Cisco VPN :: 1811 / Dual-Hub DMVPN With PKI And Subject-name Don't Work
Oct 15, 2012
I have a Dual-Hub DMVPN with PKI dep[oyment infrastructure and with 2 Hub on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on a Spoke routers, one of two Tunnel is up, but the second Tunnel is not up. ISAKMP-negotiation select the rsa-sig-mode is correctly. If I select pre-shared-mode or if i remove 'subject-name' from Spokes, DMVPN work is fine!
Configuration example:
1. HUB:
--------------------------------------------------------------------------------
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(15)T15, RELEASE SOFTWARE (fc3)
Technical Support: [URL]
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 08-Mar-11 06:09 by prod_rel_team
I have a Dual-Hub DMVPN with PKI dep[oyment infrastructure and with 2 Hub on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on a Spoke routers, one of two Tunnel is up, but the second Tunnel is not up. ISAKMP-negotiation select the rsa-sig-mode is correctly. If I select pre-shared-mode or if i remove 'subject-name' from Spokes, DMVPN work is fine!
Central Router (WAN: 1.1.1.1) <--> Internet <--> (WAN: Dynamic IP) Branch RouterTunnel 172.31.254.1/26 Tunnel 172.31.254.9/26
Central router is a Cisco 1811 running IOS c181x-advipservicesk9-mz.151-4.M.bin.Branch router is a Cisco 1941 running IOS c1900-universalk9-mz.SPA.151-4.M.bin.
When I do a Ping test directly from the branch to central router over the Internet I have no packet loss:
branch#ping 1.1.1.1 source GigabitEthernet 0/0 repeat 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:Packet sent with a source address of 192.168.0.100!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(...)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (1000/1000), round-trip min/avg/max = 40/41/60 msbranch#
When doing a Ping test over the DMVPN tunnel (which is using the WAN IP as source) I see packetloss.
branch#ping 172.31.254.1 source Tunnel 3 repeat 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 172.31.254.1, timeout is 2 seconds:Packet sent with a source address of 172.31.254.9!!!!!!!!!!.!!!!!!!!!!.!.!!!!!!.!!!!!..!!!!!!..!!!!!!!!.!!.!!!!!.!!!!!!!!!!!!.!!!!!.!!!.!!!!!!!!!!!..!!!!.!.!.!!!!!.!!!!!!!!!.!..!!!.!.!!!!!.(...)!!!!!!.!!!.!!!!.!!!!.!.!!.!!!!!!!!!!!!!!!.!!.!!!!!!!!!.!!!.!!.!.!!!!!...!!!!!!!!!!..!!!!!!Success rate is 79 percent (795/1000), round-trip min/avg/max = 40/43/568 msbranch#
Central:
interface Tunnel0 description Testing (DMVPN) bandwidth 10000 ip address 172.31.254.1 255.255.255.192 no ip redirects ip mtu 1400 ip nhrp authentication testing ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 600 ip nhrp redirect ip tcp adjust-mss 1360 no ip split-horizon eigrp 1 tunnel source FastEthernet1 tunnel mode gre multipoint tunnel key 100003 tunnel bandwidth transmit 10000 tunnel bandwidth receive 10000 tunnel protection ipsec profile secure_profile shared
Branch:
interface Tunnel3 description Testing (DMVPN) bandwidth 2000 ip address 172.31.254.9 255.255.255.192 no ip redirects ip mtu 1400 ip nhrp authentication testing ip nhrp map multicast 1.1.1.1 ip nhrp map 172.31.254.1 1.1.1.1 ip nhrp network-id 1 ip nhrp holdtime 300 ip nhrp nhs 172.31.254.1 ip nhrp shortcut ip nhrp redirect ip tcp adjust-mss 1360 no ip split-horizon eigrp 1 delay 1000 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 100003 tunnel bandwidth transmit 2000 tunnel bandwidth receive 2000 tunnel protection ipsec profile secure_profile shared
Crypto parameters on both central and branch routers:
I have a DMVPN network with 2 hubs (2821's). This setup is used for VoIP applications over the Internet for teleworkers. At the main hub site I used to have only 1 Internet feed which was DSL with a static IP. Now I have 2 WAN feeds for this site - 1 FTTB w/ PPPoE & the DSL with static IP. Since this site also hosts a PRI, I want all voice communications to go through the FTTB link instead of the DSL for obvious reasons, but keep the DSL as DMVPN Hub for all NHRP lookups as this link has a static IP address & is very stable. We originally put the PRI router as a DMVPN spoke which connected through the FTTB link, with another router acting as the DMVPN hub on the DSL link. This was obviously a waste of machinery. I want to combine both routers into one. So I tried something like this (don't laugh):
Gi0/0 to FTTB (Dialer1 connects to Internet) Gi0/1 to DSL (Public IP towards 877 demarc) Tun0 attaches to Dialer1 public IP and connects to other spokes, no VRF Tun1 attaches to Gi0/1 public IP and acts as DMVPN hub (ip nhrp map multicast dynamic) under VRF "Hub"
EIGRP AS 1 is set up twice, once under router eigrp 1, and the other using router eigrp 2 using an address-family under the Hub VRF.This kinda works but obviously Tun0 & Tun1 do not speak to each other. I also had to remove the ip nhrp map instruction that pointed to Hub1 on Tun0, as this was causing a weird condition in the router where it was repeatedly trying to connect a tunnel to itself, and crash the router because the NHRP process would go haywire. So my users must rely on the Hub2 to get a NHRP lookup for the PRI site. If Hub2 goes down, everything works in the network except for tunnel connections to the FTTB link. I'd rather not have to configure 2 tunnels on each spoke router unless I really have to.
I have 5 cisco 1812 routers that i set up in a hub-spoke dmvpn configuration between 5 sites. All routers have a secondary internet connection . Could i set up a second tunnel interface on each router to create a backup dmvpn that will use this secondary internet connection? i use EIGRP for routing.
Basically, he has an office he's supporting on a contract basis, they have a cable modem uplink. They move very large (100MB or so) EXCEL files to/from a server "somewhere out there"...The place has 19 users on cable modem (presumably commercial level). They're having "severe latency due to all the users". They're also using VOIP (not sure what product, shouldn't really matter)this doesn't pass the sniff test to me- I have 70+ users on 4 T1s and don't have the problems they claim to be having. Suspect they should be doing some packet sniffing to see who's camping on Youtube, but this is not an option....They're adding in a second cable modem line and want to bind both together. I immediately figured they should do QOS, dedicate the mission-critical traffic to 1 line and let it bleed over onto the other and take precedence if necessary. They have a Cisco 1811 router. I haven't messed with those before, but what I am seeing is they are a "fixed-configuration router". Obviously there has to be SOME config changeable- if for nothing other than IP assignment to interface and such. So what does Cisco mean by "fixed-config"? Is this basically a dumbed-down Linksys router?
i have two branch offices A & B both connected by a vpn. i am planning to add another isp on both the locations and have it just for the vpn. i.e have the second isp do just vpn and all other traffic go through the older ISP.. what are my options ? am not planning to add any extra hardware and also am not planning on acheiving any fail-over or load-balancing because i know ASA 5510 does not do load-balancing.
I have an 1811 with 2 WAN connections, Fiber and ADSL (both Ethernet). I'm having a heck of a time getting traffic out the ADSL link.As it stands, I can ping the next hop 75.158.58.1, but no further. ping source FastEthernet1 times out to any external address nor can I NAT internal subnets out the interface.I'm really at a loss as to why, especially since I can ping
no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone
I'm trying to configure cisco 1811 with dual isp internet connections. Everything is working fine till i get to setting up port forwards.The port forwards for 2nd ISP do not work while connection to 1st isp is active. If if shutdown the connection to isp1 the port forwards work fine.
here's relevant section of the config
Code: track 123 ip sla 1 reachability delay down 15 up 10 ! track 456 ip sla 2 reachability delay down 15 up 10
[code]....
I can access the 192.168.2.131 web server using the ISP1 ip but not ISP2 ip If i shutdown ISP1 interface the server becomes accessible through ISP2.Also while ISP1 is active I can't remote desktop to 192.168.1.210There are no acls, firewall zones or anything else.
I want to migrate Exchange server to Exchange 2010, I would like to know if ACE and SSLM support Subject Alternative Name (SAN).
1. Can the current CSM (WS-SVC-SSL-1-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it.
a. exchange.ww.edu b. legexchange.ww.edu.
2) Can the new ACE( ACE20-MOD-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it:
I generated a wildcard certificate for my company type *. [URL] in a CSS 11501. For the site [URL] worked fine, for the site [URL] didn't worked. I read on the web that should generate a wildcard certificate with subject alternative names. Is it possible in CSS? how can I do it?
Is there any way to change the subject line of the email alerts that are sent? Right now mine are coming with the MAC address, date and time. I would like to remove the MAC address and date and time so that I can sort them into one folder when I sort my email by subject.
Region : Denmark Model : TL-WDR4300 Hardware Versin : V1 Firmware Version : 3.13.23 Build 121225 Rel.37950n ISP :
my TP-Link USB Controller after my latest firmware upgrade, and therefor my USB-printer (connected to the router) do not function any more, and i can not find a new software for the Controller
I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
I would like to make a design with 4 Nexus 5596UP. 2 of them equipped with Layer 3 Expansion Module so they can serve as core layer and the other 2 Nexus used as Layer 2 for aggregation server layer.The 2 Nexus in the core layer will run HSRP and will peer with ISP via BGP for Internet connection The 2 Nexus in the aggregation layer will be configured as layer 2 device and have FEX and switches connected to them.What I am ensure of is how the vpc and port-channel configuration should look like between the 4 nexus. What I was thinking is to run vpc between the 2 Nexus in the aggregation layer and between the 2 Nexus in the core layer. Than I was thinking of connecting each Nexus in the aggragtion layer to both Nexus in the core layer using port-channel and vice-versa.
how to change our wireless setup. Currently, we have 2 Cisco AiroNet 1130 WAP's in the office that go directly into the 2 POE ports on our Cisco ASA 5500. These WAP's have 1 SSID and are using WEP for security. After demonstrating the flaws of WEP to my boss, he has agreed that we should use something more secure and I've suggested WPA. We want visitors to our office to be able to hop on our wireless but on a separate guest SSID with WEP.
I'd like the internal SSID to route to the ASA and take the default route to the internet (it will be our new fiber connection once it's installed in a couple weeks). The default route is whichever connection is working since our ASA 5500 will fail over when it detects an outage.
I'd like the guest SSID to route to the ASA and then go over our existing cable connection. This connection will be our backup once the fiber connection is installed. Since we won't be using it very often, but will be paying for it, I advised that we send all guest wireless traffic over this connection since 50/5 is plenty for guests.
The current SSID (which will be the internal SSID) has no VLAN. We do currently have a few VLANS on our network, one for voice (.42) and one for data (.100) and the default (.0). What device to I create the VLAN on (Cisco 5500?) and how to I setup the WAP? I need very basic instructions to start and I'm also trying to do this without causing downtime if possible.
I've attached a diagram of what it should look like. Red indicates our internal network and Blue indicates the guest network. I can send screenshots as well.
I wanted to ask a question about the diagram I have included. We are bringing up 2 MPLS WAN connections and would like some specifics on the best design. We are using BGP to the providers. From there we have big questions. We can run BGP internal and are licensed to do so on the N5K's. The N5Ks are currently using HSRP for inside LAN clients as default gateway. We want to load balance and provide redundant routes using a dynamic approach. Should we use BGP internal utilizing the connections between the routers? Should we use HSRP on the routers? How best to get the routes to the N5K and should we be considering this?
I run 2 RV042 V1 for home and office with Gateway to Gateway VPN connection with single WAN connection in use. Everything works like a charm!
I was even able to create VPN connection with 2 WAN connection on one Router and 1 WAN connection on another with Smart link failover and VPN Tunel Backup.
I got problem though when i tried more complex connection diagram. [URL]
So basically I now have 2 ISP connections on each point with Static IPs and I'd like VPN Connection to be alive for ALL 4 options automatically with failovers (smart links) And tunel backups but i'm not sure if that's ever possible with my equipment.
There use to be Cisco 851 routers, but lately these routers are replaced with Cisco 861-K9 routers, and these 861 routers doesn't support DMVPN, instead 851 use to be.
Is there any license file we can upload in 861 router for DMVPN capability, if yes may i know the SKU # for that. We have some customers having 6-7 locations and they are planning to have 2 more locations, we implement already DMVPN in there network, if we go with the 87X or 88X router there price is almost double the price of 861.
I have a problem with my routers (cisco 1941)I'm running a DMVPN network (Hub and spoke)All the hubs are connected to the 2 hubs. With 4 tunnels. (each hub has 2 interfaces to the spokes. the spokes only have one interface to the hubs, so I splitted them and so I now have 4 dmvpn tunnels). one of the interfaces on a hub malfuntioned and because of that the customers had problems with logging in and sending packets. I made this kind of structure because of when one of the tunnels failed the spoke could use the 3 others... BUT, what happened here was that the spoke still tried to use all 4 of the tunnels and because of that I had 25% package loss!So this didn't work. Now I read about IP SLA, but I was wondering of this could work? (I cannot test it on spare routers, and I don't want to implement it and risking a total network failure...) and how to configure it. Should I make 4 different sla processes which I should all 4 track? And when I make the ip routes, how should I make or configure it so that 1 of the tunnels/interfaces fails that the spoke would addapt the routes?
I have a setup with two Cisco 877's – 1 for the hub and 1 for the spoke. The hub has a static WAN IP and the spoke has a dynamic WAN IP. The two sites are tunneled with DMVPN and cert auth for connections via Cisco VPN Client (terminating on hub router). All routes between the two sites work fine – I can see through both ends via LAN IPs and tunnel IPs. I can connect externally through Cisco VPN Client and RDP into PC's on the spoke end via local IPs.
My issue is: I want a port forward on the hub router, pointing to the IP (172.16.1.X) of a device on the spoke end. So using the WAN IP of the hub router, I can reach a host on the spoke side. At this point I cannot get this to work and feel it's related to a NATing issue. Here is my current config for both sites:
I am trying to spec out some routers for a small DMVPN network.I was thinking 2801's for my hub routers.will these run DMVPN out of the box or do they need additional hardware modules?according to the below linkyou need a "AIM-VPN/SSL-2" module in order for it to work, but then according to"The Cisco 2800 Series supports IPSec Digital Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES) 128, AES 192, and AES 256 cryptology without consuming an AIM slot."
Building a dmvpn network with 2911 hub router.Anyone have a clue how many simultaneous vpn connections can be used? The amount of transferred data is very small.
suppose i have 2 hub location and one spoke and i want to config DMVPN between them and want to keep 1 HUB as active and 2nd HUb as passive then how its possible.
We have 7606 router without any ipsec module on it,so i check the ios and it has all commands in interface tunnel for configuring the dmvpn multipoint tunnel and also protection profile for ipsec! so i have this question: do we can run dmvpn between this router and our wan routers wich are 3845.
What router would you choose to setup 1500 dmvpn tunnels (mGRE/ipsec)? so this router will be my hub and the hub will have 1500 tunnels.this router with this many tunnels will have to be able to provide excellent service to all spokes/tunnels.the spokes will mainly use the tunnels for business, transfering small files and some email I would say they may transfer 500megabyte of data per day but that's the absolute maximum.
I have three Hub routers that I'm wanting to compare DMVPN scalabiltiy capabilities (3825 versus 3945 and 3845). I know it must be there somewhere and I'm just not looking in the right place. But I've read and read and read about DMVPN designs and I'm not finding anything. This is turning into a time killer. What are the DMVPN limitations of these three routers are?
New to the forum and not much Cisco IOS experience let alone on the security side of things. I know how to navigate the IOS and can do basic switching and routing just fine. My company currently has a DMVPN setup w/ about 10 tunnels going back to the hub. We have 4 more sites they want me to setup and I keep getting stuck at the crypto maps. I have been reading about VPN's, DMVPN's , etc. for days now but can't find any examples of how we are configured. The priority of our crypto maps start at 65536 and go up. Default max is 65335 from what I have read, and I cannot assign a priority that high statically. [code]
I'm trying to configure and DMVPN architecture with two routers ASR1006 to server a bank remote offices, one ASR in CO building and the other in CA building (CO: Operational Center; CA: Recovery Center).Each ASR have two LAN connections to internal network and two WAN links to remote office. Each WAN links belongs to differents provider.Each remote office has a router with two WAN links connected to that WAN providers.We are configuring the DMVPN considering two primary tunnels in the CO building and two failover tunnels in CA building.We made the configuration (schemas and configuration attached) but we only get two tunnels up at a time. We cannot ping from office router to four tunnels interfaces in both hubs.
We made some test disabling some tunnels and we could get communication only with two tunnels interfaces. We got communication through tunnels when we have just two.We want to have the four tunnels for high availability. We would like to know how to troubleshoot and make a design review because the examples and documentations are very limited.
Trying to setup a DMVPN on out existing equipment that is currently running all point to point vpn connections. basicly its not working. my best guess is something with the config is interfering but i'm not sure the remote router (881) is always comming back with MM_NO_STATE and the main router(2901) is either MM_NO_STATE or MM_SETUP.
I added the config for the 881, 2901 and a debug crypto isakmp and debug crypto ipsec from both routers. I have verified the Keys are correct and it is not blocking port 500. if i issue a sh crypto isakmp policy they are the same on both routers. if you need me to post anything else i will, one note i removed the configs that were part of the point to point tunnls on the 2901 router.
Is DMVPN supported on Cisco 7200 XVR NPE-400, and would the NPE-400 module support QoS, multicast etc. I found an old doc mentioning DMVPN and this specific module.
I am setting up a DMVPN between several dozen sites using 2800, 2900 and 3900 series ISRs. The DMVPN Design Guide recommends current 12.4 or 12.4T IOS, but the DG was last updated in July 2008. I cannot seem to find any recommendations newer than this. I'm hoping Cisco or the community can give me an updated recommendation.
