configured         Used
any              Generic GRE        Generic GRE
Intercept method : Generic L2
                 Egress Method      Egress Method
Destination      Configured         Used
any              not configurable   IP Forwarding
And here there is another useful :
WAE-DC-01#sh wccp gre
Transparent GRE packets received: 52082
Transparent non-GRE packets received: 0
Transparent non-GRE non-WCCP packets received: 0
Total packets accepted: 0
Invalid packets received: 0
Packets received with invalid service: 0
Packets received on a disabled service: 50118
Packets received too small: 1964
Packets dropped due to zero TTL: 0
Packets dropped due to bad buckets: 0
Packets dropped due to no redirect address: 0
Packets dropped due to loopback redirect: 0
Pass-through pkts dropped on assignment update:0
Connections bypassed due to load: 0
Packets sent back to router: 50118
GRE packets sent to router (not bypass): 0
Packets sent to another WAE: 0
GRE fragments redirected: 28770
GRE encapsulated fragments received: 0
Packets failed encapsulated reassembly: 0
Packets failed GRE encapsulation: 0
Packets dropped due to invalid fwd method: 0
Packets dropped due to insufficient memory: 0
Packets bypassed, no pending connection: 0
Packets due to clean wccp shutdown: 0
Packets bypassed due to bypass-list lookup: 0
Conditionally Accepted connections: 0
Conditionally Bypassed connections: 0
L2 Bypass packets destined for loopback: 0
Packets w/WCCP GRE received too small: 0
Packets dropped due to received on loopback: 0
Packets dropped due to IP access-list deny: 0
Packets fragmented for bypass: 28770
Packets fragmented for egress: 0
Packet pullups needed: 57543
Packets dropped due to no route found: 0
Any new idea ?
Thanks
Vittorio
-
Confused how to set-up a PC & laptop with Cisco WRVS4400N VPN for home use
Just bought a new PC and laptop and was recommended by (CDW) to use a Cisco WRVS4400N to set up the VPN.
For home use, only the PC and laptop, both running Windows 7. I use Comcast as my ISP.
The mountains of docs confuse me to no end; can anyone simplify this for me? I look at all the details and do not know where to start.
In short,
(1) configure router to recognize my PC and Comcast, and I guess the laptop.
(2) configure laptop to go wireless and communicate with PC.
Any assistance would be much appreciated.
Thanks,
Terry
For a very small office and a minimum of admin and tech know how, one approach i'd suggest is to not worry about user id collisions at all. any time anyone wants to use a mac you just set them up as a user, using consistent names/passwords.
Have a "Work" volume on each mac that has "ignore ownership on this volume" ticked. that way UID collisions aren't important.
You can make a Desktop folder on the Work volume and make a SYMBOLIC LINK from every user's home that replaces their desktop with the desktop folder on the Work volume.
Make it known that the user's home is for personal stuff ONLY, and the Work volume (inc the desktop) is where work in progress lives.
At a later date with some confidence in your network and your admin skills you could impose consistent UIDs using an OD master
-
HELP! How do I get wireless internet on both my Ipad and Desktop? Have Linksys Router WRVS4400N. Only 1 device will work at 1 time. Something about a Learn MAC address? What should I do? Thanks! Tiggergirl
Good morning
Hi Kathy, my name is Johnnatan and I am part of the Small business Support community.
If you have an old firmware it would be a good idea to go out to Cisco.com and see if there are any firmware updates. I have looked on the site for you and I see the latest firmware is: 2.0.2.1
http://www.cisco.com/cisco/software/release.html?mdfid=282414016&softwareid=282487380&release=2.0.1.3&rellifecycle=&relind=AVAILABLE&reltype=all
You can also try to reset your device to its factory settings. To reset your router, please take an object that has a point and hold the reset button in on the back for at least 30 seconds until the lights on the front start flashing.
About the MAC address, you can map a static IP to a specific MAC address. You can follow these steps in order to configure it.
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=4&app=search&vw=1&articleid=1272
Thanks,
I hope you find this answer useful. If it was satisfactory for you, please mark the question as Answered.
Greetings,
Johnnatan Rodriguez Miranda.
Cisco network support engineer.
-
How to tell if GRE traffic is encrypted or not?
Hi Everyone
Site A
Device A has VPN Tunnel to
Site B Device B over Wan link.
Note Here Device A and B are end device and connect to ISP and do the encryption
Site A Device X, which is an internal device, has a simple GRE tunnel to Site B's internal device.
My question is how can I find out whether this GRE tunnel gets encrypted at Device A or not?
Currently encryption is only at Device A and B
Thanks
Mahesh
Have you utilized some of the "show" and "debug" commands to verify that the IPSec security associations have been created and are in-place? Some of the "debug" commands can show traffic hitting the crypto map.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#ipsec_sa
What model routers are Device A and B? You may be able to use something like RITE to mirror the traffic exiting the interface to a sniffer for a definitive "Doubting Thomas" proof.
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html
Ed
-
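What a sniffer on the WAN side of Device A would let you decide, as an added example that is not part of the original thread: the outer IP protocol number tells GRE in the clear (47) from ESP (50) or ESP-in-UDP on port 4500, and a cleartext GRE packet still exposes the inner addresses. All packets and addresses below are constructed test data; ESP is reported as encrypted on the assumption that a non-null cipher is configured.

```python
"""Classify captured IPv4 packets: is the GRE tunnel visible in the clear
on the WAN side, or does only ESP leave the VPN endpoint?"""
import struct
from ipaddress import ip_address

GRE, ESP, AH, UDP = 47, 50, 51, 17    # IANA IP protocol numbers
NAT_T_PORT = 4500                     # ESP-in-UDP encapsulation (RFC 3948)


def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0; test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def gre(inner, key=None):
    """Wrap an IPv4 packet in a GRE header, optionally with a tunnel key."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, 0x0800)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def classify(pkt):
    """Return addresses, outer protocol and a verdict for one IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = pkt[9]
    first_fragment = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    info = {"src": str(ip_address(pkt[12:16])),
            "dst": str(ip_address(pkt[16:20])),
            "proto": proto, "verdict": "other"}
    body = pkt[ihl:]
    if proto == ESP:
        info["verdict"] = "encrypted"           # assumes a non-null ESP cipher
        if first_fragment and len(body) >= 4:
            info["spi"] = struct.unpack("!I", body[:4])[0]
    elif proto == AH:
        info["verdict"] = "authenticated-not-encrypted"
    elif proto == GRE:
        info["verdict"] = "cleartext-gre"
        if first_fragment and len(body) >= 4:
            flags, ptype = struct.unpack("!HH", body[:4])
            # optional checksum, key and sequence fields are 4 bytes each
            skip = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
            inner = body[skip:]
            if ptype == 0x0800 and len(inner) >= 20 and inner[0] >> 4 == 4:
                info["inner"] = classify(inner)  # inner header is readable
    elif proto == UDP and first_fragment and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if NAT_T_PORT in (sport, dport):
            if data[:4] == b"\x00\x00\x00\x00":
                info["verdict"] = "ike-control"  # non-ESP marker
            elif data == b"\xff":
                info["verdict"] = "nat-keepalive"
            else:
                info["verdict"] = "encrypted"    # ESP carried in UDP
    return info


def audit(wan_capture):
    """Packets in a WAN-side capture that still carry GRE in the clear."""
    return [c for c in map(classify, wan_capture) if c["verdict"] == "cleartext-gre"]


# Constructed sample traffic.
INNER = ipv4("192.168.10.5", "192.168.20.5", 1, b"\x08\x00" + bytes(6))
LAN_SIDE = ipv4("10.1.1.1", "10.2.2.2", GRE, gre(INNER, key=1))
ESP_BODY = struct.pack("!II", 0x1234ABCD, 1) + bytes(32)
WAN_ESP = ipv4("198.51.100.1", "203.0.113.1", ESP, ESP_BODY)
WAN_NATT = ipv4("198.51.100.1", "203.0.113.1", UDP,
                struct.pack("!HHHH", 4500, 4500, 8 + len(ESP_BODY), 0) + ESP_BODY)
WAN_LEAK = ipv4("198.51.100.1", "203.0.113.1", GRE, gre(INNER))

if __name__ == "__main__":
    for name in ("LAN_SIDE", "WAN_ESP", "WAN_NATT", "WAN_LEAK"):
        print(name, classify(globals()[name]))
```

If `audit()` over a capture taken after Device A returns anything, the GRE tunnel between the internal devices is leaving the site unencrypted.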
IPsec over GRE not coming up, can't see why, debug inc...
Hi all,
Rattling my brains here, as far as I can see everything is fine, it should be working, but for some reason it's not, and I can't see anything in the debug that's hinting to the reason why, can anyone help me out with this?
I'm normally good at this stuff, but this time it's got me!
the hub config works with many 3 other spokes configured in the same way!
Thanks for any help guys
SPOKE
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xx3
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec transform-set AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec profile GRE_TUNNEL
set transform-set AES-SHA
archive
log config
hidekeys
ip ssh version 2
interface Tunnel1
bandwidth 100000
ip address 192.168.100.103 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication xxxxxx
ip nhrp map 192.168.100.1 xxx.xxx.xxx.xx3
ip nhrp map multicast xxx.xxx.xxx.xx3
ip nhrp network-id 100
ip nhrp holdtime 450
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
qos pre-classify
tunnel source Vlan100
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile GRE_TUNNEL
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
dsl operating-mode auto
interface FastEthernet0
switchport access vlan 100
interface FastEthernet1
switchport access vlan 103
interface FastEthernet2
switchport access vlan 103
interface FastEthernet3
switchport access vlan 103
interface Vlan1
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
shutdown
interface Vlan100
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
interface Vlan103
ip address 192.168.103.254 255.255.255.0
ip nat inside
ip virtual-reassembly
router eigrp 100
network 192.168.100.0
network 192.168.103.0
auto-summary
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list OUTBOUND interface Vlan100 overload
ip access-list extended INBOUND
deny tcp any any eq 22
deny tcp any any eq telnet
permit ip any any
deny ip any any
ip access-list extended OUTBOUND
permit ip any any
deny ip any any
HUB
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp policy 15
encr 3des
authentication pre-share
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec security-association idle-time 7800
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set AES_MD5_TUNNEL esp-aes 256 esp-md5-hmac
crypto ipsec profile DataTunnels
set transform-set AES-SHA
interface Tunnel1
bandwidth 1000
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication xxxxxxxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 450
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
qos pre-classify
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DataTunnels
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
interface FastEthernet0
description INTERNAL LAN
switchport access vlan 201
interface FastEthernet1
switchport access vlan 201
interface FastEthernet2
switchport access vlan 201
interface Vlan201
ip address 192.168.201.254 255.255.255.252
ip nat inside
ip virtual-reassembly
interface Dialer1
ip address negotiated
ip access-group INBOUND in
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
load-interval 30
no cdp enable
router eigrp 100
network 192.168.100.0
network 192.168.201.0
redistribute static
router nhrp
router odr
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended INBOUND
permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host xxx.xxx.xxx.xx3 eq www
permit tcp any host xxx.xxx.xxx.xx3 eq 443
permit tcp any host xxx.xxx.xxx.xx3 eq smtp
permit udp any host xxx.xxx.xxx.xx3 eq isakmp
permit esp any host xxx.xxx.xxx.xx3
permit ahp any host xxx.xxx.xxx.xx3
permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
deny ip any any
permit ip any any
ip access-list extended OUTBOUND
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.201.0 0.0.0.255 any
deny ip any any
DEBUG
CWT-DATA#sh ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel1 created 1w5d, never expire
Type: static, Flags: used
NBMA address: xxx.xxx.xxx.xx3
CWT-DATA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xxx.xxx.xxx.xx3 192.168.1.7 MM_NO_STATE 2821 0 ACTIVE (deleted)
Jul 4 12:53:35.551: ISAKMP:(2822):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:53:45.553: ISAKMP:(2822): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:45.553: ISAKMP:(2822):peer does not do paranoid keepalives.
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP: Unlocking peer struct 0x835CCCE8 for isadb_mark_sa_deleted(), count 0
Jul 4 12:53:45.553: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.xx3: 835CCCE8
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node -32418685 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node 2092182627 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 4 12:53:45.553: ISAKMP:(2822):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Jul 4 12:53:45.585: ISAKMP:(0): SA request profile is (NULL)
Jul 4 12:53:45.585: ISAKMP: Created a peer struct for xxx.xxx.xxx.xx3, peer port 500
Jul 4 12:53:45.585: ISAKMP: New peer created peer = 0x835CCCE8 peer_handle = 0x800025C0
Jul 4 12:53:45.585: ISAKMP: Locking peer struct 0x835CCCE8, refcount 1 for isakmp_initiator
Jul 4 12:53:45.585: ISAKMP: local port 500, remote port 500
Jul 4 12:53:45.585: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:53:45.585: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8333DA70
Jul 4 12:53:45.585: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul 4 12:53:45.585: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jul 4 12:53:45.585: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul 4 12:53:45.585: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jul 4 12:53:45.589: ISAKMP:(0): beginning Main Mode exchange
Jul 4 12:53:45.589: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 4 12:53:45.589: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.653: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_NO_STATE
Jul 4 12:53:45.653: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.653: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jul 4 12:53:45.653: ISAKMP:(0): processing SA payload. message ID = 0
Jul 4 12:53:45.653: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.653: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.653: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.653: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.653: ISAKMP:(0): local preshared key found
Jul 4 12:53:45.653: ISAKMP : Scanning profiles for xauth ...
Jul 4 12:53:45.653: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul 4 12:53:45.653: ISAKMP: encryption AES-CBC
Jul 4 12:53:45.653: ISAKMP: keylength of 256
Jul 4 12:53:45.653: ISAKMP: hash SHA
Jul 4 12:53:45.653: ISAKMP: default group 5
Jul 4 12:53:45.653: ISAKMP: auth pre-share
Jul 4 12:53:45.653: ISAKMP: life type in seconds
Jul 4 12:53:45.653: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 4 12:53:45.657: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 4 12:53:45.657: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 4 12:53:45.657: ISAKMP:(0)::Started lifetime timer: 86400.
Jul 4 12:53:45.657: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.657: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.657: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.657: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.657: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jul 4 12:53:45.657: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jul 4 12:53:45.657: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.661: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.661: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jul 4 12:53:45.813: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 4 12:53:45.817: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.817: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 4 12:53:45.817: ISAKMP:(0): processing KE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is Unity
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is DPD
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): speaking to another IOS box!
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP (0:2823): NAT found, the node inside NAT
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.993: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jul 4 12:53:45.993: ISAKMP:(2823):Send initial contact
Jul 4 12:53:45.993: ISAKMP:(2823):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 4 12:53:45.993: ISAKMP (0:2823): ID payload
next-payload : 8
type : 1
address : 192.168.1.7
protocol : 17
port : 0
length : 12
Jul 4 12:53:45.993: ISAKMP:(2823):Total payload length: 12
Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:53:45.997: ISAKMP:(2823):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.997: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.997: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM5
CWT-DATA#
Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:53:55.794: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:53:55.794: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:53:56.294: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:53:56.294: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:05.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:05.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:05.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:06.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:06.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:06.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:15.797: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:15.797: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:16.297: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:16.297: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:19.537: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:54:19.537: ISAKMP:(2823):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote xxx.xxx.xxx.xx3)
Jul 4 12:54:19.537: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 4 12:54:19.537: ISAKMP: Error while processing KMI message 0, error 2.
CWT-DATA#
Jul 4 12:54:25.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:25.798: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:25.798: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:26.298: ISAKMP (0:2823): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:26.298: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:26.298: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:35.555: ISAKMP:(2822):purging node -32418685
Jul 4 12:54:35.555: ISAKMP:(2822):purging node 2092182627
Jul 4 12:54:35.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:35.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:36.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:36.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:36.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#no debug all
All possible debugging has been turned off
Here's the hub debug
CWCH#
*Jul 5 11:58:16.208: ISAKMP: set new node 1382820308 to QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116):Sending an IKE IPv4 Packet.
*Jul 5 11:58:16.208: ISAKMP:(2116):purging node 1382820308
*Jul 5 11:58:16.208: ISAKMP:(2116):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jul 5 11:58:16.208: ISAKMP:(2116):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP: set new node -146383553 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120): processing HASH payload. message ID = -146383553
*Jul 5 12:02:47.504: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -146383553, sa = 0x854A7094
*Jul 5 12:02:47.504: ISAKMP:(2120):deleting node -146383553 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP: set new node -1398198787 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120): seq. no 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:47.504: ISAKMP:(2120):purging node -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:52.516: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP: set new node -459292560 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120): processing HASH payload. message ID = -459292560
*Jul 5 12:02:52.516: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -459292560, sa = 0x854A7094
*Jul 5 12:02:52.516: ISAKMP:(2120):deleting node -459292560 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:52.516: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:52.516: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:52.516: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP: set new node -1245354522 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1245354522
*Jul 5 12:02:52.516: ISAKMP:(2120): seq. no 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:52.516: ISAKMP:(2120):purging node -1245354522
*Jul 5 12:02:52.520: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:52.520: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:55.636: ISAKMP:(2119):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:55.636: ISAKMP:(2119):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:55.656: ISAKMP:(2119):purging node 926310294
CWCH#
*Jul 5 12:02:58.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:58.000: ISAKMP: set new node -1957053939 to QM_IDLE
*Jul 5 12:02:58.000: ISAKMP:(2120): processing HASH payload. message ID = -1957053939
*Jul 5 12:02:58.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1957053939, sa = 0x854A7094
*Jul 5 12:02:58.000: ISAKMP:(2120):deleting node -1957053939 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:58.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:58.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:58.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3E
*Jul 5 12:02:58.000: ISAKMP: set new node -1198504167 to QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120): seq. no 0x63A1AE3E
*Jul 5 12:02:58.004: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:58.004: ISAKMP:(2120):purging node -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:58.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:03.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP: set new node 599666073 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120): processing HASH payload. message ID = 599666073
*Jul 5 12:03:03.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 599666073, sa = 0x854A7094
*Jul 5 12:03:03.000: ISAKMP:(2120):deleting node 599666073 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:03.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:03.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:03.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP: set new node 1035716483 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = 1035716483
*Jul 5 12:03:03.000: ISAKMP:(2120): seq. no 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:03:03.004: ISAKMP:(2120):purging node 1035716483
*Jul 5 12:03:03.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:03.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:08.008: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:08.008: ISAKMP: set new node 230166927 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120): processing HASH payload. message ID = 230166927
*Jul 5 12:03:08.008: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 230166927, sa = 0x854A7094
*Jul 5 12:03:08.008: ISAKMP:(2120):deleting node 230166927 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:08.008: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:08.008: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:08.008: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE40
*Jul 5 12:03:08.008: ISAKMP: set new node -1886395474 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1886395474
*Jul 5 12:03:08.008: ISAKMP:(2120): seq. no 0x63A1AE40
*Jul 5 12:03:08.012: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:08.012: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no
*Jul 5 12:03:08.012: ISAKMP:(2120):purging node -1886395474
*Jul 5 12:03:08.012: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:08.012: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP: set new node 841395293 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120): processing HASH payload. message ID = 841395293
*Jul 5 12:03:13.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 841395293, sa = 0x854A7094
*Jul 5 12:03:13.000: ISAKMP:(2120):deleting node 841395293 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:13.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:13.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP: set new node -820358795 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -820358795
*Jul 5 12:03:13.000: ISAKMP:(2120): seq. no 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no debug all
All possible debugging has been turned off
CWCH#
*Jul 5 12:03:13.004: ISAKMP:(2120):purging node -820358795
*Jul 5 12:03:13.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:13.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
-
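In the spoke debug above, SA 2823 moves to UDP 4500 after NAT is detected, while every packet from the peer still arrives on UDP 500 as a duplicate until the retransmit counter runs out. The added example below (not part of the original post; function names are illustrative) folds such debug lines into one record per SA and flags that pattern, which is the one to look for when UDP 4500 is filtered or not forwarded between the peers.

```python
import re
from collections import defaultdict

# Subset of the spoke (CWT-DATA) and hub (CWCH) debug lines, copied from the post.
SPOKE = """\
Jul 4 12:53:45.993: ISAKMP (0:2823): NAT found, the node inside NAT
Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:53:45.997: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:53:55.794: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:36.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
""".splitlines()
HUB = """\
*Jul 5 12:02:47.504: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
""".splitlines()

# IOS prints the SA id as "ISAKMP:(2823)", "ISAKMP (0:2823)" or "ISAKMP (2120)".
SA_RE = re.compile(r"ISAKMP\s*:?\s*\((?:\d+:)?(\d+)\)")
SEND_RE = re.compile(r"sending packet to \S+ my_port (\d+) peer_port (\d+)")
RECV_RE = re.compile(r"received packet from \S+ dport (\d+) sport (\d+)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")


def new_record():
    return {"nat_detected": False, "floated": False, "dports_after_float": set(),
            "duplicates": 0, "retries": 0, "retry_limit": None, "state": None}


def summarize(lines):
    """Fold 'debug crypto isakmp' lines into one record per SA id."""
    sas = defaultdict(new_record)
    for line in lines:
        m = SA_RE.search(line)
        if not m:
            continue  # e.g. "ISAKMP: set new node ..." carries no SA id
        sa = sas[int(m.group(1))]
        if "NAT found" in line:
            sa["nat_detected"] = True
        send = SEND_RE.search(line)
        if send and int(send.group(1)) == 4500:
            sa["floated"] = True  # local side now sources IKE from UDP 4500
        recv = RECV_RE.search(line)
        if recv and sa["floated"]:
            sa["dports_after_float"].add(int(recv.group(1)))
        if "duplicate of a previous packet" in line:
            sa["duplicates"] += 1
        retry = RETRY_RE.search(line)
        if retry:
            sa["retries"] = max(sa["retries"], int(retry.group(1)))
            sa["retry_limit"] = int(retry.group(2))
        state = STATE_RE.search(line)
        if state:
            sa["state"] = state.group(2)
    return dict(sas)


def float_stalled(sa):
    """True when we moved to UDP 4500 but the peer only ever answered on another
    port with duplicates, i.e. our 4500 traffic is not being answered."""
    return (sa["floated"] and sa["duplicates"] > 0
            and bool(sa["dports_after_float"])
            and 4500 not in sa["dports_after_float"])


def stalled_sas(sas):
    return sorted(sa_id for sa_id, sa in sas.items() if float_stalled(sa))


def report(lines):
    out = []
    for sa_id, sa in sorted(summarize(lines).items()):
        verdict = "NAT-T float stalled" if float_stalled(sa) else "ok"
        out.append("SA %d: state=%s retries=%s/%s duplicates=%d -> %s" % (
            sa_id, sa["state"], sa["retries"], sa["retry_limit"],
            sa["duplicates"], verdict))
    return out


if __name__ == "__main__":
    print("\n".join(report(SPOKE + HUB)))
```
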
WRVS4400N firmware upgrade to 1.01.03, VPN no longer works
I recently upgraded to firmware version 1.01.03 for my WRVS4400N. I have been having several problems with IPSec tunnels on the previous firmware and was hoping this release would resolve those issues. To my surprise this firmware version seems to be much much worse. Now I cannot even connect my point-to-point ipsec tunnels at all. I'm using the exact same configuration I was using before (yes I restored from factory and recreated). Anybody else have this problem with this new firmware? I've about had it with Linksys and their horrible VPN solutions. Any help would be appreciated.
Router 1: WRVS4400N
Router 2: WRV200
VPN Solution: IPSec
Thanks
We experienced the exact same problem with two of our new WRVS4400N's. We foolishly upgraded the firmware before realizing that the documentation for this significant release had not been upgraded. In the software business if the documentation isn't done the software should never be released. Not only does it frustrate the customers but it also stresses the support organization. Had we read the release notes we would have realized we should have 1.) backed up the settings (which would allow us to downgrade the firmware if we didn't like it - which is where we are now), 2.) reset the router to factory settings 3.) rebuilt the settings from scratch. Once we finally got help from India to do this we were ok - though the VPN tunnel does go down at least once or twice a day. More frustrating though is our constant inability throughout the day to access websites (no problem pinging websites). Only way to resolve this is to reboot the router - again several times a day. We are now committed to downgrading back to the original firmware.
-
GRE tunnel could not be used by the hosts connected to the router
Hi,
I am using cisco ASR1013 (RP2) and a Mikrotik Router for setting up a GRE tunnel for LAN to LAN routing over a broadband link. The tunnel works fine (able to ping tunnel end points and also all the connected interfaces on both the Mikrotik and Cisco ASR) but the hosts that are connected directly to the Cisco router interface over a layer 2 cisco switch are unable to connect (ping) the hosts or connected interfaces on the mikrotik side. I am sure it's not a mikrotik issue as I don't see any traffic coming through the tunnel using the mikrotik torch utility. There are no ACLs or firewall rules on any of the devices......
Source and destination of the tunnel are public IPs and are pingable via internet (The tunnel is connected and endpoints are pingable)
Mikrotik connected interface IP = 192.168.253.1/24
Mikrotik tunnel end point IP = 192.168.254.1/30
Cisco tunnel end point IP = 192.168.254.2/30
Connected cisco subnet to reach Mikrotik = M.N.O.32/28
Cisco interface IP for LAN = M.N.O.33
Test host IP on the LAN subnet = M.N.O.34
The below is my Cisco config
ASR-1#sh run int tun 1
Building configuration...
Current configuration : 144 bytes
interface Tunnel1
ip address 192.168.254.2 255.255.255.252
ip mtu 1400
tunnel source A.B.C.D
tunnel destination W.X.Y.Z
end
ASR-1#sh run int g0/1/7
Building configuration...
Current configuration : 280 bytes
interface GigabitEthernet0/1/7
description LAN
ip address M.N.O.33 255.255.255.240
ip verify unicast source reachable-via rx
no negotiation auto
cdp enable
end
ASR-1#sh ip ro 192.168.253.1
Routing entry for 192.168.253.0/24
Known via "static", distance 1, metric 0 (connected)
Routing Descriptor Blocks:
* directly connected, via Tunnel1
Route metric is 0, traffic share count is 1
ASR-1#ping 192.168.253.1 so M.N.O.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.253.1, timeout is 2 seconds:
Packet sent with a source address of M.N.O.33
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
ASR-1#pi M.N.O.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to M.N.O.34, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
If I try to ping 192.168.253.1 (network connected to Mikrotik) from the host M.N.O.34 (the gateway of this host is M.N.O.33 - Int g0/1/7 of the Cisco ASR), I cannot reach destination - request timed out.... Below are the results of trace and ping from the host connected to ASR G1/0/7
PING TO THE GATEWAY *********
[root@localhost ~]# ping M.N.O.33
PING M.N.O.33 (M.N.O.33) 56(84) bytes of data.
64 bytes from M.N.O.33: icmp_seq=1 ttl=255 time=0.161 ms
64 bytes from M.N.O.33: icmp_seq=2 ttl=255 time=0.143 ms
^C
--- M.N.O.33 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1357ms
rtt min/avg/max/mdev = 0.143/0.152/0.161/0.009 ms
PING TO THE TUNNEL END POINT IN CISCO ASR
[root@localhost ~]# ping 192.168.254.2
PING 192.168.254.2 (192.168.254.2) 56(84) bytes of data.
64 bytes from 192.168.254.2: icmp_seq=1 ttl=255 time=0.141 ms
64 bytes from 192.168.254.2: icmp_seq=2 ttl=255 time=0.141 ms
^C
--- 192.168.254.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1739ms
rtt min/avg/max/mdev = 0.141/0.141/0.141/0.000 ms
PING TO THE TUNNEL ENDPOINT IN MIKROTIK
[root@localhost ~]# ping 192.168.254.1
PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
^C
--- 192.168.254.1 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10413ms
PING TO THE CONNECTED INTERFACE ON MIKROTIK
[root@localhost ~]# ping 192.168.253.1
PING 192.168.253.1 (192.168.253.1) 56(84) bytes of data.
^C
--- 192.168.253.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3641ms
TRACE TO THE CONNECTED INTERFACE ON MIKROTIK
[root@localhost ~]# traceroute 192.168.253.1
traceroute to 192.168.253.1 (192.168.253.1), 30 hops max, 60 byte packets
1 M.N.O.33 (M.N.O.33) 0.180 ms 0.156 ms 0.145 ms
2 * * *
3 * * *
4 * * *
5 * * *
Please help
Hi,
Sorry for the delayed response ....Both ends static routes are added for the connected test interfaces.....
Regards,
Mahesh
-
WRVS4400N - ssid vlans are not working
I've been searching high and low and although I've found many results of people having this same exact problem there doesn't seem to be a fix, or at least no one was kind enough to post one.
Background:
I have many vlans but the 3 in question are 10, 20, 30.
10 is for my laptops and desktops with an ip range of 192.168.10.10 - 192.168.10.50.
20 is my home automation network with a range of 192.168.20.20 - 192.168.20.150
30 is my guest network with a range of 192.168.30.84 - 192.168.30.89
I have a dell powerconnect configured with vlans as my core switch. I trunked a port on the switch assigning 3 vlans (10,20,30) and connected it to port 1 on the wrvs4400N. On the wrvs4400 I trunked port 1 tagging vlan 10,20,30. For some reason vlan 1 is untagged on port 1 and I don't know why.
I also have a router connected to the powerconnect. Of the 3 vlans I mentioned vlan 10 and vlan 30 are the only ones with interfaces on the router. Vlan 20 is an internal network with a separate router and until I figure this out that router is physically turned off. Also the router currently turned on has no routes configured to connect my vlans. Currently there is no configured way to jump vlans.
I created 4 ssid on the wrvs4400N. Private, home, guest, and wrvs.
private - is assigned to vlan 10
home - is assigned to vlan 20
guest - is assigned to vlan 30
wrvs - is assigned to vlan 1 - this is temporary until I can get this working. I want it so the only way to manage the wireless is to walk over to it and physically plug in.
There are a couple DHCP servers.
Vlan 10 has a windows server 2008 r2 dhcp server.
vlan 20 uses its powered off router for dhcp
vlan 30 uses the main router connected to the power connect
vlan 1 on the powerconnect uses the main router - this dhcp scope is only used until I'm done with my rebuild since I don't plan on actually using vlan 1 - the scope is 192.168.2.0
dhcp is turned off on the wrvs4400.
on the wrvs4400 I made sure to turn off inter vlan routing, and I enable ssid isolation.
The problem:
No matter what ssid I connect to I get a dhcp response from vlan 10. All my tests indicate that I'm actually on vlan 10. I get internet and I can hit all devices on vlan 10. If I connect to ssid guest and change my ip address to match vlan 30 I can not ping the gateway for vlan 30 and I have no internet access. Sometimes I get something different. Sometimes I get an ip address from vlan 1 on the powerconnect. If I renew my ip address then I'll grab one from vlan 10 but I should be getting one from 30 or none at all for vlan 20. The absolute crazy part is my droid sometimes gets a 192.168.4.x ip address. I don't have a 192.168.4.x network or dhcp scope anywhere on my network! If I physically plug into a port on the power connect I get to the correct network 10 out of 10 times. If I configure vlans on the other 3 ports on the wrvs4400 and physically plug in, I get to the correct network 10 out of 10 times. Over the wireless all hell breaks loose.
I've reset to factory a few times and I've been all inside and out of the wrvs4400. I have no clue what could be wrong with this thing. Please help!!!
More info is available upon request.
Thanks.
Kerwin,
There is a bug with these units- you will need a different unit for your current configuration to work properly. Since you're utilizing other DHCP server in your topology; this isn't the best unit for you. Please call into support center @ 1-866-606-1866 for further requests.
Thanks,
Jasbryan
-
IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways
Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details). Time for some advice. My usual trade is controls engineering which generally requires only basic knowledge of networking principles. However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system. I decided to use cellular technology to connect these remote sites back to the main SCADA system. Well the infrastructure is now in and it’s time to get these things talking.
Basic topology description is as follows: Each remote site has an Airlink LS300 gateway. Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system. The Airlinks are provisioned by Verizon utilizing a private network with static IPs. This private network's address is 192.168.1.0/24. Back at the central office the SCADA computer is sitting behind a Cisco 2911. The LAN address of the central office is 192.168.11.0/24. The 2911 is utilizing GRE tunnels that terminate with Verizon. The original turn up was done with another contractor that did a basic config of the router which you will find below.
As it stands now I am pretty confident the tunnels are up and working (if I change a local computer's subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks. I think I understand just about every part of the config below and think it is just missing a few items to be complete. I would greatly appreciate anyone’s help in getting this set up correctly. I also have a few questions about the set up that still don’t make sense to me, you will find them below the config. Thanks in advance.
no aaa new-model
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 one-time secret
redundancy
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key AbCdEf01294 address 99.101.15.99
crypto isakmp key AbCdEf01294 address 99.100.14.88
crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac
mode transport
crypto map VZW_VPNTUNNEL 1 ipsec-isakmp
description Verizon Wireless Tunnel
set peer 99.101.15.99
set peer 99.100.14.88
set transform-set VZW_TSET
match address VZW_VPN
interface Tunnel1
description GRE Tunnel to Verizon Wireless
ip address 172.16.200.2 255.255.255.252
tunnel source 22.20.19.18
tunnel destination 99.101.15.99
interface Tunnel2
description GRE Tunnel 2 to Verizon Wireless
ip address 172.16.200.6 255.255.255.252
tunnel source 22.20.19.18
tunnel destination 99.100.14.88
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
shutdown
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.11.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/2
ip address 22.20.19.18 255.255.255.0
duplex full
speed 100
crypto map VZW_VPNTUNNEL
router bgp 65505
bgp log-neighbor-changes
network 0.0.0.0
network 192.168.11.0
neighbor 172.16.200.1 remote-as 6167
neighbor 172.16.200.5 remote-as 6167
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 22.20.19.19
ip access-list extended VZW_VPN
permit gre host 99.101.15.99 host 22.20.19.18
permit icmp host 99.101.15.99 host 22.20.19.18
permit esp host 99.101.15.99 host 22.20.19.18
permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
permit gre host 22.20.19.18 host 99.101.15.99
permit gre host 22.20.19.18 host 99.100.14.88
access-list 23 permit 10.10.10.0 0.0.0.7
control-plane
end
So after spending countless hours analyzing every portion of this, I think that adding one line to this will get it going (or at least closer).
ip route 192.168.1.0 255.255.0.0 22.20.19.19
That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
Now for a couple of questions for those that are still actually hanging around.
#1 what is the purpose of the Ethernet address assigned to each tunnel? I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?). Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
#2 is the config above correct in pointing the default route to the physical Ethernet address? Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)? If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
#3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP. Or is TCP implicit in some way with the GRE permit?
I actually have a lot more questions, but I will keep reading for now.
I really appreciate the time you all took to trudge through this. Also please feel free to point anything else out that I may have missed or that can be improved. Have a great day!
This post is a duplicate of this thread
https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
which has a response. I suggest that all discussion of this question be done through the other thread.
HTH
Rick
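Question #3 above turns on how an extended ACL matches the IP protocol field. The following is an added example, not part of the original thread or of Cisco's software: a small Python model of first-match evaluation over the VZW_VPN entries as posted, run against constructed sample packets. It assumes only the `host` / `eq` entry form used on this page and says nothing about where the ACL is applied.

```python
# IANA IP protocol numbers and the one port keyword the posted ACL uses.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORTS = {"isakmp": 500}

# Entries copied from the VZW_VPN access list in the post.
ACL_VZW_VPN = """\
permit gre host 99.101.15.99 host 22.20.19.18
permit icmp host 99.101.15.99 host 22.20.19.18
permit esp host 99.101.15.99 host 22.20.19.18
permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
permit gre host 22.20.19.18 host 99.101.15.99
permit gre host 22.20.19.18 host 99.100.14.88
"""

def parse_entry(line):
    """Parse 'ACTION PROTO host SRC host DST [eq PORT]' (assumed form)."""
    t = line.split()
    if len(t) not in (6, 8) or t[2] != "host" or t[4] != "host":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    dport = None
    if len(t) == 8:
        if t[6] != "eq":
            raise ValueError(f"unsupported port operator: {line!r}")
        dport = PORTS[t[7]] if t[7] in PORTS else int(t[7])
    return t[0], PROTO[t[1]], t[3], t[5], dport

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return (action, entry number) of the first match, or the implicit deny."""
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        action, e_proto, e_src, e_dst, e_dport = parse_entry(line)
        if (e_proto, e_src, e_dst) != (PROTO[proto], src, dst):
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return action, n
    return "deny", None  # every IOS ACL ends with an implicit deny

# Constructed sample packets: (protocol, source, destination, destination port).
SAMPLES = [
    ("gre", "99.101.15.99", "22.20.19.18", None),  # GRE from the first peer
    ("udp", "99.101.15.99", "22.20.19.18", 500),   # ISAKMP
    ("tcp", "99.101.15.99", "22.20.19.18", 502),   # bare Modbus/TCP, not in GRE
    ("gre", "22.20.19.18", "99.100.14.88", None),  # GRE to the second peer
    ("gre", "99.100.14.88", "22.20.19.18", None),  # GRE back from the second peer
]

if __name__ == "__main__":
    for proto, src, dst, dport in SAMPLES:
        print(proto, src, "->", dst, dport, evaluate(ACL_VZW_VPN, proto, src, dst, dport))
```

A `permit gre` entry matches only IP protocol 47, so the bare TCP/502 packet and the GRE packet from 99.100.14.88 both fall through to the implicit deny. Traffic encapsulated in GRE carries protocol 47 in its outer IP header, whatever it carries inside.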