Cisco VPN :: 2951 / VPN Tunnel Dropping?
Jan 7, 2013
We have approx. 40 branch offices that connect to our core IOS Firewall (2951) over ipsec VPN Tunnel. One particular site has been facing issues over the past few days. This site will sporadically drop it's VPN Tunnel and reestablish after a few seconds. If I run debug crypto ipsec and crypto isakmp on the site that is dropping, it is constantly going through the DPD process. If I run these same commands on another site, they seem to run DPD at all.
Here is some of the output I am seeing on the site that is failing.
Jan 8 11:18:38.873 AST: %FW-6-DROP_PKT: Dropping tcp session 111.222.3.106:50083 96.16.47.144:80 due to Stray Segment with ip ident 54856 tcpflags 0x5004 seq.no 2154004347 ack 0
Jan 8 11:18:46.061 AST: ISAKMP (4028): received packet from 111.222.255.106 dport 500 sport 500 Global (I) QM_IDLE
Jan 8 11:18:46.061 AST: ISAKMP: set new node -1497488895 to QM_IDLE
Jan 8 11:18:46.061 AST: ISAKMP:(4028): processing HASH payload. message ID = 2797478401
Jan 8 11:18:46.061 AST: ISAKMP:(4028): processing SA payload. message ID = 2797478401
[code]....
View 2 Replies
ADVERTISEMENT
Apr 11, 2011
We have just installed our first 2951 router, and were suprised to see in our Netflow collector that Tunnel interfaces appeared even though we did not configure any, I have seen other posts talking about PIM tunnel when using Multicast, but we dont use multicast and the tunnel is GRE questions are, where do these interfaces come from? how do they pick up an IP address? can we shut them down? IOS is 150-1.M4 loopback interface ip address is 172.16.224.238 ( tunnel source) see output from sh int below
Tunnel0 is up, line protocol is up Hardware is Tunnel Interface is unnumbered. Using address of Tunnel1 (172.16.0.1) MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 99/255, rxload 1/255 Encapsulation TUNNEL, loopback not
[Code]......
View 6 Replies
View Related
Dec 12, 2012
We have approx 40 branch offices - all of which are connected to a single core site over VPN Tunnels using various gear. At one particular site, we are having issues with the tunnel dropping sporadically throughout the day - some days it happens 10 times, some days it happens none. This just randomly started happening two weeks ago, without any changes taking place. Since it started happening, I have upgraded the code to latest versions, but still the issue persists. This particular site has a 2901 and connects back to a 2951.
Below is the output from:
debug crypto ipsec
debug crypto isakmp
[code].....
View 1 Replies
View Related
Jul 3, 2011
I have a ASA 5505 VPN Concentrator using ADSM 5.2 connecting to a BEFSX41 router. Its a pretty simple set up that has been working for years. However, over the past several weeks the VPN tunnel is consistently dropping every day or two, however both side are able to ping the internet at all times. My current work around is to manually log into the BEFSX41 router and re-connect the VPN tunnel, which simply connects immediately. The tunnel will stay up for about a day or two until it reliably drops the tunnel connection. Every time the tunnel drops I get an alert with an error message: [code] After doing searches about what this error means, all I can find is that its supposed to mean there is a problem with the encryption keys. I have checked the keys many times over and everything is the same. I find it odd that nothing has changed in almost 2 years.
I have 10 other VPN connections that are always up at never have any problems. I have the same make/model router connected to other offices with no problems. I have swapped the router twice, and each time I get the same symptoms.
View 1 Replies
View Related
May 15, 2013
I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up and a few minutes. I am trying to see what is causing this to drop.
View 5 Replies
View Related
Dec 12, 2012
We have a Cisco ASA and recently purchased a cisco small business srp527 router. It is connected to our ADSL2 connection and is working fine. I have configured the device with an ipsec tunnel using an ike profile and the tunnel is created successfully with packets traversing the tunnel. However packets are being dropped intermittently, with no cause. The link is currently not being utilised, there is no load on the network however when I ping Google and any address subject to the rules of the tunnel i notice that a single packet is dropped every now and then.
View 0 Replies
View Related
Jan 9, 2011
i have a 7201 router with NPE-G2. i have a design which i have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel.which method is more CPU consumption ?
View 1 Replies
View Related
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address
[Code].....
View 3 Replies
View Related
Mar 6, 2012
our customer has a server farm in a data center.At the moment the farm has connectivity with only one ISP but sometimes it has service discontinuity.Customer wants to become AS and having two ISP connectivity for backup purposes.He needs to evaluete two cisco routers to use at AS edge with BGP.At the moment he says that the throughputh with the server farm is max 15Mbps and in the future he thinks that it will not increase.We think about cisco2951 routers with 2GB ram.Is cisco 2951 adeguate for this task ?
View 3 Replies
View Related
Jan 25, 2011
I have the situation with my new Cisco 2951 router. It has only one module on board - SM-D-ES3-48-P. I don't know what is wrong but I can't see any information about this module. When I connect my laptop to any port it's become green, but it's still green even after I disconnect PC from this port. Sh ip int brief command shows only built-in gigabit interfaces. I also connect my second PC to the router by console to monitor any changes when I connect or disconnect laptop to the module's ports. [code]
View 3 Replies
View Related
Mar 22, 2011
I'm setting up IPsec for a DMVPN between a 2811 and 2951s in a test lab. I have enabled IPsec on the hub (2811) but I am unable to do so on either of the 2951s. After researching, it seems that I may have the incorrect IOS for this, but I am at a loss which IOS I should be using. Currently the 2951s are on "c2951-universalk9-mz.SPA.151-2.T2.bin".
View 1 Replies
View Related
Jul 24, 2012
Environment :linksys wrt300n v1.1 which can have ddwrt-mega. Willing to tunnel all lan's outbound traffic through an ssh tunnel.
View 2 Replies
View Related
Jan 23, 2012
There are a few situations were I'd like to be able to use the locally configured account on a device but still have ACS in place.I want to complete this WITHOUT adding the locally configured account into ACS.I have tried setting the advanced option under Identity for if an account is not found to "Continue" however this causes the account to be allowed as long as a password is typed (any password, as long as its not blank).
View 2 Replies
View Related
Aug 15, 2012
We have an old 3725 router with a HSSI card connected to a DL3100, which in turn is connected to a subrate DS3 circuit. The plan is to replace the router with a new 2951 router and a NM-T3/E3 card.After the router was replaced, I configured the NM but the circuit remained dow/down. I'm sure it has to do with the fact that the DS3 circuit is channelized but I'm not sure how to configure this module to be channalized. Here is the configuration that I placed on the router: [code]
View 4 Replies
View Related
May 30, 2011
We recently purchased the Cisco Router 2951 router with the IOS 15.0. I have tried to put in my VIC2-4FXO card in it. When I did show invetery, it detected the card.[code] When I tried to configure the voice port by typing voice port, it shows % Invalid input detected at '^' marker. I have tried to reset the cad and replace with another one.
View 3 Replies
View Related
Jan 10, 2010
setting up IPsec for a DMVPN between a 2811 and 2951s in a test lab. I have enabled IPsec on the hub (2811) but I am unable to do so on either of the 2951s. After researching, it seems that I may have the incorrect IOS for this, but I am at a loss which IOS I should be using. Currently the 2951s are on "c2951-universalk9-mz.SPA.151-2.T2.bin" and the only crypto options.
View 9 Replies
View Related
Nov 6, 2011
I recently installed a 2951 with a security plus license..I hate it (security featuers not router) and would like to put the asa back in place.how to integrate the asa with the 2951, I believe I need to run it in multi context mode.
View 3 Replies
View Related
Jun 27, 2011
How to get a WLC on a SRE up and running. I have a WLC installed and running on a 2951 SRE connected to a L3 switch in a lab.
I've tried to follow the Cisco document:
[URL]...
My wireless clients could only receive a DHCP allocated IP address for the 55.XX subnets defined on the wireless lan controller and SRE (shown on page 12 of the pdf). All traffic seemed to be routed via the native vlan of the inside router trunk interface and all DHCP requests arriving at my DHCP server were from 55.XX. Because of this I didn't see the point of trunking
so I've changed it to a point to point routed connection, created a 55.XX DHCP scope on my DHCP server for the wireless clients and all routing works fine.I found the document rather misleading.
View 1 Replies
View Related
Dec 27, 2011
configuring my Cisco 2951 router. There are three routed interfaces that I need to configure: one for the internal LAN, the second for another private subnet that connects to a Data Centre and the third for the WAN connection. I have configured the Ge0/0 interface as the LAN interface with the internal network 10.17.0.0/24. I have also configured my WAN interface Ge0/1 for internet connectivity. Now, I need to configure the third interface Ge0/2 that will connect to the Data Centre. This will be a private point to point switched ethernet link. The Data Centre will host a secondary domain controlller. So, I want it to be on the same network as the internal LAN, i.e., 10.17.0.0/24. I want to be able to see all other devices that will be located at the Data Centre just like I would see all devices connected to the internal LAN.The problem I am facing is that Cisco 2951 does not allow me to configure two routed interfaces to be on the same subnet. Is there any way to work around this problem and configure both the internal LAN and the Data Centre private network to be on the same subnet.
View 6 Replies
View Related
Oct 17, 2012
I currently have a 50Mbps Internet Connection provided by an ethernet handoff for hosting some webservers. We are looking at adding an additional 10Mbps Internetn connection and route BGP between the two. For the 50Mbps connection, i'm using a Cisco 2951 router. I also have another 2951 router to terminate the 10Mbps connection. Does these router have enough horsepower to fully route BGP?
View 1 Replies
View Related
Jul 19, 2012
I'm just double checking here because I saw one doc that didn't mention the 2900 on the data sheet but, I ve seen the 2900 listed with on others. I don't see the 2900s listed in this with the interface.
[URL]
View 6 Replies
View Related
Feb 9, 2012
configuring my Cisco 2951 router with Z0ne-based firewall. This is the scenario I would like to configure.
I have two ftp servers,S1 and S2, behind the router which needs to be accessed by two groups of users, G1 and G2, from the outside, i.e., from the internet.
I have two public IP addresses, 152.12.164.203 and 152.12.164.204. The WAN interface of the router is configured with IP address 152.12.164.203. G1 needs to access S1 on 152.12.164.203 and G2 needs to access S2 on 152.12.164.204.
What are the steps in configuring the router if I need the above scenario to be implemented?
View 5 Replies
View Related
Apr 11, 2012
We have 50 Mb Comcast cable conencted to 2951. There is another conenction to AT&T 20 Mb circuit which goes thru' an ASA 5510. Path to Internet is as below. [code]
As long as Comcast is up, 2951 sends Internet traffic out to Comcast and uses AT&T via ASA for backup.When traffic goes over Comcast, users complain about slow speed out to Internet. If we force traffic to AT&T via ASA, speed issue goes away.
We don't see any issue on 2951 router in terms of CPU or memory util.WHat can cause slow speed despite the fact that router resources are not maxed out and Comcast circuit has 150% more capacity than AT&T?
View 8 Replies
View Related
Dec 14, 2011
I have a new Cisco 2951 router and I am trying to configure it for external users to connect to an internal ftp server. I created a firewall and added rules so as to allow ftp connections from the outside to the internal ftp server. I configured NAT so as to allow incoming connections through the router. I have been unsuccessful so far in trying to make this ftp connection work.I am using a zone-based firewall and for the particular ftp rule, the action is inspect so as to allow stateful inspection of packets.
View 3 Replies
View Related
Jun 29, 2012
One of the route maps doesnt want to work, all the other are fine -
route-map vlan23-out permit 40
match ip address 123
set ip next-hop 87.194.168.1
If it take the ip policy off interface gi0/0.123 the client can access the internet OK but over the wrong ISP?As soon as i add the policy all internet stops
View 3 Replies
View Related
Jan 2, 2013
I'm attempting to set up a detector that fires when an application is seen. I've set up the flow monitor
2951-HQ#sho flow monitor AppWatch cache
Cache type: Normal
Cache size: 4096
[code]....
I'm runnig c2951-universalk9-mz.SPA.152-3.T2.bin
View 3 Replies
View Related
Nov 28, 2012
Can Cisco2951 work as an MPLS router. If yes what will be needed to make it function as an MPLS router? Else which alternative router can function as an MPLS router.
View 1 Replies
View Related
Feb 5, 2012
I have a Cisco 2951 Router on which I configured routes for Zone-Based Firewall. I have a FTP server inside my network and I have allowed hosts from the internet to connect to it through the router. They, are however not able to connect or they are connecting but they cannot transfer files. I checked the logs on the router and the error message is as follows:
%FW-6-DROP_PKT: Dropping tcp session xx.xx.xx.xx:21 xx.xx.xx.xx:21766 on zone-pair ccp-zp-out-in class FTPInbound due to Invalid Seq# with ip ident 0
View 7 Replies
View Related
Jul 25, 2011
I have talked to two Cisco Reps via our distributor and explained our network to them both and asked for suggested equipment. Our infrastructure has 4 circuits coming into the data center from our remote sites. Two of the circuits are cat5 and two are DS3. I want to use two routers to support two circuits each (cat5 and DS3). Each circuit is around 30Mb servicing around 13 locations with T1 connections, 55 locations in total. They suggested at a minimum the cisco 2951 model because we are utilizing one NM-1T3/E3 module in each router, and suggested getting the cisco 3925 model to cover future growth. I asked for a data sheet that has suggested models of routers for the bandwidth of the incoming pipes. The technicians said they would email this information over but twice now I have not received it and cannot find this information anywhere online. We currently have a cisco 2851 utilizing one NM-1T3/E3 module and they purchased a cisco 2911 to replace this unit.
View 2 Replies
View Related
Dec 15, 2011
Purchased and configured 2951 router based on Telco specs that required T3/DS3 card with coax connection for MPLS. When telco showed up to install DS3 they handed me a UTP copper connection.... Can I use one of the Gigabit ethernet connections on the 2951 as my MPLS interface into the provider's cloud?
View 2 Replies
View Related
Apr 25, 2013
I have a site to site ipsec tunnel setup between an ASA5510 and a 2951 Router. The ASA 5510 is on a 10.x subnet with a few vlans behind it. There are also 7 other ASA5505 that connect to this box with ipsec.
The 2951 is on a 10.x subnet with multiple vlans behind it (10.x and 192.x subnets).
When I had ACL to allow traffic from 10.20.0.0 (ASA) to 192.168.111.0 (2951 - voice vlan) the connection comes online and is stable.
The minute I add any of the following, the connection drops off with Phase 2 errors: 10.20.0.0 to 10.1.200.0 10.20.1.0 to 10.1.1.0
I can add a second 10.20.0.0 to 192.168.10.0 with no problem at all. The issue only seems to occur when attempting to add traffic from 10 to 10 on the tunnel.
View 2 Replies
View Related
Aug 20, 2012
I am looking to setup a solution for backing up a Metro Ethernet connection on a 2951 using an 1841 and 2 T1's in a Multilink. The Metro E will be primary, and if the BGP peer goes down, I want it to switchover to the 1841. Can it be done and is there an example of the BGP setup to work off of?
View 1 Replies
View Related
