Cisco VPN :: 2921 And 1941 EAP TLS Fragmentation Across VPN Tunnel

May 7, 2012

I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:

- Under the tunnel interfaces:
  - MTU 1390
  - MSS 1350
  - PMTUD
- Under the ingress LAN interface:
  - route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS):
  - Framed-MTU: 1300
 
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up Wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with IDs 77-81, but message ID 82 isn't shown in the Wireshark capture, only fragments are. In the client monitor capture you can see that message ID 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.

I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.


Cisco WAN :: 1941 Router - Enable IPSec Virtual Tunnel Interface With Tunnel Mode IPv4

Sep 23, 2012

I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?


Cisco :: Out Of Band Management With New Routers (1941 And 2921) IOS 15.0?

May 16, 2011

Our out of band connections with the new routers (1941 & 2921) with the new IOS 15.0 are not working.
 
Here are our configs:

Router:
line aux 0
 exec-timeout 3 0
 modem InOut
 transport input all
 stopbits 1

Modem (D-Link):
at&fs0=1s2=127s37=9e1q1&c1&d2&s1&k0&r0&w
  
Here is an output of the debug command:
 
*May 17 05:02:14.206 UTC: TTY1: CTS went down on IDLE line
*May 17 05:02:17.206 UTC: TTY1: CTS came up on IDLE line
*May 17 05:02:22.206 UTC: TTY1: CTS went down on IDLE line
*May 17 05:02:25.206 UTC: TTY1: DSR came up
*May 17 05:02:25.206 UTC: tty1: Modem: IDLE->(unknown)
*May 17 05:02:25.206 UTC: TTY1: EXEC creation
*May 17 05:02:25.206 UTC: TTY1: create timer type 1, 30 seconds
*May 17 05:02:25.674 UTC: TTY1: create timer type 10, 30 seconds
*May 17 05:02:26.154 UTC: TTY1: pause timer type 10 (OK)
*May 17 05:02:26.154 UTC: TTY1: resume timer type 10 (OK)
*May 17 05:02:26.174 UTC: TTY1: pause timer type 10 (OK)
*May 17 05:02:26.206 UTC: TTY1: DSR was dropped
*May 17 05:02:26.206 UTC: TTY1: Set

[code]....
 
It goes into the handshake but then disconnects immediately.


Cisco WAN :: 2921 / VTI Tunnel On Two Different ISP?

Mar 28, 2012

I have one interesting problem with local PBR on a 2921 router. Here is the case: on the HQ site there is a 2921 router with two directly connected ISPs, and there is a Branch which is connected to only one ISP. The configuration should be to connect the HQ router to the Branch router with two VTI tunnels, so that each tunnel on the HQ site is terminated on a different ISP, and EIGRP will be monitoring each VTI status. The problem is on the HQ site: there is only one way to specify router with LOCAL PBR configuration, so the router should send traffic for the tunnel terminated on ISP1 to ISP1, and traffic for the tunnel terminated on the ISP2 interface to ISP2.

As far as I know this configuration should work, but I couldn't make it work on c2900-universalk9-mz.SPA.151-4.M4.bin IOS, and on c2900-universalk9-mz.SPA.152-2.T1.bin.
 
 Here is simple config:
  
ISP1 ip is 1.1.1.1
ISP2 ip is 2.2.2.2
3.3.3.3 is Branch ip address.
!
ip vrf BRANCH

[code]....
 
When I configure one default static route, it starts working, but both tunnels go with the specified ISP. Also, there is no VRF problem; when there is no VRF config at all it also doesn't work. GRE tunnels also don't work.


Cisco VPN :: 2921 / Split Tunnel VPN Connected But No Gateway

Jul 10, 2012

I followed: [URL] And my VPN connection is established on the 2921. However, when I successfully connected to the router via VPN, ipconfig shows the default gateway being 255.0.0.0. My CISCO2921 GI0/0 has the default 10.10.10.1 IP assigned; I want to access this interface with CISCO CP.


Cisco VPN :: Create VPN Tunnel Between ASA5520 And 2921 Router

Sep 21, 2011

I am getting the following error message while trying to create a VPN tunnel between an ASA5520 and a 2921 router. [code]


Cisco VPN :: 1941 Tunnel Up But Can't Reach Devices?

May 23, 2013

We set up a 1941 Router with the Cisco Configuration Professional Tool. The VPN tunnel works and I get an IP address from the pool. But I can't reach any devices in the VLAN10 network. Did I forget anything?
 
Here is the config from the Router:
 
version 15.1
parser view CCP_Monitor
secret 5 $1$FnN7$Qr.mbJbPOuOH7Te6MD1.I0
commands configure include end

[Code].....


Cisco WAN :: Getting 1941 Tunnel Bandwidth Command?

May 13, 2011

I have a Cisco 1941 router with the Security license running IOS c1900-universalk9-mz.SPA.151-4.M.bin.  Is there a "tunnel bandwidth" command like with routers that have the Advanced IP Services license?  My concern is being able to adjust the bandwidth to a value greater than 8 Mbps...


Cisco VPN :: Configuring IPSec VPN Tunnel ISR 2921 Router With Watchguard?

Aug 28, 2012

I am configuring a vpn ipsec tunnel with cisco isr 2921 router and Watchguard edge 1250e. I have the watchguard configured so I just need to make sure I have everything setup on the cisco side. At this point, there is no communication as I am not sure if I configured it correctly. Should I do the crypto map on g 0/0 or dialer 1?
 
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef

[code]......


Cisco VPN :: 2921 - IPSec Tunnel Random Packet Drops

Mar 15, 2013

I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
 
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.

Pings outside the tunnel along the same path are fine.
 
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
 
Any pointers on finding where the packets get lost?
  
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100         
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:

[Code].....


Cisco Firewall :: PIX515 / 2821 / 2921 / Getting GRE IPsec Tunnel Setup?

Apr 18, 2013

We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
 
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.  Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
 
Main Office
The external address     198.40.227.50
The loopback address     10.254.10.6
The tunnel address       10.2.60.1

Offsite Datacenter
The external address     198.40.254.178
The loopback address     10.254.60.6
The tunnel address       10.2.60.2
 
The main office PIX515 Config :

PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240

[code]....


Cisco Switching/Routing :: 1941 / IPSec Tunnel Up No Traffic?

Mar 7, 2013

I have an IPSec tunnel configured on my Cisco 1941. The other device is a ZyXEL router. I can see the tunnel is up but there is no traffic. This is what comes out of show crypto ipsec sa:

interface: Dialer1
Crypto map tag: CMAP_AVW, local addr 10.10.10.89
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
   current_peer 20.20.20.161 port 500

[code]....


Cisco VPN :: 1941 Encrypted GRE Tunnel Changes State To Reset / Down Upon IOS Upgrade

Jun 16, 2011

I installed a 1941 router with an encrypted GRE tunnel yesterday. The router has ipbasek9 and securityk9 licensed. Initially the router was running the image c1900-universalk9-mz.SPA.150-1.M5.bin and was working fine. The tunnel was up and passing traffic. I then upgraded the IOS to c1900-universalk9-mz.SPA.151-2.T2.bin and when I reloaded the router the tunnel was stuck in a reset/down state. I tried doing shut/no shut on the interface and reloading the router again, no change. Being under some time pressure to get the device back into production, I rolled back to the previous IOS image and the tunnel worked fine again. Is there a known bug that causes this behavior? I have searched cisco.com but have not found one. [code]


Cisco WAN :: Maximum Number Of Configurable GRE Tunnel Interfaces On 2921-HSEC+ / K9 Router?

Jul 16, 2012

What is the maximum number of configurable GRE tunnel interfaces on a CISCO2921-HSEC+/K9 router?


Cisco WAN :: How To Disable Fragmentation On 2901

Feb 7, 2012

How do I disable fragmentation on a 2901 router? I want it to simply drop oversized packets. In my lab, I am trying to test various MTU issues. I'm trying to use a 2901 router to simulate the WAN equipment that my WAN provider would deploy in production. In production I'm expecting the WAN to only support an MTU of 1320 with no fragmentation at all.


Linksys Wireless Router :: WRT160N Fragmentation Threshold

Aug 9, 2011

I set the Cisco AP's settings with MTU size as 1200 bytes and the Fragmentation threshold to 256 bytes. Setup: I am using a WiFi-enabled laptop connected to the Cisco AP, running an application pumping data of size 1400 bytes continuously to a wireless node connected to the same Cisco AP over WiFi.

I am monitoring network activity on the same laptop using Wireshark. However, I cannot see the 1400 bytes of data getting fragmented. What is the concept of fragmentation and MTU size? Also, I would like to know how to change the AP settings so that I can see the data (1400 bytes) getting fragmented into small byte chunks.


Cisco VPN :: 2921 Site-2-Site IPSEC VPN Tunnel Will Not Come Up

Dec 5, 2012

I am setting up an IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. [code]


Cisco WAN :: 7201 Option To Send All Traffic Through GRE Tunnel / L2TPV3 Tunnel

Jan 9, 2011

I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPV3 tunnel. Which method consumes more CPU?


Cisco Routers :: Set A VPN IpSec Tunnel GW To GW Tunnel Between RV110W

Oct 17, 2012

I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
 
What would be the correct Configuration? the current configuration I am using is
 
In the RV042 I am using:
 
Check Enable 
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address

[Code].....


Networking :: To Tunnel All Routers Traffic Through SSH Tunnel With WRT300n

Jul 24, 2012

Environment: Linksys WRT300N v1.1, which can have ddwrt-mega. Willing to tunnel all of the LAN's outbound traffic through an SSH tunnel.


Cisco VPN :: Tunnel With WRVS4400N Need To Push 2 IPs Through Tunnel?

Jan 23, 2012

There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for if an account is not found to "Continue"; however, this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).


Cisco WAN :: Can Use 2921 For BGP

May 29, 2013

I want to talk BGP with the ISP through a 200Mb/s WAN link using a Cisco Router 2921, and in the near future the WAN link will be upgraded to 1Gb/s. Does the Cisco Router 2921 have enough performance to do this task?


Cisco VPN :: SSL Licensing On ISR G2 2921?

Nov 13, 2012

We have a CISCO 2921/K9 which has the securityk9 feature set (reflects Permanent under show version)
 
I thought that included SSL VPN, but doing a "show license all" it doesn't reflect that:
 
StoreIndex: 4   Feature: SSL_VPN                           Version: 1.0
License Type: EvalRightToUse
License State: Active, In Use

[Code].....


Cisco WAN :: Using 2921 / 51 With RPS 2300?

Jun 30, 2011

Using a Cisco 2921 router with an RPS 2300, I came across a  table in the 2900 Hardware Installation Guide that I can hardly believe:  table 5-3 seems to tell me that in order to back up ONE 2921 with RPS  power, I will need an RPS with TWO 750 Watt or TWO 1150 Watt power  supplies. Is it really true that I need to throw at least 1500  Watts of backup power at a router that has a main power supply of approx  300 W?


Cisco WAN :: Router 2921 Enough For BGP?

Oct 13, 2011

I need a router to connect to our ISP by BGP and in the future to a second ISP. Our ISP is going to provide us about 300.000 route entries by BGP. So would router 2921 be enough, or should I go to a higher model? We are going to have 100Mbps with this ISP and probably in 3 months we'll have to double it. Also we'll need IPv6 support. I saw the router performance [URL]f and it has 480.000 PPS and 245 Mbps, but for 64-byte length packets. If the packets are bigger the throughput should be best I suppose... 1500 bytes about 5,5 Gbps. In case you consider the model sufficient, should the flash or RAM be increased?


Cisco WAN :: 2921 Gi0 / 1 Is Not Coming Up

Mar 7, 2013

Why is Cisco 2921 GigabitEthernet 0/1 not coming up? I also tried to connect the interface to another SWITCH with no joy.
 
ME3400 (ISP's switch)<-------------MPLS link--------------> Cisco 2921 Gi0/1 >>>>>>>>>>Port not coming up
 
I tried a connection between the ME3400 (ISP's switch) and a spare switch, and the INTERFACE of the spare switch was in UP/UP state. Troubleshooting I did so far on interface Gi0/1:

1> Changed the speed/duplex manually and reverted it back to auto

2> Disable keepalive

3> Tried a different LAN cable with no luck

4> Please see the HIGHLIGHTED part (in red colour) of the "Show controller Gi0/1" command

I am pasting some of the SHOW command output:

R2921_MMP#sh run int gi0/1
Building configuration.[code]


Cisco WAN :: 2921 EF CAR And JITTER

May 16, 2013

I have a 2921 on Ethernet MPLS circuit.  Problem is Voice has jitter at 60ms and no dropped packets from source to destination.  How to reduce the jitter?  Is the polices correct using Cisco recommended  Nb = CAR x (1/8) x 1.5? 
 
The PE is honoring the DSCP marked packets.                  
CE router 2921 QOS:
policy-map IFCQOS
class EF
priority 2048
[code]........


Cisco WAN :: BGP Routing With 2921

Feb 19, 2011

I am trying to set up a new router for training. I am attempting my first BGP multihome.

The router is a 2921. We have a bonded T1 line and a metro Ethernet connection.

We have 2 /24 networks, 1 /23 and 1 IPv6 /48. Behind the Cisco router we have 3 OpenBSD firewall pairs, which are used to segment the networks into the production, development and my lab.

One of the /24s and the IPv6 block are variably subnetted; these are the routes that I am having trouble with. I am attempting to aggregate the /24 and the IPv6 block to go out to the internet.

They show up in the routing table as advertised but you cannot reach any hosts through the Cisco router.

Here is the BGP config:
 
address-family ipv4
  network 24.104.xxx.240 mask 255.255.255.240
  network 204.17.xxx.0 mask 255.255.254.0
  network 204.138.xxx.0
 [Code]....


Cisco WAN :: 2921 - Voice Gateway IOS

Jun 8, 2012

I need any one exact IOS from the list below. Can someone provide me the link?

15.1(0.20)T
15.0(1)M1.4
15.1(24.6.26)PIL13
15.1(0.2.12)PIB13
15.1(1)XB1
15.1(0.0.10)PIL14
15.1(1.7.1)PIA13
15.1(1.7.1)PIA14
15.1(0.0.3)PIL15


Cisco LAN :: Connecting 2 Subnets Using 2921?

Feb 12, 2013

I have a Cisco 2921. I have 2 networks, each of which has its own router:

192.168.1.0 network is connected to the WatchGuard firewall
192.168.9.0 network is connected to the Cisco 2921 router

I want to connect the 2 subnets using one of the interfaces of the Cisco router. How can I get this to work? It is not connected via VPN tunnel, but we want to have LAN speed when accessing resources on both networks. Each network is connected to a Dell switch.


Cisco WAN :: GRE Tunnels On 2921 Router

Feb 20, 2013

Is there a recommended number of GRE tunnels that Cisco 2921 ISR router with default configuration (512MB DDR2 ECC DRAM) can support?         


Cisco WAN :: Monitor Session On 2921

May 8, 2011

I have a question regarding the monitor session command. I have the following interfaces on my router:

I want to monitor the traffic from the source interface Gi0/2 to the destination interface fa1/3.

monitor session 1 source interface gigabitEthernet 0/2 brings this error message: % Incomplete command.

monitor session 1 source interface gigabitEthernet 0/2?/  :  <0-2>

I don't have any ports on the Gigabit interfaces. Any ideas how to monitor traffic?


Cisco WAN :: Lab Testing Of WIC-T1 On 2921 Routers

Mar 6, 2012

I have a lab setup and I want to test a point-to-point connection between two 2921 routers in a lab environment, without going through an ISP. I have a HWIC-1DSU-T1= in each of the routers. I have already configured ip addresses to the router interfaces, eDo I need to set any CLOCK RATE or BANDWIDTH commands or anything like that, since my traffic will not actually be going through an ISP during this lab test?








Copyrights 2005-15 www.BigResource.com, All rights reserved