Cisco VPN :: 2811 - IOS Tunnel Interface Keeps Going Down

Sep 7, 2011

I'm seeing an IOS VPN Tunnel interface which keeps going down and then back up...
 
We have a Cisco 2811 acting as a VPN Hub router on the backbone, which connects to various client sites over VPN. Of the 7 VPNs configured, 6 work well and are generally trouble free. The VPN interface on the other VPN keeps going down multiple times throughout the day; just recently the client has been noticing loss of connectivity. The remote router is managed over the VPN so there is always some kind of traffic over it.
 
*Sep  7 06:40:53.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to down
*Sep  7 06:41:23.991: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to up

[Code]......

View 2 Replies



Cisco WAN :: 1941 Router - Enable IPSec Virtual Tunnel Interface With Tunnel Mode IPv4

Sep 23, 2012

I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?

View 4 Replies View Related

Cisco WAN :: 2811 - Terminating 3 ISP And GRE Tunnel

Jan 10, 2011

ISP on each circuit cannot provide more than 3MB, so soon we will get three circuits, each of 3MB. ISP recommends to terminate all the links on a Layer2 switch and have a trunk to the router. I need all experts' opinion on this proposed setup. We currently have a 2811 with two GigaEthernet ports. We plan to have three GRE over IPSEC tunnels (one tunnel for each circuit) to load balance/load share/redundancy.

View 7 Replies View Related

Cisco WAN :: 2811 - Limiting Bandwidth In GRE Tunnel?

Jun 10, 2013

We have two Cisco 2811 routers set up with a GRE tunnel that we would like to constrain the bandwidth on to replicate a satellite connection of 400 kbits. We tried the bandwidth command 400, but from what I understand that is only for routing metrics and not actual speed of the interface.

View 5 Replies View Related

Cisco VPN :: 2811 MGRE Tunnel Is Not Establishing Between Two Routers

Aug 5, 2012

A multipoint GRE (mGRE) and IPSec tunnel is built between two routers. The topology of the device is briefed below: Configuration in End Router: This is a Cisco 2811 router. Among 2 Ethernet interfaces, one is used for LAN and one is for WAN. In the WAN part, we have configured mGRE (Tunnel1 and Tunnel 2) by creating sub-interfaces of the router. From the interface, we are terminating the link to the MPLS cloud; from there it's pointing towards our core router. From the End router we are advertising the path through EIGRP, and from the cloud BGP is advertised to the core router. [code]

View 1 Replies View Related

Cisco WAN :: Network Slow Down With DmVPN Tunnel On 2811 Router?

May 15, 2013

We are facing heavy and slow network performance at one of our remote sites; we are using Cisco 2800 series routers with the same IOS on either of the sites. Our WAN network is running on BGP with EIGRP configured and tunnels were configured on either of the sites. As part of the testing I have removed the tunnel to see the performance was ok from Head office to remote branch, and the WAN network is getting heavy and slows down when we put the tunnel back in hub and spoke.
 
quick info
 
Cisco 2800 Series router
 IOS: (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE

View 1 Replies View Related

Cisco Firewall :: 2811 Not Allowing ICMP To PBX Through Same Interface

May 31, 2013

Attached is our network diagram showing the details of our remote office and the corporate side which are connected via private fiber. The workstation (10.10.102.84) can ping the 10.20.0.31 IP address of the PBX but not the .30 address and I know if we can’t ping it we can’t remotely manage it. The 2811 router, ASA 5510 and the 6509-E can ping both IP addresses on the PBX. The ASA logs the error "Denied ICMP type=0, from laddr 10.20.0.30 on interface inside to 10.10.102.84: no matching session" when the workstation pings the .30 address.
 
We changed the default gateway of the PBX from 10.20.0.2 to 10.20.0.1 (2811 router) and we were able to ping both IP addresses from the workstation but the SIP trunks from the Internet stopped working (they NAT to the .30 address). Because calls may be forwarded from the PBX to the corporate network (via IP phones) we will eventually need to change the default gateway to 10.20.0.1 and still need the Internet SIP trunks.
 
My two questions are, how do we resolve the issue of pinging the .30 address from the workstation and then when the time comes how do we resolve the issue with the SIP traffic reaching the .30 address when we change the default GW of the PBX to the 10.20.0.1 address of the 2811 router.

View 9 Replies View Related

Cisco WAN :: 2811 HWIC Switch Cannot Be Configured As A Network Interface

Apr 14, 2012

I currently have a Cisco 2621 powering a network at our co-location facility... It's a simple setup and is working well. The colo provides a redundant HSRP uplink, so I have their two uplinks going into a Dell switch. From that Dell switch I have an uplink into FastEthernet0/0 on the 2621, configured with my routing network, and then FastEthernet0/1 gets an address from my block of routable IP. FastEthernet0/1 then plugs into another Dell switch where I have all my servers connected. The servers get public routable IP addresses and use the address on FastEthernet0/1 as their default gateway.
 
It's time to upgrade off the 2621, so I acquired a Cisco 2811 which has two FE interfaces, as well as a modular HWIC-4ESW switch. My question is, can I get rid of the Dell Switch A in the setup above and just use the internal switch on the 2811 to accomplish the same thing? And if I did this, would my two uplinks from the colo plug into ports 1 and 2 of that HWIC, and then port 3 would physically connect into FE 0/0? Or can I logically do that via configuration in the Cisco? I'm not sure how all this works and haven't received the new router yet, so I thought I'd get a head start and reach out to the experts.
 
My second question is unrelated, but each port on the HWIC switch cannot be configured as a network interface right? I'm pretty sure they can't as they aren't considered network interfaces but just thought I'd ask.

View 11 Replies View Related

Cisco Switching/Routing :: 2811 - Migrate IP Address To Other Interface

Aug 29, 2012

I have a Cisco 2811 with fa 0/0 as my bearer, and a switch module for internal clients.
 
I have an issue with my fa 0/0 flapping, and I want to move that IP configuration to fa 0/1.
 
As this is a branch office, I am reliant on the bearer port to give me comms, so changing the IP addresses is difficult.
 
Has anyone tried this with a TCL script?

View 4 Replies View Related

Cisco WAN :: Input Errors On Fastethernet Interface Router 2811

Feb 22, 2012

I have this output from show interfaces command for the fastethernet interface on a 2811 router.
 
find the causes of the crc and the ignored input errors on the interface?
 
The interface configuration is:
 
interface FastEthernet0/0
description VLANS_CHILE
no ip address

[Code]....

View 6 Replies View Related

Cisco Switching/Routing :: 2811 - New Serial Card Interface Not Detected?

Mar 26, 2012

I have an existing Cisco 2811 (Version 12.4(3c)). I tried to add a HWIC serial card into the router but the new HWIC is not detected. There is no new interface showing up when I do show run. This HWIC is a new card, just bought.

View 7 Replies View Related

Cisco WAN :: Configure Newly Installed HWIC-4ESW On 2811 Router To Bridge To FE 0 / 0 Interface

Apr 20, 2012

I am trying to configure a newly installed HWIC-4ESW on a 2811 router to bridge to the FE 0/0 interface. Currently, I have a cheap switch connected to FE 0/0 which in turn connects to all the phones, however now I just want to connect all the phones to the HWIC and have it internally bridge to FE0/0 for the connectivity to CME, etc.

View 5 Replies View Related

Cisco VPN :: 1841 And 2811 Routers - Site To Site Tunnel

Apr 26, 2013

I have 2 Cisco routers, 1841 and 2811. I need to set up a site to site VPN, but I don't know, somehow it just does not seem to be working.
 
Find attached the Configuration along with the
      
<----- 172.31.1.0/24----- DG:172.31.1.1>Cisco 2811<Dialer1 -----//Internet//----------Dialer1>Cisco1841---< DG:10.236.5.254-------------- 10.236.5.0/24--->
 
Find attached command executed on each router in the below order
 
1) show ver
2) Show run
3) show logging
4) show crypto ipsec sa
5) show crypto isakmp sa
 
Debugging enabled on routers are
1) Debug Crypto Isakmp
2) Debug Crypto Ipsec.

View 2 Replies View Related

Cisco :: Interface Tunnel Command Does Not Exist?

Oct 21, 2012

I am using an ASA 5520 image in GNS3. When I go into Configuration Mode and try to create a Tunnel through the command "interface Tunnel 0", this command doesn't exist. I need this command to create a Tunnel for a GRE Lab.

View 2 Replies View Related

Cisco VPN :: ASA5510 L2L VPN Tunnel End Point Interface?

Feb 12, 2012

Is this kind of configuration possible? Can the VPN tunnel go thru the Firewall to another interface (DMZ) on it? And not to end “outside” interface. I have DMZ network in ASA5510 interface and I like to end the L2L IPsec VPN tunnel on it. The tunnel must go thru the ASA from Internet via outside to the end point DMZ interface. The traffic is decrypted to that interface. So the VPN L2L peer interface is the DMZ interface IP address, not the Outside interface IP address.

View 0 Replies View Related

Cisco VPN :: 2811 - Site-to-site IPSec L2L Tunnel

Aug 18, 2011

I have an ASA and a Cisco 2811, and need to build a site-to-site ip sec tunnel between them. Due to a requirement to encrypt inside traffic, I need to apply on the inside interfaces on both devices to build the tunnel.
 
I don't see a problem but just want to check if it would work on terminating on Inside interfaces on both ip sec peers.

View 1 Replies View Related

Cisco Firewall :: IPSec Tunnel On Sub-interface On ASA 5510?

Jun 11, 2012

I am working on a security solution using an ASA firewall. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on ASA 5510?

View 3 Replies View Related

Cisco WAN :: ASR 1002F - Per Tunnel QoS And Physical Interface CBWFQ

Jun 5, 2012

I am preparing configuration (currently in lab) for Per-Tunnel QoS in DMVPN on ASR 1002F for one of our customers, and I came across one issue. According to restrictions for this feature, I cannot apply per-tunnel QoS in conjunction with interface based QoS. This means, I can provide shaping with hierarchical CBWFQ for each spoke, but I cannot guarantee anything on physical interface! What if there are services in native MPLS? I am also unable to give reservations for BGP which is used on PE-CE link! How about monitoring spoke PE-CE links natively? I can only apply policy-map with class-default on physical interface. When I add anything related to queuing for that class (or any other non-default class) I get the message:
 
R1(config-pmap)#class routing
R1(config-pmap-c)#bandwidth 16
service-policy with queuing features on sessions is not allowed in conjunction with interface based
 
[Code] ........

View 8 Replies View Related

Cisco :: Full Access To Everything Since The Tunnel Is Set To Bypass Interface ACLS?

Nov 23, 2011

I have ip phones at the remote location that connect into the phone switch (it's a nortel cs1000 system) over the tunnel. Internal calls work just fine, however when somebody calls from the outside, or calls are made to the outside the connection is never finalized. Like if I call from my cell it rings the phones, but when I answer there is nothing but dead air. In the group policy for the tunnel, I gave the remote site FULL access to the phones vlan and vice versa...which obviously works since internal calls work fine. If I remove my group policy and give it the Default group policy which essentially gives that tunnel full access to everything since the tunnel is set to bypass interface ACLS, external calls work fine. So it's definitely related to the group policy.

The group policy is basically: Allow remote site to X network/host on these ports, no denies since it blocks whatever isn't specifically allowed. However since it can get to the phone switch and it can get to the internet I'm not seeing why the calls aren't working. The only thing I can think of to try doing as well is remove the allow inbound traffic to bypass interface rules and treat it just like another vlan interface on the ASA. Create the rules on each interface for the remote site network etc and see if it works that way.

View 5 Replies View Related

Cisco WAN :: C3750ME / Add Or Remove IPv4 Address From Tunnel Interface Getting This Log?

Jan 3, 2007

I have a Catalyst 3750 Metro running 12.2(25)EY4. Every time I add or remove an ipv4 address from a tunnel interface I have the following log:
 
Jan  4 10:42:19.088: %PLATFORM_HCEF-3-ADJ:  Insane handle in add LT7
-Traceback= 25222C A81C70 A7B28C B08958 B28940 B2A2E0 B2A684 B9EFA4 B9F004 B9F684 B9F814 B9F99C B8E3BC BA1BD8 3DFA94 39BA3C

View 3 Replies View Related

Cisco Firewall :: ASA 5550 / RFC 1918 - Tunnel Terminates At Outside Interface

Aug 2, 2011

I've recently set up a LAN-2-LAN VPN tunnel to a 3rd party service provider who uses RFC 1918 private addressing internally and cannot perform NAT on their side of the tunnel.  In order to avoid conflicts with our address space I've had to implement DNAT for the address on the 3rd party network that users at my end must access.  The tunnel terminates at my end on the outside interface of an ASA-5550 running 8.4.2.  While the ASA has 8 interfaces at security levels between 0 and 100, DNAT only need occur for traffic flowing from inside (100) to outside (0).

The following (redacted) addressing applies:

Address of the server on the 3rd party provider network: 192.168.2.155

Mapped address of server as seen on the network at my end: 10.168.2.155

I've currently implemented DNAT using object NAT as follows:

object network remote-server
host 192.168.2.155
nat (outside,inside) static 10.168.2.155

This works as expected, however in examples and discussion I've seen, it appears that the typical way to configure NAT for this scenario is with manual NAT as follows:

object network remote-server
host 192.168.2.155

object network remote-server-mapped
host 10.168.2.155

nat (inside,outside) source static any any destination static remote-server-mapped remote-server
 
Is there any reason why I should consider using the manual NAT method rather than the object NAT method in this scenario? Are there any technical reasons why using object NAT in this manner should be avoided?

View 1 Replies View Related

Cisco Firewall :: ASA5510 - Web Interface On NAS From Remote Site Across VPN Tunnel?

Dec 3, 2012

I have two routers on my internal network.

10.10.199.106 is a Cisco ASA5510.

10.10.199.108 is a Sonicwall NSA 3500
 
The sonicwall handles our site to site VPN tunnels.  The Cisco handles our client to site VPN connections.
 
I have a unit that points to 10.10.199.106 (Cisco) for internet access. All other clients on the network point to 10.10.199.108 (Sonicwall) for internet access. The device in question, a Synology NAS, is using 10.10.199.68 as its IP address.
 
I'm trying to hit the web interface on the NAS from a remote site across our VPN tunnel.  The IP scheme on the remote end of the VPN tunnel is 192.168.72.0/24.
 
Going through the VPN, I can hit every object on the network that uses .108 (Sonicwall) as its gateway. However, I cannot hit the unit that uses .106 (Cisco) as its gateway.
 
I added a route statement (using ASDM) that routes all traffic destined to 192.168.72.0/24 to the Sonicwall so it can send it back down the VPN tunnel.  If I'm understanding routing correctly, this should allow responses from NAS destined for 192.168.72.0/24 to go back down the VPN tunnel.

View 4 Replies View Related

Cisco WAN :: 3845 Routers - Receive Multicast Stream Via Tunnel Interface

Feb 16, 2012

I have two Cisco 3845 routers which receive a multicast stream via a tunnel interface, i.e. Tunnel163 (PIM Dense mode is enabled). These routers are both connected to a LAN segment (FastEthernet0/1/0) where receivers are. [code] Router1 is the assert winner (highest IP address), it sees igmp join requests, but it's pruning the interface. It happens sometimes and it lasts until I manually issue clear ip mroute. Unfortunately I cannot migrate to Sparse Mode.

View 15 Replies View Related

Cisco Routers :: SRP527W Act As L2TP Tunnel Initiator Over ADSL PPPoE Interface

Jan 29, 2013

We are using SRP527 routers with PPPoE ADSL connections. From the SRP527 we create an IPSec tunnel to our core routers (Cisco ASR). We are wanting to change the IPSec tunnels to L2TP, and I need to know if this can be done from the SRP527. I cannot find any L2TP configuration options in the setup options. Can the SRP527W act as an L2TP tunnel initiator over the ADSL PPPoE interface?

View 1 Replies View Related

Cisco :: ASR1002 SNMP Statistics For GRE Tunnel Interface Statistics

Mar 28, 2013

We use Cacti to get interface statistics of an ASR1002 router (version 03.04.02.S.151-3.S2). A new GRE tunnel has been created, but unfortunately we are not able to get basic interface average during the day. What is surprising is the fact the graphs are built on the night only.
 
It seems as soon as we exceed some level of Bandwidth (~ 700-800k) the tool does not get the information. The OID I try to get are ifHCInOctets (.1.3.6.1.2.1.31.1.1.1.6) and ifHCOutOctets (.1.3.6.1.2.1.31.1.1.1.10) and some other interface statistics for both 64 and 32 bits. [code]

View 2 Replies View Related

Cisco WAN :: 7201 Option To Send All Traffic Through GRE Tunnel / L2TPV3 Tunnel

Jan 9, 2011

I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel. Which method is more CPU consumption?

View 1 Replies View Related

Cisco Routers :: Set A VPN IpSec Tunnel GW To GW Tunnel Between RV110W

Oct 17, 2012

I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
 
What would be the correct configuration? The current configuration I am using is
 
In the RV042 I am using
 
Check Enable 
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address

[Code].....

View 3 Replies View Related

Networking :: To Tunnel All Routers Traffic Through SSH Tunnel With WRT300n

Jul 24, 2012

Environment: linksys wrt300n v1.1 which can have ddwrt-mega. Willing to tunnel all LAN's outbound traffic through an ssh tunnel.

View 2 Replies View Related

Cisco VPN :: Tunnel With WRVS4400N Need To Push 2 IPs Through Tunnel?

Jan 23, 2012

There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for if an account is not found to "Continue", however this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).

View 2 Replies View Related

Cisco WAN :: 1841 Router - HWIC Interface Card - Cannot See Interface In Configuration File

May 9, 2012

I have a 1841 Cisco router and I recently purchased a 1 port HWIC WAN interface card. My problem is that I cannot see the interface in my config file. Is there something I am missing?

View 8 Replies View Related

Cisco Switching/Routing :: ASA 5505 Cannot Ping From Inside Interface To Outside Interface

May 1, 2012

I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP Address on the outside. I had this set up and working and I have another set of equipment that I am replacing that is working with my service provider so I know it is a configuration issue. When I ping 4.2.2.2 for example I get:
 
Destination host unreachable
 
Do I need to add a static route from my inside interface to my outside interfaces?   

: Saved
:
ASA Version 8.2(5)
!
hostname pxasa

[Code].....

View 2 Replies View Related

Cisco WAN :: Set Up WAN Interface On Fast Ethernet Interface Of 877 Adsl Router

Apr 9, 2011

Is it possible to set up a WAN interface on a FastEthernet interface of a Cisco 877 ADSL Router? Due to my ISP, I have to use an external VDSL modem and must connect it to my Cisco 877 router (and leave its ADSL interface unused). But I don't know how to set up a WAN port, other than the ADSL interface itself (dialer0), on my Cisco.

View 7 Replies View Related

Cisco Firewall :: 5540 ASA Interface Input Error On Outside Interface

May 28, 2013

We have a Cisco ASA 5540 running Cisco Adaptive Security Appliance Software Version 8.0(5)23. At a certain time daily we are facing latency and packet drops, wherein when I checked the ASA interface it gives me "Input Errors" on the outside interface. Can anyone tell me what are the causes of input errors on the Cisco ASA outside interface?

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved