05-13-2020 02:56 AM
We have recently decided to create an OOB management solution using a 4g SIM with Public IP
However we ran into issues where Public IP was not pingable and we could not ping the internet.
After a reboot the Public IP is reachable but now the LTE profile is in INACTIVE state.
I have recreated the profile and re-attached it to the slot the IM is in (SLOT 0) but there is no change.
Does anyone have any ideas?
05-14-2020 12:53 AM
Hello,
can you try the simplified configuration below (important parts marked in bold) without the Loopback and the IP address being negotiated with SLIP ?
Last configuration change at 19:32:36 UTC Wed May 13 2020 by net_admin
!
version 16.11
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname dub1-00-oob-wgw1
!
boot-start-marker
boot system flash bootflash:isr4200-universalk9_ias.16.11.01a.SPA.bin
boot-end-marker
!
!
enable secret XXXXXXXXXXXXX
enable password XXXXXXXXXXX
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip domain name XXXXXXX
!
login on-success log
!
subscriber templating
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
crypto pki trustpoint TP-self-signed-691021271
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-691021271
revocation-check none
rsakeypair TP-self-signed-691021271
!
crypto pki certificate chain SLA-TrustPoint
crypto pki certificate chain TP-self-signed-691021271
!
license udi pid ISR4221/K9 sn XXXXXXXX
license smart url default
license smart transport smart
license smart privacy hostname
license smart privacy version
diagnostic bootup level minimal
!
spanning-tree extend system-id
memory free low-watermark processor 75394
!
username XXXXXXXXXX privilege 15 XXXXXXXXXXXXX
!
redundancy
mode none
!
controller Cellular 0/1/0
lte sim data-profile 2 attach-profile 2 slot 0
lte modem dm-log rotation
lte modem link-recovery monitor-timer 30
lte modem link-recovery wait-timer 30
lte modem link-recovery debounce-count 20
profile id 2 apn JTFIXEDPUBLIC authentication none pdn-type ipv4
!
interface Loopback0
ip address x.x.x.x - oob
ip nat inside
!
interface Loopback1
ip address Public Ip assigned by MNO /32
ip nat outside
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
ip address X.X.X.X - MGMT A
ip nat inside
negotiation auto
!
interface Cellular0/1/0
bandwidth 2000000
ip address negotiated
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
interface Cellular0/1/1
no ip address
shutdown
!
interface Async0/2/0
no ip address
async mode interactive
!
interface Async0/2/1
no ip address
async mode interactive
!
interface Async0/2/2
no ip address
async mode interactive
!
interface Async0/2/3
no ip address
async mode interactive
!
interface Async0/2/4
no ip address
async mode interactive
!
interface Async0/2/5
no ip address
async mode interactive
!
interface Async0/2/6
no ip address
async mode interactive
!
interface Async0/2/7
no ip address
async mode interactive
!
interface Async0/2/8
no ip address
async mode interactive
!
interface Async0/2/9
no ip address
async mode interactive
!
interface Async0/2/10
no ip address
async mode interactive
!
interface Async0/2/11
no ip address
async mode interactive
!
interface Async0/2/12
no ip address
async mode interactive
!
interface Async0/2/13
no ip address
async mode interactive
!
interface Async0/2/14
no ip address
async mode interactive
!
interface Async0/2/15
no ip address
async mode interactive
!
ip forward-protocol nd
no ip http server
ip http secure-server
--> ip nat inside source list 2 interface Cellular 0/1/0 overload
--> ip route 0.0.0.0 0.0.0.0 Cellular 0/1/0
ip route X.X.X.X 255.255.255.0 XXXXX - VPN
ip route X.X.X.X 255.255.255.0 XXXXX - MGMT
ip route X.X.X.X 255.255.255.0 XXXXXXX - VON
ip route X.X.X.X 255.255.255.0 XXXXXX - VPN
!
ip access-list standard 1
permit any
ip access-list standard 2
permit any
dialer-list 1 protocol ip permit
!
tacacs-server host XXXXX
tacacs-server XXXXXX
tacacs-server XXXXXXXXXXXXXXXX
!
control-plane
!
line con 0
login local
transport input none
stopbits 1
line aux 0
stopbits 1
line 0/2/0 0/2/15
login local
no exec
transport input all
stopbits 1
line vty 0 4
exec-timeout 30 0
login local
transport input ssh
transport output ssh
!
end
05-14-2020 01:37 AM
Adding the ip address negotiated has brought the profile up.
The original idea was to have the interface set to a static /32 but I see now that this won't work.
I will review again with MNO.
I would just like to say thank you very much for all your help over the last 2 days
05-13-2020 03:04 AM
Hello,
can you post the running configuration of your ISR 4221 ?
05-13-2020 03:08 AM
Hello,
I had a similar post a couple of years ago, what helped back then was entering the command below, you might want to give that a try:
ISR4221#cellular 0 lte plmn search
05-13-2020 03:43 AM
Hi,
Thanks for the command
At this moment I am connected on the mgmt network. When I run cellular 0/1/0 lte plmn search
it gives me:
Please shutdown all the interfaces manually and re-enter this command.
Unfortunately I can't shut all interfaces at this moment because I am not connected via console.
05-13-2020 03:36 AM - edited 05-13-2020 03:54 AM
Hi, I have posted the relevant running config below:
controller Cellular 0/1/0
lte sim data-profile 2 attach-profile 2 slot 0
lte modem dm-log rotation
lte modem link-recovery monitor-timer 30
lte modem link-recovery wait-timer 30
lte modem link-recovery debounce-count 20
profile id 2 apn JTFIXEDPUBLIC authentication none pdn-type ipv4
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1X.X.X.X 255.255.255.255 (for oob)
ip nat inside
!
interface Loopback1
ip address X.X.X.X 255.255.255.255 - this is public IP assigned (/32 reason for the ip unnumbered under cellular 0/1/0)
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
ip address X.X.X.X 255.255.255.0 (this is mgmt network)
ip nat inside
negotiation auto
!
interface Cellular0/1/0
bandwidth 2000000
ip unnumbered Loopback1
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
ip nat inside source list 2 interface Cellular0/1/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip access-list standard 1
permit any
ip access-list standard 2
permit any
dialer-list 1 protocol ip permit
******please note that we have no internet connectivity from the device, which I think is related to INACTIVE profile**********
05-13-2020 03:47 AM
Hello,
post the full running config (sh run) not just snippets. What does your chat script look like ? Try the one below:
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
Also, post the output of:
show cellular 0/2/0 profile
For the NAT access list, 'permit any' is usually not a good idea, try and specify the exact address space, e.g.:
access-list 2 permit 192.168.1.0 0.0.0.255
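Added example (not part of any post in this thread, and not Cisco tooling): a small Python check for the two configuration points the replies raise, namely the active cellular interface using `ip address negotiated` and the NAT source ACL not being `permit any`. It assumes the indented `show running-config` text; `parse_blocks`, `audit` and the sample config are constructed for illustration.

```python
import re

# Constructed sample (indented show running-config form), modelled on this thread.
SAMPLE = """\
interface Cellular0/1/0
 ip unnumbered Loopback1
 ip nat outside
!
interface Cellular0/1/1
 no ip address
 shutdown
!
ip nat inside source list 2 interface Cellular0/1/0 overload
ip access-list standard 2
 permit any
"""

def parse_blocks(config):
    """Map each top-level command to the list of indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # '!' or blank line closes a block
        elif raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Hypothetical helper: report the two issues discussed in the thread."""
    blocks = parse_blocks(config)
    nat_acls = {m.group(1) for cmd in blocks   # ACLs used as NAT source lists
                if (m := re.match(r"ip nat inside source list (\S+) ", cmd))}
    findings = []
    for cmd, subs in blocks.items():
        if (m := re.match(r"interface (Cellular\S+)$", cmd)):
            if "shutdown" not in subs and "ip address negotiated" not in subs:
                findings.append(f"{m.group(1)}: address is not negotiated with the carrier")
        elif (m := re.match(r"(?:ip )?access-list (?:standard )?(\S+)(.*)$", cmd)):
            entries = subs + [m.group(2).strip()]   # named and numbered ACL forms
            if m.group(1) in nat_acls and "permit any" in entries:
                findings.append(f"ACL {m.group(1)}: NAT source list permits any")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
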
05-13-2020 04:01 AM
Here is the complete config:
Current configuration : 8468 bytes
!
! Last configuration change at 10:52:50 UTC Wed May 13 2020 by net_admin
!
version 16.11
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname dub1-00-oob-wgw1
!
boot-start-marker
boot system flash bootflash:isr4200-universalk9_ias.16.11.01a.SPA.bin
boot-end-marker
!
!
enable secret XXXXXXXXXXXXX
enable password XXXXXXXXXXXXX
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip domain name cubictelecom.com
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
crypto pki trustpoint TP-self-signed-691021271
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-691021271
revocation-check none
rsakeypair TP-self-signed-691021271
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
XXXXXXXXXXXXXXXXXXXXX
!
license udi pid ISR4221/K9 sn XXXXXXX
license smart url default
license smart transport smart
license smart privacy hostname
license smart privacy version
diagnostic bootup level minimal
!
spanning-tree extend system-id
memory free low-watermark processor 75394
!
!
!
username xxxxxxxxxxxxxx
!
redundancy
mode none
!
controller Cellular 0/1/0
lte sim data-profile 2 attach-profile 2 slot 0
lte modem dm-log rotation
lte modem link-recovery monitor-timer 30
lte modem link-recovery wait-timer 30
lte modem link-recovery debounce-count 20
profile id 2 apn JTFIXEDPUBLIC authentication none pdn-type ipv4
!
!
!
!
!
!
!
!
interface Loopback0
ip address x.x.x.x for OOB
ip nat inside
!
interface Loopback1
ip address X.X.X.X - Public IP assigned by telecom
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
ip address x.x.x.x - MGMT
ip nat inside
negotiation auto
!
interface Cellular0/1/0
bandwidth 2000000
ip unnumbered Loopback1
ip nat outside
shutdown
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
interface Cellular0/1/1
no ip address
shutdown
!
interface Async0/2/0
no ip address
async mode interactive
!
interface Async0/2/1
no ip address
async mode interactive
!
interface Async0/2/2
no ip address
async mode interactive
!
interface Async0/2/3
no ip address
async mode interactive
!
interface Async0/2/4
no ip address
async mode interactive
!
interface Async0/2/5
no ip address
async mode interactive
!
interface Async0/2/6
no ip address
async mode interactive
!
interface Async0/2/7
no ip address
async mode interactive
!
interface Async0/2/8
no ip address
async mode interactive
!
interface Async0/2/9
no ip address
async mode interactive
!
interface Async0/2/10
no ip address
async mode interactive
!
interface Async0/2/11
no ip address
async mode interactive
!
interface Async0/2/12
no ip address
async mode interactive
!
interface Async0/2/13
no ip address
async mode interactive
!
interface Async0/2/14
no ip address
async mode interactive
!
interface Async0/2/15
no ip address
async mode interactive
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip nat inside source list 2 interface Cellular0/1/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route x.x.x.x 255.255.255.0 .x.x.x.x - VPN
ip route x.x.x.x 255.255.255.0 x.x.x.x - MGMT
ip route x.x.x.x 255.255.255.0 x.x.x.x - VPN2
ip route x.x.x.x 255.255.255.0 x.x.x.x
!
!
!
ip access-list standard 1
permit any
ip access-list standard 2
permit any
dialer-list 1 protocol ip permit
!
!
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
!
control-plane
!
!
line con 0
login local
transport input none
stopbits 1
line aux 0
stopbits 1
line XXX XXXX
login local
no exec
transport input all
stopbits 1
line vty 0 4
exec-timeout 30 0
login local
transport input ssh
transport output ssh
!
!
!
!
!
!
end
05-13-2020 04:13 AM
Also here is the cellular 0/1/0 profile output
dub1-00-oob-wgw1#show cellular 0/1/0 profile
Profile password Encryption level = 7
Profile 1 = INACTIVE
--------
PDP Type = IPv4
Access Point Name (APN) = XXXXXXX - this is internal APN
Authentication = None
Profile 2 = INACTIVE* **
--------
PDP Type = IPv4
Access Point Name (APN) = JTFIXEDPUBLIC
Authentication = None
* - Default profile
** - LTE attach profile
Configured default profile for active SIM 0 is profile 2.
05-13-2020 04:35 AM - edited 05-13-2020 04:40 AM
Hello
@Dunner1991 wrote:
dub1-00-oob-wgw1#show cellular 0/1/0 profile
Profile password Encryption level = 7
Any chance you are missing authentication for this profile? Does your provider require it?
05-13-2020 04:40 AM
Hi @paul driver
We didn't set up any authentication for this profile, as no username or password for APN was provided (told us we just needed to configure the APN) by the MNO
Previously before we rebooted the device the profile was in ACTIVE state
Profile password Encryption level = 7
Profile 2 = ACTIVE* **
--------
PDP Type = IPv4
PDP address = X.X.X.X - Public IP assigned by MNO
Access Point Name (APN) = JTFIXEDPUBLIC
Authentication = None
Primary DNS address = 8.8.8.8
Secondary DNS address = 8.8.4.4
* - Default profile
** - LTE attach profile
But now we can't get the profile back to this state
05-13-2020 04:52 AM - edited 05-13-2020 04:56 AM
Hello
If the same profile config exists after a reload of the rtr, you could try re-inserting the SIM and check that it isn't locked with the provider? <--- sh cellular 0/2/0 security
05-13-2020 05:07 AM
Hi @paul driver
I have reloaded the router
This is the output from show cellular 0/1/0 security
Unfortunately, I can't change the SIM slot as it is located on our DC (no access under current restrictions)
Thanks,
Mark
05-13-2020 04:44 AM
Hello,
stupid question maybe, but are you sure you have (sufficient) 4G coverage in your area ?
Either way, try and recreate the profile, just to make sure you don't have some sort of typo in there:
cellular 0/1/0 lte profile create 2
05-13-2020 04:50 AM
Sorry, I saw in your original post that you already did recreate the profile before...
Try and put the 'ip nat outside' on the Loopback as well:
interface Loopback1
ip address X.X.X.X - Public IP assigned by telecom
--> ip nat outside
That said, do you really need the loopback ? Can you use a dialer ?
05-13-2020 05:01 AM
I will add the ip nat outside to the loopback now.
I added the loopback because I couldn't assign the Public IP /32 to the cellular 0/1/0 interface
I read in another discussion that the best way to do it was create a loopback and use the ip unnumbered loopback 1 under the cellular 0/1/0 int