Cisco VPN :: 2901 VPN Tunnels Struggling To Start On Reload
Jun 10, 2013
I've got my Cisco 2901 with Security license set up and running (seemingly) great, but with one issue that's scaring me a little bit. After a reload or power-on, the router starts up and begins trying to negotiate the three VPN connections. All three connections are to SonicWALL routers (1 NSA-2400 and 2 TZ-100), and those are configured with "Keep Alive" enabled. The problem that I'm having is that the VPN connections do not come up. When I do a 'show crypto session', it shows all IKEv1 SAs as DOWN-NEGOTIATING. It will stay this way indefinitely. The only thing I can do that works is to log into each respective SonicWALL, disable the particular VPN policy, then re-enable it -- and then it works no problem.
The only thing I can think of that might be affecting the success would be the "Keep Alive" enabled on the SonicWALLs ... But at this point, I'd rather not disable that until I know more about what may be the cause. (Definitely can't take down a tunnel or play around during production hours for testing.) There is some random stuff in there too, as I was attempting to provide access for myself when remote through VPN. Here is my current running configuration. [Code]
In our project, we had to configure PAgP between Catalyst Cisco 3110 switches. There is no problem in the configuration of PAgP, everything is OK, and the channel is up. But after reloading the Cisco, the channel cannot come up, and all packets are in a loop between the 2 switches. In order to solve this problem I have to shut down all ports and again create the channel for every port.
I have a Cisco 3925 router and I installed an HWIC-4ESW. As I saw in Cisco documents, you can hot swap the HWIC without reloading the router, but it's not working at all. How do I do it?
I have two ASA 5540 working in Active/Standby mode. After I upgraded them to version 8.2.3, I have the following issue: once a day, the presently active device arbitrarily reloads. I have no errors in show version or in the syslogs:
11:15:50 ASA : %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.0.36/512 gaddr 10.0.0.16/0 laddr 10
11:15:58 ASA : %ASA-1-104001: (Primary) Switching to ACTIVE - HELLO not heard from mate.
From PEC training - Cisco says to perform a proper ASR 1004 shutdown by executing 'reload', then waiting for the bootstrap message to appear, then [before commencement of unpacking of the IOS] turning off the power switch. IS THIS ACCURATE? Does anyone have any doc related to the recommended POWER DOWN process on the ASR 1004? We have a UPS cutover coming up and I want to be ready to power down and restart the new ASR 1004s we have - properly.
I've just purchased a new Cisco 881. I'm using NAT NVI for my inbound static mappings. However, regardless of the fact that the config is saved to NVRAM, after a reload of the router, the NAT mappings are set up as traditional inside/outside mappings. This means that inbound connections to the router on the required services fail until someone logs on to the router and re-applies the NVI mappings.
Here's a sanitised version of my startup-config:
!
! Last configuration change at 20:20:15 UTC Tue Dec 11 2012 by xxx
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
Something strange is happening to my Cisco 1941W. Every time I reboot the router I lose the running configuration of the service-module (Access Point module). The weird thing is that the router's configuration remains the same. I made sure I saved the configuration by issuing the wr command on the service module console, but it still happens. My router's current IOS version is 15.0(1)M1 and my AP's is 12.4(21a)JA1.
I also did another test by making sure the startup configuration was identical to the running configuration, and when I reload the router it still happens.
SSH has been enabled on our one and only 4507 switch for several months and has been working fine. A few weeks ago the switch had to be reloaded, and when it was back online I couldn't SSH to it. When I connected via the console and typed "show ip ssh", it came back saying I needed to generate the keys. I did that and it started working again. The same switch had to be turned off and on the other day due to a power down in the server room, and when it came back the same thing happened again!!
The version of IOS is: cat4000-i5k91s-mz.122.20.EW
We had a power shutdown activity last week, due to which one of the core switches was turned off and on. After the core switch was turned on, we found some of the ACLs missing which were bound to VLANs. We had given the write command before this power shutdown activity. We need to find the root cause for this.
I have a cable from an SFP module in a WS-C3750-48P with 12.2(55)SE1 running to a Gigabit port on a Cisco WLC. After the switch recovers from a power failure, the gigabit autonegotiation fails. The cure is a long drive to unplug and reseat the SFP. Note this happens at too many similar sites for this to be a loose connection. Interface shutdown then 'no shutdown' is not sufficient. The state is 'line protocol is down (not connected)'. Interface is configured for switchport mode trunk (auto speed, auto duplex). Command 'switchport nonegotiate' makes no difference. Is there a more powerful command than 'shutdown' which might toggle the interface signals? Is there some way of resetting the SFP? sh int gi 1/0/1 displays 'media type is 10/100/1000BaseTX SFP' and zero packets received.
Recently, we had a 3750X stack of 9 switches reload with no information as to why. Our syslog server received no spurious errors regarding the cause, nor did the location lose power. The UPS to which it is attached logged no glitches relating to power. Other Cisco devices (router, other switches not in the stack) did not reload. No one was in the MDF during this time. We self-insure this line of switches, so a TAC case is not an option at this time. Are there any forensic tools that I could try in an attempt to narrow down the cause?
Last night, the C6509-E did an unexpected reload. In the crashinfo, I can see that the last error message before the reload was as follows: %C6K_PLATFORM-SP-2-PEER_RESET: SP is being reset by the RP
I consulted the Cisco website about this error message and what I found was the following: C6K_PLATFORM-2.
I've been having a problem with a brand new SG300-10 switch that I posted about yesterday. I checked the firmware and it was at 1.0.0.27, and the latest is 1.1.0.73. So I backed up the current firmware and loaded the 1.1.0.73 version, and it seems to be CLI based only, with no web GUI.
If so is there an easy way to reload the 1.0.0.27 using the CLI? There is nothing in the CLI docs that I can see unless it's buried.
The release notes for 1.1.0.73 don't say it's CLI only either, maybe something just went wrong but the CLI seems to be functional.
I have built a 5508-HA cluster (7.4.100.0) and had to reboot this cluster due to a license install. After the reboot, at least one of the SSIDs was not broadcasting anymore, even though the checkbox was checked.
What did I do:
Installed the licenses @ Friday 12:00
@17:15 reload active WLC, wait till controller is up again (a few minutes pingable)
@17:25 force failover to first controller; check a few SSIDs but not all, those that were checked are OK
@Monday 07:00 clients complaining about not seeing the SSID (some were connected)
I have a problem with a device. The device, a Nexus 7000 C7010 with System version 4.2(1), suddenly reloaded. This is the cause from sh system reset-reason:
CORE1-7010# sh system reset-reason
----- reset reason for Supervisor-module 6 (from Supervisor in slot 6) ---
1) At 493933 usecs after Thu Jul 19 08:47:07 2012
Reason: Reset triggered due to HA policy of Reset
Service: netstack hap reset
Version: 4.2(1)
I don't have a USB to serial adapter handy, and was wondering if anyone has had success breaking to the ROMMON prompt during system reload (boot sequence) using the USB console on a Cisco 1941 router?
Our customer has implemented 2 AIR-WLC4402-50-K9 with Software Release 7.0.98.0; the wireless infrastructure consists of 2 Root-Mesh-LAPs and 8 Mesh LAPs connecting over-the-air to deploy outdoor coverage.
All the LAPs are Aironet 1520 Series Mesh Access Points equipped with 3 antennas for 2.4GHz and 1 antenna for 5GHz (backhaul). For one year all seemed to be OK; yesterday, after a power outage of one Mesh-Root-LAP, 5 Mesh-LAPs continue to reload every 10-12 minutes. On the WLC log you can see an event like a reboot from the AP console, and on the LAP console I can capture this event before the reload:
Log on LAP Mesh
%DOT11-6-GEN_ERROR: Error on Dot11Radio0 - Not Beaconing for too long - Current 0 Last 0
%SYS-5-RELOAD: Reload requested by Dot11 driver. Reload Reason: Radio Not Beaconing for too long ....
LWAPP-5-CHANGED: CAPWAP changed state to DOWN
AP1780-Mesh uptime is 11 hours, 10 minutes
System returned to ROM by power spike
%DOT11-6-GEN_ERROR: Error on Dot11Radio0 - Not Beaconing for too long - Current 0 Last 0
%SYS-5-RELOAD: Reload requested by Dot11 driver. Reload Reason:Radio Not Beaconing for too long ....
*Sep 1 16:05:43.399: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
What does it mean? That the beacon signal transmitted from the Root-Mesh-LAP cannot reach the Mesh-LAP, and so the Mesh-LAP forces a reload? Where should we search for the cause? In the power instability, or in interference on the 5GHz radio interface?
On one of the Mesh LAPs I found a strange reason for a reload:
AP1780-Mesh uptime is 11 hours, 10 minutes
System returned to ROM by power spike
Log on WLC
Log System Time Trap
0 Thu Sep 1 17:31:11 2011 AP Disassociated. Base Radio MAC:00:22:be:41:33:00
1 Thu Sep 1 17:31:11 2011 AP's Interface:1(802.11a) Operation State Down: Base Radio MAC:00:22:be:41:33:00 Cause=Heartbeat Timeout Status:NA
2 Thu Sep 1 17:31:11 2011 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:22:be:41:33:00 Cause=Heartbeat Timeout Status:NA
[Code]....
I have searched and searched the web, contacted my ISP and my router manufacturer, and have not come up with a solution to this problem. Plain and simple, quite often when I am trying to load any webpage, I have to press the refresh button to display the page (sometimes more than once). I live in Phnom Penh, Cambodia (from the U.S.) and just recently got internet service from an ISP named "Digi." This ISP uses PPPoE, which for some reason was a problem with my Apple AirPort Express (it worked well for a few days, then the internet stopped working with DNS errors). I bought a new wireless router directly from Digi, which is a TP-Link (model TL-WR841N). Upon hooking up the router to the modem, the internet worked, but this new problem started forming: needing to reload pages several times. Side note: my internet speed is 3 Mbps, so it's not an issue of speed.
What I have tried: First, I tried several websites to see if it occurred on more than a couple; it does. Second, I tried different browsers and different devices. The problem persisted on Safari, Chrome, and Firefox on my MacBook Pro. I deleted cookies and caches to no avail. I have never installed extensions and have them disabled anyway. This problem also occurs on my iPad and iPhones. I then thought it may be my new router, but upon connecting my MacBook Pro directly to the modem, the problem, yet again, still persisted. I have rebooted the modem with still no change. I contacted my ISP, who said that on their end everything seemed to work fine. Upon searching the internet, all I've found are suggestions to change my browser (check); delete cookies and caches and disable extensions (check); or change my DNS server address to public ones like 8.8.8.8, 8.8.4.4, or 4.2.2.2 (double check). Still, these solutions have given me no luck, and it is still frustrating to have to reload webpages, especially when it's a login page.
We have a backup Sup 720 which has a 2 gigabit Ethernet port channel to another chassis. Suddenly UDLD detected an error and went into err-disable; then this err-disable didn't let the interface go to DOWN, and created a switch loop, and then our Supervisor reloaded. I'd like to know what could have caused this reload. In my opinion it could have been the switch loop, but I've also been checking the show tech in the output interpreter and it might have been a bug; the only one that could match in IOS version 12.2(33)SXH is this one: url...
We're going to disable err-disable next time, I guess, and recover the link manually. Apart from that, what could have made the sup crash and reload?
Suffered a big outage on the network; the fix was to reload module 3 on the 6509 switch. We had these errors in the log: %CONST_DIAG-SW1_SP-3-HM_PORT_TEST_FAIL: Switch 1 Module 3 TestUnusedPortLoopback Port(s)[24,46] failed. System operation continues. In the end, we reloaded the card and it was all OK. Is there anything I can do to check the card, or any deeper logs? Would that error cause the card to crash?
I have two ACE-4710 in active/standby mode, running code A3(2.2). Four contexts are configured. Both devices were functional without problem until I reloaded the standby unit. After the reload, the standby unit completely lost its configuration, with the exception of the FT VLAN and the FT peer configuration in the Admin context... Both units recognize each other and I can still ping the primary unit on the FT VLAN, but nothing else. Contexts are lost and interfaces are shut down! Nothing changed at the software level; both devices run exactly the same image and the same licences are installed (it worked well before the reload).
So, I decided to reconfigure the basics on the standby unit in order to trigger a config sync from the primary. And here is the problem: I reconfigure the FT VLAN and the FT peer, I check the peer state, and everything is OK.
Then, I try to ping the primary unit from the standby unit with success:
switch/Admin# ping 192.168.16.1
Pinging 192.168.16.1 with timeout = 2, count = 5, size = 100 ....
Response from 192.168.16.1 : seq 1 time 0.000 ms
I have about 30 remote EZVPN 1811 routers that never come up after a firewall reload for about an hour. I have watched the EZVPN remotes and they believe they still have an IPSEC SA and they never attempt to reconnect until their IKE SA times out. Is there any way I can change this behavior so that the remotes will more rapidly recognize that their SA is invalid and negotiate a new one?
Our router suddenly reloaded. Below is the crashinfo obtained:
1st crashinfo:
7606_Router#more sup-bootflash:crashinfo_20120604-022605
00:00:05: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor
00:00:05: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
00:00:05: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor
00:00:05: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
[code]....
We are running s72033-advipservicesk9_wan-mz.122-18.SXF9
I have a problem with the Cisco 881 router at one of our customers. It seems that after a "no shutdown" has been given on the Vlan interface, it still goes back to "administratively down" after a reboot. So when I restart the router I always have to manually "no shutdown" the Vlan interface to bring it back up. While rebooting the router, it also gives the following info on the console screen every time, which is strange:
new interface Vlan1 placed in "shutdown" state. We tried several different firmware releases.
Replacing the router with a new Cisco 881 router did not work either. After they sent back the old Cisco 881 router we tested it here and there were no problems; we weren't able to replicate the problem. The configuration we use for the router is correct; we use it for hundreds of customers, so that can't be it either. The customer uses a Fortinet firewall behind the router. Could it be that something inside the customer's LAN triggers the Vlan to shut down?
I recently upgraded the flash and the RAM on one of my ASA 5505 lab machines. The flash was upgraded from 128 to 512MB and the RAM was also upgraded from 256 to 512MB. I am using asa845-k8.bin. The firewall boots and runs fine until you issue the reload command. The system shuts down but never reloads.
I have a Catalyst 4500 WS-C4506 and S-X4516-10GE Supervisor running IOS 12.2(52)SG IP BASE SSH. After having installed IOS 12.2(53)SG, I wanted to schedule a reload. After entering the reload at command I get the message %Reload in Progress and nothing happens.
I am trying to create a script to reload my Cisco 1941 router when a ping test has failed. I am using IP SLA to ping and tracking an SNMP OID. What I want to do is stop the router from reloading after 4 times if the ping test is still failing, but when the pings are successful again, restart the applet. I have the reload configured but cannot figure out how to do the rest. [code]