Cisco VPN :: 1841 / L2L - Tunnel Does Not Getting Up From One Direction

Mar 13, 2012

We have configured an L2L VPN between an ASA and an 1841 router. We are facing this issue. The tunnel never comes up from the 1841 site. When we generate traffic from the ASA site, the tunnel comes up and we can see decrypted and encrypted packets.
 
Router 1841 Config:
 
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 213.249.XX.XX

[code].....

View 4 Replies



Cisco VPN :: SRP527W IPSec VPN Tunnel Works One Way / Can Ping Other Direction Too

Aug 2, 2012

I have an IPSec tunnel that is working in one direction. Below is the router config from the side that can connect to the other side perfectly. I believe the issue is with this router, as while I was waiting on delivery for the ASA I had an SRP527W sitting in its place and had exactly the same problem. On one side I have an 887VA router and the other an ASA5505. The network behind the 887VA can access the remote site perfectly; backup services are traversing the link, as are web interfaces for applications. In the other direction I can ping hosts but cannot connect. What else is interesting is that if from the remote site I attempt to connect to a particular device that performs a port redirect, the remote site browser gets so far as being redirected to port 5000 but then hangs.
 
I am seeing some very generic packet drop debug notices on the 887VA on the NAT-ACL access list, but I think this is as it should be, as it is dropping the tunnel traffic from the NAT'ing. The config for the router is here; I will post the ASA config when I get to the other site shortly, but I am convinced the issue is on this device; all the crypto configurations match. I have looked at the MTUs on each side; the path MTU on both sides is 1492. The ASA does say the media MTU is 1500 but I believe that is the ADSL link so shouldn't matter? I even went so far as installing CCP and testing the VPN. It says the tunnel is up. It did state a failure: A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets. [code]

View 1 Replies View Related

Cisco WAN :: 1841 - Can't Ping To Up Tunnel

Apr 8, 2013

I have created the tunnel interface on a Cisco 1841 router. The tunnel is up but I can't ping its interface IP; the ping drops.

R1#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Tunnel10                   10.10.10.1    YES manual up                    up

[Code]......

View 4 Replies View Related

Cisco VPN :: GRE Tunnel Between 891 / K9 And 1841 Router

May 16, 2011

I'm trying to make the VPN session using an mGRE tunnel between a Cisco 891/K9 and an 1841 router. There is a fixed IP address on the 1841 router, and the other one doesn't have a static IP from the ISP. In this case, I'm going to use DMVPN. The problem is, after completing the configuration, the tunnel interface of the 1841 router will be seen like this.
 
-status: reset
-protocol: down

View 1 Replies View Related

Cisco VPN :: 1841 SSL VPN Full Tunnel Using AnyConnect

Feb 17, 2012

I need to work with the full tunnel feature of the IOS SSL VPN using a Cisco 1841. Here is what I see...
 
-I log in to the portal page and click the "Start" button for "Tunnel Connection (SVC)"
-Security Alert message "This page requires a secure connection which includes server authentication. The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?" I click yes.
-Anyconnect says "Please wait while VPN connection is established"
-Anyconnect error "The certificate on the secure gateway is invalid. The VPN connect will not establish"

View 10 Replies View Related

Cisco VPN :: 1841 - IPsec Tunnel Two Way Traffic

Oct 23, 2012

We are currently experiencing a problem on an IPSEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
 
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
 
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the PIX, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings, most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the PIX to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network, as we cannot get a Wireshark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem, but we have checked and double checked the configuration and can't see anything.
 
TROUBLESHOOTING SO FAR
 
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network. 
2. Have tried various NAT entries. 
3. Have removed and then recreated the VPN tunnel from a fresh start. 
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
 
The tunnel is fully up at all times and as we say can ping in both directions.

View 7 Replies View Related

Cisco VPN :: 1841 - Not Encrypting IPSec Over GRE Tunnel

Jul 15, 2012

I'm trying to configure IPSec over a GRE tunnel, but the traffic passes unencrypted, and I can't find why this is happening. Here are the configs of the two routers (1841).
 
OFICINA#sh run br
Building configuration...
Current configuration : 1281 bytes
!
version 12.4
service timestamps debug datetime msec

[Code].....

View 4 Replies View Related

Cisco WAN :: 1841 / Packet Drop In Ipsec Tunnel?

Oct 23, 2012

I have an 1841 router connected to an ISP (currently SDSL EFM 10Mbps through an ISP modem; the router and the modem are connected with a FastEthernet interface). On another location I have a Linux server. There is an IPsec tunnel (3des-sha esp) between the router and the Linux server (actually done with a crypto map). The router has a hierarchical QOS policy on the egress interface. When sending traffic from the network inside the router to the Linux host without the IPsec tunnel, everything is working fine and throughput is correct. When sending traffic from the inside network to the Linux host internal IP through the IPsec tunnel, some packets are lost and the traffic throughput decreases. When sending traffic through the tunnel in the reverse direction (from the Linux host to the internal network), everything is fine. I looked at the QOS statistics and the dropped packets counters don't increase. I looked at the egress/ingress interface statistics and no packets dropped there. I lowered the MTU on the egress interface, but it didn't solve the problem. I played by sending various ping ICMP packet sizes, but even small packets are sometimes lost. I tried to check the router CPU, but it seems relatively fine (<= 10%). I captured the traffic on both sides, and I see the packets emitted, and then I can see that some of the ESP packets of the corresponding side are not received, so it looks like the Cisco router is the culprit. This 1841 router is running: 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T4. How can I troubleshoot where and why those packets are lost?

View 0 Replies View Related

Cisco WAN :: 1841 VPN Tunnel - Cannot Access Remote Lan From Router

Dec 15, 2010

I can ping across the tunnel from the PCs on either end of the tunnel, but I can't ping across the tunnel from the routers. If I ping using the source command using the LAN interface, the ping is successful.
 
The reason I need this is for the remote router to be able to look up the head office server for DNS, WINS and LDAP.

View 4 Replies View Related

Cisco VPN :: 1841 IPsec Tunnel Protocol Down After A Minute?

Apr 23, 2013

I have a strange issue where I'm able to get an IPsec tunnel from the Cisco 1841 to a Linksys/Cisco RV016 and ping/encrypt packets across the link for about a minute before it goes down. I tried various configurations and it all results in the tunnel coming up for a minute then going down. I'm not sure if I'm hitting a bug, and on which device, or if I'm doing something wrong.
 
RV016 firmware 2.0.18
cisco 1841: (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T
 
my config
 
no crypto isakmp default policy
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

[code]....

View 3 Replies View Related

Cisco WAN :: 1841 / Can't Ping Every Machine Across GRE Tunnel To Remote Subnet

Apr 7, 2011

I have a GRE tunnel across my head office and remote site with multiple subnets using Cisco 1841 routers. I can ping most of the devices on the remote side, but I cannot ping certain devices. These devices respond to ping requests on the local LAN, but not through the WAN link. If I change the IP of a device, then it starts responding. I am using the same gateway and mask on these devices. The remote site is running classic STP on switches with the distribution switch being the root bridge.

View 4 Replies View Related

Cisco WAN :: 1841 - Duplicate Multicast Packets With DMVPN Tunnel

Mar 21, 2013

I have a setup where a spoke (cisco 1841) is sending a multicast feed to a hub (cisco 2951) via a DMVPN tunnel on the Internet. The feed arrives on interface fa0/0 of the cisco 1841 and is forwarded to the tunnel interface.  It is about 160,000 kbit/s and 18 pps. This always looks the same:
 
cisco2951-1-hub#sh run int tu10
!
interface Tunnel10
description DMVPN TUNNEL

[Code]...

View 5 Replies View Related

Cisco Switching/Routing :: 1841 Tunnel Without Default Gateway Not Connecting

Feb 12, 2012

I'm trying to configure an IPSEC VPN + tunnel for multicast data. When the default gateway is set on the router (1841) it works fine but if I only set a route to the IPSEC peer via our gateway then the tunnel fails to come up. The end point is to a 3rd party. [code]
 
I found that if I add a static route for the tunnel destination via fa0/0, the public facing interface, the tunnel comes up:
 
ip route 10.23.4.2 255.255.255.255 FastEthernet0/0
 
and I can then ping the tunnel IP at the far end - 10.23.0.5. Why would that be? Is there a better way to do this without using a default route?

View 4 Replies View Related

Cisco VPN :: 1841 And 2811 Routers - Site To Site Tunnel

Apr 26, 2013

I have 2 Cisco routers, an 1841 and a 2811. I need to set up a site-to-site VPN, but I don't know, somehow it just does not seem to be working.
 
Find attached the Configuration along with the
      
<----- 172.31.1.0/24----- DG:172.31.1.1>Cisco 2811<Dialer1 -----//Internet//----------Dialer1>Cisco1841---< DG:10.236.5.254-------------- 10.236.5.0/24--->
 
Find attached command executed on each router in the below order
 
1) show ver
2) Show run
3) show logging
4) show crypto ipsec sa
5) show crypto isakmp sa
 
Debugging enabled on the routers:
1) Debug Crypto Isakmp
2) Debug Crypto Ipsec

View 2 Replies View Related

Cisco Security :: Fan Direction In ASA5510

Jan 16, 2012

I've been using a couple of ASA5510s for a few years in a few datacenters, and I wonder about the following:
 
Usually the ASAs are positioned with the connectors facing the back of the 19" cabinets, so one can easily connect the device to other networking hardware. In many datacenters nowadays, cold corridors are used, which results in a forced airflow through the cabinet, which is empowered by the fans in the servers themselves. But the ASAs are permanently blowing air in the opposite direction, and are also taking the air from the part of the cabinet where the air is as hot as it gets.

Is it a good practice to open up the ASA and flip the fans 180 degrees to solve this?

View 3 Replies View Related

Cisco Wireless :: 1262 - Antenna Direction On AP?

Aug 19, 2012

I have to replace a 1230 with a 1262 AP.
 
All antennas have to be in the same direction on the AP, and I guess when the old 1230 is working well the 1262 will be only better. Attached you see how I plan to mount the new AP versus the old one...

View 7 Replies View Related

Cisco VPN :: Catalyst 2911 - S2S VPN Only Works In One Direction

Jun 5, 2012

I'm very new to Cisco devices but we recently acquired a catalyst 2911 device for our co-lo cabinet and I am trying to get a site-to-site VPN connection working between the facility and my office's network, as well as a remote access VPN for me to use in case I have to fix something while outside of the office.
 
The office's gateway is 66.119.163.2 and the device is a TZ210 with its LAN network being 192.168.1.0 /24
The co-lo's gateway is 204.244.50.254 and the device is an ASR 2911 with its LAN network being 10.0.10.0 /24
 
The S2S VPN connection is up between the two locations, and the 2911 device and the servers within its LAN can ping and RDP to the office's machines. The office network can only ping the LAN interface IP on the 2911, which is 10.0.10.1, but not the servers in the network. The site-to-site VPN was set up with the CCP wizard.
 
How can I allow the 192.168.1.0/24 network to see the 10.0.10.1/24 network and why do I only currently see the gateway?
 
If need be I can post my running-config file with the preshare keys redacted. 

View 8 Replies View Related

Cisco VPN :: 857 / EzVPN Sometimes Ping Only In One Direction Or Interface

Jan 14, 2013

I have lots of 857 routers in the field, mostly with the latest OS - 12.4(15)T17, making ezVPN connections to a 2951 with 15.1(4)M5. All the 857s have loopback and VLAN interfaces similar to:
 
interface Loopback0
ip address 50.43.8.1 255.255.255.255
ip tcp adjust-mss 1452
end

[code]....
 
Now lately, for some reason or other, we have instances where I can ping either the VLAN or the LOOPBACK interface, but not both. Or I have instances where the 2951 can ping all the interfaces on the 857, but the 857 cannot ping the 2951. Or I have instances where the 2951 cannot ping the 857, but the 857 can ping the 2951. The way I have been fixing this is either to add crypto ipsec client ezvpn SMS_VPN inside to the loopback interface, or if it is there already to remove it. This usually works for a few days, but then suddenly I have to reverse this again. If that does not work then I usually do lots of clear crypt sess and/or clear crypt ipsec client ezvpn on the 857, or clear crypt sess remote 857_ip_address from the 2951, and then suddenly it starts working again.

View 1 Replies View Related

Cisco Firewall :: Can Only Access Polycom In One Direction ASA 5510?

Apr 11, 2013

Using packet tracer I get an error saying:

Config
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (matching global)
translate_hits=45236, untranslate_hits=0
 
I cannot access my Polycom unit on 172.20.16.8 via 10.20.60.8. Below are my results of show run. Result of the command: "show run"
 
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa-stt
domain-name stt.vidol.gov
enable password qXcSIHaSa9B75GQC encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

[code]....

View 1 Replies View Related

Wrt54gl - LAN Speed Desktop To Laptop Much Faster Than In Other Direction

Jul 20, 2013

If I copy a file from my desktop to my laptop, the speed is usually 3 or 4 times faster than if I go in the other direction.

Desktop is connected to the router by a cable, laptop is wifi.

If I connect the laptop with a cable, speeds are fast both directions.

Router is a wrt54gl with dd-wrt. Both machines running Win7

Why would this happen? How can I identify the problem and fix it?

View 2 Replies View Related

Cisco Wireless :: Aironet 1310 Bridge High Retries One Direction

Aug 15, 2011

We are experiencing a high amount of retries in one direction between two 1310 bridges with external yagi antennas.  What would this indicate?  Here is a copy of the linktest:
 
POOR (102% retries)   Time   Strength(dBm)    SNR    SNR     Retries
                      msec     In    Out       In    Out     In    Out
Sent: 5000, Avg          5    -66    -64       31     45   Tot: 56  10149

[Code]....

View 2 Replies View Related

Cisco Routers :: RV08 Port Direction And Remote Admin Do Not Work Either

Dec 27, 2011

I know some business routers need to be registered to have certain functions work. I have gone through the knowledge base and there seem to be a few with my issues. Sadly I have been doing IT since 86 and playing with larger Cisco boxes for over a decade. So that's a little of my background; I also have a MCSE (W2K), A plus, Net Plus etc... so I know it's got to be something stupid that I missed or something wrong with the router. It was purchased new just before the holidays and I tried calling the posted Cisco number and the auto phone wanted a PO agreement before it would connect me. OK, so all I need to do is port forward two ports (3389 and 82), same ports internal and WAN side. The internal is being sent to two different IP addresses, one per port config. So I did set up the UPNP, set up the service as enabled, and really looked in the knowledge base to see if I was missing something. So I left the site, although just before I left I set up the remote admin login from the WAN side. This does not even pick up. There is no other firewall between the device and the internet except for the T1 dmark.
 
This is a RV 08 new router so need a phone number for small business cisco for new products. I miss those good ole days where everything you needed to open and forward a port was located in one area in a router firmware setup.

View 2 Replies View Related

Cisco Switching/Routing :: 3845 - Get Full 1000mbps Speed On GE-DCARD-ESW Both Direction?

May 21, 2013

I have an NM-16ESW card installed in one of my 3845 routers. Below is the sh inventory output.
 
NAME: "16 Port 10BaseT/100BaseTX EtherSwitch", DESCR: "16 Port 10BaseT/100BaseTX EtherSwitch"
PID: NM-16ESW          , VID: V01 , SN: FOC11482484
 
NAME: "Gigabit(1000BaseT) module for EtherSwitch NM", DESCR: "Gigabit(1000BaseT) module for EtherSwitch NM"
PID: GE-DCARD-ESW      , VID: V01 , SN: FOC11454FW6
 
Can the Gig port available here be used for uplink? I found the following comment at

[URL]...
 
"GE-DCARD-ESW: This optional 1000BaseT Gigabit Ethernet port for NM-16ESW and NMD-36-ESW can be used for a gigabit connection for a file server or for intra-chassis stacking of the Cisco EtherSwitch module. Stacking is supported in Cisco IOS release 12.2(11)T and beyond"

View 1 Replies View Related

Cisco Switching/Routing :: Sup32 Upgrade On 6509 - Priority Command Not Supported In Output Direction For This Interface

Nov 15, 2012

I have 1x Cisco 6509 with Sup2 and MSFC2 and it is running IOS (c6k222-jk9sv-mz.122-17d.SXB11). I have the following policy map:
 
Policy Map VOIP
Class IP PHONE
priority percent 75
 
and the following command on each interface: service-policy output VOIP. Those configurations are working fine on SUP2 with MSFC2, but last week I tried to upgrade the SUP2 to SUP32 on the switch and upgrade the IOS to the latest version (s3223-adventerprisek9-mz.122-33.SXJ4). When I try to put service-policy output VOIP on each physical interface I am getting the following error:
 
"Priority command is not supported in output direction for this interface"
 
and when I try to add service-policy output VOIP on a VLAN interface I am getting the following error:
 
"MQC features are not supported in output direction for this interface."
 
Will I need to change something after upgrading to SUP32?

View 3 Replies View Related

Cisco VPN :: RV220W Site-2-site VPN Works Only In One Direction?

Jun 1, 2012

For the purpose of a remote backup between 2 QNAP NAS devices, I have set up a site-to-site VPN using 2 Cisco RV220W routers. Although the VPN connects just fine, I can only access network B from network A, but not the other way around. I believe it could be related to IP ranges/subnets.
 
-IPSec VPN connects successfully (IPSec SA Established)
-From network A I can connect to any device on network B (qnap smb, ssh, cisco web interface, printer, laptops, etc)
-From network B, I can ping any device on network A, I can access the cisco web interface from network A, and nothing else.
 
If I try to access the web interface for the QNAP on network A from a device in network B, no luck, it seems to hang. I also tried issuing a wget command from the QNAP (ssh) on network B to fetch the web interface of the QNAP on network A, and it says connected, but then hangs. I've tried lots of different settings (creating static routes, dynamic routes, changing subnets, etc), but without any luck.

View 0 Replies View Related

Cisco WAN :: 7201 Option To Send All Traffic Through GRE Tunnel / L2TPV3 Tunnel

Jan 9, 2011

I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPv3 tunnel. Which method consumes more CPU?

View 1 Replies View Related

Cisco WAN :: 1941 Router - Enable IPSec Virtual Tunnel Interface With Tunnel Mode IPv4

Sep 23, 2012

I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?

View 4 Replies View Related

Cisco Routers :: Set A VPN IpSec Tunnel GW To GW Tunnel Between RV110W

Oct 17, 2012

I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02).
 
What would be the correct configuration? The current configuration I am using is:
 
In the RV042 I am using
 
Check Enable 
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address

[Code].....

View 3 Replies View Related

Networking :: To Tunnel All Routers Traffic Through SSH Tunnel With WRT300n

Jul 24, 2012

Environment: Linksys WRT300N v1.1, which can have ddwrt-mega. Willing to tunnel all of the LAN's outbound traffic through an SSH tunnel.

View 2 Replies View Related

Cisco VPN :: Tunnel With WRVS4400N Need To Push 2 IPs Through Tunnel?

Jan 23, 2012

There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for if an account is not found to "Continue"; however, this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).

View 2 Replies View Related

Cisco :: DM Vpns On 1841

Feb 1, 2013

I am putting a pre-labbed DMVPN hub config onto a production 1841. We had to upgrade the IOS to support protection with NAT, so the current IOS we're running is c1841-adventerprisek9-mz.124-25g.bin. I can paste the configuration in fine (via the tunnel interfaces) and the router accepts it; however, the 'show dmvpn', 'debug dmvpn' and other related commands don't work. I have checked the IOS feature navigator and it definitely shows that DMVPN phase 1 and 2 are supported in this image.

View 5 Replies View Related

Cisco :: 1841 Can't See Console

Nov 17, 2012

I have an 1841 router and I can ping the f/0 port from my PC. However, when I try to console to it, it is not showing anything but a blinking cursor. I tried all different baud rates on my Tera Term but still no luck. I picked the baud rate, disconnected and reconnected every time, and still nothing. Then I tried to telnet to it using Tera Term but it would just open a console window and then close.

View 10 Replies View Related

Cisco WAN :: NAT Does Not Exist Twice On 1841

Apr 28, 2013

I have a Cisco 1841 router and I configured a NAT inside from the router to the firewall like this: ip nat inside source static firewall_adresse public_adresse, and it works fine. When I added it I ran the command "wr" to save the configuration, and I restarted the router many times and it still works fine, but in the last five months this NAT has gone missing twice and I had to add it again.

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved