
Cisco 1921 / 4GLTE EHWIC - Primary Int G0/0 and Backup Cellular 0/0/0 Issues

screch101
Level 1

Hello,

I am looking for some help solving a problem with a Cisco 1921 and the Verizon 4G EHWIC card. I have configured the router and it is working and was looking to add the 4G as a backup to the primary connection G0/0. The cell interface is at Cellular0/0/0. If I add the following command ip address negotiated to the cellular interface then the G0/0 basically stops working and I lose all internet connectivity until that statement is removed. I don't understand why this is occurring. Any help would be appreciated. The only item I can think of is adding the additional something with NAT not configured correctly for that interface. Does not seem that the cellular interface "dials" when the G0/0 interface goes down. I have researched and have tried many different changes but nothing is fixing this issue. The firmware is up to date on the modem and the IOS is 15.5.3. Thanks in advance for any advice. Below is the snippet of the config with sections removed to keep size down that does not pertain I believe. Also included below is the cellular interface info.

 

version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.155-3.M.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login local_access local
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.7.20.1 10.7.20.120
!
ip dhcp pool LAN
 import all
 network 10.7.20.0 255.255.255.0
 dns-server 71.243.0.12 71.250.0.12
 default-router 10.7.20.1
!
!
!
no ip bootp server
ip name-server 71.243.0.12
ip name-server 71.250.0.12
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ips config location flash:ips retries 1
ip ips notify SDEE
ip ips name IOS-IPS
!
ip ips signature-category
  category all
   retired true
   enabled false
  category ios_ips basic
   retired false
   enabled true
!
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
multilink bundle-name authenticated
!
chat-script lte "" "AT3CALL" TIMEOUT 60 "OK"
password encryption aes
cts logging verbose
!
crypto pki trustpoint TP-self-signed-2901148831
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2901148831
 revocation-check none
 rsakeypair TP-self-signed-2901148831
!
!
license udi pid CISCO1921/K9 sn XXXXXXXXX
license boot module c1900 technology-package datak9
!
!

!
object-group network local_lan_subnets
 10.7.20.0 255.255.255.0
!

!
username XXXXX privilege 15 secret 5
username XXXXX privilege 12 secret 5
!
redundancy
!
!
!
!
!
controller Cellular 0/0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
ip tcp synwait-time 10
!
!
policy-map type inspect LAN-WAN-POLICY
 
policy-map type inspect WAN-LAN-POLICY
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 shutdown
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_FiOS
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip ips IOS-IPS in
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description Home LAN
 ip address 10.7.20.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface Cellular0/0/0
 description BackupWANDesc_LTE
 no ip address
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string lte
 async mode interactive
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip ftp passive
ip nat inside source list nat-list interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0
!
logging trap debugging
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
banner incoming ^CCisco 1921 K9/Security^C
banner login ^C

  *** UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED ***
             For Authorized Offical Use Only
        You must have explicit permission to access
    or configure this device.  All activities performed
      on this device are logged, and violations of
           this policy may be reported to law
                 enforcement authorities.
         There is no right to privacy on this device. ^C
!
line con 0
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer lte
 modem InOut
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_access
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 131.107.13.100 prefer source GigabitEthernet0/0
!
end

 

 

 

Cellular Info Below:

 


Cellular 0/0/0 Interface Info

show cellular 0/0/0 network

Current System Time = Mon Aug 24 2:57:48 2015
Current Service Status = Normal
Current Service = Packet switched
Current Roaming Status = Home
Network Selection Mode = Automatic
Network = Verizon Wireless
Mobile Country Code (MCC) = 311
Mobile Network Code (MNC) = 480
Packet switch domain(PS) state = Attached
Registration state(EMM) = Registered
EMM Sub State = Normal Service
Tracking Area Code (TAC) = 14595
Cell ID = 14598913

show cellular 0/0/0 radio

Radio power mode = ON
LTE Rx Channel Number =  5230
LTE Tx Channel Number =  23230
LTE Band =  13
LTE Bandwidth = 10 MHz
Current RSSI = -83 dBm
Current RSRP = -116 dBm
Current RSRQ = -17 dB
Current SNR = -2.0  dB
Radio Access Technology(RAT) Preference = AUTO
Radio Access Technology(RAT) Selected = LTE


show cellular 0/0/0 profile

Profile password Encryption level: 7


Profile 1 = INACTIVE **
--------
PDP Type = IPv4
Access Point Name (APN) = vzwinternet
Authentication = None

Profile 2 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwadmin
Authentication = None

Profile 3 = INACTIVE*
--------
PDP Type = IPv4
Access Point Name (APN) = vzwinternet
Authentication = None

Profile 4 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwapp
Authentication = None

Profile 5 = INACTIVE
--------
PDP Type = IPv4
Access Point Name (APN) =
Authentication = None

  * - Default profile
 ** - LTE attach profile


show cellular 0/0/0 security

Card Holder Verification (CHV1) = Disabled
SIM Status = OK
SIM User Operation Required = None
Number of CHV1 Retries remaining = 3


show cellular 0/0/0 all

Hardware Information
====================
Modem Firmware Version = SWI9600M_03.05.10.06ap
Modem Firmware built = 2012/11/12 15:07:45
Hardware Version = 10
Device Model ID: MC7750
Package Identifier ID: MC7750_03.05.10.06_00_vzw_033.011_000
International Mobile Subscriber Identity (IMSI) = 311480039061020
International Mobile Equipment Identity (IMEI) = 990000820070961
Integrated Circuit Card ID (ICCID) = 89148000000384557279
Mobile Subscriber Integrated Services
Digital Network-Number (MSISDN) = 7745030447
Current Modem Temperature = 34 deg C
PRI SKU ID = 9900853, PRI version = 00.05, Carrier = 5

Profile Information
====================
Profile password Encryption level: 7


Profile 1 = INACTIVE **
--------
PDP Type = IPv6
Access Point Name (APN) = vzwims
Authentication = None

Profile 2 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwadmin
Authentication = None

Profile 3 = INACTIVE*
--------
PDP Type = IPv4
Access Point Name (APN) = vzwinternet
Authentication = None

Profile 4 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwapp
Authentication = None

Profile 5 = INACTIVE
--------
PDP Type = IPv4
Access Point Name (APN) =
Authentication = None

  * - Default profile
 ** - LTE attach profile


Data Connection Information
===========================
Profile 1, Packet Session Status = INACTIVE
Profile 2, Packet Session Status = INACTIVE
Profile 3, Packet Session Status = INACTIVE
Profile 4, Packet Session Status = INACTIVE
Profile 5, Packet Session Status = INACTIVE
Profile 6, Packet Session Status = INACTIVE

Network Information
===================
Current System Time = Mon Aug 24 3:1:8 2015
Current Service Status = Normal
Current Service = Packet switched
Current Roaming Status = Home
Network Selection Mode = Automatic
Network = Verizon Wireless
Mobile Country Code (MCC) = 311
Mobile Network Code (MNC) = 480
Packet switch domain(PS) state = Attached
Registration state(EMM) = Registered
EMM Sub State = Normal Service
Tracking Area Code (TAC) = 14595
Cell ID = 14598913

Radio Information
=================
Radio power mode = ON
LTE Rx Channel Number =  5230
LTE Tx Channel Number =  23230
LTE Band =  13
LTE Bandwidth = 10 MHz
Current RSSI = -83 dBm
Current RSRP = -117 dBm
Current RSRQ = -17 dB
Current SNR = -3.3  dB
Radio Access Technology(RAT) Preference = AUTO
Radio Access Technology(RAT) Selected = LTE

Modem Security Information
==========================
Card Holder Verification (CHV1) = Disabled
SIM Status = OK
SIM User Operation Required = None
Number of CHV1 Retries remaining = 3

GPS Information
==========================

GPS Info
-------------
GPS Feature: enabled
GPS Port Selected: Dedicated GPS port
GPS State: GPS disabled

SMS Information
===============
Incoming Message Information
----------------------------
SMS stored in modem = 23
SMS archived since booting up = 0
Total SMS deleted since booting up = 0
Storage records allocated = 25
Storage records used = 23
Number of callbacks triggered by SMS = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0

Outgoing Message Information
----------------------------
Total SMS sent successfully = 0
Total SMS send failure = 0
Number of outgoing SMS pending = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0
Last Outgoing SMS Status = SUCCESS
Copy-to-SIM Status =     0x0
Send-to-Network Status = 0x0
Report-Outgoing-Message-Number:
  Reference Number =     0
  Result Code =          0x0
  Diag Code =            0x0 0x0 0x0 0x0 0x0

SMS Archive URL =

Error Information
=================

This command is not supported on this platform.


Modem Crashdump Information
===========================
Modem crashdump logging: off

 

30 Replies

I am NO expert at this but just seems weird.  Does all the other info look correct to you? So it might be a problem that I stumbled upon?  The IOS version could be the issue?  I am looking at document after document verifying config and making sure there is not something stupid that is being missed.

I don't see anything that stands out. Adding that command to the cell interface should not cause other traffic to fail unless traffic is attempting to be routed out the cell when the interface comes up. If I were you I would just open up a TAC case. These Cellular interfaces can be very tricky.

Will do....thanks again for your insight!

-Fred

Chris,

When I remove the 'ip address negotiated' from the cellular int 0/0/0 then remove the 'ip nat inside source list nat-cell interface Cellular0/0/0 overload' then connectivity is restored immediately.  Ideas?  Just trying to t/s a little more so I have a bunch of info to provide.

More in depth....

Added the nat statement left...waited....change ip address negotiated then eventually the cell profile 3 became active....even though the primary interface was still up. Seemed to start flapping.  Curious...at least headed in the right direction at this point just need to figure out.  By the way the Verizon APN on profile 3 was set to static not VZWINTERNET.   I was never given a static IP by them.  I might try to change profile 3 over to VZWINTERNET and see what happens then.  Anyway I guess figure out how to have the cell interface only come up on failure of primary interface might stop the falling of the interface?

A static APN is different than a static IP. The APN is just basically the gateway for the cellular network. IP address negotiated is basically DHCP but not technically since it is assigned via PPP.

So I got an IP using the following APN last night for the first time with it set to

NE01.vzwstatic

The funny thing is when I got the SIM card the rep never said anything about nor did I pay for a static which I believe this is when you are supposed to use APN.  Every document I have read even from Cisco regarding the LTE 4g module says the APN should be:

vzwinternet

Totally confused now because trying different things last night seemed to have gotten an IP from the cell network but then disappeared.

You can have 2 NAT statements correct for 2 different interfaces right but in doing additional reading some say that the first statement is the one the router pays attention to and even if there is a second it ignores it.

I am attaching the updated config for you to take a peek at.....

 

!
! Last configuration change at 21:43:21 EDT Tue Aug 25 2015 by cisco
! NVRAM config last updated at 21:43:21 EDT Tue Aug 25 2015 by cisco
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.155-3.M.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$nueg$QZd6E4mnpkyKEADDw5Cru0
!
aaa new-model
!
!
aaa authentication login local_access local
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.7.20.1 10.7.20.120
!
ip dhcp pool LAN
 import all
 network 10.7.20.0 255.255.255.0
 dns-server 71.243.0.12 71.250.0.12
 default-router 10.7.20.1
!
ip dhcp pool Dell Precision Workstation 690 Wireless
 host 10.7.20.7 255.255.255.0
 client-identifier 001e.c144.4823
 client-name PW690
 lease infinite
!
ip dhcp pool Ceton InfiniTV
 host 10.7.20.8 255.255.255.0
 client-identifier 0100.222c.ffff.ff
 client-name Ceton
 lease infinite
!
ip dhcp pool Dell Precision Mobile 4500 LAN
 host 10.7.20.9 255.255.255.0
 client-identifier 015c.260a.03f8.18
 client-name M4500_E
 lease infinite
!
ip dhcp pool Dell Precision Mobile 4500 Wireless
 host 10.7.20.10 255.255.255.0
 client-identifier 0024.d737.684c
 client-name M4500_W
 lease infinite
!
ip dhcp pool Dell Inspiron 1018 Wireless
 host 10.7.20.11 255.255.255.0
 client-identifier 1c65.9d9f.a663
 client-name I1018_W
 lease infinite
!
ip dhcp pool WHS
 host 10.7.20.16 255.255.255.0
 client-identifier 0100.155d.0230.05
 client-name WHS
 lease infinite
!
ip dhcp pool MacBook Pro 1
 host 10.7.20.27 255.255.255.0
 client-identifier 6c40.089d.c6d6
 client-name MACPRO1
 lease infinite
!
ip dhcp pool MacBook Pro 2
 host 10.7.20.29 255.255.255.0
 client-identifier 2cbe.08ef.a5c0
 client-name MACPRO2
 lease infinite
!
ip dhcp pool Verizon VMS-1100 Media Server
 host 10.7.20.40 255.255.255.0
 client-identifier 01cc.65ad.d677.64
 client-name VMS1100
 lease infinite
!
ip dhcp pool Verizon IPC-1100_1
 host 10.7.20.41 255.255.255.0
 client-identifier 011c.1b68.8cfd.60
 client-name IPC1100_1
 lease infinite
!
ip dhcp pool Verizon IPC-1100_2
 host 10.7.20.42 255.255.255.0
 client-identifier 011c.1b68.8cfb.38
 client-name IPC1100_2
 lease infinite
!
ip dhcp pool Verizon IPC-1100_3
 host 10.7.20.43 255.255.255.0
 client-identifier 011c.1b68.8cfb.05
 client-name IPC1100_3
 lease infinite
!
ip dhcp pool Verizon 4G Network Extender
 host 10.7.20.44 255.255.255.0
 client-identifier 0100.1632.965b.67
 client-name 4GNETXTDR
 lease infinite
!
ip dhcp pool Verizon MOCA Adapter Interface
 host 10.7.20.45 255.255.255.0
 client-identifier 0100.2662.d0a7.fd
 client-name MOCA_INT
 lease infinite
!
ip dhcp pool Chamberlain MyQ Internet Gateway
 host 10.7.20.93 255.255.255.0
 hardware-address 6452.9901.ff91
 client-name MYQ
 lease infinite
!
ip dhcp pool Honeywell RedLink Internet Gateway
 host 10.7.20.95 255.255.255.0
 hardware-address 00d0.2d25.c005
 client-name REDLINK
 lease infinite
!
ip dhcp pool Panasonic CF-53
 host 10.7.20.96 255.255.255.0
 client-identifier e8b1.fca2.780d
 client-name CF53
 lease infinite
!
!
!
no ip bootp server
ip name-server 71.243.0.12
ip name-server 71.250.0.12
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ips config location flash:ips retries 1
ip ips notify SDEE
ip ips name IOS-IPS
!
ip ips signature-category
  category all
   retired true
   enabled false
  category ios_ips basic
   retired false
   enabled true
!
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
password encryption aes
cts logging verbose
!
license udi pid CISCO1921/K9 sn FGL18182393
license boot module c1900 technology-package datak9
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network diskstation_dst_net
 any
!
object-group network diskstation_src_net
 any
!
object-group service diskstation_svc
 tcp source range 5000 5001 range 5000 5001
!
object-group network energy_detective_dst_net
 any
!
object-group network energy_detective_src_net
 any
!
object-group service energy_detective_svc
 tcp source eq 1080 eq 1080
 tcp source eq 1080 eq 1443
 tcp source eq 1443 eq 1080
 tcp source eq 1443 eq 1443
!
object-group network lan_dst_net
 any
!
object-group network lan_src_net
 any
!
object-group service lan_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 10.7.20.0 255.255.255.0
!
object-group network mobile_net_extender_dst_net
 any
!
object-group network mobile_net_extender_src_net
 any
!
object-group service mobile_net_extender_svc
 tcp source eq 4125 eq 4125
 tcp source eq 4125 range 5443 5444
 tcp source range 5443 5444 eq 4125
 tcp source range 5443 5444 range 5443 5444
!
object-group network rdp_server_dst_net
 any
!
object-group network rdp_server_src_net
 any
!
object-group service rdp_server_svc
 tcp source eq 3389 eq 3389
!
object-group network vpn_remote_subnets
 any
!
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit
!
!
!
!
!
controller Cellular 0/0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 10
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-all energy_detective
  description TED Energy Monitor
 match access-group name energy_detective_acl
class-map type inspect match-all rdp_server
  description Remote Desktop Protocol
 match access-group name rdp_server_acl
class-map type inspect match-all lan
  description Outbound
 match access-group name lan_acl
class-map type inspect match-all mobile_net_extender
  description Verizon Network Extender
 match access-group name mobile_net_extender_acl
class-map type inspect match-all diskstation
  description Synology DiskStation
 match access-group name diskstation_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect lan
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
policy-map type inspect WAN-LAN-POLICY
 class type inspect energy_detective
  inspect
 class type inspect mobile_net_extender
  inspect
 class type inspect diskstation
  inspect
 class type inspect rdp_server
  inspect
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 shutdown
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_FiOS
 ip address dhcp
 ip nat outside
 ip ips IOS-IPS in
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Home LAN
 ip address 10.7.20.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface Cellular0/0/0
 description BackupWANDesc_LTE
 no ip address         <---- This will be ip address negotiated but for t/s I changed
 no ip unreachables
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security LAN
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer string lte
 dialer-group 1
 async mode interactive
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip ftp passive

ip nat inside source list nat-cell interface Cellular0/0/0 overload    <----This is not in the config right now
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0
!
ip access-list extended diskstation_acl
 permit object-group diskstation_svc object-group diskstation_src_net object-group diskstation_dst_net
ip access-list extended energy_detective_acl
 permit object-group energy_detective_svc object-group energy_detective_src_net object-group energy_detective_dst_net
ip access-list extended lan_acl
 permit object-group lan_svc object-group lan_src_net object-group lan_dst_net
ip access-list extended mobile_net_extender_acl
 permit object-group mobile_net_extender_svc object-group mobile_net_extender_src_net object-group mobile_net_extender_dst_net
ip access-list extended nat-cell
 permit ip object-group local_lan_subnets any
 deny   ip any any
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny   ip any any
ip access-list extended rdp_server_acl
 permit object-group rdp_server_svc object-group rdp_server_src_net object-group rdp_server_dst_net
!
ip sla 1
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0
 frequency 1800
ip sla schedule 1 life forever start-time now
logging trap debugging
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
banner incoming ^CCisco 1921 K9/Security^C
banner login ^C

  *** UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED ***
             For Authorized Offical Use Only
        You must have explicit permission to access
    or configure this device.  All activities performed
      on this device are logged, and violations of
           this policy may be reported to law
                 enforcement authorities.
         There is no right to privacy on this device. ^C
!
line con 0
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer lte
 modem InOut
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_access
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 131.107.13.100 prefer source GigabitEthernet0/0
!
end

 

 

Your config looks fine. We have multiple nat statements for each interface we NAT to. Here is ours:

ip nat inside source route-map RM_NAT_CELL interface Cellular0/0/0 overload
ip nat inside source route-map RM_NAT_LAN interface GigabitEthernet0/1 overload
ip nat inside source route-map RM_NAT_SAT interface GigabitEthernet0/2 overload

Instead of directly calling an access-list in our NATs, we just use a route-map which then calls the access-list. All of the NAT statements/interfaces are using the same ACL to define which traffic to NAT.

By the way, our APN is vzwinternet and we do not have a statically defined one.

P.S. It looks like based on your config that you work in DoD.

Changed APN profile 3 over to vzwinternet.

I like your idea on this.  Have not done this before using routes.  Explanation or easy way to configure?

Removed the ACL nat-cell out of the config to start I guess is a good place to begin. I am guessing but I should remove the NAT statement for G0/0?

 

I wouldn't change your config, just add that extra NAT statement and use the same source list ACL for both.

So I try to add that additional NAT statement for the cellular interface and no matter what the config does not take it.  Basically it only takes one statement and that is it.  Weird.  I also have now tried using CCP Express v3.1.1 to do the same.  There it says when you enable NAT from the primary interface that it will enable NAT on both interfaces but the CLI in the GUI does not show the same.  I am trying everything to figure this out.....looks like a TAC job now.

So after some additional digging found the following.  You cannot do 2 NAT statements without using route-map.

Adding the following to the config:

 

ip nat inside source route-map NAT1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT2 interface Cellular0/0/0 overload

route-map NAT2 permit 10
 match ip address 100
 match interface Cellular0/0/0

route-map NAT1 permit 10
 match ip address 100
 match interface GigabitEthernet0/0

access-list 100 permit ip 10.7.20.0 0.0.0.255 any

 

Seems now that I can get the cellular interface to come up on profile 3 and it becomes active.

The next issue as it seems the cellular interface comes up when the primary WAN goes down but flaps using the ip sla configuration.  Although I get an IP address from the wireless network via the APN vzwinternet.  I have to figure out why that is but at least making progress.

 

I didn't know that you couldn't have two NAT statements without using a route-map. We also tried using an SLA in our config but we experienced the same flapping problem. We just decided not to use the SLA. Let me know if you figure out how to get the SLA to work!

Here is a question you might be able to shed some light on.  When I do a show arp, I not only get addresses for LAN but I get many from all different addresses but all the same MAC.  I believe it should only show the internal LAN.  Something misconfigured or missing?

Fixed the ARP problem by changing the following commands:

 

ip nat inside source route-map NAT1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT2 interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 dhcp

 

Now the ARP table only shows internal LAN.

I am working on the SLA portion now to figure out a way to make this work.
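An added example, not part of any post in this thread and not Cisco tooling: a small Python check for the dual-WAN conditions the thread works through (interface-blind list-based NAT rules, route-maps without `match interface`, a backup WAN in the wrong zone, undefined track objects, and an IP SLA probe target with no host route pinning it to the primary WAN). It runs over a constructed excerpt condensed from the second posted config; the function names and finding codes are hypothetical.

```python
import re

# Constructed sample: condensed from the second config posted in the thread,
# with the nat-cell rule and "ip address negotiated" applied.
SAMPLE = """\
track 1 ip sla 1 reachability
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 zone-member security WAN
interface GigabitEthernet0/1
 ip address 10.7.20.1 255.255.255.0
 ip nat inside
 zone-member security LAN
interface Cellular0/0/0
 ip address negotiated
 ip nat outside
 zone-member security LAN
ip nat inside source list nat-cell interface Cellular0/0/0 overload
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0
ip sla 1
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0
 frequency 1800
"""

NAT_RE = re.compile(r"ip nat inside source (list|route-map) (\S+) interface (\S+) overload")

def sections(cfg):
    """Map each top-level command to the indented sub-commands beneath it."""
    out, current = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line.strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(cfg):
    """Return a sorted list of (code, subject) findings for a dual-WAN config."""
    sec = sections(cfg)
    ifaces = {k.split()[1]: v for k, v in sec.items() if k.startswith("interface ")}
    zone = {}
    for name, cmds in ifaces.items():
        z = [c.split()[-1] for c in cmds if c.startswith("zone-member security ")]
        zone[name] = z[0] if z else None
    outside = [n for n, c in ifaces.items() if "ip nat outside" in c]
    inside_zones = {zone[n] for n, c in ifaces.items() if "ip nat inside" in c}
    found = set()

    rules = [m.groups() for m in (NAT_RE.match(l) for l in sec) if m]
    for n in outside:
        if n not in {r[2] for r in rules}:
            found.add(("NAT_NO_RULE", n))
    # An ACL cannot match the egress interface, so with list-based rules the
    # translation chosen does not depend on which WAN the packet leaves through.
    list_targets = sorted({r[2] for r in rules if r[0] == "list"})
    if len(list_targets) > 1:
        found.add(("NAT_LIST_AMBIGUOUS", ",".join(list_targets)))
    for kind, name, iface in rules:
        if kind == "route-map":
            body = [c for k, v in sec.items() if k.startswith(f"route-map {name} ") for c in v]
            if f"match interface {iface}" not in body:
                found.add(("ROUTEMAP_NO_MATCH_IF", name))

    # Zone-based firewall: a WAN interface with no zone cannot exchange traffic
    # with zone members, and one placed in the LAN zone bypasses the zone-pair policy.
    for n in outside:
        if zone[n] is None and any(zone.values()):
            found.add(("WAN_NO_ZONE", n))
        elif zone[n] is not None and zone[n] in inside_zones:
            found.add(("WAN_IN_INSIDE_ZONE", n))

    for l in sec:
        m = re.match(r"ip route \S+ \S+ .*\btrack (\d+)", l)
        if m and not any(k.startswith(f"track {m.group(1)} ") for k in sec):
            found.add(("TRACK_UNDEFINED", m.group(1)))
        if re.fullmatch(r"ip sla \d+", l):
            for c in sec[l]:
                # Without a host route the probe follows whichever default route is active.
                if c.startswith("icmp-echo ") and not any(
                        k.startswith(f"ip route {c.split()[1]} 255.255.255.255 ") for k in sec):
                    found.add(("SLA_TARGET_UNPINNED", c.split()[1]))
    return sorted(found)

if __name__ == "__main__":
    for code, subject in audit(SAMPLE):
        print(code, subject)
```
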

 

 
