Cisco :: GRE Over IPSEC Loss In IOS 15.x / ISR X9xx Routers
Sep 23, 2011
We have about 200 sites connected to us via GRE tunnels over IPSEC over MPLS for primary connectivity, and GRE over IPSEC over the Internet for backup, and EIGRP routing handling the failover.
Most of them are 2811HSEC/K9's, and they're working great. We've recently discovered issues with a couple of clients. They run fine over their primary GRE over IPSEC connection, but when they failover to backup we're losing certain packets (details will follow).
What we found is that they're all on either 1941's or 2911's, and are running 15.0Mx IOS with advanced IP services. The rest of our clients are on 12.4T train, and none of them have any problems. We suspect it is an issue with the 15.x IOS.
Specifically, we're seeing two packets consistently lost. The first is a TCP 'SYN-ACK' from a telnet server, and the second is a UDP SIP REGISTER OK message. Both packets are quite small (well under 500 bytes), so I don't suspect an MTU issue. Packet captures both show that they're being encrypted and sent by the head-end, but are lost before they reach the decrypted tunnel interface. So either they're being lost in the path across the Internet, or the decryption is failing.
We see larger packets get through just fine, and other connections work great. We've opened a ticket with TAC.
Since these routers can't be downgraded to 12.4, our current plans are to ship a 2811HSEC bundle with an identical configuration to these clients to see if we can verify that it's a 15.0 issue, but I'm curious if anybody's seen anything similar, or if somebody who's more familiar than I am with bug tracker can find anything.
I have a Cisco WRVS4400N Gigabit Router. I recently upgraded my Internet service to 50MB download speed. When I connect directly to the cable modem and run a speed test, using speedtest.net, I get 59MB download speed consistently. When I connect the modem to the router and plug into one of the 4 ports the speed is cut in less than half. The max speed is cut to between 23-24 MB download speeds. I have tried this via wireless as well with the same result.
I am having issues where different laptops are dropping packets when communicating to the WAP on the RV220W. I have placed 3 laptops directly next to the router so there is no chance for walls to interfere. From each machine 1 at a time I perform a continuous ping. Here is a quick output from one of them:
Reply from 192.168.0.1: bytes=32 time=3ms TTL=64 Reply from 192.168.0.1: bytes=32 time=1ms TTL=64 Reply from 192.168.0.1: bytes=32 time=3ms TTL=64
After upgrading an RV042 from 1.3.12.19 to 1.3.13.02, it loses connectivity after several hours. RV042 WAN1 is connected to cable modem (WAN2/DMZ is unused), configured to obtain IP Address.
Cold booting all devices, RV042, AP & Cable modem, re-established connectivity. Only to lose connectivity again several hours later.
Reset RV042 to factory default via reset switch and cleared log. Minimal configuration applied (domain name, hostname, ntp, WAN1 bw=8000).
Checked early this morning and no connectivity. Summary screen showed the same IP on WAN1 port. All appeared normal. Clicked renew, and connectivity was re-established. Same IP as before.
The RV042, when running 1.3.12.19, would run for many months without a hiccup.
This is the log entry when I clicked 'renew':
Aug 18 04:12:40 2011 System Log DHCP lease info: ip[68.202.x.x] mask[255.255.240.0] gw[68.202.x.x]
[Code].....
Clicking 'renew' did re-establish connectivity, but I'm not sure if it's a dhcp issue or not. If I read the log entry correctly, the router has the IP lease for an hour, which means it renews several times successfully. Connectivity is down in the morning after several hours go by without use. I'm not sure if that has anything to do with it. Again, nothing changed but the code and the RV042 ran without problems for months with the 1.3.12.19 code.
I have a DB750N Router (Model F9K1103V1) that upon initial set-up was able to see both the 2.4 GHz and 5 GHz bands. I then added a Range Extender (Model F9K1106v1 and was able to see both bands for a short period. Both the Router and the Extender have the latest firmware upgrades installed. I can no longer see the 5GHz band and have been unsuccessful at attempts to get it to appear on devices connected to my wireless network.
Recent incountered an issue with our elastix pbx and packet loss. Noticed this morning that when I turn on the firewall on our RV082, packet loss begins around the level 3 servers I see in my traceroute, and then slow spread out to all hops. When I turn the firewall back off, all hops have no packet loss or less than 1%. The weird part is, previously, I had the firewall enabled, and never had this issue.
Our clients claims the problem of loss startup configuration with power outage especially with 877 series , all the router are configured to store configuration in NVRAM ( confreg = 0x2101),
I have a RV220W with the latest firmware (1.0.2.4) and I loose about one in every 20-40 packets.
I have tried with both wireless/wired, on different ports, laptops, and Ethernet cables.
My configuration is fairly simple:
1.) I reconfigured the default subnet
2.) I setup a WAP on the same vlan (VLAN1)
3.) I setup a WAP on Vlan2 for guests
Other than that, settings are out of box (save a hostname/etc).
just purchased it, and am thinking I'll have to phone Cisco for RMA.... There is a similar thread where people noticed this on wireless (not sure if they tried wired as I have). RV220W Packet Loss over wireless
Lately I encountered random Internet connection issues?My router is a Netgear Wireless ADSL Firewall Modem Router DG834 (Firmware V1.05.0) and my ISP, isn't the most reliable regarding bandwidth... All clients (max 3 at the same time) connect wireless.The problem is that the last few weeks my connections is very unstable, all clients lose the internet connection until you restart the router manually.I can't even connect to the webinterface (192.168.0.1), during the downtimes.
Is it possible to have a site-to-site IPSEC tunnel between 2 identical RV110W routers?I basically want one of them to initiate a secure tunnel with the second so that computers from one router subnet see the computers from the other router subnet.
the RV110W IPSEC site-to-site tunnel, are there necessary 2 x public IPs for it to work, or only 1 public IP is enough? [code]If it works with 1 public ip, the "CLIENT" RV110W configuration should be straightforward (in Advanced VPN SetupRemote Endpoint i fill in the dyndns address?), but how do i setup "HOST" RV110W?
I've got a network of SRP547Ws connected with site to site IPSec VPNs. But I can't get to the administrator loging page of the remote SRP547s over the VPN. Is there a setting or method I need to use ?
I have looked at the remote administration settings but this appears to be for adminsitration over the WAN interface rather the the IPSec VPN
Any news on a new firmware for the RV180? I have the most recent version but it still has lots of bugs. IPSec needs polishing. In addition the Logging functions don't work well. I can't send to a syslog and when I try to email the logs I get a email saying there is no data even though several pages of enteries are visible in the web GUI. I've checked the profiles and they are correct. I even tried using just the 'default' profile but no luck.
We have Cisco SA520 and we want to use VPN to access the office servers from home. We have been able to configure the VPN server on the SA520 however the connection is very unstable.We use OS X 10.7 lion built-in Cisco compatible VPN clients and this is a typical output of ping from 3G mobile network to a server inside the office network. It works the same way also if I am trying to access from my home ADSL connection so the problem is not the instability of the 3G connection.
Some sample traffic sequeezed:
PING ns.svm (192.168.60.27): 56 data bytes 64 bytes from 192.168.60.27: icmp_seq=0 ttl=63 time=98.022 ms 64 bytes from 192.168.60.27: icmp_seq=1 ttl=63 time=76.934 ms 64 bytes from 192.168.60.27: icmp_seq=2 ttl=63 time=278.201 ms
I have a problem to configure a IPSEC VPN on the SA520W ( 1.0.39) with Cisco VPN Client (5.0.05.290). In the logs are following error:
ERROR: Could not find configuration for x.x.x.xERROR: Could not find configuration for x.x.x.xERROR: Could not find configuration for x.x.x.xERROR: Could not find configuration for x.x.x.x
Recently we have purchased a few SRP541W for our small branch office VPN sites. While working with the config I have discoved that when trying to create a IPSec VPN policy, I am limited to only one "remote network" entry. This is typically not how VPN tunnels are bulit. We generally put the following remote networks in the tunnel. How do I open a BUG ticket with Cisco and ask that they change the code?
We have about 9 1900 routers and 1 ASA 5510 for partail mesh VPN network. So 8 1900 connect to 1 1900 and ASA located in HQ and datacenter. All worked well however there is one site running really strange. The tunnel between 1900 is up for a while and down. Reboot router seems to be the only fix. But tunnel to ASA does not seem to be down at all.
The issue happened again today, we rebooted the router on site but tunnel still not up. DEBUG shows: deleting SA reason "Death by retransmission P1 "
I can see alot of Apr 24 19:57:55.271: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
To me it seems like the IDE packet sent but never got reply and timed out. I did also check on the other end, the HQ. All other tunnels are still running fine on that router, just this remote site. Plus I got the similiar output when debugging on HQ router.
One thing do notice though, there was no match on both router for the ACL to match/permit ESP traffic... I asked on-site staff to reboot the modem used in remote site.
WRVS4400N Version V2.0.0.7.I have been attempting for weeks to connect an IPSEC tunnel between a Cisco ASA 5510 Version 8.0(2) and a WRVS4400N . Phase one seems connect okay, where as phase two always give me the errors below. This as far as I have got, I tried disabling keep alive monitor, the device never attempted phase 2. I have read endless documentation on both devices and tried almost every combination of setting that I am aware of. The best case scenario answer would be detailed steps on how to setup the IPSEC VPN (linksys) & the site to site VPN (CISCO) as I cannot find any reference material for this combination .
I am not having much success setting up a IPSec VPN tunnel between a RV042 V3 running v4.0.0.07 firmware and PIX 525 running 8.0(4) code.
Let's say the configuration looks like this:
The RV042 has public IP 70.0.0.1 and private LAN IP 192.168.1.1 /24 The PIX has outside IP 69.0.0.1 and inside LAN IP 172.16.0.1 /24 The RV042 is running as DHCP server on it's private LAN A Windows server at 172.16.0.2 is the DHCP server on the PIX's inside LAN.
I've tried every option on the RV042 for Phase 1 and Phase 2, but I am not certain how to configure the Advanced features especially Aggressive Mode, Compress, Keep-Alive, AH Hash Algorithm and Dead Peer Detection.
On the PIX I've tried the basic setup through ADSM, but it's not as clear or obvious to configure both sides with compatible settings compared to setting up a tunnel between two RV042s.
Here is the situation: A CISCO871 router is configured to establish an IP SEC tunnel with a CISCO ASA5520. The configuration is OK about that. I wish to configure the same CISCO871 in order to establish a LAN-to-LAN IP sec Tunnel with another CISCO871 at the same time in order to reach private network. So, I have followed the Cisco procedure Document ID: 71462 "LAN-to-LAN IP sec Tunnel Between Two Routers Configuration Example"; it works, I can reach the peer private network BUT ONLY when the IP SEC tunnel with ASA is not established.
It seems to be a routing problem...I don't find how to configure to make both tunnels up and functional at the same time.
Our ISP supplies a Cisco SRP-521w router with our WIMax connection but I have had no experience with these and they look like a ex Linksys product? What they a like for use as a spoke router connected to the core hub (Cisco 2921 ISR G2)?We would be using a GRE Tunnel protected with IPsec 3DES encrypted.The SRP would be using PPPoE to authenticate to the ISP.Any known traps and limitations with the Cisco SRP-521w?We currently use a Cisco 877 for this but wanted to save them fr our adsl links
I'm working on setting up my Blackberry Playbook to access the network over our IPsec VPN however so far I have had no luck. I'm also posting this on the Blackberry playbook support forum.
Settings on BlackBerry Playbook
Server Address: My IP Address Authentication type: XAuth-PSK Group Username: remote.com
We bought a RV220W in order to get a VPN in our Small Business. The RV220W will only be used to let clients connect to it and not a tunnel between another VPN box.We could use QuickVPN, but it won't be working in our case, because in order to use QuickVPN, the router wants to change its IP 10.x.y.1. Because we have multiple servers/services that are using a static IP, it would be quite painful to change the subnet. Therefore, we would like to stay on the same subnet and change it in worst case scenario only. This is why QuickVPN is not an option here.We could use SSL VPN, but most of our clients who will connect to the VPN are using Windows 7 x64. I have tried the Windows 7 x64 fix told in the latest firmware release notes, but I can't get it to work on my computer, which is a Win7 x64. It might still be broken. Many of them are not very tech-savyy, so I can't tell them to use a virtual machine to connect.We want a secure connection, therefore IPSec is better than PPTP. I've been trying to setup IPSec for the past hours but I can't get it working. At first, I wanted to use an SSL certificate, but having no luck with this, I switched to a Pre-shared Key (PSK) in order to get things simpler. Eventually I would like to use an SSL certificate, however I would like to get PSK working first to confirm that the IPSec connection is working.
I have attached with this post, screenshots of the IKE and VPN Policies. I have used the VPN Wizard in order to complete these fields. The local identifier is the WAN DynDNS FQDN. However, as for the remote FQDN, there should be none really, because clients are connecting to it, so the RV220W won't know in advance who's connecting and from where. I have read that when using the Responder type, the remote settings should not matter. Also, the PSK is 25 caracters long.After setting the RV220W up, I have set up a L2TP/IPSec VPN connection on my Windows 7. I have set up the connection to connect to the DynDNS address and set up the PSK in the Advanced settings. After I typed my IPSec username and password to connect (which was created in the IPSec users section), Windows tries to connect and times out :
Error 789 : The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
At the same time on the RV220W, this error shows up in the logs :
2012-08-26 23:45:24: [rv220w][IKE] ERROR: Could not find configuration for 24.54.xx.xx[500]
I can't figure out what I am doing wrong. I've read the Administration manual quite a few times and it seems that I have followed everything by the book.I have tried to enable/disable my Windows firewall, but did not get any luck. The RV220W is located at a remote office, to make sure that I can connect from the outside, before you think that I'm trying to connect to the outside, from the inside I have changed few settings in the IKE policy to try to make it work. Settings such as the Exchange Mode, because I've read that the Aggressive mode had issues. At this moment, the settings are back to default, once the wizard has been run. I'm thinking about setting a PPTP to confirm that this works, then move up to IPSec PSK, then to IPSec SSL Certificate.
I have an RV220w in office, which I have configure it for ipsec vpn connections. Behind router there is a NAS for file storage. [code]I have managed to connect to router from my home with ShrewVPN and I can ping every client connected to RV220w.The problem is that I can't connect to neither to router's web interface nor to NAS web interface or any other intranet web page ( the browser doesn't give any error, but keeps loading without showing the web page). Although, I can access web pages from my laptop.Also, in windows file explorer when I connect to NAS, although I can browse folders I can't copy files from my laptop to NAS and vice versa, I always get timeout error (I have checked the permissions to NAS and in addition I succeed to copy a small txt file 1kb, but no luck with bigger files).I also tried with QuickVPN client, but I had the same results. When I connect with pptp from windows everything works like a charm.My laptop has windows 7 64bit.
originally had two Netgear FVS318s set up with a VPN tunnel and everything worked as expected. I could connect to the server at the office from a machine at home and browse the files and more importantly do nightly backups of files that had changed at the office over the VPN to the house. The problem with the FVS318s was that for wireless I had to have another device and that the WAN to LAN throughput was something like 7Mbps. Kind of limiting when you consistently get 22Mbps from the ISP.So, I bought two Cisco RV220Ws to replace them with. I started by replacing the one at home and was able to get it going with the FVS318 at the office. The VPN was stable and I had no problem browsing the files on the server as I had already been doing. A couple weeks later I replaced the FVS318 at the office with the other RV220W and the VPN came up fine but I lost all ability to file share between the two sites. I've watched the phase 1 and 2 negotiations and they look good from both ends. =
