Cisco VPN :: 1811 / 1841 - Dual-Hub DMVPN With PKI And Subject-name Don't Work
Sep 25, 2011
I have a Dual-Hub DMVPN with PKI dep[oyment infrastructure and with 2 Hub on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on a Spoke routers, one of two Tunnel is up, but the second Tunnel is not up. ISAKMP-negotiation select the rsa-sig-mode is correctly. If I select pre-shared-mode or if i remove 'subject-name' from Spokes, DMVPN work is fine!
In what there can be a problem?
Configuration example:
1. HUB:
crypto pki trustpoint TRUSTPOINT-CA1
enrollment mode ra
enrollment url http://.../certsrv/mscep/mscep.dll
password ...
[ code]....
View 17 Replies
ADVERTISEMENT
Oct 15, 2012
I have a Dual-Hub DMVPN with PKI dep[oyment infrastructure and with 2 Hub on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on a Spoke routers, one of two Tunnel is up, but the second Tunnel is not up. ISAKMP-negotiation select the rsa-sig-mode is correctly. If I select pre-shared-mode or if i remove 'subject-name' from Spokes, DMVPN work is fine!
Configuration example:
1. HUB:
--------------------------------------------------------------------------------
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(15)T15, RELEASE SOFTWARE (fc3)
Technical Support: [URL]
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 08-Mar-11 06:09 by prod_rel_team
[code].....
View 14 Replies
View Related
May 12, 2011
Scenario:
Central Router (WAN: 1.1.1.1) <--> Internet <--> (WAN: Dynamic IP) Branch RouterTunnel 172.31.254.1/26 Tunnel 172.31.254.9/26
Central router is a Cisco 1811 running IOS c181x-advipservicesk9-mz.151-4.M.bin.Branch router is a Cisco 1941 running IOS c1900-universalk9-mz.SPA.151-4.M.bin.
When I do a Ping test directly from the branch to central router over the Internet I have no packet loss:
branch#ping 1.1.1.1 source GigabitEthernet 0/0 repeat 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:Packet sent with a source address of 192.168.0.100!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(...)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (1000/1000), round-trip min/avg/max = 40/41/60 msbranch#
When doing a Ping test over the DMVPN tunnel (which is using the WAN IP as source) I see packetloss.
branch#ping 172.31.254.1 source Tunnel 3 repeat 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 172.31.254.1, timeout is 2 seconds:Packet sent with a source address of 172.31.254.9!!!!!!!!!!.!!!!!!!!!!.!.!!!!!!.!!!!!..!!!!!!..!!!!!!!!.!!.!!!!!.!!!!!!!!!!!!.!!!!!.!!!.!!!!!!!!!!!..!!!!.!.!.!!!!!.!!!!!!!!!.!..!!!.!.!!!!!.(...)!!!!!!.!!!.!!!!.!!!!.!.!!.!!!!!!!!!!!!!!!.!!.!!!!!!!!!.!!!.!!.!.!!!!!...!!!!!!!!!!..!!!!!!Success rate is 79 percent (795/1000), round-trip min/avg/max = 40/43/568 msbranch#
Central:
interface Tunnel0 description Testing (DMVPN) bandwidth 10000 ip address 172.31.254.1 255.255.255.192 no ip redirects ip mtu 1400 ip nhrp authentication testing ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 600 ip nhrp redirect ip tcp adjust-mss 1360 no ip split-horizon eigrp 1 tunnel source FastEthernet1 tunnel mode gre multipoint tunnel key 100003 tunnel bandwidth transmit 10000 tunnel bandwidth receive 10000 tunnel protection ipsec profile secure_profile shared
Branch:
interface Tunnel3 description Testing (DMVPN) bandwidth 2000 ip address 172.31.254.9 255.255.255.192 no ip redirects ip mtu 1400 ip nhrp authentication testing ip nhrp map multicast 1.1.1.1 ip nhrp map 172.31.254.1 1.1.1.1 ip nhrp network-id 1 ip nhrp holdtime 300 ip nhrp nhs 172.31.254.1 ip nhrp shortcut ip nhrp redirect ip tcp adjust-mss 1360 no ip split-horizon eigrp 1 delay 1000 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 100003 tunnel bandwidth transmit 2000 tunnel bandwidth receive 2000 tunnel protection ipsec profile secure_profile shared
Crypto parameters on both central and branch routers:
crypto isakmp policy 1 authentication pre-share
crypto ipsec transform-set secure_transform-set esp-3des esp-sha-hmac mode transport
crypto ipsec profile secure_profile set transform-set secure_transform-set
I disabled CEF on both the central and branch routers and no success. The EIGRP neighborship appears to be stable.
View 4 Replies
View Related
Nov 25, 2012
I have a DMVPN network with 2 hubs (2821's). This setup is used for VoIP applications over the Internet for teleworkers. At the main hub site I used to have only 1 Internet feed which was DSL with a static IP. Now I have 2 WAN feeds for this site - 1 FTTB w/ PPPoE & the DSL with static IP. Since this site also hosts a PRI, I want all voice communications to go through the FTTB link instead of the DSL for obvious reasons, but keep the DSL as DMVPN Hub for all NHRP lookups as this link has a static IP address & is very stable. We originally put the PRI router as a DMVPN spoke which connected through the FTTB link, with another router acting as the DMVPN hub on the DSL link. This was obviously a waste of machinery. I want to combine both routers into one. So I tried something like this (don't laugh):
Gi0/0 to FTTB (Dialer1 connects to Internet)
Gi0/1 to DSL (Public IP towards 877 demarc)
Tun0 attaches to Dialer1 public IP and connects to other spokes, no VRF
Tun1 attaches to Gi0/1 public IP and acts as DMVPN hub (ip nhrp map multicast dynamic) under VRF "Hub"
EIGRP AS 1 is set up twice, once under router eigrp 1, and the other using router eigrp 2 using an address-family under the Hub VRF.This kinda works but obviously Tun0 & Tun1 do not speak to each other. I also had to remove the ip nhrp map instruction that pointed to Hub1 on Tun0, as this was causing a weird condition in the router where it was repeatedly trying to connect a tunnel to itself, and crash the router because the NHRP process would go haywire. So my users must rely on the Hub2 to get a NHRP lookup for the PRI site. If Hub2 goes down, everything works in the network except for tunnel connections to the FTTB link. I'd rather not have to configure 2 tunnels on each spoke router unless I really have to.
View 2 Replies
View Related
Nov 1, 2011
I have 5 cisco 1812 routers that i set up in a hub-spoke dmvpn configuration between 5 sites. All routers have a secondary internet connection . Could i set up a second tunnel interface on each router to create a backup dmvpn that will use this secondary internet connection? i use EIGRP for routing.
View 2 Replies
View Related
Feb 20, 2013
Basically, he has an office he's supporting on a contract basis, they have a cable modem uplink. They move very large (100MB or so) EXCEL files to/from a server "somewhere out there"...The place has 19 users on cable modem (presumably commercial level). They're having "severe latency due to all the users". They're also using VOIP (not sure what product, shouldn't really matter)this doesn't pass the sniff test to me- I have 70+ users on 4 T1s and don't have the problems they claim to be having. Suspect they should be doing some packet sniffing to see who's camping on Youtube, but this is not an option....They're adding in a second cable modem line and want to bind both together. I immediately figured they should do QOS, dedicate the mission-critical traffic to 1 line and let it bleed over onto the other and take precedence if necessary. They have a Cisco 1811 router. I haven't messed with those before, but what I am seeing is they are a "fixed-configuration router". Obviously there has to be SOME config changeable- if for nothing other than IP assignment to interface and such. So what does Cisco mean by "fixed-config"? Is this basically a dumbed-down Linksys router?
View 19 Replies
View Related
Feb 2, 2011
I am exploring the possibility of having Cisco 1841's (or higher) at multiple sites. Each router will support 2 x ADSL connections (HWIC-1ADSL cards). My plan is to set up a DMVPN Full Mesh Tunnel on the first ADSL interface on each router and have RIP route these subnets, this will be for my Voice traffic only.
Further more I would like to set up a second IPSEC VPN tunnel between the head site and all other sites (the sites do not require direct communication for data purposes). This will route via static/weighted routes.
Any similar set up or sample configurations?
whether or not you can also run parallel DMVPN full mesh tunnels on a Cisco 1841 as this would be the other option.
the only restrictions are that the ADSL links cannot be upgraded to SHDSL etc.
View 3 Replies
View Related
Mar 21, 2013
I have a setup where a spoke (cisco 1841) is sending a multicast feed to a hub (cisco 2951) via a DMVPN tunnel on the Internet. The feed arrives on interface fa0/0 of the cisco 1841 and is forwarded to the tunnel interface. It is about 160,000 kbit/s and 18 pps. This always looks the same:
cisco2951-1-hub#sh run int tu10
!
interface Tunnel10
description DMVPN TUNNEL
[Code]...
View 5 Replies
View Related
Nov 9, 2011
i have two branch offices A & B both connected by a vpn. i am planning to add another isp on both the locations and have it just for the vpn. i.e have the second isp do just vpn and all other traffic go through the older ISP.. what are my options ? am not planning to add any extra hardware and also am not planning on acheiving any fail-over or load-balancing because i know ASA 5510 does not do load-balancing.
View 1 Replies
View Related
Apr 1, 2012
I have an 1811 with 2 WAN connections, Fiber and ADSL (both Ethernet). I'm having a heck of a time getting traffic out the ADSL link.As it stands, I can ping the next hop 75.158.58.1, but no further. ping source FastEthernet1 times out to any external address nor can I NAT internal subnets out the interface.I'm really at a loss as to why, especially since I can ping
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
[code]...
View 2 Replies
View Related
Oct 30, 2012
My question is wrt policy-based routing on my network. Our switch is a 3560G 24PS running Adv Ip Services image. It is connected to an 1841 and an 1811 each with a dual-wan connection . The 3560 defines 6 vlans and we are using PBR to route some vlans via the 1841 and some vlans via the 1811.
From a client on one vlan a traceroute to a client on another vlan goes through the 1811 before being routed back to the 3560. Is it possible to use PBR to detect traffic that is destined for another vlan on the same switch and then route it directly?
View 2 Replies
View Related
Nov 13, 2011
I'm trying to configure cisco 1811 with dual isp internet connections. Everything is working fine till i get to setting up port forwards.The port forwards for 2nd ISP do not work while connection to 1st isp is active. If if shutdown the connection to isp1 the port forwards work fine.
here's relevant section of the config
Code:
track 123 ip sla 1 reachability
delay down 15 up 10
!
track 456 ip sla 2 reachability
delay down 15 up 10
[code]....
I can access the 192.168.2.131 web server using the ISP1 ip but not ISP2 ip If i shutdown ISP1 interface the server becomes accessible through ISP2.Also while ISP1 is active I can't remote desktop to 192.168.1.210There are no acls, firewall zones or anything else.
View 3 Replies
View Related
Jul 28, 2012
Using the Cisco Configuration Professional software I have created a site to site VPN connection (between a cisco 1841 and 1811).The tunnel appears to be up as far as the routers are concerned, but I am unable to ping anything on the remote networks. I thought route maps may have had something to do with this but I cant see what is worng with them.Just so you know, the 1841 device already has a functioning VPN tunnel to another site. The peers I am concerned about are 141.0.59.x and 109.238.78.x.
View 12 Replies
View Related
May 16, 2012
We have two offices with two 1841 routers. Each office have two wan links (one ADSL with dialer, one SDSL) with fixed IP.The adsl link is the default route with failover.There is only one VTI working properly with the config below (the adsl one). If I remove the route "ip route 0.0.0.0 0.0.0.0 dialer 1 track 1" both VTI are working properly, however all traffic is going to SDSL witch is not the behaviour we would like to get.
get both VTI working with default route to ADSL link ?
------------------------------------------------
track 1 ip sla 1 reachability
delay down 1 up 1
!
!
crypto isakmp policy 1
encr aes
[code]....
View 4 Replies
View Related
Mar 25, 2012
I have a 1841 router with two wan access from two different ISP:throught dialer with fixed ip obtained from dhcp - ATM interface,thought fastethernet 0/1 with fixed ip and a specific gateway - can be use for Internet traffic if dialer is down.I can't manage to make them accessible at the same time (ping and ssh).In a second time I would like to have a VPN client access on one wan and site to site VPN on the other, instead of having the two on one wan.
View 12 Replies
View Related
Oct 9, 2012
We've got a 1841 router with dual-WAN connection, one is Cable and it goes to Fa0/0, another one is ADSL2+ and it goes to WIC-ADSL card.I'm trying to configure a load-balancing and failover using per-packet or per-destination connection.I can configure "ip sla" for both connections pinging 2 different DNS IPs of 2 ISPs. But I can't configure command "track 1 rtr 1 reachability" and "track 2 rtr 2 reachability". There is no "rtr" allowed to type there. And all examples shows that command for load-balancing. What command to use for that or why I cannot use the above command?
View 9 Replies
View Related
Jan 9, 2012
we are trying to configure 1841 with dual Internet connection with failover using track.
View 4 Replies
View Related
May 7, 2012
I have a Cisco 1841 router connected to two different lines (same ISP) and I would like to load balance between them. I think I have achieved this point, but the problem is that remote VPNs do not work (only from Dialer1).This is my diagram:
ISP1----ISP Router----------Fa0/1 ROUTER 1841
----------Fa0/0 LAN
ISP2 ----------------pppoe Dialer1 ROUTER 1841
I have tried to redirect all my vpn traffic through the Dialer1 with PBR, but it does not work.
View 4 Replies
View Related
Mar 11, 2011
Why in some places I can not switch on my VPN ? The strange thing is when I use the VPN server of my office , this work OK and it is the same VPN client. So this means that I do something wrong in my private CISCO 1841 ROUTER.Here bellow what does not work and at the bottom the same computer same network.
View 6 Replies
View Related
Feb 18, 2011
just configured a 1841 router and im trying to figure out why some websites work and others dont - when i put in a small TP-LINK everything works fine so its not my ISP
my config:
Building configuration...
Current configuration : 3057 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname RT1841!boot-start-markerboot-end-marker!logging message-
[Code]....
View 6 Replies
View Related
May 9, 2011
I'm trying to setup port forwarding to a citrix server but, it seems not to be working.
View 4 Replies
View Related
Jun 5, 2011
I want to migrate Exchange server to Exchange 2010, I would like to know if ACE and SSLM support Subject Alternative Name (SAN).
1. Can the current CSM (WS-SVC-SSL-1-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it.
a. exchange.ww.edu
b. legexchange.ww.edu.
2) Can the new ACE( ACE20-MOD-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it:
a. exchange.ww.edu
b. legexchange.ww.edu
View 1 Replies
View Related
Mar 5, 2012
I have a Cisco 2940 switch and a Cisco 1841 router. I want to build two different VLAN networks on the switch, which do not have to communicate one with each other, but those VLANS should communicate with the router.
I read a lot of articles, i tried to configure properly the switch and the router but i still don't get them work.
I set on the switch, the GigabitEthernet 0/1 port to Trunk port and i had to set it a native VLAN. The problem is that only from that native VLAN, i can ping the router.
View 17 Replies
View Related
Dec 17, 2011
We have a cisco 1941 with line t1 Symmetric, (Also have Cisco 1841 unused, but works) I would like to connect the Cisco 1841 to four Adsl Backup lines in case the T1 or the Main cisco 1941 go down I know a BGP is needed on our ISP site,
How can i connect four Adsl lines to The cisco 1841 (Backup) and make them work in a Load Balancing way.
View 2 Replies
View Related
Sep 6, 2012
I generated a wildcard certificate for my company type *. [URL] in a CSS 11501. For the site [URL] worked fine, for the site [URL] didn't worked. I read on the web that should generate a wildcard certificate with subject alternative names. Is it possible in CSS? how can I do it?
View 5 Replies
View Related
Feb 8, 2012
Is there any way to change the subject line of the email alerts that are sent? Right now mine are coming with the MAC address, date and time. I would like to remove the MAC address and date and time so that I can sort them into one folder when I sort my email by subject.
View 7 Replies
View Related
Apr 13, 2013
Region : Denmark
Model : TL-WDR4300
Hardware Versin : V1
Firmware Version : 3.13.23 Build 121225 Rel.37950n
ISP :
my TP-Link USB Controller after my latest firmware upgrade, and therefor my USB-printer (connected to the router) do not function any more, and i can not find a new software for the Controller
View 1 Replies
View Related
Dec 5, 2012
I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
View 8 Replies
View Related
Oct 6, 2012
I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
View 2 Replies
View Related
Feb 19, 2012
I would like to make a design with 4 Nexus 5596UP. 2 of them equipped with Layer 3 Expansion Module so they can serve as core layer and the other 2 Nexus used as Layer 2 for aggregation server layer.The 2 Nexus in the core layer will run HSRP and will peer with ISP via BGP for Internet connection The 2 Nexus in the aggregation layer will be configured as layer 2 device and have FEX and switches connected to them.What I am ensure of is how the vpc and port-channel configuration should look like between the 4 nexus. What I was thinking is to run vpc between the 2 Nexus in the aggregation layer and between the 2 Nexus in the core layer. Than I was thinking of connecting each Nexus in the aggragtion layer to both Nexus in the core layer using port-channel and vice-versa.
View 3 Replies
View Related
Dec 17, 2012
how to change our wireless setup. Currently, we have 2 Cisco AiroNet 1130 WAP's in the office that go directly into the 2 POE ports on our Cisco ASA 5500. These WAP's have 1 SSID and are using WEP for security. After demonstrating the flaws of WEP to my boss, he has agreed that we should use something more secure and I've suggested WPA. We want visitors to our office to be able to hop on our wireless but on a separate guest SSID with WEP.
I'd like the internal SSID to route to the ASA and take the default route to the internet (it will be our new fiber connection once it's installed in a couple weeks). The default route is whichever connection is working since our ASA 5500 will fail over when it detects an outage.
I'd like the guest SSID to route to the ASA and then go over our existing cable connection. This connection will be our backup once the fiber connection is installed. Since we won't be using it very often, but will be paying for it, I advised that we send all guest wireless traffic over this connection since 50/5 is plenty for guests.
The current SSID (which will be the internal SSID) has no VLAN. We do currently have a few VLANS on our network, one for voice (.42) and one for data (.100) and the default (.0). What device to I create the VLAN on (Cisco 5500?) and how to I setup the WAP? I need very basic instructions to start and I'm also trying to do this without causing downtime if possible.
I've attached a diagram of what it should look like. Red indicates our internal network and Blue indicates the guest network. I can send screenshots as well.
View 2 Replies
View Related
Mar 29, 2012
I wanted to ask a question about the diagram I have included. We are bringing up 2 MPLS WAN connections and would like some specifics on the best design. We are using BGP to the providers. From there we have big questions. We can run BGP internal and are licensed to do so on the N5K's. The N5Ks are currently using HSRP for inside LAN clients as default gateway. We want to load balance and provide redundant routes using a dynamic approach. Should we use BGP internal utilizing the connections between the routers? Should we use HSRP on the routers? How best to get the routes to the N5K and should we be considering this?
View 5 Replies
View Related
Feb 21, 2013
I run 2 RV042 V1 for home and office with Gateway to Gateway VPN connection with single WAN connection in use. Everything works like a charm!
I was even able to create VPN connection with 2 WAN connection on one Router and 1 WAN connection on another with Smart link failover and VPN Tunel Backup.
I got problem though when i tried more complex connection diagram. [URL]
So basically I now have 2 ISP connections on each point with Static IPs and I'd like VPN Connection to be alive for ALL 4 options automatically with failovers (smart links) And tunel backups but i'm not sure if that's ever possible with my equipment.
View 2 Replies
View Related
