Cisco VPN :: 2800 / Tunnel Is Not Forming Between Hub And Spoke?
Jan 12, 2012
I am trying to set up a tunnel connection between two 2800 routers A<->B
1) destination ip is 204.x.x.x (ROUTER A)
2) source ip is 166.x.x.22 (ROUTER B)
Router B has the modem connected to GE0/1, whose interface ip is 166.x.x.22. The ip forward-protocol nd is configured as below
ip route 204.x.x.x 255.255.255.255 166.x.x.21
Also tunnel 1 configuration and isakmp policy are configured properly. When I run show crypto isakmp sa it shows MM_NO_STATE. I checked the preshared key on both ends and they are the same. Whenever I remove the ip address of the interface Ge0/0 and the ip route, I can ping 166.x.x.21, which is the modem gateway. When I revert back to the above configuration, the ip 166.x.x.21 cannot be pinged, though the dsl connection is live. Ways to fix this so that I can make this tunnel state QM_IDLE?
I've come across a weird ospf issue between my routers connected via a layer 2 service provider link, details as below. We have a base station router for satellite termination at the service provider end connected via a Layer 2 vlan link to a head end C3945. The current interface for the head end is a layer 2 vlan and the layer 3 ip address lives under a sub interface, config as below
Just a little bit of info on the setup I am TRYING to run:
1) Laptop connected to my router via wireless
2) Xbox 360 connected via ethernet port to Laptop
3) Forming a bridge between wireless and LAN to give 2 access to the internet whilst 1 is able to maintain access.
Foreword: I've tried using ICS beforehand because it was a simple alternative, had problems with it and got IP address errors on 2. When it did work, it worked exactly how I wanted/needed it to. (Was very unreliable.)
Goal: Have constant wireless access to 1 and be able to turn off/ on 2 and have access to internet without any problems.
Problem: So I am able to bridge the two connections just fine and I maintain internet on both, but when I turn off 2 the wireless drops and will stay at "Identifying" for hours and will either A) completely drop and not connect or B) stall at identifying.
The way I have been able to get wireless back on 1 is to delete the bridge I formed and un-bridge my wireless. At that point my wireless comes back instantly and there are no problems. The thing is I don't want to have to repeat the process every time I want to use 2. With ICS it was "Plug and Play" when it worked, and that's my goal: to plug in the ethernet cord via LAN and be able to use 2.
I'm setting up a L2L VPN Hub and Spoke. I have 3 sites (1 HUB and 2 SPOKES).
HUB-----------SPOKE1
 |
 |
 |
SPOKE 2
HUB and SPOKE 1 is okay. My problem is the communication between HUB and SPOKE 2. PING failed in both directions. BTW, I am simulating this only in GNS3. :-) The configuration for HUB and SPOKE 1 is the same as for HUB and SPOKE 2.
Here is my show isakmp sa and ipsec sa on HUB:
ciscoasa# sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Suppose I have 2 hub locations and one spoke and I want to configure DMVPN between them and want to keep 1 HUB as active and the 2nd HUB as passive. How is this possible?
I currently have a "hub" ASA 5505 that links to 4 sites running 877 routers. From the hub network I can connect to all sites fine, but what I would like to do is to almost compartmentalise the various VPN links into little clusters. The hub ASA 5505 basically provides IP telephony through the VPNs from a PBX, allowing the users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites would like to be able to call between each other internally via the hub. This obviously requires traffic to be allowed between their various networks. Currently when you attempt an internal call it rings but there is no audio either way. I assume this is due to access list restrictions. I am not even sure whether what I am trying to achieve is possible. I've attached the hub and 2 spokes below. The ideal end result would be interconnectivity between the two spokes via the hub; from reading up it would seem that it's possible but I can't quite get my head around it! Would it involve using different subnet masks at the hub?
I want to build a "hub and spoke" topology for one of my clients. For the "HUB", I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL. For the "spokes" (21 at the moment), I'm planning to use RV120. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP. The boss will connect to the HUB using Cisco VPN client, or QuickVPN, and get access to all the spokes. Some spokes will have to connect to each other, via the HUB. I searched a long time on this forum and read documentation, but I haven't yet found the answer to my question: is this topology suitable with the chosen hardware?
HQ-HUB is the only site with access to the Internet.
So if Site1 or Site2 or Site3 need to access the Internet, traffic will have to go through HQ-HUB and from there reach the Internet. I have 2851 routers on the spoke sites. Which command or mechanism would you explore in this case to make the spoke sites point to the HQ-HUB to reach the Internet?
Would you do this based on DNS settings, or by getting an access-list and static route defining when the spoke routers' traffic needs to go to the internet, pointing to the HUB-HQ as the default?
I am having real problems trying to build resiliency into a hub and spoke frame relay scenario. I know the hub is a single point of failure. Is there any way to put some resilience into the network? There are 4 attached branch offices.
I'm trying to set up 3 remote access groups on an ASA5520 running version 8.4(3) software so that remote clients connected via Cisco VPN Client can also access spoke networks which are also connected to the ASA. I've previously set this up on ASAs running v7.2 software without issue but don't seem to be able to do the same here and can't for the life of me figure out what's wrong!
My remote access user groups can all connect to the head office subnet (10.0.0.0/8) without issue. But only one of the groups (192.168.1.48/28) appears to be able to access the spoke sites (172.30.10.0/24 and 172.30.20.0/24) that I have set up. However, I can't see what the difference is between the 3 groups I have configured, so can't understand why it works ok for one group and not the others?
When I use the packet tracer, it tells me that the flow is being dropped at the VPN encryption phase but why is that? How can I find out more? Here's the relevant config on my ASA:
!
same-security-traffic permit intra-interface
!
crypto dynamic-map remoteuser 5 set transform-set ESP-3DES-MD5
crypto dynamic-map remoteuser 5 set security-association lifetime seconds 28800
crypto dynamic-map remoteuser 5 set security-association lifetime kilobytes 4608000
!
crypto map outside_map 65000 ipsec-isakmp dynamic remoteuser
!
ip local pool pool1clients 192.168.1.49-192.168.50.54
ip local pool pool2clients 192.168.2.1-192.168.2.126
ip local pool pool3clients 192.168.3.1-192.168.3.126
!
access-list split-tunnel-pool1 standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel-pool1 standard permit 172.30.10.0 255.255.255.0
access-list split-tunnel-pool1 standard permit 172.30.20.0 255.255.255.0
!
access-list split-tunnel-pool2 standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel-pool2 standard permit 172.30.10.0 255.255.255.0
access-list split-tunnel-pool2 standard permit 172.30.20.0 255.255.255.0
!
access-list
Is there any suggested upper limit to a single EIGRP hub-and-spoke design (i.e. with a single central router)? The router is a 2900 ISR. I'm vaguely aware of a similar design limitation with OSPF areas, where no single area should contain more than 40 - 80 routers.
I'm working on a new DMVPN configuration with one 3745 at the hub site and a 1941 at the spoke. I have internet through GSM for the primary line at the spoke and a DSL line for backup at the spoke. I have one tunnel interface on both the hub and the spoke. Currently my VPN tunnel is coming up fine; however, we are planning to do an ISP failover at the spoke side. Since in the tunnel interface I can only define one "tunnel source interface", which is the GSM cellular interface, I don't know how to use my other ISP for the same tunnel interface, as it will always initiate traffic from GSM.
Do I have to create another tunnel interface to the same hub site, or do I need another hub as backup? Is there any other way, such as creating a loopback interface and initiating the traffic from that loopback?
I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPv3 tunnel. Which method consumes more CPU?
I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct configuration? The current configuration I am using is:
In the RV042 I am using
Check Enable Local Group Setup Local Security Gateway Type: IP Only IP Address: RV042 Public IP address
There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for if an account is not found to "Continue"; however, this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).
I have two CISCO 2800 routers tied together over a Metro Ethernet between an HQ location and a Colocation facility. There are multiple subnets on both sides of the MAN. All things work in this regard.
I added two new Interfaces to the routers to create a VPN failover should the above MAN go down. I use IP SLA to track the MAN, then move to the VPN route when reachability is down.
I can source ping from one CISCO router Interface to the other, through the two interfaces to the Sonicwalls and reach the router interface of the CISCO on the other side of the VPN tunnel.
Problem: I can not ping any subnet behind the interface I ping through the Sonicwall VPN tunnel?
Example: 2800 G0/2 interface 100.1.1.41 /30 through Sonicwall over Internet to the other Sonicwall and out of the G0/2 100.1.10.41 /30 interface on the other 2800 router. Ping is fine.
I am having an issue with a VPN tunnel in that we can only establish this from the VPN 3k side to the 2800 and not from the 2800 to the VPN 3k. The setup is as follows: [code] I am awaiting the logs from the VPN 3k but here are the debugs from the 2800. [code]
We have a new office and have a 2800 router as a WAN router; it has a 3G card and a DSL link. We have an ASA which has to be configured to the 2800 router. We want the ASA to have a VPN link with the primary site over DSL, and if DSL fails it should automatically fall back to 3G. What do we really need and how would it be done in terms of IP addressing? Do we need any special IP from the service provider?
I have a Cisco 2800 router. I have been noticing a lot of traffic to Pandora lately. At times my pipe is 25% music streaming and my router utilization can be quite high. Our web filtering is a hosted service that does not block all traffic depending on some of the ports. It is really designed for port 80 and 443 only.
We decided we want to block access to Pandora completely on both our primary internal LANs and our Guest wireless LANs.
When I perform the ARIN lookup, I get these results for the IP range:
The CIDR notation does not make sense to me entirely. The IP range includes 8 class C networks. The /21 is a class B subnet of 255.255.248.0 or a router broadcast address for routing tables (depending on how you want to look at it). I was not sure if I could block the address based on the router CIDR range or if I had to use the individual classful IP ranges.
Should I block "208.85.40.0 0.0.7.255" in my ACL, or should I create 8 entries to block the networks like this?
I am operating a 2800 series Cisco router. The router is working fine except that I am not able to SSH into the router. I have checked the running config against Cisco's documentation and every line is correct. Prior to me getting this job they did an update and I think they have corrupted the certificate key for SSH.
Is there any command to generate just the SSH key and not all the other keys, which would cause bigger connection issues?
I have 2 2800 series routers configured the same, but with different subnets. One works fine; on the other the client can't obtain an IP, and when hardcoded, can't ping.
I ran DHCP debug and I can see the router assigning the IP, and I see an ARP entry that matches the MAC of the client.
We have a customer in the UK who is starting to deploy ADSL2+ circuits for the new sites they are adding to their BT IPClear MPLS network. We want to standardise on a config for each site, but to date have found that we seem to be using a different config for each site. Some are configured using a dialer interface and some using a virtual template.
Why on some of the sites does the virtual template method work while on others we have to configure a dialer interface? Also, in regards to the speeds, what should we configure as bandwidth statements and also for traffic shaping? I know that the ADSL2+ circuits can operate at various speeds, but am I right in thinking these higher speeds are the clock rate of the line, and with the BT IPClear product the customer only gets the agreed/paid for bandwidth?
As this figure is different in both directions, when the traffic shaping is configured using the vbr-rt command, is the amount entered based on the slower upstream bandwidth of the circuit?
The local LAN is connected with a Cisco 2800 router and an SRX 210 firewall. Currently all LAN segments go to my Data Center via ISP A and all internet traffic from the LAN segments goes to the internet via the SRX firewall; there is no relation/connection between the Cisco router and the SRX firewall. I have separate AS numbers for both ISPs.
I have the attached scenario. Based on the current one I would like to do the following.
1. I need to use PBR at the LAN switch (it's an L3 switch) such that in the normal scenario local VLAN traffic is equally distributed over both ISPs.
2. Dedicated internet traffic will flow through ISP B only, and if the WAN link of ISP B goes down, the internet traffic will pass through ISP A.
(In the normal scenario, ISP A will be utilized 100% for LAN traffic to reach the DC, but once the ISP B link goes down, the bandwidth of ISP A will be divided to route 50% of the traffic for the LAN segment to the DC and the remaining 50% of the LAN segment traffic to the internet.)