Cisco VPN :: 2821 - Nat Web Traffic From Tunnel

Jan 23, 2012

I have 2 routers, a 2821 and a 2811. They are connected via GRE over IPsec, and all of the traffic from the 2821 is being routed to the 2811 with a default route to its tunnel interface. The 2821 needs to access the internet through the 2811's valid IP address. My question is: how should I NAT the traffic on the 2811 so that the 2821 can access the internet?


Cisco WAN :: 2821 When Traffic Is Less Error Rate Is Low But With High Traffic It Is Increasing Drastically

Dec 11, 2010

We have a Cisco 2821 at one of our branches and created five subinterfaces for different VLANs. The output of show interface shows a very frequent increase in the input error count. I have changed the physical cable and the switch port on the other side, but the error rate is still increasing. When the traffic is low the error rate is low, but with high traffic it increases drastically. My router process is very low (only 4%). What could be the possible reason? [code]


Cisco WAN :: 7201 Option To Send All Traffic Through GRE Tunnel / L2TPV3 Tunnel

Jan 9, 2011

I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPv3 tunnel. Which method consumes more CPU?


Cisco VPN :: VPN Tunnel Monitoring With 2821

Nov 7, 2010

We have around 20 VPN tunnels via a Cisco 2821 router (Intranet) and around 30 VPN tunnels via Cisco ASA (Internet) with 3rd parties/vendors. I want to know if there are any monitoring tools from Cisco or any other providers that can give me information/trend reports about VPN tunnel up/down time, volumes of traffic, protocols, etc.


Cisco VPN :: 2821 Tunnel To Snapgear SG560

Oct 24, 2011

So I am trying to test out a VPN config to establish an IPsec tunnel between our 2821 and a Snapgear product. I have the tunnel built and it comes up, but I am not able to pass traffic between the two networks. The 2821 end is 10.30.254.x and the Snapgear end is 10.30.200.x. I thought it was an issue with the ACL, but that looks like it is allowing communication between the two subnets. I know I am missing something simple, but I cannot for the life of me find it.
 
Current configuration : 7866 bytes
!
! Last configuration change at 17:49:21 Chicago Mon Oct 24 2011 by admin
version 15.1
service timestamps debug datetime msec

[Code]....


Cisco VPN :: 2821 - IPsec / GRE Tunnel Up / Down Every 4 Or 6 Minutes?

Jun 9, 2011

We have a DMVPN Phase 2 setup in a hub and spoke design using a single head end device (Cisco 2821) and 30 spokes, the majority of which are 1801s. All spokes have the same configuration and underlying transport (DSL). DSL circuits are terminated directly on the ISR.
 
We have a strange issue whereby one of the spokes drops the tunnel every 4 or 6 minutes, almost down to the second, as per the output from "crypto logging session". This seems to vary between both time frames.
 
EEYSRO01# sh logg | include CRYPTO-5-SESSION_STATUS
Jun 10 12:48:36.624: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 213.**.**.**:500       Id: 213.**.**.**
Jun 10 12:49:06.697: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 213.**.**.**:500       Id: 213.**.**.**
Jun 10 12:52:36.718: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 213.**.**.**:500       Id: 213.**.**.**
Jun 10 12:52:37.030: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 213.**.**.**:500       Id: 213.**.**.**

[code]....
 
We also have other errors that proceed to the tunnel Up/Down events
 
Jun 10 14:35:15.716: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820
 Jun 10 14:35:15.716: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x1000820


Networking :: To Tunnel All Routers Traffic Through SSH Tunnel With WRT300n

Jul 24, 2012

Environment: Linksys WRT300N v1.1, which can have ddwrt-mega. I want to tunnel all of the LAN's outbound traffic through an SSH tunnel.


Cisco Firewall :: PIX515 / 2821 / 2921 / Getting GRE IPsec Tunnel Setup?

Apr 18, 2013

We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
 
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.  Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
 
Main Office
The external address     198.40.227.50
The loopback address   10.254.10.6
The tunnel address        10.2.60.1

Offsite Datacenter
The external address     198.40.254.178
The loopback address   10.254.60.6
The tunnel address        10.2.60.2
 
The main office PIX515 Config :

PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240

[code]....


Cisco WAN :: 2821 / Route FTP Down One T1 And All Other TCP Traffic Down Another T1

Apr 19, 2010

I have a 2821 router with two T1 WICs and have the need to route FTP down one T1 and all other TCP traffic down another T1. All traffic is going to the same remote IP address. The remote sites are in different states, and I assume that the remote subnet is being bridged between the states. It's kind of a weird set up, but it's not my design.
 
Anyway, can I use a route map to split off FTP traffic to host A and send it down one T1 and have the rest of the IP traffic to host A go down the other T1?  I also need to be able to have all traffic use one T1 in case the other T1 goes down.
 
My first thought was to static all IP down T1-1, then route map FTP traffic down T1-2, then have a floating static for all IP traffic down T1-2 with a higher metric. But something would have to track the T1 interfaces and I'm not sure if route maps or static routes can do that.  Any thoughts on this?


Cisco Switching/Routing :: 2821 - Router VPN Client Split Tunnel Is Not Working

Mar 14, 2013

I've configured the Cisco VPN Client on a 2821 router, and it is working fine. I can access inside resources normally. The problem is that when I connect with the VPN, I lose connectivity to the internet. What is wrong with my configuration? Below is the running config of the router.
 
CISCO2821#sh run
Building configuration... 
Current configuration : 5834 bytes
!
version 12.4

[Code].....


Cisco :: 2821 / EEM - Monitor Interface Traffic In / Out?

Nov 2, 2011

I want to monitor interface traffic in/out with EEM, and if the value is over some value I will change the policy. For example, my router is a 2821 with 2 FastEthernet ports. I want to monitor the traffic on fasE1/0, and if traffic is over 80Mbps I will change some configuration (example: change the next hop on a static route) to send traffic via interface fasE1/1 to reduce the traffic on interface fasE1/0?


Cisco WAN :: Shape Output Traffic 2821

Mar 8, 2012

I have a Cisco 2821 with IOS Version 12.4(21). On that router I have a WAN link that is 550mbit dual. The interface is 1000FD, so I need to shape my output traffic to max 550mbit, otherwise my ISP policing is dropping the traffic.
 
I've looked at this document url... and I'm trying to use this interface command: traffic-shape rate
 
But the router won't accept rate value 550000000, which should be 550mbit in bits/s.
 
Is it not possible to shape the traffic to 550mbit on the 2821 router?


Cisco WAN :: Http Traffic Hanging Through 2821 Router

Mar 28, 2011

I'm using a Cisco 2821 router to provide temporary Internet access for a private network of about 300 users for a conference at a hotel.  The hotel has provided me a public IP address for the WAN side.  On the LAN side I have a 10.x.x.x /8 subnet with the router providing DHCP and NATing (overload) across the WAN interface.
 
Users can pick up an IP address and access the web.  Light web pages such as Google tend to load without issue, however if a user does something that takes more time, such as streaming a Youtube trailer or opening an RDP session, the connection will freeze.
 
It doesn't appear to be related to bandwidth availability. Pings return on average 10-15 ms. However, I will get a request time out about every 10th continual ping. Streaming video will load about 4-6 seconds worth of data, then will appear to freeze without dropping. Doing something like speedtest.net will send a large amount of data then will hang, without ever ending the conversation.
 
This doesn't happen when I plug a laptop directly into the hotel public Internet line.  They also don't have issues with their network similar to this.
 
I do not have any ACLs, etc. loaded.  The router is basically wide open as far as I can tell.  I don't see the router resources getting used much at all.


Cisco WAN :: 2821 - Split Outbound Data Traffic

Feb 29, 2012

I have hooked up to the Cisco 2821 router a T1 on Serial and Cable Modem to GigEth0/1 and I want to split outbound traffic so that all regular users will use G0/1 interface for web traffic and the rest of the traffic stays with the T1.  I am having an issue where the users on the network are not able to use the internet when using the following config:
 
!
interface GigabitEthernet0/0.10
description Data
encapsulation dot1Q 50

[Code].....


Cisco WAN :: 2821 - Lost Traffic When Multilink Drops T1

Feb 14, 2012

MPLS customer with 4 T1s in a multilink. If one of the T1s drops there is a brief delay in traffic picking back up and I actually lose packets from premise back to CO. You can see this loss both with pinging across the circuit and with techs on either end running JPerf. It can take as long as 6 seconds for the reconvergence to actually happen on the multilink and traffic picks back up. In my experience this is normal behavior for Multilinks.

I'd also like to note that it is indeed much quicker reconvergence when you physically pull the T1, any of the T1s, rather than administratively shutting down one of them, and I understand that the hardware is quicker than software and that's a good thing, obviously. I've tried this with and without ppp multilink fragment disabled on either end and every other combo between the two. Each of the 4 serial interfaces is on line timing and I tried free-running just on the off chance that it could improve the loss, but it gets worse... back to line timing. I've even tried this on other CPE platforms like two different versions of Adtran CPEs and I get the same thing. Currently I have a new 2821 CPE in place and still get the same thing. Still see a brief amount of traffic loss up to 6-7 seconds or so at times.
 
7600 side:
 
interface Multilink592
ip vrf forwarding ******************
ip address *************************
load-interval 30
no peer neighbor-route
ppp multilink
ppp multilink group 592
ppp multilink fragment disable
no cdp enable
service-policy output VPN-TEMPLATE-2

(code)


Cisco Firewall :: 2821 Way To Allow Return Traffic From Internet For NAT Host

Jan 5, 2012

On a 2821 Router with 15.1(3)T1
 
I have an IPSec VPN and NAT configured. Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internal NAT host? Note: As a test, removing the deny entry on the WAN ACL allows return traffic.


Cisco VPN :: PIX 515 NAT Only Some Traffic In VPN Tunnel?

Nov 15, 2011

Currently I have  users that connect with the Cisco VPN client to our PIX 515e. Our  corporate network is also directly connected to our partners network, sharing common address space. I want to be able allow our VPN users to connect to certain  resources on their network. Since they already have routing for our  address space, can I allow the VPN to only NAT traffic to certain  destination addresses with a local IP address on our network? That way  the partner's network does not have to change any routing since they  would see the source address as a local IP on our network.


Cisco Switching/Routing :: 2821 Periodically Stops Routing All Traffic

Oct 3, 2010

We've got a Cisco 2821 router which periodically stops routing all traffic. It seems to happen about once every 2 weeks, and I can't find anything that could be causing it. There are no entries in the log and the router stays up and running but requires a restart to begin processing traffic again. We're running 12.4(13r)T11. Any thoughts, or troubleshooting steps to track this down?


Cisco :: No Traffic Gre Tunnel 2901

Nov 6, 2012

I am trying to make a GRE tunnel with 2 Cisco 2901 routers. Ping responds between the tunnel IP ends, but I don't have pings from the PCs inside the networks. [code]


Cisco VPN :: No Traffic GRE Tunnel 2901

Nov 5, 2012

I am trying to make a GRE tunnel with 2 Cisco 2901 routers. Ping responds between the tunnel IP ends, but I don't have pings from the PCs inside the networks.
 
[code]....


Cisco VPN :: ASA Or 871 IPSec L2L To SSG-140 - Tunnel Is Up But No Traffic

Aug 8, 2012

I am currently troubleshooting an IPsec L2L VPN between
 
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
 
In both scenarios the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encaps, but no decaps.
 
It seems like a routing issue, but we can not find anything on both sites.
 
So maybe I'm running into a (known) issue between Cisco VPN equipment and the SSG-140?
 
Could it be a proxy-id issue? Because they configure stuff like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255


Tunnel All TCP Traffic To UDP Under Port 137?

Mar 13, 2012

Is it possible to tunnel all TCP traffic to UDP under port 137?


Cisco Firewall :: ASA 5520 VPN Tunnel Up But Not Traffic

Nov 1, 2012

We just migrated from a single 5510 to a dual (failover) 5520. It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users (going to LDAP when all is working), but no traffic is passing. I know I am overlooking something but can't see it. [code]


Cisco VPN :: Tunnel Between Asa5505 And Fortigate 80c Up But No Traffic

Nov 27, 2011

I have set up an IPsec tunnel between a Cisco ASA 5505 and a Fortigate 80c. The tunnel is set up as I execute pings from inside behind the ASA to inside behind the FG; however, I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup'. To troubleshoot, I have configured a test ('fake') VPN connection through the VPN wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.


Cisco VPN :: 7200 - Traffic Is Not Passing Through Tunnel?

Nov 17, 2011

I have set up a tunnel between a Cisco PIX 6.3 and a Cisco 7200 router. "Show isakmp sa" shows the detail below on the PIX:
 
Total     : 1
Embryonic : 0
dst               src        state     pending     created
xx6.x71.x29.x68   x2.1x7.52.1x1    QM_IDLE         0           0
  
Is the tunnel up? Traffic is not going through the tunnel. Why?


Cisco VPN :: RV042 - Cannot Route Traffic In The Tunnel

Jun 6, 2011

I have two RV042 VPN routers. I successfully connected the IPsec tunnel. I cannot route traffic in the tunnel. See the diagram.
  
MAIN Network 
10.252.x.x 
--------------> 
FIREWALL                       
a.a.a.1                                                   
INTERNET
RV042a     WANa       <<------------------------------->>    WANb    RV042b
 a.a.a.2                                                                            b.b.b.b 
   
In this manner the network of b.b.b.b will connect to the Main Network 10.252.x.x. Unfortunately, I can't pass traffic to RV042b going to RV042a. Every time I trace the route, the traffic goes outside to the Internet, not to RV042a.


Cisco VPN :: No Traffic Over Tunnel Between ASA 5505 And 5510

Dec 5, 2010

I have an ASA 5510 on the main site and different ASA 5505s on secondary sites for VPN tunneling between the sites. The problem is that the tunnels are established but no traffic is going over them. What am I doing wrong? For the moment there is an ASA 5505 on the main site managing the tunnels, but I want the 5510 to take over the job.


Cisco VPN :: 881 / Route Traffic Thru IPSec Tunnel To DMZ

Jun 29, 2011

I need to route traffic to DMZ (and internal) from the branch office thru the IPSec tunnel. How do I manage that with my Cisco 881?


Cisco VPN :: 1700 / Route Traffic Over VPN Tunnel Like In GRE?

Jun 15, 2012

I'm stationed overseas and it's really hard to access certain websites and services like Netflix or ESPN. What I had created was a GRE tunnel from my home "A" to my current location "B", routing my traffic from point A to B using 2 Cisco 1700 routers (and it was working great), but now I can't use GRE anymore. I still have a PIX and an ASA on both sides and I was trying to do that over a VPN tunnel, but I can't ping the VPN tunnel gateway (basically what was the next hop in GRE) on the other end (which is the main problem why I can't route traffic to the remote site). I was wondering if I can still do the same thing over a VPN tunnel that I did with the GRE tunnel.


Cisco VPN :: V2 And V3 RV082 Routers - No Traffic Gets Through Tunnel

Feb 13, 2012

I'm trying to set up a VPN between an RV042 V3 and an RV082 V2 router. They get connected but no traffic gets through the tunnel. I tried with and without firewall, DPD, Keepalive, and forward secrecy, but nothing worked. What should I do? I don't want to throw out the V2 routers. V3 to V3 connects fine.


Cisco VPN :: ASA 5505 - L2L Tunnel Up / No Traffic Passes

Feb 4, 2013

Two 5505 ASA's for a customer main site and a local office.  I have the tunnel up.  But I'm unable to pass traffic across it. 
 
Main Site:
 
ASA Version 7.2(4)
!
hostname Town
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

[code]....


Cisco VPN :: Tunnel Between ASA5510 And Pix Router Allows All Traffic?

Oct 1, 2011

We've created an ipsec VPN tunnel between our ASA5510 (8.3) and a Pix firewall (not sure of the specific version, etc).
 
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our data center.
 
I was surprised that I could RDP into the server, as well as telnet to any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
 
Not having set up many VPN tunnels before using ASA (only Checkpoint - Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel cryptomap to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
 
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.


Cisco VPN :: ASA 5505 - IPSec VPN L2L Tunnel Up But No Traffic

Mar 19, 2011

I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
 
Cisco ASA-5505
Peer A: x.x.x.x
Lan A:     192.168.0.0    255.255.255.0

Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B:     192.168.23.0  255.255.255.0
 
I start traffic from LAN B with a ping (or telnet it doesn't matter) that receive no reply but tunnel goes up fine.
 
"show isakmp sa" seems ok (says "State   : MM_ACTIVE")
"show ipsec sa" seems ok but all #pkts are zero
 
I tried FTP and telnet from LAN B to LAN A systems, but none of them work. "show ipsec sa": all #pkts are zero. As soon as I generate traffic from LAN A to LAN B, this works (with the tunnel already up), and traffic from LAN B to LAN A also works. Obviously, if I end the VPN and start the tunnel by making traffic from LAN A, everything works fine bidirectionally: LAN A reaches LAN B and LAN B reaches LAN A. No messages are logged on either of the two appliances.
 
This seems a very strange problem because it does not seem related to Phase 1 or Phase 2, which are already established. Traffic (routing?) starts working only after at least one packet goes from LAN A to LAN B. No messages are logged on either of the two appliances. The problems began in ASA version 8.0(4) ASDM version 6.1(3) and continue after the upgrade to ASA Version 8.4(1) ASDM version 6.4(1).








Copyrights 2005-15 www.BigResource.com, All rights reserved