Cisco VPN :: 1811 / Dual-Hub DMVPN With PKI And Subject-name Don't Work

Oct 15, 2012

I have a Dual-Hub DMVPN with PKI deployment infrastructure and with 2 Hubs on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on the Spoke routers, one of the two Tunnels is up, but the second Tunnel is not up. ISAKMP negotiation selects rsa-sig mode correctly. If I select pre-shared mode or if I remove 'subject-name' from the Spokes, DMVPN works fine!
 
Configuration example:
 
1. HUB:
--------------------------------------------------------------------------------
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(15)T15, RELEASE SOFTWARE (fc3)
Technical Support: [URL]
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 08-Mar-11 06:09 by prod_rel_team

[code].....

View 14 Replies



Cisco VPN :: 1811 / 1841 - Dual-Hub DMVPN With PKI And Subject-name Don't Work

Sep 25, 2011

I have a Dual-Hub DMVPN with PKI deployment infrastructure and with 2 Hubs on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on the Spoke routers, one of the two Tunnels is up, but the second Tunnel is not up. ISAKMP negotiation selects rsa-sig mode correctly. If I select pre-shared mode or if I remove 'subject-name' from the Spokes, DMVPN works fine!

What could the problem be?
 
Configuration example:
 
1. HUB:
crypto pki trustpoint TRUSTPOINT-CA1
enrollment mode ra
enrollment url http://.../certsrv/mscep/mscep.dll
password ...
[ code]....

View 17 Replies View Related

Cisco VPN :: 1811 / Packet Loss Via DMVPN Tunnel But Not Across WAN

May 12, 2011

Scenario:
 
Central Router (WAN: 1.1.1.1) <--> Internet <--> (WAN: Dynamic IP) Branch Router
Tunnel 172.31.254.1/26                                     Tunnel 172.31.254.9/26

Central router is a Cisco 1811 running IOS c181x-advipservicesk9-mz.151-4.M.bin.
Branch router is a Cisco 1941 running IOS c1900-universalk9-mz.SPA.151-4.M.bin.
 
When I do a Ping test directly from the branch to central router over the Internet I have no packet loss:
 
branch#ping 1.1.1.1 source GigabitEthernet 0/0 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.100
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(...)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 40/41/60 ms
branch#
 
When doing a Ping test over the DMVPN tunnel (which is using the WAN IP as source) I see packet loss.
 
branch#ping 172.31.254.1 source Tunnel 3 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 172.31.254.1, timeout is 2 seconds:
Packet sent with a source address of 172.31.254.9
!!!!!!!!!!.!!!!!!!!!!.!.!!!!!!.!!!!!..!!!!!!..!!!!!!!!.!!.!!!!!.!!!!!!!!!!!!.!!!!!.!!!.!!!!!!!!!!!..!!!!.!.!.!!!!!.!!!!!!!!!.!..!!!.!.!!!!!.
(...)
!!!!!!.!!!.!!!!.!!!!.!.!!.!!!!!!!!!!!!!!!.!!.!!!!!!!!!.!!!.!!.!.!!!!!...!!!!!!!!!!..!!!!!!
Success rate is 79 percent (795/1000), round-trip min/avg/max = 40/43/568 ms
branch#
 
Central:

interface Tunnel0
 description Testing (DMVPN)
 bandwidth 10000
 ip address 172.31.254.1 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication testing
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 600
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source FastEthernet1
 tunnel mode gre multipoint
 tunnel key 100003
 tunnel bandwidth transmit 10000
 tunnel bandwidth receive 10000
 tunnel protection ipsec profile secure_profile shared
 
Branch:
 
interface Tunnel3
 description Testing (DMVPN)
 bandwidth 2000
 ip address 172.31.254.9 255.255.255.192
 no ip redirects
 ip mtu 1400
 ip nhrp authentication testing
 ip nhrp map multicast 1.1.1.1
 ip nhrp map 172.31.254.1 1.1.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.31.254.1
 ip nhrp shortcut
 ip nhrp redirect
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100003
 tunnel bandwidth transmit 2000
 tunnel bandwidth receive 2000
 tunnel protection ipsec profile secure_profile shared
 
Crypto parameters on both central and branch routers:
 
crypto isakmp policy 1
 authentication pre-share
crypto ipsec transform-set secure_transform-set esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile secure_profile
 set transform-set secure_transform-set
 
I disabled CEF on both the central and branch routers and no success.  The EIGRP neighborship appears to be stable.

View 4 Replies View Related

Cisco VPN :: 2821 / DMVPN With Dual WAN?

Nov 25, 2012

I have a DMVPN network with 2 hubs (2821's).  This setup is used for VoIP applications over the Internet for teleworkers. At the main hub site I used to have only 1 Internet feed which was DSL with a static IP.  Now I have 2 WAN feeds for this site - 1 FTTB w/ PPPoE & the DSL with static IP.  Since this site also hosts a PRI, I want all voice communications to go through the FTTB link instead of the DSL for obvious reasons, but keep the DSL as DMVPN Hub for all NHRP lookups as this link has a static IP address & is very stable.  We originally put the PRI router as a DMVPN spoke which connected through the FTTB link, with another router acting as the DMVPN hub on the DSL link.  This was obviously a waste of machinery. I want to combine both routers into one.  So I tried something like this (don't laugh):
 
Gi0/0 to FTTB (Dialer1 connects to Internet)
Gi0/1 to DSL (Public IP towards 877 demarc)
Tun0 attaches to Dialer1 public IP and connects to other spokes, no VRF
Tun1 attaches to Gi0/1 public IP and acts as DMVPN hub (ip nhrp map multicast dynamic) under VRF "Hub"
 
EIGRP AS 1 is set up twice, once under router eigrp 1, and the other using router eigrp 2 using an address-family under the Hub VRF. This kinda works but obviously Tun0 & Tun1 do not speak to each other.  I also had to remove the ip nhrp map instruction that pointed to Hub1 on Tun0, as this was causing a weird condition in the router where it was repeatedly trying to connect a tunnel to itself, and crash the router because the NHRP process would go haywire.  So my users must rely on the Hub2 to get a NHRP lookup for the PRI site.  If Hub2 goes down, everything works in the network except for tunnel connections to the FTTB link.  I'd rather not have to configure 2 tunnels on each spoke router unless I really have to.

View 2 Replies View Related

Cisco VPN :: DUAL DMVPN On 1812 Routers?

Nov 1, 2011

I have 5 Cisco 1812 routers that I set up in a hub-spoke DMVPN configuration between 5 sites. All routers have a secondary internet connection. Could I set up a second tunnel interface on each router to create a backup DMVPN that will use this secondary internet connection? I use EIGRP for routing.

View 2 Replies View Related

Cisco :: Dual WAN With A 1811?

Feb 20, 2013

Basically, he has an office he's supporting on a contract basis, they have a cable modem uplink. They move very large (100MB or so) EXCEL files to/from a server "somewhere out there"... The place has 19 users on cable modem (presumably commercial level). They're having "severe latency due to all the users". They're also using VOIP (not sure what product, shouldn't really matter). This doesn't pass the sniff test to me - I have 70+ users on 4 T1s and don't have the problems they claim to be having. Suspect they should be doing some packet sniffing to see who's camping on Youtube, but this is not an option... They're adding in a second cable modem line and want to bind both together. I immediately figured they should do QOS, dedicate the mission-critical traffic to 1 line and let it bleed over onto the other and take precedence if necessary. They have a Cisco 1811 router. I haven't messed with those before, but what I am seeing is they are a "fixed-configuration router". Obviously there has to be SOME config changeable - if for nothing other than IP assignment to interface and such. So what does Cisco mean by "fixed-config"? Is this basically a dumbed-down Linksys router?

View 19 Replies View Related

Cisco VPN :: 1811 To ASA 5510 Dual Wan Vpn

Nov 9, 2011

I have two branch offices A & B both connected by a VPN. I am planning to add another ISP on both the locations and have it just for the VPN, i.e. have the second ISP do just VPN and all other traffic go through the older ISP. What are my options? I am not planning to add any extra hardware and also am not planning on achieving any fail-over or load-balancing because I know ASA 5510 does not do load-balancing.

View 1 Replies View Related

Cisco WAN :: 1811 / Dual WAN Ping Source?

Apr 1, 2012

I have an 1811 with 2 WAN connections, Fiber and ADSL (both Ethernet). I'm having a heck of a time getting traffic out the ADSL link. As it stands, I can ping the next hop 75.158.58.1, but no further. ping source FastEthernet1 times out to any external address nor can I NAT internal subnets out the interface. I'm really at a loss as to why, especially since I can ping

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

[code]...

View 2 Replies View Related

1811 Dual Wan Port Forward Configuration?

Nov 13, 2011

I'm trying to configure a Cisco 1811 with dual ISP internet connections. Everything is working fine till I get to setting up port forwards. The port forwards for the 2nd ISP do not work while the connection to the 1st ISP is active. If I shut down the connection to ISP1 the port forwards work fine.

Here's the relevant section of the config

Code:
track 123 ip sla 1 reachability
delay down 15 up 10
!
track 456 ip sla 2 reachability
delay down 15 up 10

[code]....

I can access the 192.168.2.131 web server using the ISP1 IP but not the ISP2 IP. If I shut down the ISP1 interface the server becomes accessible through ISP2. Also while ISP1 is active I can't remote desktop to 192.168.1.210. There are no ACLs, firewall zones or anything else.

View 3 Replies View Related

Cisco :: WS-SVC-SSL-1-K9 / ACE And SSLM Support Subject Alternative Name (SAN)

Jun 5, 2011

I want to migrate Exchange server to Exchange 2010, and I would like to know if ACE and SSLM support Subject Alternative Name (SAN).
  
1.   Can the current CSM (WS-SVC-SSL-1-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it.
 
a.       exchange.ww.edu
b.       legexchange.ww.edu.
 
2)      Can the new ACE( ACE20-MOD-K9) support SSL certificates that have Subject Alternative Names? I.e. a certificate that has both of these names in it:
 
a.       exchange.ww.edu
b.       legexchange.ww.edu

View 1 Replies View Related

Cisco Application :: CSS 11501 - Wildcard Certificate With Subject Alternative Names

Sep 6, 2012

I generated a wildcard certificate for my company of type *. [URL] in a CSS 11501. For the site [URL] it worked fine, for the site [URL] it didn't work. I read on the web that I should generate a wildcard certificate with subject alternative names. Is it possible in CSS? How can I do it?

View 5 Replies View Related

D-Link DCS-942L :: Change Subject Line Of Email Alerts That Are Sent?

Feb 8, 2012

Is there any way to change the subject line of the email alerts that are sent?  Right now mine are coming with the MAC address, date and time.  I would like to remove the MAC address and date and time so that I can sort them into one folder when I sort my email by subject.

View 7 Replies View Related

TP-Link Dual-Band Wireless :: TL-WDR4300 - USB Controller Can't Work After Latest Firmware Upgrade

Apr 13, 2013

Region : Denmark
Model : TL-WDR4300
Hardware Version : V1
Firmware Version : 3.13.23 Build 121225 Rel.37950n
ISP :

my TP-Link USB Controller after my latest firmware upgrade, and therefore my USB printer (connected to the router) does not function any more, and I cannot find new software for the Controller

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA5550 / ACS 5.3 - 22056 Subject Not Found In Applicable Identity?

Dec 5, 2012

I have a new ACS 5.3 configured and an ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."

I checked out the documentation and have already configured the Identity store sequences to redirect everything to the LDAP server. I also did the Bind test and it says that it is OK, but I still have the same problem.

I validated the Access Policies Menu, and tried to create a new Service Selection Rule, but when I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Error - 22056 Subject Not Found In Applicable Identity

Oct 6, 2012

I have two ACS v 5.2 (primary and secondary) and some users are in the internal store and the others are in the AD. The local site topology is like this:

PC - AP - WLC - ACS - AD

Authentication method is PEAP (EAP-MSCHAPv2) and all users have the company certificate installed. The OS on the client users is Windows 7. Users were working fine but some users report intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms. I believed it was because the user wasn't in the AD database, but sometimes the same user is authenticated successfully and other times I see the "22056...." or "24415...." alarms.

I switched the role of the ACS primary to work as secondary and we see the same alarms.

View 2 Replies View Related

Cisco Switching/Routing :: Nexus 5596UP Dual-sided VPC Design With Dual Connected

Feb 19, 2012

I would like to make a design with 4 Nexus 5596UP, 2 of them equipped with the Layer 3 Expansion Module so they can serve as the core layer and the other 2 Nexus used as Layer 2 for the aggregation server layer. The 2 Nexus in the core layer will run HSRP and will peer with the ISP via BGP for Internet connection. The 2 Nexus in the aggregation layer will be configured as layer 2 devices and have FEX and switches connected to them. What I am unsure of is how the vPC and port-channel configuration should look between the 4 Nexus. What I was thinking is to run vPC between the 2 Nexus in the aggregation layer and between the 2 Nexus in the core layer. Then I was thinking of connecting each Nexus in the aggregation layer to both Nexus in the core layer using port-channel and vice-versa.

View 3 Replies View Related

Cisco :: Dual SSID (with Dual VLAN) On AiroNet 1130?

Dec 17, 2012

how to change our wireless setup. Currently, we have 2 Cisco AiroNet 1130 WAP's in the office that go directly into the 2 POE ports on our Cisco ASA 5500. These WAP's have 1 SSID and are using WEP for security. After demonstrating the flaws of WEP to my boss, he has agreed that we should use something more secure and I've suggested WPA. We want visitors to our office to be able to hop on our wireless but on a separate guest SSID with WEP.
 
I'd like the internal SSID to route to the ASA and take the default route to the internet (it will be our new fiber connection once it's installed in a couple weeks). The default route is whichever connection is working since our ASA 5500 will fail over when it detects an outage.
 
I'd like the guest SSID to route to the ASA and then go over our existing cable connection. This connection will be our backup once the fiber connection is installed. Since we won't be using it very often, but will be paying for it, I advised that we send all guest wireless traffic over this connection since 50/5 is plenty for guests.
 
The current SSID (which will be the internal SSID) has no VLAN. We do currently have a few VLANs on our network, one for voice (.42) and one for data (.100) and the default (.0). What device do I create the VLAN on (Cisco 5500?) and how do I set up the WAP? I need very basic instructions to start and I'm also trying to do this without causing downtime if possible.
 
I've attached a diagram of what it should look like. Red indicates our internal network and Blue indicates the guest network. I can send screenshots as well.

View 2 Replies View Related

Cisco WAN :: Dual MPLS Routers Connected To Dual N5K Core

Mar 29, 2012

I wanted to ask a question about the diagram I have included.  We are bringing up 2 MPLS WAN connections and would like some specifics on the best design.  We are using BGP to the providers.  From there we have big questions.  We can run BGP internal and are licensed to do so on the N5K's.  The N5Ks are currently using HSRP for inside LAN clients as default gateway.  We want to load balance and provide redundant routes using a dynamic approach.  Should we use BGP internal utilizing the connections between the routers?  Should we use HSRP on the routers?  How best to get the routes to the N5K and should we be considering this?

View 5 Replies View Related

Cisco Routers :: VPN Configuration For Dual WAN On Dual RV042

Feb 21, 2013

I run 2 RV042 V1 for home and office with Gateway to Gateway VPN connection with single WAN connection in use. Everything works like a charm!
 
I was even able to create VPN connection with 2 WAN connection on one Router and 1 WAN connection on another with Smart link failover and VPN Tunel Backup.
 
I got problem though when i tried more complex connection diagram. [URL]
 
So basically I now have 2 ISP connections on each point with static IPs and I'd like the VPN connection to be alive for ALL 4 options automatically with failovers (smart links) and tunnel backups, but I'm not sure if that's even possible with my equipment.

View 2 Replies View Related

Cisco WAN :: 861 Router And DMVPN

Nov 24, 2011

There used to be Cisco 851 routers, but lately these routers are replaced with Cisco 861-K9 routers, and these 861 routers don't support DMVPN, whereas the 851 used to.

Is there any license file we can upload to the 861 router for DMVPN capability? If yes, may I know the SKU # for that? We have some customers having 6-7 locations and they are planning to have 2 more locations. We have already implemented DMVPN in their network; if we go with the 87X or 88X routers their price is almost double the price of the 861.

View 1 Replies View Related

Cisco :: 1941 / IP SLA In Combination With DMVPN?

Sep 5, 2012

I have a problem with my routers (Cisco 1941). I'm running a DMVPN network (hub and spoke). All the hubs are connected to the 2 hubs. With 4 tunnels. (Each hub has 2 interfaces to the spokes. The spokes only have one interface to the hubs, so I split them and so I now have 4 DMVPN tunnels.) One of the interfaces on a hub malfunctioned and because of that the customers had problems with logging in and sending packets. I made this kind of structure because when one of the tunnels failed the spoke could use the 3 others... BUT, what happened here was that the spoke still tried to use all 4 of the tunnels and because of that I had 25% package loss! So this didn't work. Now I read about IP SLA, but I was wondering if this could work? (I cannot test it on spare routers, and I don't want to implement it and risk a total network failure...) and how to configure it. Should I make 4 different SLA processes which I should all 4 track? And when I make the ip routes, how should I make or configure it so that when 1 of the tunnels/interfaces fails the spoke would adapt the routes?

View 1 Replies View Related

Cisco VPN :: 877 / DMVPN NAT And Port Forwarding?

Sep 11, 2012

I have a setup with two Cisco 877's – 1 for the hub and 1 for the  spoke. The hub has a static WAN IP and the spoke has a dynamic WAN IP.  The two sites are tunneled with DMVPN and cert auth for connections via  Cisco VPN Client (terminating on hub router). All routes between the two  sites work fine – I can see through both ends via LAN IPs and tunnel  IPs. I can connect externally through Cisco VPN Client and RDP into PC's  on the spoke end via local IPs.
 
My issue is: I want a port forward on the hub router, pointing to the  IP (172.16.1.X) of a device on the spoke end. So using the WAN IP of  the hub router, I can reach a host on the spoke side. At this point I  cannot get this to work and feel it's related to a NATing issue. Here is  my current config for both sites:
 
HUB Router:
 
!
crypto pki server vpn-ca
 database level names
 issuer-name CN=*** CA,OU=*** Services,O=***
 lifetime crl 336
 lifetime certificate 7305
 lifetime ca-certificate 7305
 lifetime enrollment-request 1000
 database url nvram
!
crypto pki trustpoint vpn-server
 enrollment url http://172.16.0.1:80
 usage ike
 serial-number none
 fqdn none
 ip-address ***WAN IP***
 revocation-check crl
 rsakeypair vpn-server 2048
 auto-enroll 70 regenerate
!
crypto pki trustpoint vpn-ca
 revocation-check crl
 rsakeypair vpn-ca
!

[code]....

View 1 Replies View Related

Cisco :: DMVPN Network - Hub Router Support?

Jun 27, 2011

I am trying to spec out some routers for a small DMVPN network. I was thinking 2801's for my hub routers. Will these run DMVPN out of the box or do they need additional hardware modules? According to the below link you need a "AIM-VPN/SSL-2" module in order for it to work, but then according to "The Cisco 2800 Series supports IPSec Digital Encryption Standard (DES), Triple DES (3DES), Advanced Encryption Standard (AES) 128, AES 192, and AES 256 cryptology without consuming an AIM slot."

View 1 Replies View Related

Cisco :: Maximum Vpn Connections In A DMVPN Solution

Sep 9, 2011

Building a DMVPN network with a 2911 hub router. Anyone have a clue how many simultaneous VPN connections can be used? The amount of transferred data is very small.

View 1 Replies View Related

Cisco :: Config DMVPN Between 2 Hub Location And One Spoke?

Nov 19, 2011

Suppose I have 2 hub locations and one spoke and I want to configure DMVPN between them and want to keep the 1st hub as active and the 2nd hub as passive. How is that possible?

View 2 Replies View Related

Cisco VPN :: Is It Possible To Run DMVPN On 7606 Without Ipsec Module

Apr 16, 2011

We have a 7606 router without any IPsec module on it, so I checked the IOS and it has all commands in interface tunnel for configuring the DMVPN multipoint tunnel and also the protection profile for IPsec! So I have this question: can we run DMVPN between this router and our WAN routers, which are 3845?

View 2 Replies View Related

Cisco WAN :: 1500 / What Router To Chose For DmVPN

Sep 10, 2012

What router would you choose to set up 1500 DMVPN tunnels (mGRE/IPsec)? So this router will be my hub and the hub will have 1500 tunnels. This router with this many tunnels will have to be able to provide excellent service to all spokes/tunnels. The spokes will mainly use the tunnels for business, transferring small files and some email. I would say they may transfer 500 megabytes of data per day but that's the absolute maximum.

View 4 Replies View Related

Cisco VPN :: 3825 Series DMVPN Scalability

May 31, 2011

I have three Hub routers for which I'm wanting to compare DMVPN scalability capabilities (3825 versus 3945 and 3845).  I know it must be there somewhere and I'm just not looking in the right place.  But I've read and read and read about DMVPN designs and I'm not finding anything.  This is turning into a time killer. What are the DMVPN limitations of these three routers?

View 6 Replies View Related

Cisco VPN :: 65335 DMVPN Crypto Map Priority

Feb 27, 2013

New to the forum and not much Cisco IOS experience let alone on the security side of things. I know how to navigate the IOS and can do basic switching and routing just fine. My company currently has a DMVPN setup w/ about 10 tunnels going back to the hub. We have 4 more sites they want me to setup and I keep getting stuck at the crypto maps. I have been reading about VPN's, DMVPN's , etc. for days now but can't find any examples of how we are configured. The priority of our crypto maps start at 65536 and go up. Default max is 65335 from what I have read, and I cannot assign a priority that high statically. [code]

View 3 Replies View Related

Cisco VPN :: Configuring DMVPN With 2 ASR1006 Routers

Jun 7, 2011

I'm trying to configure a DMVPN architecture with two ASR1006 routers to serve a bank's remote offices, one ASR in the CO building and the other in the CA building (CO: Operational Center; CA: Recovery Center). Each ASR has two LAN connections to the internal network and two WAN links to the remote offices.  Each WAN link belongs to a different provider. Each remote office has a router with two WAN links connected to those WAN providers. We are configuring the DMVPN considering two primary tunnels in the CO building and two failover tunnels in the CA building. We made the configuration (schemas and configuration attached) but we only get two tunnels up at a time.  We cannot ping from the office router to the four tunnel interfaces in both hubs.

We made some tests disabling some tunnels and we could get communication only with two tunnel interfaces. We got communication through the tunnels when we have just two. We want to have the four tunnels for high availability. We would like to know how to troubleshoot and make a design review because the examples and documentation are very limited.

View 1 Replies View Related

Cisco VPN :: 2901 Router - DMVPN Is Not Working

Apr 15, 2013

Trying to set up a DMVPN on our existing equipment that is currently running all point-to-point VPN connections. Basically it's not working. My best guess is something with the config is interfering but I'm not sure. The remote router (881) is always coming back with MM_NO_STATE and the main router (2901) is either MM_NO_STATE or MM_SETUP.

I added the config for the 881, 2901 and a debug crypto isakmp and debug crypto ipsec from both routers. I have verified the keys are correct and it is not blocking port 500. If I issue a sh crypto isakmp policy they are the same on both routers.  If you need me to post anything else I will. One note: I removed the configs that were part of the point-to-point tunnels on the 2901 router.

View 3 Replies View Related

Cisco :: 7200 - DMVPN / QoS / Multicast Support

Apr 1, 2012

Is DMVPN supported on  Cisco 7200 XVR NPE-400, and would the NPE-400 module support QoS, multicast etc. I found an old doc mentioning DMVPN and this specific module.

View 1 Replies View Related

Cisco VPN :: Recommended IOS For DMVPN 3900 Series

Jan 1, 2013

I am setting up a DMVPN between several dozen sites using 2800, 2900 and 3900 series ISRs.  The DMVPN Design Guide recommends current 12.4 or 12.4T IOS, but the DG was last updated in July 2008.  I cannot seem to find any recommendations newer than this.  I'm hoping Cisco or the community can give me an updated recommendation.

View 5 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved