Cisco VPN :: 2800 / Tunnel Is Not Forming Between Hub And Spoke?
Jan 12, 2012
I am trying to set up a tunnel connection between two 2800 routers A<->B.
1) Destination IP is 204.x.x.x (ROUTER A)
2) Source IP is 166.x.x.22 (ROUTER B)
The router B has the modem connected to GE0/1, whose interface IP is 166.x.x.22. The ip-forward-protocol nd is configured as below:
ip route 204.x.x.x 255.255.255.255 166.x.x.21
Also, the tunnel 1 configuration and the isakmp policy are configured properly. When I run show crypto isakmp sa it shows MM_NO_STATE. I checked the preshared key on both ends and they are the same. Whenever I remove the IP address of the interface Ge0/0 and the ip route, I can ping 166.x.x.21, which is the modem gateway. When I revert the configuration back to the above, the IP 166.x.x.21 cannot be pinged, though the DSL connection is live. Ways to fix this so that I can make this tunnel state QM_IDLE?
View 1 Replies
Apr 15, 2013
Cisco 2800, 12.4(23b) router has two VPN tunnels to other Cisco devices.
Authentication uses certificates from a PKI CA server. Under normal circumstances all works fine, both crypto sessions up.
After a power cycle (having first saved configs) however, the crypto sessions are stuck in DOWN-NEGOTIATING.
The certificate on the router still looks valid.
The only way to get the sessions back up is to renew the certificate, which seems strange as the existing one appeared to be still valid.
View 5 Replies
Feb 12, 2013
I've come across a weird OSPF issue between my routers connected via a layer 2 service provider link, details as below. We have a base station router for satellite termination at the service provider end, connected via a layer 2 VLAN link to a head end C3945. The current interface for the head end is a layer 2 VLAN and the layer 3 IP address lives under a sub-interface, config as below:
- Head End router
- Cisco 3945
View 4 Replies
Mar 10, 2013
Just a little bit of info on the setup I am TRYING to run:
1) Laptop connected to my router via wireless
2) Xbox 360 connected via ethernet port to Laptop
3) Forming bridge between wireless and LAN to give 2 access to internet whilst 1 being able to maintain access.
Foreword: I've tried using ICS beforehand because it was a simple alternative, had problems with it and got IP address errors on 2. When it did work, it worked exactly how I wanted/needed it to. (Was very unreliable.)
Goal: Have constant wireless access to 1 and be able to turn off/ on 2 and have access to internet without any problems.
Problem: So I am able to bridge the two connections just fine and I maintain internet on both, but when I turn off 2 the wireless drops and will stay at "Identifying" for hours and will either A) completely drop and not connect or B) stall at identifying.
The way I have been able to get wireless back on 1 is to delete the bridge I formed and un-bridge my wireless. At that point my wireless comes back instantly and there are no problems. The thing is I don't want to have to repeat the process every time I want to use 2. With ICS it was "Plug and Play" when it worked, and that's my goal: to plug in the ethernet cord via LAN and be able to use 2.
View 1 Replies
Sep 20, 2011
Can I know how many site-to-site IPsec tunnels a Cisco 2800 router can support without a VPN module?
View 2 Replies
Feb 18, 2012
I'm setting up a L2L VPN Hub and Spoke. I have 3 sites (1 HUB and 2 SPOKES).
HUB-----------SPOKE1
|
|
|
SPOKE 2
HUB and SPOKE 1 are okay. My problem is the communication between HUB and SPOKE 2. PING failed in both directions. BTW, I am simulating this only in GNS3. :-) The configuration for HUB and SPOKE 1 is the same, and also for HUB and SPOKE 2.
Here is my show isakmp sa and ipsec sa on HUB:
ciscoasa# sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
[Code].....
View 4 Replies
Nov 19, 2011
Suppose I have 2 hub locations and one spoke, and I want to configure DMVPN between them and want to keep the 1st HUB as active and the 2nd HUB as passive; how is this possible?
View 2 Replies
Aug 12, 2012
I currently have a "hub" ASA 5505 that links to 4 sites running 877 routers. From the hub network I can connect to all sites fine, but what I would like to do is to almost compartmentalise the various VPN links into little clusters. The hub ASA 5505 basically provides IP telephony through the VPNs from a PBX, allowing the users at the other end of the VPN to make outgoing calls and receive incoming calls. However, a couple of the sites would like to be able to call between each other internally via the hub. This obviously requires traffic to be allowed between their various networks. Currently, when you attempt an internal call it rings but there is no audio either way. I assume this is due to access list restrictions. I am not even sure whether what I am trying to achieve is possible. I've attached the hub and 2 spokes below. The ideal end result would be interconnectivity between the two spokes via the hub; from reading up it would seem that it's possible, but I can't quite get my head around it! Would it involve using different subnet masks at the hub?
View 1 Replies
Jul 11, 2011
I want to build a "hub and spoke" topology for one of my clients. For the "HUB", I'm planning to use an SA540, with a static public IP provided by a 4Mb SDSL. For the "spokes" (21 at the moment), I'm planning to use RV120s. They will be behind a NAT, provided by a "SAGEM LIVEBOX", and a static public IP. The boss will connect to the HUB using Cisco VPN client, or QuickVPN, and get access to all the spokes. Some spokes will have to connect to each other, via the HUB. I searched a long time on this forum and read documentation, but I haven't found the answer to my question at the moment: is this topology suitable with the chosen hardware?
View 7 Replies
Mar 23, 2011
Imagine MPLS network. Total of 4 sites.
HQ-HUB is the only site with access to the Internet.
So if Site1 or Site2 or Site3 need to access the Internet, traffic will have to go through HQ-HUB and from there reach the Internet. I have 2851 routers on the spoke sites. Which command or mechanism would you explore in this case to make the spoke sites point to the HQ-HUB to reach the Internet?
Would you do this based on DNS settings, or by getting an access-list & static route defining that when the spoke routers' traffic needs to go to the internet, it points to the HUB-HQ as the default?
View 3 Replies
Apr 7, 2011
I am having real problems trying to build resiliency into a hub and spoke frame relay scenario. I know the hub is a single point of failure. Is there any way to put some resilience into the network? There are 4 attached branch offices.
View 8 Replies
Mar 26, 2012
I'm trying to set-up 3 remote access groups on an ASA5520 running version 8.4(3) software so that remote clients connected via Cisco VPN Client can also access spoke networks which are also connected to the ASA. I've previously set this up on ASAs running v7.2 software without issue but don't seem to be able to do the same here and can't for the life of me figure out what's wrong!
I have set up the 3 remote access groups:
Group 1 - subnet 192.168.1.48/28
Group 2 - subnet 192.168.2.0/25
Group 3 - subnet 192.168.3.0/25
My remote access user groups can all connect to the head office subnet (10.0.0.0/8) without issue. But only one of the groups (192.168.1.48/28) appears to be able to access the spoke sites (172.30.10.0/24 and 172.30.20.0/24) that I have set up. However, I can't see what the difference is between the 3 groups I have configured, so I can't understand why it works OK for one group and not the others.
When I use the packet tracer, it tells me that the flow is being dropped at the VPN encryption phase but why is that? How can I find out more? Here's the relevant config on my ASA:
!
same-security-traffic permit intra-interface
!
crypto dynamic-map remoteuser 5 set transform-set ESP-3DES-MD5
crypto dynamic-map remoteuser 5 set security-association lifetime seconds 28800
crypto dynamic-map remoteuser 5 set security-association lifetime kilobytes 4608000
!
crypto map outside_map 65000 ipsec-isakmp dynamic remoteuser
!
ip local pool pool1clients 192.168.1.49-192.168.50.54
ip local pool pool2clients 192.168.2.1-192.168.2.126
ip local pool pool3clients 192.168.3.1-192.168.3.126
!
access-list split-tunnel-pool1 standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel-pool1 standard permit 172.30.10.0 255.255.255.0
access-list split-tunnel-pool1 standard permit 172.30.20.0 255.255.255.0
!
access-list split-tunnel-pool2 standard permit 10.0.0.0 255.0.0.0
access-list split-tunnel-pool2 standard permit 172.30.10.0 255.255.255.0
access-list split-tunnel-pool2 standard permit 172.30.20.0 255.255.255.0
!
access-list
[code].....
View 12 Replies
Aug 9, 2011
Is there any suggested upper limit to a single EIGRP hub-and-spoke design (i.e. with a single central router)?
Router is a 2900 ISR
I'm vaguely aware of a similar design limitation with OSPF areas, where no single area should contain more than 40 - 80 routers. Could be hearsay...
View 13 Replies
Mar 25, 2013
Is there any suggested upper limit to a single EIGRP hub-and-spoke design (i.e. with a single central router)? The router is a 2900 ISR. I'm vaguely aware of a similar design limitation with OSPF areas, where no single area should contain more than 40 - 80 routers.
View 8 Replies
Apr 14, 2013
I'm working on a new DMVPN configuration with one 3745 at the hub site and a 1941 at the spoke. I have internet through GSM for the primary line at the spoke and a DSL line for backup on the spoke. I have one tunnel interface on both the hub and the spoke. Currently my VPN tunnel is coming up fine; however, we are planning to do an ISP failover at the spoke side. Since in the tunnel interface I can only define one "tunnel source interface", which is the GSM cellular interface, I don't know how to use my other ISP for the same tunnel interface, as it will always initiate traffic from GSM.
Do I have to create another tunnel interface with the same hub site, or do I need another hub as backup? Is there any other way to create a loopback interface and initiate the traffic from that loopback?
View 1 Replies
Jan 9, 2011
I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPv3 tunnel. Which method has more CPU consumption?
View 1 Replies
Sep 23, 2012
I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPsec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or a SECURITY license?
View 4 Replies
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02).
What would be the correct configuration? The current configuration I am using is:
In the RV042 I am using:
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address
[Code].....
View 3 Replies
Jul 24, 2012
Environment: Linksys WRT300N v1.1, which can have dd-wrt mega. Willing to tunnel all the LAN's outbound traffic through an SSH tunnel.
View 2 Replies
Jan 23, 2012
There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for if an account is not found to "Continue"; however, this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).
View 2 Replies
Aug 1, 2011
We've just discovered it seems the 2800 series aren't getting IOS 15.2?
We're running a 2851 for our CME and specifically want some features in CME 8.8...
End of Sale has been announced, but as it stands you can still purchase this router new today.
View 5 Replies
Oct 29, 2012
I have two CISCO 2800 routers tied together over a Metro Ethernet between an HQ location and a Colocation facility. There are multiple subnets on both sides of the MAN. All things work in this regard.
I added two new Interfaces to the routers to create a VPN failover should the above MAN go down. I use IP SLA to track the MAN, then move to the VPN route when reachability is down.
I can source ping from one CISCO router Interface to the other, through the two interfaces to the Sonicwalls and reach the router interface of the CISCO on the other side of the VPN tunnel.
Problem: I cannot ping any subnet behind the interface I ping through the Sonicwall VPN tunnel?
Example: 2800 G0/2 interface 100.1.1.41 /30 through Sonicwall over the Internet to the other Sonicwall and out of the G0/2 100.1.10.41 /30 interface on the other 2800 router. Ping is fine.
View 15 Replies
Dec 1, 2011
I am having an issue with a VPN tunnel in that we can only establish this from the VPN 3k side to the 2800 and not from the 2800 to the VPN 3k. The setup is as follows: [code] I am awaiting the logs from the VPN 3k, but here are the debugs from the 2800. [code]
View 4 Replies
May 14, 2013
I have a VPN configured between two Cisco ASAs, but I have a problem reaching a network behind a 2800 router.
View 7 Replies
May 29, 2012
We have a new office and have a 2800 router as a WAN router; it has a 3G card and a DSL link. We have an ASA which has to be configured to the 2800 router. We want the ASA to have a VPN link with the primary site over DSL; if DSL fails it should automatically fall back to 3G. What do we really need and how would it be done in terms of IP addressing? Do we need any special IP from the service provider?
View 2 Replies
Apr 17, 2013
I have configured NetFlow to gather flows from my Cisco 2800 as below:
interface GigabitEthernet0/0
description ### To VNPT_FTTH_20M ###
no ip address
ip flow egress
ip route-cache flow
[Code]...
But I still do not see user addresses (each individual host that goes through). What and where have I configured wrong? I also attached the network map here.
View 5 Replies
Oct 17, 2012
I want to ask something about the configuration of a 2800 router. I already have a USB to DB9 | DB9 to RJ45, but I have a problem like the image below.
View 19 Replies
Dec 21, 2011
How to add a WIC-2T card on a 2800 router?
I had the card as follows.
I want to know the 2800 router, such as the following picture.
View 1 Replies
Mar 20, 2012
I have a Cisco 2800 router. I have been noticing a lot of traffic to Pandora lately. At times my pipe is 25% music streaming and my router utilization can be quite high. Our web filtering is a hosted service that does not block all traffic, depending on some of the ports. It is really designed for ports 80 and 443 only.
We decided we want to block access to Pandora completely on both our primary internal LANs and our Guest wireless LANs.
When I perform the ARIN lookup, I get these results for the IP range:
NetRange: 208.85.40.0 - 208.85.47.255
CIDR: 208.85.40.0/21
The CIDR notation does not make sense to me entirely. The IP range includes 8 class C networks. The /21 is a class B subnet of 255.255.248.0 or a router broadcast address for routing tables (depending on how you want to look at it). I was not sure if I could block the address based on the router CIDR range or if I had to use the individual classful IP ranges.
Should I block "208.85.40.0 0.0.7.255" in my ACL or should I create 8 entries to block the networks like this?
208.85.40.0 0.0.0.255
208.85.41.0 0.0.0.255
View 5 Replies
Sep 19, 2011
I am operating a 2800 series Cisco router. The router is working fine except that I am not able to SSH into the router. I have checked the running config against Cisco's documentation and every line is correct. Prior to me getting this job they did an update and I think they have corrupted the certificate key for SSH.
Is there any command to generate just the SSH key and not all the other keys, which would cause bigger connection issues?
View 1 Replies
Feb 23, 2012
I have 2 2800 series routers configured the same, but with different subnets. One works fine; on the other, the client can't obtain an IP, and hardcoded, can't ping.
I ran DHCP debug and I can see the router assigning the IP, and I see an ARP entry that matches the MAC of the client:
*Feb 24 11:33:55.915: DHCPD: Sending notification of DISCOVER:
*Feb 24 11:33:55.915: DHCPD: htype 1 chaddr 000a.e40c.d232
*Feb 24 11:33:55.915: DHCPD: remote id 020a0000ac10760101000078
[Code].....
View 3 Replies
Dec 28, 2010
We have a customer in the UK who is starting to deploy ADSL2+ circuits for the new sites they are adding to their BT IPClear MPLS network. We want to standardise on a config for each site, but to date have found that we seem to be using a different config for each site. Some are configured using a dialer interface & some using a virtual template.
Why on some of the sites does the virtual template method work & on others do we have to configure a dialer interface? Also, in regards to the speeds, what should we configure as bandwidth statements & also for traffic shaping? I know that the ADSL2+ circuits can operate at various speeds, but am I right in thinking these higher speeds are the clock rate of the line & with the BT IPClear product, the customer only gets the agreed/paid-for bandwidth?
As this figure is different in both directions, when the traffic shaping is configured using the vbr-rt command, is the amount entered based on the slower upstream bandwidth on the circuit?
View 7 Replies
Jan 10, 2011
The local LAN is connected with a Cisco 2800 router and an SRX 210 firewall. Currently all LAN segments go to my Data Center via ISP A and all internet traffic from the LAN segment goes to the internet via the SRX firewall; there is no relation/connection between the Cisco router and the SRX firewall. I have separate AS numbers for both ISPs.
I have attached the scenario. Based on the current one I would like to do the following.
1. I need to use PBR at the LAN switch (it's an L3 switch) such that in the normal scenario, local VLAN traffic is equally distributed on both ISPs.
2. Dedicated internet traffic will flow through ISP B only, and if the WAN link of ISP B goes down, the internet traffic will pass through ISP A.
(In the normal scenario, ISP A will be utilized 100% for LAN traffic to reach the DC, but once the ISP B link goes down, the bandwidth of ISP A will be divided to route 50% of the traffic for the LAN segment to the DC and the remaining 50% of the LAN segment's traffic to the internet.)
View 2 Replies