Cisco WAN :: 2921 / VTI Tunnel On Two Different ISP?
Mar 28, 2012
I have one interesting problem with local PBR on a 2921 router. Here is the case: on the HQ site there is a 2921 router with two directly connected ISPs, and there is a Branch which is connected to only one ISP. The configuration should connect the HQ router to the Branch router with two VTI tunnels, so that each tunnel on the HQ site is terminated on a different ISP, and EIGRP will be monitoring each VTI's status. The problem is on the HQ site: there is only one way to specify this to the router, with LOCAL PBR configuration, so the router should send ISP1-terminated tunnel traffic to ISP1, and ISP2-interface-terminated tunnel traffic to ISP2.
As far as I know this configuration should work, but I couldn't make it work on the c2900-universalk9-mz.SPA.151-4.M4.bin IOS, or on c2900-universalk9-mz.SPA.152-2.T1.bin.
Here is simple config:
ISP1 ip is 1.1.1.1
ISP2 ip is 2.2.2.2
3.3.3.3 is Branch ip address.
!
ip vrf BRANCH
[code]....
When I configure one default static route, it starts working, but both tunnels go with the specified ISP. Also, there is no VRF problem: when there is no VRF config at all it also doesn't work. GRE tunnels also don't work.
May 7, 2012
I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
- Under the tunnel interfaces:
  - MTU 1390
  - MSS 1350
  - PMTUD
- Under the ingress LAN interface
  - route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS)
  - Framed-MTU: 1300
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up Wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with IDs 77-81, but message ID 82 isn't shown in the Wireshark capture, only fragments are. In the client monitor capture you can see that message ID 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
Jul 10, 2012
I followed: [URL] And my VPN connection is established on the 2921. However, when I successfully connected to the router via VPN, ipconfig shows the default gateway being 255.0.0.0. My CISCO2921 GI0/0 has the default 10.10.10.1 IP assigned; I want to access this interface with CISCO CP.
Sep 21, 2011
I am getting the following error message while trying to create a VPN tunnel between an ASA5520 and a 2921 router. [code]
Aug 28, 2012
I am configuring a VPN IPsec tunnel with a Cisco ISR 2921 router and a Watchguard Edge 1250e. I have the Watchguard configured, so I just need to make sure I have everything set up on the Cisco side. At this point, there is no communication, as I am not sure if I configured it correctly. Should I do the crypto map on g 0/0 or dialer 1?
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
[code]......
Mar 15, 2013
I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.
Pings outside the tunnel along the same path are fine.
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
Any pointers on finding where the packets get lost?
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
[Code].....
Apr 18, 2013
We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515. Right now I am not able to get the tunnel set up. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls. I will show the output of that command below.
Main Office: the external address is 198.40.227.50, the loopback address is 10.254.10.6, the tunnel address is 10.2.60.1.
Offsite Datacenter: the external address is 198.40.254.178, the loopback address is 10.254.60.6, the tunnel address is 10.2.60.2.
The main office PIX515 Config :
PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240
[code]....
Jul 16, 2012
What is the maximum number of configurable GRE tunnel interfaces on a CISCO2921-HSEC+/K9 router?
Dec 5, 2012
I am setting up an IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. [code]
Jan 9, 2011
I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or a L2TPV3 tunnel. Which method consumes more CPU?
Sep 23, 2012
I'm in the process of purchasing new Cisco routers for our branches that will be used primarily to enable an IPSec virtual tunnel interface with "tunnel mode ipsec ipv4". Does the default IOS IP Base support this feature, or do I need to purchase a DATA license or SECURITY license?
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02).
What would be the correct configuration? The current configuration I am using is below.
In the RV042 I am using:
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Public IP address
[Code].....
Jul 24, 2012
Environment: Linksys wrt300n v1.1, which can have ddwrt-mega. Willing to tunnel all LAN's outbound traffic through an ssh tunnel.
Jan 23, 2012
There are a few situations where I'd like to be able to use the locally configured account on a device but still have ACS in place. I want to complete this WITHOUT adding the locally configured account into ACS. I have tried setting the advanced option under Identity for if an account is not found to "Continue"; however, this causes the account to be allowed as long as a password is typed (any password, as long as it's not blank).
May 29, 2013
I want to talk BGP with the ISP through a 200Mb/s WAN link using a Cisco Router 2921, and in the near future the WAN link will be upgraded to 1Gb/s. Does the Cisco Router 2921 have enough performance to do this task?
Nov 13, 2012
We have a CISCO 2921/K9 which has the securityk9 feature set (reflects Permanent under show version)
I thought that included SSL VPN, but doing a "show license all" it doesn't reflect that:
StoreIndex: 4 Feature: SSL_VPN Version: 1.0
License Type: EvalRightToUse
License State: Active, In Use
[Code].....
Jun 30, 2011
Using a Cisco 2921 router with an RPS 2300, I came across a table in the 2900 Hardware Installation Guide that I can hardly believe: table 5-3 seems to tell me that in order to back up ONE 2921 with RPS power, I will need an RPS with TWO 750 Watt or TWO 1150 Watt power supplies. Is it really true that I need to throw at least 1500 Watts of backup power at a router that has a main power supply of approx 300 W?
Oct 13, 2011
I need a router to connect to our ISP by BGP and in the future to a second ISP. Our ISP is going to provide us about 300.000 route entries by BGP. So would a 2921 router be enough, or should I go to a higher model? We are going to have 100Mbps with this ISP and probably in 3 months we'll have to double it. Also we'll need IPv6 support. I saw router performance [URL]f and it has 480.000 PPS and 245 Mbps, but for 64 byte length packets. If the packets are bigger the throughput should be better I suppose... 1500 bytes about 5,5 Gbps. In case you consider the model sufficient, should the flash or RAM be increased?
Mar 7, 2013
Why is Cisco 2921 GigabitEthernet 0/1 not coming up? I also tried to connect the interface to another SWITCH with no joy.
ME3400 (ISP's switch)<-------------MPLS link--------------> Cisco 2921 Gi0/1 >>>>>>>>>>Port not coming up
I tried a connection between the ME3400 (ISP's switch) and a spare switch, and the INTERFACE of the spare switch was in UP/UP state. Troubleshooting I did so far on interface Gi0/1:
1> Changed the speed/duplex manually and reverted it back to auto
2> Disabled keepalive
3> Tried a different LAN cable with no luck
4> Please see HIGHLIGHTED part (in red colour) of "Show controller Gi0/1" command
I am pasting some of the SHOW command output:
R2921_MMP#sh run int gi0/1
Building configuration.
[code]
May 16, 2013
I have a 2921 on Ethernet MPLS circuit. Problem is Voice has jitter at 60ms and no dropped packets from source to destination. How to reduce the jitter? Is the polices correct using Cisco recommended Nb = CAR x (1/8) x 1.5?
The PE is honoring the DSCP marked packets.
CE router 2921 QOS:
policy-map IFCQOS
class EF
priority 2048
[code]........
Feb 19, 2011
I am trying to set up a new router for training. I am attempting my first BGP multihome.
The router is a 2921. We have a bonded T1 line and a metro ethernet connection.
We have 2 /24 networks, 1 /23 and 1 IPv6 /48. Behind the Cisco router we have 3 OpenBSD firewall pairs that are used to segment the networks into production, development and my lab.
One of the /24s and the IPv6 block are variably subnetted; these are the routes that I am having trouble with. I am attempting to aggregate the /24 and the IPv6 block to go out to the internet.
They show up in the routing table as advertised, but you cannot reach any hosts through the Cisco router.
here is the bgp config
address-family ipv4
network 24.104.xxx.240 mask 255.255.255.240
network 204.17.xxx.0 mask 255.255.254.0
network 204.138.xxx.0
[Code]....
Jun 8, 2012
I need any one exact IOS from the list below. Can someone provide me the link?
15.1(0.20)T
15.0(1)M1.4
15.1(24.6.26)PIL13
15.1(0.2.12)PIB13
15.1(1)XB1
15.1(0.0.10)PIL14
15.1(1.7.1)PIA13
15.1(1.7.1)PIA14
15.1(0.0.3)PIL15
Feb 12, 2013
I have a Cisco 2921. I have 2 networks that each have their own router.
The 192.168.1.0 network is connected to a Watchguard firewall. The 192.168.9.0 network is connected to the Cisco 2921 router.
I want to connect the 2 subnets using one of the interfaces of the Cisco router. How can I get this to work? It is not connected via VPN tunnel, but we want to have LAN speed when accessing resources on both networks. Each network is connected to a Dell switch.
Feb 20, 2013
Is there a recommended number of GRE tunnels that Cisco 2921 ISR router with default configuration (512MB DDR2 ECC DRAM) can support?
May 8, 2011
I have a question regarding the monitor session command. I have the following interfaces on my router: I want to monitor the traffic from the source interface Gi0/2 to the destination interface fa1/3. monitor session 1 source interface gigabitEthernet 0/2 brings this error message: % Incomplete command. monitor session 1 source interface gigabitEthernet 0/2?/ : <0-2>. I don't have any ports on the Gigabit interfaces. Any ideas how to monitor traffic?
Mar 6, 2012
I have a lab setup and I want to test a point-to-point connection between two 2921 routers in a lab environment, without going through an ISP. I have a HWIC-1DSU-T1= in each of the routers. I have already configured ip addresses to the router interfaces, eDo I need to set any CLOCK RATE or BANDWIDTH commands or anything like that, since my traffic will not actually be going through an ISP during this lab test?
Apr 3, 2012
I have a 2921 router, with UCK9 services on it. I've installed a VWIC2-2MFT but the system is not seeing it. I've been told there is a command required to enable the card, is this true? I've always done most of my UC work on the 2800 range and never had to run an enable command, it just saw the card.
Nov 3, 2012
I have recently upgraded my company's network significantly, and in the process removed our Cisco edge routers and firewalls (gasp!), and replaced them with another vendor who gave a better price point for the router. However, I was only able to get ONE edge router, whereas before I had two, so I want to recycle one of my old 2921s as a cold standby (in case the brown sticky stuff hits the rotating air distribution blades, and $other-vendor router dies). Trouble is, the 2921 does not, I believe, have sufficient system resources to take the full routing table we're getting from our two ISPs. What I would like to ask is people's thoughts on the best method for me to configure the BGP setup on the 2921 to do the following:
- Accept the default route from each ISP and discard *everything* else in the route table
- Modify our advertisement (ad prepend) out the "secondary" ISP to reduce the priority of traffic coming in over this link.
- Configure the OUTBOUND priorities so that the "primary" link is used by preference for outgoing traffic (which will effectively shut down the secondary link for outbound traffic)
Apr 9, 2012
From today's morning my 2921 is restarting about one time per two hours:
uptime is 1 minute
System returned to ROM by bus error at PC 0x23A49808, address 0x0 at 15:45:07 CET Tue Apr 10 2012
[Code].....
Jun 4, 2012
We recently purchased a Cisco 2921 router to be our edge device for a small satellite office (24 users). In addition to the router, we purchased a vwic3-2mft-t1/e1 module. Now the surprise: we ordered a bonded T1, and I thought we were getting frame-relay circuits from Verizon, but someone ordered a 3M IMA circuit. I am new to configuring serial connections, and had planned out a frame-relay configuration. With that said, I have the following questions:
1. Can I set up a working serial connection to Verizon using the installed ATM circuit and the 2921 and vwic3-2mft-t1/e1 card I have? If not, what do I need in conjunction with the 2921?
2. With the frame-relay configuration, I enable controllers, configure the MFR interface and sub-interface, and serials. How much different is setting up serial ATM connections?
Mar 29, 2010
I have a 2921 series router w 15.1M series IOS. The platform has an HWIC-2SHDSL module installed, which is used for point-to-point G.SHDSL connectivity. When I apply a service-policy on the ATM PVC, after 10 to 20 minutes I lose IP connectivity on the ATM interface and the tunnel interface also goes to down state. If I remove the service policy on the ATM PVC, IP connectivity returns.
Interestingly, I use exactly the same config on the 2821 platform (w. WIC-1SHDSL installed) and I do not experience such an issue on that platform. I tried to carry the QoS config on to the Tunnel interface with shaping enabled and the "no qos-preclassify" command issued, but the result is the same.
policy-map MetroDSL-llq
class sna-dsl
bandwidth percent 10
class netbios-dsl
bandwidth percent 10
[code]....
Jun 13, 2012
We have multiple sites that have either fiber 20mb d/u or cable 50/10 d/u. Recently we have upgraded our head end router to a 2921 security based router and noticed that no matter if we are sending or receiving, the most we can push is 1.6Mb. I would expect this number to be at least 8Mb for uploading and at least 18mb for downloading from other sites. I have included parts of my config and screen shots of bandwidth usage for troubleshooting. [code]
Feb 13, 2013
How to enable the SFP module on a Cisco 2921?