2621 router w/ 2 adsl wics, ipsec, hangs...

tprendergast
Level 3

Hi,

I've got a 2621 running 12.3 with the full ipsec set so I can run ADSL lines with IPSEC tunneling into our main offices. This is a standard branch office setup for us.

The problem currently is with a new office needing 2 DSL lines because the upstream available is only 256k. I want to have both DSL lines running ipsec tunnels to the main office, and split route most all traffic through DSL1 with the exception being DSL2 sending all the voice over IP traffic (which is on a specific vlan subnet). This will force anyone doing file transfers and such over the first line and prevent them from impeding the quality of voice traffic without needing us to seriously QoS down the rest of the traffic.

The problem is when I set up the second Dialer as its own dialer pool member, the whole thing pretty much shuts up and has to be reset. Can someone help me get the right config for this, as it is somewhat urgent? I've cut the config up a bit and show it as where it stands now. I had to back out of the second dialer pool config. Both lines terminate their ipsec at the same router in the main office, so I'm only using one crypto map.

Some things that bug me:

When in the same dialer pool, I set encapsulation aal5mux ppp dialer on one dialer and then the ios defaults the other to protocol ppp dialer. This cannot be changed unless I move it to the second pool. The first dsl line stops working if I do this and then the whole router is offline. I'm working at this remotely with a guy onsite who can reset the router for me occasionally. This whole thing is a little difficult to fiddle with if I keep getting locked out and lose all internet connectivity at the site.

Thanks!

Tim

<config attached, obfuscated for security reasons>.

7 Replies

Richard Burts
Hall of Fame

First I offer a comment about working remotely and making changes that may lock you out of the router: scheduled reload is your friend ! As you start your session making configuration changes enter this command :

reload in 30

(or some other number of minutes that seems appropriate). This will schedule a reload in 30 minutes. If you have locked yourself out of the router then the reload will remove the changes and restore your connectivity. If 25 minutes goes by and you are still connected you can enter the same command again to get another 30 minutes of working time. Or if you are finished and still connected then you can use the command:

reload cancel

which will cancel the scheduled reload.

This has saved me many times when doing maintenance on remote routers.

In looking at the excerpt of config that you posted, I expected to see Policy Based Routing, which is the best way that I know to send most traffic to one outbound interface and send VOIP to a different interface. I did not see PBR. I am not clear whether it is there and you did not include it, or whether it is not there. I am guessing that it is not there. So my other suggestion is to try configuring Policy Based Routing to send VOIP to the other outbound interface.

Try it and let us know if it works.

HTH

Rick


Hey Rick, thanks for taking a shot at it. Points awarded for your effort.

No PBR yet. I'm starting from the beginning here to have 2 functional ADSL tunnels into the company prior to using PBR as a solution. Ideally, using our own voice vlan, I can create priority routes for the voice traffic giving them the full capacity of one outbound line at any point with the same effectiveness. I will also maintain redundancy as a nice side effect.

However, the main issue still remains. How do I get both ADSLs functional without being locked out?

-Tim

Tim

ok - here is another shot at it.

I am not clear from your description whether you have it functioning correctly with one tunnel and have a problem with getting the second tunnel, or whether there is difficulty in getting the first tunnel to work. Can you clarify?

I think there is a question about placement of crypto maps. In earlier versions of IOS the crypto map had to be placed on both the tunnel interface and the outgoing interface. In recent versions of IOS the crypto map is needed on the outgoing interface but no longer needed on the tunnel interface. I note that in the config that you posted the crypto map is applied only to the tunnel interface and not on the outbound interface. Is that really the way it is on the router?

I can see why you need two GRE tunnels but I wonder if you really need two IPSec peering relationships and two instances in the crypto map. I have made a few modifications in the IPSec config that you posted to combine so that one instance of the crypto map can work on both tunnels:

!
crypto isakmp policy 4
 authentication pre-share
crypto isakmp key fakekey address 2.2.1.1
!
crypto ipsec transform-set fakeVPN esp-des esp-sha-hmac
!
crypto map vpn 105 ipsec-isakmp
 description ipsec to main office router
 set peer 2.2.1.1
 set transform-set fakeVPN
 match address tunnel105
!
ip access-list extended tunnel105
 permit gre host 4.4.4.3 host 2.2.1.1
 permit gre host 4.4.8.3 host 2.2.1.1
!

try this on the router, apply it to the appropriate interfaces and let us know what happens.

HTH

Rick


Let me address the first inquiry -- yes, the first tunnel works fine. When attempting to bring the second tunnel online (second ADSL for that matter), the router locks me out indicating that somehow the first interface lost connectivity or responsiveness.

Yes, the crypto map is placed on the tunnel interface for *all* of our ipsec tunnels running between ~8 offices. For the sake of conformity I've set this system up in a similar fashion until I have time to re-evaluate our solution later on. Eventually, this office will move to MPLS over DSL and reduce the need for these tunnels.

I'll see if we can use the same crypto map for both tunnels and update the peer as well to allow both tunnels under the same acl and map.

I will make sure to utilize the command you referenced to reload in 30 or whatever in case I do end up locking myself out of this router. I will need to wait a few hours until that office is empty prior to performing any maintenance, at which point I will post back here.

Is there anything else I may have been unclear about that could help? Sometimes typing things out while fresh in my brain produces a bunch of roundabout information for people trying to help. :)

-Tim

Tim

It is good to know that the first tunnel works. It is interesting that bringing up the second ADSL locks it up. So I took a closer look at the ATM interfaces and notice that both of the interfaces claim the same pvc:

pvc 0/38

I would assume that each interface should have a unique pvc. Are both of the ADSL from the same provider? What info did the provider give you about the connections?

HTH

Rick


I ordered 2 separate lines, with a DSL package on each from BT with static IPs. They are from different class C's and on their own dedicated lines.

I have forwarded a question on to their DSL support team, however, to double-check the information. The emails provided to me when setting up the accounts did both have the 0/38 pvc.

-Tim

Tim

It will be interesting to know how they reply. It seems to me that if you are requesting two different circuits that each circuit should have a unique identifier. I wonder how often they sell two circuits to the same customer on the same machine and whether they might have overlooked this factor in their provisioning.

Please let us know what they say and how this issue gets resolved.

HTH

Rick

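Pulling the thread's advice together, here is a constructed IOS configuration (added for illustration; it is neither Tim's obfuscated config nor Rick's posted snippet) that answers both the two-dialer-pool question and Rick's PBR suggestion: each ADSL WIC gets its own PVC and its own dialer pool, the crypto map sits on the outbound Dialer interfaces rather than the tunnels, and a route-map steers the voice VLAN into the GRE tunnel riding DSL2. The 4.4.4.3 / 4.4.8.3 / 2.2.1.1 addresses, Tunnel105 and crypto map vpn come from the thread; PVC 0/39, the 10.10.x.x addressing, Tunnel106, the VLAN 20 subinterface and the omitted PPP CHAP credentials are assumed placeholders.

```text
! Constructed example, not the thread's config. Assumed placeholders: PVC 0/39,
! the 10.10.x.x addressing, Tunnel106 and VLAN 20. PPP CHAP lines are omitted.
interface ATM0/0
 no ip address
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface ATM0/1
 no ip address
 dsl operating-mode auto
 pvc 0/39
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface Dialer1
 ip address 4.4.4.3 255.255.255.0
 encapsulation ppp
 dialer pool 1
 crypto map vpn
!
interface Dialer2
 ip address 4.4.8.3 255.255.255.0
 encapsulation ppp
 dialer pool 2
 crypto map vpn
!
interface Tunnel105
 ip address 10.10.105.2 255.255.255.252
 tunnel source Dialer1
 tunnel destination 2.2.1.1
!
interface Tunnel106
 ip address 10.10.106.2 255.255.255.252
 tunnel source Dialer2
 tunnel destination 2.2.1.1
!
ip access-list extended VOICE-VLAN
 permit ip 10.10.20.0 0.0.0.255 any
!
route-map PBR-VOICE permit 10
 match ip address VOICE-VLAN
 set ip next-hop 10.10.106.1
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip policy route-map PBR-VOICE
```

Rick's crypto ACL (permit gre from each Dialer address to 2.2.1.1) matches both tunnel sources, so one crypto map instance protects both tunnels; if the provider confirms the second line really uses a different VPI/VCI, that value replaces the placeholder 0/39.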