Cisco WAN :: 7200 / 2921 With VTI IPsec

May 20, 2013

We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security. I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.
 
We see the tunnel come up, but when I send a ping from the 2921 to the 7204 there isn't a reply. When I look at the results on the 7204 from a 'sh crypto engine connection active', I see the decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.
 
I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than an IOS bug, which is what I first thought.
 
sh crypto engine connections active
Crypto Engine Connections 

   ID Interface       Type  Algorithm           Encrypt  Decrypt IP Address
    1 Tu10            IPsec 3DES+SHA                  0       31 10.5.5.1
    2 Tu10            IPsec 3DES+SHA                 19        0 10.5.5.1
 1001 Tu10            IKE   SHA+3DES                  0        0 10.5.5.1
 
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way.
 
crypto isakmp policy 1
encr 3des
authentication pre-share
[code].....

View 16 Replies



Cisco VPN :: 7200 - L2TP Over IPSec With Draytek

Apr 20, 2011

I have a Cisco 7200 and need to establish an L2TP over IPSEC session with a Draytek Fly200. Draytek must use L2TP over IPSEC to provide LAN-to-LAN connectivity. IPSEC phase 1 and 2 are ok, the L2TP tunnel is also established, but on the cloned virtual-access, IPCP negotiation is not completed:
 
*Sep 16 09:50:36.911: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
L2X_ADJ: Vi3:midchain adj reqd for ip 0.0.0.0, cid 0
*Sep 16 09:50:38.911: Vi3 IPCP: O CONFREQ [REQsent] id 2 len 10
*Sep 16 09:50:38.911: Vi3 IPCP: Address 192.168.176.2 (0x0306C0A8B002)
*Sep 16 09:50:38.911: Vi3 IPCP: Event[Timeout+] State[REQsent to REQsent]
 
I think my VPDN configuration from Cisco side is not correct, but I cannot find configuration examples for this kind of solution.

View 8 Replies View Related

Cisco Security :: Configuring IPSec VPN On 7200 Router

Apr 5, 2013

I am facing a problem when configuring the ipsec vpn on my 7200 router. [code]

View 5 Replies View Related

Cisco VPN :: 7200 Getting IPSEC Decrypted Packet Failed SA Identity

Jan 23, 2013

I've tried to configure an IPSEC VPN between a Cisco 7200 and a Juniper ISG2000. The tunnel looks good, but when a ping is sent, I lose packets and get the following error: IPSEC(epa_des_crypt): decrypted packet failed SA identity check. My configuration on both sites is as follows: [code] What is the possible problem here? Might it be in the Cisco 7200 configuration or in the ISG configuration?

View 4 Replies View Related

Cisco VPN :: Configuring IPSec VPN Tunnel ISR 2921 Router With Watchguard?

Aug 28, 2012

I am configuring a vpn ipsec tunnel with cisco isr 2921 router and Watchguard edge 1250e. I have the watchguard configured so I just need to make sure I have everything setup on the cisco side. At this point, there is no communication as I am not sure if I configured it correctly. Should I do the crypto map on g 0/0 or dialer 1?
 
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef

[code]......

View 4 Replies View Related

Cisco VPN :: 2921 Virtual-ice Independent Instances For Ipsec Tunneling

Sep 28, 2011

I have one Cisco ISR 2921 with VPN module. I'd like to be able to use it in order to "virtual-ice" independent instances for ipsec tunneling.
 
What I need is something like ASA security contexts, but the problem with ASA contexts is that they don't support VPNs.
 
I'd like to use something like independent crypto maps, so if I need to take one down, or reconfigure, I need the others to keep working. It'll be for a production environment that must be up 99.9999

View 1 Replies View Related

Cisco VPN :: 2921 - IPSec Tunnel Random Packet Drops

Mar 15, 2013

I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
 
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.

Pings outside the tunnel along the same path are fine.
 
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
 
Any pointers on finding where the packets get lost?
  
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100         
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:

[Code].....

View 3 Replies View Related

Cisco Firewall :: PIX515 / 2821 / 2921 / Getting GRE IPsec Tunnel Setup?

Apr 18, 2013

We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
 
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.  Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
 
Main Office
The external address: 198.40.227.50
The loopback address: 10.254.10.6
The tunnel address: 10.2.60.1

Offsite Datacenter
The external address: 198.40.254.178
The loopback address: 10.254.60.6
The tunnel address: 10.2.60.2
 
The main office PIX515 Config :

PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240

[code]....

View 2 Replies View Related

Cisco WAN :: 2921 / Create Another Ipsec Site-to-site VPN Connection

May 11, 2013

Currently I have a Cisco 2921 router and I have one active site-to-site VPN connection through the internet. My question is: how can I create another IPsec site-to-site VPN connection? I have to keep the 1st VPN connection active.

View 11 Replies View Related

Cisco VPN :: 2921 Site-2-Site IPSEC VPN Tunnel Will Not Come Up

Dec 5, 2012

I am setting up an IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. [code]

View 6 Replies View Related

Cisco Routers :: Can RV042G IPSec VPN Support Apple IOS IPSec VPN

Apr 29, 2013

I tried every type of combination and just couldn't make it work. Only PPTP works well. Is Apple iOS IPSec VPN supported or not?

View 11 Replies View Related

Cisco WAN :: Channelized POS PA On 7200

Nov 3, 2012

I want to use a channelized POS PA in a 7200 router. I want to know: can I use a channelized PA for both channelized and non-channelized OC3/STM1? Are both the channelized and non-channelized features supported on the channelized module, or do I have to use another module?

View 1 Replies View Related

Cisco WAN :: 7200 - Clear TCP Line VTY X

Feb 24, 2012

I ran across this today on a 7200: when all the vty lines are filled and don't release, you enter clear line vty x and it is supposed to release the line. Well, in some versions it doesn't work.
 
Here is the work around I found.  clear tcp line vty x

View 3 Replies View Related

Cisco WAN :: How To Monitor 7200 CPU PPS Rate

Apr 16, 2012

I want to monitor my 7200's CPU packets per second rate. Is there any command I can run to show this? Or any MIB so I can poll this? The 7200 NPE-G1 can handle 1mpps, and I want to verify the actual rate.

View 1 Replies View Related

Cisco WAN :: Number Of TCP Connection On 7200

May 20, 2013

I want to know the maximum number of TCP connections at the same time on an interface of my 7200 router. How do I do that?

View 3 Replies View Related

Cisco WAN :: Frequent BGP Flaps On 7200 With IOS 12.4 (24) T7

Dec 11, 2012

I have been having issues with frequent BGP flaps on the Cisco 7200 series router for the past week. I have raised a ticket with the ISP but couldn't get any resolution from them, as the flap is for about 2min. Whenever we see a BGP flap, we are not able to ping the remote end IP. Also at that point we see drops on the interface connected to the ISP.

View 1 Replies View Related

Cisco WAN :: Erasing Configurations On 7200 VXR?

Sep 27, 2011

I was recently given a Cisco 7200 VXR and told to erase the stored configurations in it. How do I erase the Cisco 7200 stored config? Otherwise I might have to delete them line by line.

View 4 Replies View Related

Cisco WAN :: Multi-cast Within Vrf On 7200's

Dec 15, 2010

We have a network consisting of approx. 8 7200's running LNS/MPLS/BGP and we provide predominantly private networks to clients (the majority of client networks are a mix of Ethernet tails and DSL). We have received a request from one client to support multicast. Having never implemented multicast, we have a few questions:
 
1. Is it supported/possible to provide multicast within a vrf on 7200's? (From initial investigations, it appears to be)

2. Is it possible to only enable multicast in a vrf (i.e. not globally)?

3. Any recommended guides/best practices? (Googling has revealed nothing really that is similar to what we want to do)

4. What are the potential ramifications? (Resource overhead, security implications, anything else?)

View 1 Replies View Related

Cisco WAN :: 7200 - L2 Failover Link

Mar 23, 2013

I am planning to provide a redundant link to our customer. The setup is as below:
 
One link is over wireless while the other link is over a wired link. I want to make sure that I maintain the same public IP addresses for the customer; therefore, I am looking for L2 failover for my customer.
 
If the wireless is down the customer should be migrated to wired, and vice versa. I have a Cisco 7200 router as core.

View 3 Replies View Related

Cisco WAN :: 7200 - Dynamic Failover With IP SLA On IOS 12?

Mar 7, 2011

I am trying to configure a dynamic failover with IP SLA on a Cisco 7200 using 12.2(33) IOS. I would like to have something similar as the following configuration:
 
ip sla monitor 1
 type echo protocol ipIcmpEcho x.x.x.x
 frequency 3
ip sla monitor schedule 1 life forever start-time now
!
!
track 10 rtr 1 reachability
access-list 101 permit icmp any host X.X.X.X echo
!
route-map LOCAL_POL permit 10
 match ip address 101
 set ip next-hop Y.Y.Y.Y
 set interface Null0
!
ip local policy route-map LOCAL_POL
!
ip route XX.XX.XX.XX 255.255.255.0 YY.YY.YY.YY track 10
ip route XX.XX.XX.XX 255.255.255.0 ZZ.ZZ.ZZ.ZZ 254
 
My questions  are the following
 
Question 1: What is the equivalent of ip sla monitor in 12.3 for dynamic failover with IPsla Should I used

ip sla ethernet-monitor 1  type echo domain name ?
 
or
 
ip sla 1  path echo X.X.X.X or ethernet mpid echo domain name or icmp-echo  time out 1000  frequency 3  threhsold 2

I do not know if I have to use ethernet-monitor or ip sla. What are the domain name and the mpid associated with the ethernet-monitor ip sla? In the case where I have to use ip sla 1, should I use path-echo, ethernet mpid or icmp-echo for dynamic failover?
 
Question 2: In 12.3, what is the equivalent of ip sla monitor schedule 1 life forever start-time now? I have found the command ip sla schedule 1 start now but it does not seem that we can configure the duration.

Question 3: Should I also enable ip sla responder

View 2 Replies View Related

Cisco WAN :: 7200 / Netflow On A Subinterface

Apr 19, 2012

I have a 7200 router with a 12.2.(46a) IOS and I am trying to activate Netflow on a subinterface. From the documentation of Cisco, I should be able to do it since the ios 12.2.(14)S but the command is unavailable.
 
[URL]
 
I have tried also to enter the command in the subinterface directly but it doesn't recognize it.

View 2 Replies View Related

Cisco WAN :: BGP Peering Causes 7200 To Crash?

Apr 10, 2012

I have two 7204VXR with NPE-G2 and 1Gb of ram. One router has 2 eBGP peers and the other has 3. The routers receive all internet routes from the 5 peers and send 2 internal routes. There is an iBGP peering between both routers. On all peers I have a route-map to send only our routes.
 
All had been working fine for a couple of months when I suddenly saw an increase of memory on one of the routers (router B); 1 hour later the memory was at 100% and the router crashed and rebooted. The other router (router A), with the same hardware capacity, same RAM and same amount of routes, was working well. After router B restarted, I shut all eBGP peering on it, keeping only iBGP with router A. RAM used was the same as router A (about 50% used) but CPU was about 30% used by the process Router BGP, whereas router A, which has active traffic and active eBGP, is only at 20% and the BGP process is almost 0%. Restarting peers one by one on router B causes the same issue: increase of memory then crash, even with only one peer.
 
What I suspected :

- A peer on router B, but I can't isolate one because the problem appears with each taken one by one

- Not enough memory, but router A has the same number of routes and doesn't have any problem

- IOS version? Same on both: 12.4.(15)T1

- Why does the process Router BGP use 30% on router B when all eBGP peers are shut except iBGP and no traffic passes?

- A routing loop, but I only send internal routes to peers and only have one iBGP session with no sync nor redistribution with an IGP
 
Of course I can't run any debug ip bgp on the routers as the number of routes is very large (300K).

View 1 Replies View Related

Cisco WAN :: Keep Getting Error On 7200 Router

Feb 9, 2011

OSPF-4-ERRRCV: Received invalid packet: Bad LLS Checksum with one of our tunnels

View 1 Replies View Related

Cisco WAN :: High CPU Utilization On 7200-VXR With NPEG2

Nov 30, 2012

My router is running with BGP (one eBGP and one iBGP session). I have filtered down the BGP routing table by using a prefix-list and a default route to the upstream router. But I still found the CPU process is high (80%/80% with 60MB traffic).
 
Sh Proc CPU
------------------- 
CPU utilization for five seconds: 88%/88%; one minute: 87%; five minutes: 87%
PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process

[Code].....

View 5 Replies View Related

Cisco WAN :: Can Ping From 7200 But Cannot From Client Machines

Aug 28, 2012

I am having a weird issue with my Cisco 7200 router. From the router I am able to ping and reach out to the internet, but from the client I am able to reach out to the internet but unable to ping. I am not sure where the issue is, but when I traceroute to it my packets are dropped at my router's interface. All my pings from the client time out. I checked the access list to make sure ICMP is not blocked. Following is my running conf:
 
ip audit notify log
ip audit po max-events 100
ip ssh break-string ~
ipv6 unicast-routing
no ftp-server write-enable

[code]....

View 2 Replies View Related

Cisco WAN :: 7200 VXR Need To Switch Router Function

Jan 2, 2011

My company has a spare 7200 VXR, originally planned to be placed on our TDM network. This plan was not followed through, but I'd like to switch its function to work as a core router on our BGP network. I'd like for this 7200 to be able to handle full routes from our eBGP peer, something the SUP module in my 6500 isn't capable of doing. What kind of SUP module should I look at replacing this 7200 VXR with?

View 5 Replies View Related

Cisco WAN :: 7200 STM4 Port Adapter

Jul 30, 2012

I'm using PA-SON-OC3 on a 7200VXR (NPE-G1). I want to upgrade the link to OC12 with the same wavelength. I found PA-SRP-OC12SMI for this purpose but I'm not sure about compatibility.

View 2 Replies View Related

Cisco WAN :: 7200 Link Failure Detection

Nov 28, 2012

Primary optical link between CPE and PE, and backup 3G/ADSL link between CPE and PE. I am considering link failure detection on the primary link (after which the backup link should take over). Which method is the least CPU intensive:
 
1) BGP protocol between CPE and PE
2) RIP protocol between CPE and PE
3) BFD on static routes on PE
 
Is there a difference in terms of CPU load between the above-mentioned methods, or are they more or less the same? Hardware platforms are sup720 BXL and Cisco 7200 G2.

View 4 Replies View Related

Cisco WAN :: How Many GRE Tunnels Can 7200 Router Support

Mar 1, 2011

How many GRE tunnels (without IPSEC) can a 7206 router support? I have 2000 low-bandwidth links and I want to configure GRE tunnels for them.

View 1 Replies View Related

Cisco VPN :: 7200 - Traffic Is Not Passing Through Tunnel?

Nov 17, 2011

I have set up a tunnel between a Cisco PIX 6.3 and a Cisco 7200 router. Show isakmp sa shows the detail below on the PIX:
 
Total     : 1
Embryonic : 0
dst               src        state     pending     created
xx6.x71.x29.x68   x2.1x7.52.1x1    QM_IDLE         0           0
  
Is the tunnel up? Traffic is not going through the tunnel. Why?

View 1 Replies View Related

Cisco WAN :: 7200 And 7600S / What Does VXR And S Means In These Series

Feb 26, 2011

What do VXR and S mean in these series?

View 1 Replies View Related

Cisco WAN :: 7200 - IP Static Route Summary?

Mar 12, 2013

In my lab environment in GNS I have connected two 7200 series routers through FastEthernet. On router A I have given IP address 192.168.10.54, and on router B I have given IP address 192.168.10.53 and default route as 0.0.0.0 0.0.0.0 192.168.10.53, and when I run the command on router A it shows the result as follows: "C  192.168.10.52/24 is directly connected ,Fast ethernet 2/0".
 
So I need to know why it's showing .52 at the end and not .53 or .54. What is the reason it's showing .52, which I have not mentioned in my IP address?

View 5 Replies View Related

Cisco WAN :: 7200 Series NPE-G2 BGP Routing Table?

Jul 2, 2012

What are the rough figures that a NPE-G2 is able to hold for the BGP routing table?
 
378475 network entries using 51472600 bytes of memory
378482 path entries using 21194992 bytes of memory
63008/63003 BGP path/bestpath attribute entries using 8065024 bytes of memory
BGP using 82975730 total bytes of memory
 
Are these 3 memories different memory allocations or are they a sub-set of each other? If an NPE-G2 has 1GB RAM, does it mean that the routing table limit depends on the RAM availability?

View 1 Replies View Related






