I have a setup where a spoke (cisco 1841) is sending a multicast feed to a hub (cisco 2951) via a DMVPN tunnel on the Internet. The feed arrives on interface fa0/0 of the cisco 1841 and is forwarded to the tunnel interface. It is about 160,000 kbit/s and 18 pps. This always looks the same:
cisco2951-1-hub#sh run int tu10
!
interface Tunnel10
description DMVPN TUNNEL
[Code]...
If I monitor a trunkport on the rootbridge in both directions I get Duplicate Multicast Packets on the perticular VLAN. The first guess is, that this is worked as designed and not a IOS Bug (Platform CAT6500 SUP720 IOS 12.2(33)SXI9 ) Until know I only found an old Cisco press link from 2002 with this subject.
View 2 Replies View RelatedIs DMVPN supported on Cisco 7200 XVR NPE-400, and would the NPE-400 module support QoS, multicast etc. I found an old doc mentioning DMVPN and this specific module.
View 1 Replies View RelatedI am exploring the possibility of having Cisco 1841's (or higher) at multiple sites. Each router will support 2 x ADSL connections (HWIC-1ADSL cards). My plan is to set up a DMVPN Full Mesh Tunnel on the first ADSL interface on each router and have RIP route these subnets, this will be for my Voice traffic only.
Further more I would like to set up a second IPSEC VPN tunnel between the head site and all other sites (the sites do not require direct communication for data purposes). This will route via static/weighted routes.
Any similar set up or sample configurations?
whether or not you can also run parallel DMVPN full mesh tunnels on a Cisco 1841 as this would be the other option.
the only restrictions are that the ADSL links cannot be upgraded to SHDSL etc.
I have a Dual-Hub DMVPN with PKI dep[oyment infrastructure and with 2 Hub on Cisco 1811 and Spokes on Cisco 1841. When I enter the 'subject-name' parameter (pki trustpoint configuration mode) on a Spoke routers, one of two Tunnel is up, but the second Tunnel is not up. ISAKMP-negotiation select the rsa-sig-mode is correctly. If I select pre-shared-mode or if i remove 'subject-name' from Spokes, DMVPN work is fine!
In what there can be a problem?
Configuration example:
1. HUB:
crypto pki trustpoint TRUSTPOINT-CA1
enrollment mode ra
enrollment url http://.../certsrv/mscep/mscep.dll
password ...
[ code]....
i have a general Question regarding buildings SA´s between two peers.Can I establish more than one SA between two Peers with the same IP Address?Actually I have 3 DMVPN´s running in parallel in different VRF´s using the same SA.They have all the same IPSEC encryption AES256.Now I need to reduce the encryption to 3DES in one of the three DMVPN´s.Is that possible or do I need a differnet IP Address so that the SA Pair is unique?Thats how I stared, with a Phase 2 failure that it is not acceptable.
crypto keyring preshared
pre-shared-key address x.x.x.x key ....ncvnbxcnbLsaYiKtxc4ex4U99Tn...
pre-shared-key address x.x.x.x key ....qerqwerJLsaYiKtxc4ex4U99Tn...
pre-shared-key address 0.0.0.0 0.0.0.0 key ....JLsaYiKtxewrc4ex4U99Tn...
[code]....
We have a 6 spoke DMVPN setup. Five of the six spokes work fine. On the 6th spoke, a 2911, we have created a Tunnel0. Other spokes and the hubs can ping it's ip, but it can't ping itself. When we do a show interface it shows the Tunnel 0 is up, but the protocol is down. What does that mean?
View 4 Replies View RelatedScenario:
Central Router (WAN: 1.1.1.1) <--> Internet <--> (WAN: Dynamic IP) Branch RouterTunnel 172.31.254.1/26 Tunnel 172.31.254.9/26
Central router is a Cisco 1811 running IOS c181x-advipservicesk9-mz.151-4.M.bin.Branch router is a Cisco 1941 running IOS c1900-universalk9-mz.SPA.151-4.M.bin.
When I do a Ping test directly from the branch to central router over the Internet I have no packet loss:
branch#ping 1.1.1.1 source GigabitEthernet 0/0 repeat 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:Packet sent with a source address of 192.168.0.100!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!(...)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Success rate is 100 percent (1000/1000), round-trip min/avg/max = 40/41/60 msbranch#
When doing a Ping test over the DMVPN tunnel (which is using the WAN IP as source) I see packetloss.
branch#ping 172.31.254.1 source Tunnel 3 repeat 1000Type escape sequence to abort.Sending 1000, 100-byte ICMP Echos to 172.31.254.1, timeout is 2 seconds:Packet sent with a source address of 172.31.254.9!!!!!!!!!!.!!!!!!!!!!.!.!!!!!!.!!!!!..!!!!!!..!!!!!!!!.!!.!!!!!.!!!!!!!!!!!!.!!!!!.!!!.!!!!!!!!!!!..!!!!.!.!.!!!!!.!!!!!!!!!.!..!!!.!.!!!!!.(...)!!!!!!.!!!.!!!!.!!!!.!.!!.!!!!!!!!!!!!!!!.!!.!!!!!!!!!.!!!.!!.!.!!!!!...!!!!!!!!!!..!!!!!!Success rate is 79 percent (795/1000), round-trip min/avg/max = 40/43/568 msbranch#
Central:
interface Tunnel0 description Testing (DMVPN) bandwidth 10000 ip address 172.31.254.1 255.255.255.192 no ip redirects ip mtu 1400 ip nhrp authentication testing ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp holdtime 600 ip nhrp redirect ip tcp adjust-mss 1360 no ip split-horizon eigrp 1 tunnel source FastEthernet1 tunnel mode gre multipoint tunnel key 100003 tunnel bandwidth transmit 10000 tunnel bandwidth receive 10000 tunnel protection ipsec profile secure_profile shared
Branch:
interface Tunnel3 description Testing (DMVPN) bandwidth 2000 ip address 172.31.254.9 255.255.255.192 no ip redirects ip mtu 1400 ip nhrp authentication testing ip nhrp map multicast 1.1.1.1 ip nhrp map 172.31.254.1 1.1.1.1 ip nhrp network-id 1 ip nhrp holdtime 300 ip nhrp nhs 172.31.254.1 ip nhrp shortcut ip nhrp redirect ip tcp adjust-mss 1360 no ip split-horizon eigrp 1 delay 1000 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint tunnel key 100003 tunnel bandwidth transmit 2000 tunnel bandwidth receive 2000 tunnel protection ipsec profile secure_profile shared
Crypto parameters on both central and branch routers:
crypto isakmp policy 1 authentication pre-share
crypto ipsec transform-set secure_transform-set esp-3des esp-sha-hmac mode transport
crypto ipsec profile secure_profile set transform-set secure_transform-set
I disabled CEF on both the central and branch routers and no success. The EIGRP neighborship appears to be stable.
So in our DMVPN network, we have this Cisco 3845 hub router that is connected via a DS3 to the Internet, and our spoke sites usually have a broadband connection that typically have a maximum of 1Mbps upload capacity. We are getting ready to add a few more sites to our network that are connected to the Internet with 10Mbps upload speeds (and 50Mbps download). Spoke site routers are usually 800 series ISRs. We have seen spikes of 8-10Mbps on the hub router so far. So the question is that a site with 10Mbps upload speed transmit to the full capacity over a DMVPN tunnel or is it limited by other factors? What are those factors?
View 4 Replies View RelatedI am having a hard time trying to configure DMVPN with the tunnel being sourced via a loopback interface. All routers are Cisco 886 routers which don't have L3 ports.That is why I used SVI interfaces, and have configured the L2 ports (Fa0, Fa1, etc.) with the command switchport access vlan.The problem is that I am receiving Invalid SPI error's only on the Hub router and I have no clue what could be the problem, because they use exactly the same parameters for IPsec. [code]
View 1 Replies View RelatedWe are facing network heavy and slow performance at one of our remote site, we are using Cisco2800 series router with same IOS on either of the sites.Our WAN network is running on BGP with EIGRP configured and tunnels were configured on either of the sites. As part of the testing I have removed the tunnel to see the performance was ok from Head office to remote branch and the WAN network is getting heavy and slow down when we put the tunnel back in hub and spoke.
quick info
Cisco 2800 Series router
IOS: (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE
One of the customers has deployed Cisco 7609S in their infrastructure for Branch/RO connectivity. When we tried to configure per-tunnel QoS with DMVPN for MPLS connected sites, we came to know that Cat 6500 and Cisco 7600 series routers don't support this feature.
Now, we are looking for suitable replacement of Cisco 7609S. I found a document for configuring above feature on Cisco ASR 1000 series routers, but it has many restrictions always.
We are now looking for
(a) suitable platform in the league of Cisco 7609S which support above feature.
(b) suitable technology replacement of DMVPN with minimum restrictions.
I need to configure multicast between 2 Csico 5540's lan to lan ipsec tunnel for a Voip application.
View 2 Replies View RelatedWe have a Cisco ASA and recently purchased a cisco small business srp527 router. It is connected to our ADSL2 connection and is working fine. I have configured the device with an ipsec tunnel using an ike profile and the tunnel is created successfully with packets traversing the tunnel. However packets are being dropped intermittently, with no cause. The link is currently not being utilised, there is no load on the network however when I ping Google and any address subject to the rules of the tunnel i notice that a single packet is dropped every now and then.
View 0 Replies View RelatedI have two Cisco 3845 routers which receive a multicast stram via a tunnel interface, i.e Tunnel163 (PIM Dense mode is enabled). These routers are both connected to a LAN segment (FastEthernet0/1/0) where receivers are. [code] Router1 is the assert winner (highest IP address), it sees igmp joins request, but it's pruning the interface. It happens sometimes and it lasts until I manually issue clear ip mroute.Unfortunately I cannot migrate to Sparse Mode.
View 15 Replies View RelatedI setup a GRE tunnel between two cisco 1800 & 1900 routers. I can't received multicast.
Here is a copy of my configs:
R3#Building configuration...
Current configuration : 1238 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname R3!boot-start-markerboot-end-marker!logging message-counter syslog!no aaa new-modeldot11 syslogip source-route!ip cefip multicast-routing no ipv6 cef!multilink bundle-name authenticated!archivelog config hidekeys! interface Loopback0ip address 10.0.0.3 255.255.255.255!interface Tunnel0ip address 192.168.24.2 255.255.255.252ip pim sparse-modetunnel source Loopback0tunnel destination 10.0.0.1!interface FastEthernet0/0ip address 10.0.3.1 255.255.255.0ip pim sparse-modeduplex autospeed auto!interface FastEthernet0/1ip address 192.168.23.2 255.255.255.252ip pim sparse-modeduplex autospeed auto!interface Serial0/0/0no ip addressshutdownno fair-queueclock rate 2000000! router eigrp 1network 10.0.0.3 0.0.0.0network 10.0.3.1 0.0.0.0network 192.168.23.2 0.0.0.0no auto-summary!ip forward-protocol ndno ip http serverno ip http secure-server!control-plane!line con 0line aux 0line vty 0 4exec-timeout 5 0privilege level 15no login!scheduler allocate 20000 1000end
[code]....
In fact i receive traffic on a one client per vlan basis (traffic is PPPoE), i receive all this traffic on a router, collecting all these vlan on a bridge where the pppoe packets are treated.When I use a transeiver to convert operator fiber arrival to my router copper media interface, i have no problem....
When I use dot1q-tunnel to make the same on my 3750, packets seems to be corrupted.I get PPPoE timeouts and packet loss, not regulary, totally stochastic...
I made dozen of tests and different settings, without success I first thougt of MTU issues. [code] I made tests with system MTU and/or system jumbo MTU above 1500, without success.I didn't found any known caveats on 3750 running Version 12.2(25r)SEE4 related to dot1q-tunnel.
I have created the tunnel interface on cisco 1841 router. The tunnel is up but can't ping to it's interface ip, the ping drops.
R1#show ip int brief
Interface IP-Address OK? Method Status Protocol
Tunnel10 10.10.10.1 YES manual up up
[Code]......
We have configure a L2L vpn between Asa and 1841 router. We are facing this issue.The tunnel is not getting up from the 1841 site never. When we are trying to generate traffic from the ASA site the tunnel is up and we can see decryps and encryps packets.
Router 1841 Config:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 213.249.XX.XX
[code].....
I m trying to make the vpn session using m GRE tunnel between cisco 891/k9 and 1841 router.. there is the fixed ip add with the 1841 router, and another one doesnt have the static ip from the ISP, In this case, im going to use DMVPN, The problem is , after completing the configuration, the tunnel inteface of the 1841 router will be seen like this.
-status: reset
-protocol: down
I need to work with the full tunnel feature of the IOS SSL VPN using a Cisco 1841. Here is what I see...
-I login to the portal page and click the "Start" button for "Tunnel Connection (SVC)"
-Security Alert message "This page requires a secure connection which includes server authentication. The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?" I click yes.
-Anyconnect says "Please wait while VPN connection is established"
-Anyconnect error "The certificate on the secure gateway is invalid. The VPN connect will not establish"
We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the Pix, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the pix to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network as we can not get a wire shark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.
2. Have tried various NAT entries.
3. Have removed and then recreated the VPN tunnel from a fresh start.
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
The tunnel is fully up at all times and as we say can ping in both directions.
im trying to configure IpSEC over Gre tunnel, but the traffic pass unencrypted, i cant find why this is happening. Here are the confg of the two routers (1841)
OFICINA#sh run br
Building configuration...
Current configuration : 1281 bytes
!
version 12.4
service timestamps debug datetime msec
[Code].....
I have a 1841 router connected to an ISP (currently SDSL EFM 10Mbps through an ISP modem, the router and the model are connected with a FastEthernet interface). On another location I have a linux server.There is an ipsec tunnel (3des-sha esp) between the router and the linux server (actually done with a crypto mac).The router has a hierarchical QOS policy on the egress interface.When sending traffic from the network inside the router to the linux host without the ipsec tunnel, everything is working fine and throughput is correct.When sending traffic from the inside network to the linux host internal ip through the ipsec tunnel, some packets are lost and the traffic throughput decrease.When sending traffic through the tunnel in the reverse direction (from the linux host to the internal network), everything is fine.I looked at the QOS statistics and the dropped packets counters don't increase. I looked at the egress/ingress interface statistics and no packets dropped there.I lowered the MTU on the egress interface, but it didn't solve the problem. I played by sending various ping icmp packets size, but even small packets are sometimes lost.I tried to check the router CPU, but it seems relatively fine (<= 10%)I captured the traffic on both side, and I see the packets emitted, and then I can see that some of the esp packets of the corresponding side are not received, so it looks like the cisco router is the culprit. This 1841 router is running: 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(24)T4,How can I troubleshoot where and why those packets are lost?
View 0 Replies View RelatedI can ping across the tunnel from the pc's on either end of the tunnel, but I can't ping across the tunnel from the routers. If i ping using the source command using the LAN interface, the ping is successfull.
The reason i need this is for the remote router to be able to lookup the head office server for dns wins and ldap.
I have a strange issue where im able to get an ipsec tunnel from tha cisco 1841 to a linksys/cisco RV016 for about a minute and ping/encrypt packets across the lin for about a minute before it goes down. I tried various configuration and it all results in the tunnel coming up for a minute then going down. I'm not sure if im hitting a bug and on which decide of if im doing something wrong.
RV016 firmware 2.0.18
cisco 1841: C1841-ADVENTERPRISEK9-M), Version 12.4(24)T
my config
no crypto isakmp default policy
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
[code]....
I have an GRE Tunnel across my head office and remote site with multiple subnets using cisco 1841 routers.I can ping most of the devices on the remote side, but I can not ping certain devices.These devices respond to ping requests on the local LAN, but not through the WAN link. If I change the IP of device than it start responding. I am using same gateway and mask on these devices.The remote site is running classic STP on switches with distribution switch being the root bridge.
View 4 Replies View RelatedI'm trying to configure an IPSEC VPN + tunnel for multicast data. When the default gateway is set on the router (1841) it works fine but if I only set a route to the IPSEC peer via our gateway then the tunnel fails to come up. The end point is to a 3rd party. [code]
I found that if I add a static route for the tunnel destination via fa0/0, the public facing interface, the tunnel comes up..ip route 10.23.4.2 255. 255. 255. 255 FastEthernet0/0
and I can then ping the tunnel IP at the far end - 10.23.0.5.Why would that be? Is there a better way to do this without using a default route??
Why do we need MP-BGP (and not BGP) to exchange multicast prefixes between multicast domains?
View 2 Replies View RelatedI try to pass multicast traffic between two vrf on the same 3750 switch. I have IP services IOS and sdm template routing.
here is my config:
ip routing
!
ip vrf vpn2
rd 1:1
mdt default 232.1.1.1
route-target export 1:1
route-target import 1:1
[code]....
Now I'm stuck - I don't know what to do to pass multicast traffic. Do I have any chance to run this config on 3750 chassis?Perhaps "Configuring Multicast VPN Extranet Support" document will be useful, but it concerns Catalyst 6500? [URL]
I have 2 Cisco routers , 1841 and 2811 , I need to setup site to site VPN , but i dont now some how it just does not seems to be working ,
Find attached the Configuration along with the
<----- 172.31.1.0/24----- DG:172.31.1.1>Cisco 2811<Dialer1 -----//Internet//----------Dialer1>Cisco1841---< DG:10.236.5.254-------------- 10.236.5.0/24--->
Find attached command executed on each router in the below order
1) show ver
2) Show run
3) show logging
4) show crypto ipsec sa
5) show crypto isakmp sa
Debugging enabled on routers are
1)Debug Crypto Isakmp
2) Debug Crypto Ipsec.
I'm seeing a TON of traffic in my ASA logs (via ASDM) indicating the following:"Duplicate TCP SYN from inside: (valid internal address of one of our laptops)/50164 to inside: (address on our other subnet, still trying to trace it)/9100 with different initial sequence number"This looks like an attack to me, likely someone's downloaded something they shouldn't have and got an infected laptop. Why it's trying to "call home" to something inside our network is what puzzles me, though.Is there any VALID reason I would see these sort of messages in my log?
View 3 Replies View RelatedWe have LMS 4.2 installed and added devices;Now if for example a device is not reachable we get two messages with same failure ;only the component name is different
- one event with "dns" in component name
- one with "dns(ip)" in component name
dns == hostname
