
Cisco 1921 / 4GLTE EHWIC - Primary Int G0/0 and Backup Cellular 0/0/0 Issues

screch101
Level 1

Hello,

 

I am looking for some help solving a problem with a Cisco 1921 and the Verizon 4G EHWIC card. I have configured the router and it is working and was looking to add the 4G as a backup to the primary connection G0/0. The cell interface is at Cellular0/0/0. If I add the following command ip address negotiated to the cellular interface then the G0/0 basically stops working and I lose all internet connectivity until that statement is removed. I don't understand why this is occurring. Any help would be appreciated. The only item I can think of is adding the additional something with NAT not configured correctly for that interface. Does not seem that the cellular interface "dials" when the G0/0 interface goes down. I have researched and have tried many different changes but nothing is fixing this issue. The firmware is up to date on the modem and the IOS is 15.5.3. Thanks in advance for any advice. Below is the snippet of the config with sections removed to keep size down that does not pertain I believe. Also included below is the cellular interface info.

 

version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.155-3.M.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login local_access local
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.7.20.1 10.7.20.120
!
ip dhcp pool LAN
 import all
 network 10.7.20.0 255.255.255.0
 dns-server 71.243.0.12 71.250.0.12
 default-router 10.7.20.1
!
!
!
no ip bootp server
ip name-server 71.243.0.12
ip name-server 71.250.0.12
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ips config location flash:ips retries 1
ip ips notify SDEE
ip ips name IOS-IPS
!
ip ips signature-category
  category all
   retired true
   enabled false
  category ios_ips basic
   retired false
   enabled true
!
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
multilink bundle-name authenticated
!
chat-script lte "" "AT3CALL" TIMEOUT 60 "OK"
password encryption aes
cts logging verbose
!
crypto pki trustpoint TP-self-signed-2901148831
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2901148831
 revocation-check none
 rsakeypair TP-self-signed-2901148831
!
!
license udi pid CISCO1921/K9 sn XXXXXXXXX
license boot module c1900 technology-package datak9
!
!

!
object-group network local_lan_subnets
 10.7.20.0 255.255.255.0
!

!
username XXXXX privilege 15 secret 5
username XXXXX privilege 12 secret 5
!
redundancy
!
!
!
!
!
controller Cellular 0/0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
no cdp run
!
ip tcp synwait-time 10
!
!
policy-map type inspect LAN-WAN-POLICY
 
policy-map type inspect WAN-LAN-POLICY
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect WAN-LAN-POLICY
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 shutdown
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_FiOS
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip ips IOS-IPS in
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description Home LAN
 ip address 10.7.20.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface Cellular0/0/0
 description BackupWANDesc_LTE
 no ip address
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string lte
 async mode interactive
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip ftp passive
ip nat inside source list nat-list interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0
!
logging trap debugging
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
banner incoming ^CCisco 1921 K9/Security^C
banner login ^C

  *** UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED ***
             For Authorized Offical Use Only
        You must have explicit permission to access
    or configure this device.  All activities performed
      on this device are logged, and violations of
           this policy may be reported to law
                 enforcement authorities.
         There is no right to privacy on this device. ^C
!
line con 0
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 script dialer lte
 modem InOut
 no exec
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_access
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 131.107.13.100 prefer source GigabitEthernet0/0
!
end

 

 

 

Cellular Info Below:

 


Cellular 0/0/0 Interface Info

show cellular 0/0/0 network

Current System Time = Mon Aug 24 2:57:48 2015
Current Service Status = Normal
Current Service = Packet switched
Current Roaming Status = Home
Network Selection Mode = Automatic
Network = Verizon Wireless
Mobile Country Code (MCC) = 311
Mobile Network Code (MNC) = 480
Packet switch domain(PS) state = Attached
Registration state(EMM) = Registered
EMM Sub State = Normal Service
Tracking Area Code (TAC) = 14595
Cell ID = 14598913

show cellular 0/0/0 radio

Radio power mode = ON
LTE Rx Channel Number =  5230
LTE Tx Channel Number =  23230
LTE Band =  13
LTE Bandwidth = 10 MHz
Current RSSI = -83 dBm
Current RSRP = -116 dBm
Current RSRQ = -17 dB
Current SNR = -2.0  dB
Radio Access Technology(RAT) Preference = AUTO
Radio Access Technology(RAT) Selected = LTE


show cellular 0/0/0 profile

Profile password Encryption level: 7


Profile 1 = INACTIVE **
--------
PDP Type = IPv4
Access Point Name (APN) = vzwinternet
Authentication = None

Profile 2 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwadmin
Authentication = None

Profile 3 = INACTIVE*
--------
PDP Type = IPv4
Access Point Name (APN) = vzwinternet
Authentication = None

Profile 4 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwapp
Authentication = None

Profile 5 = INACTIVE
--------
PDP Type = IPv4
Access Point Name (APN) =
Authentication = None

  * - Default profile
 ** - LTE attach profile


show cellular 0/0/0 security

Card Holder Verification (CHV1) = Disabled
SIM Status = OK
SIM User Operation Required = None
Number of CHV1 Retries remaining = 3


show cellular 0/0/0 all

Hardware Information
====================
Modem Firmware Version = SWI9600M_03.05.10.06ap
Modem Firmware built = 2012/11/12 15:07:45
Hardware Version = 10
Device Model ID: MC7750
Package Identifier ID: MC7750_03.05.10.06_00_vzw_033.011_000
International Mobile Subscriber Identity (IMSI) = 311480039061020
International Mobile Equipment Identity (IMEI) = 990000820070961
Integrated Circuit Card ID (ICCID) = 89148000000384557279
Mobile Subscriber Integrated Services
Digital Network-Number (MSISDN) = 7745030447
Current Modem Temperature = 34 deg C
PRI SKU ID = 9900853, PRI version = 00.05, Carrier = 5

Profile Information
====================
Profile password Encryption level: 7


Profile 1 = INACTIVE **
--------
PDP Type = IPv6
Access Point Name (APN) = vzwims
Authentication = None

Profile 2 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwadmin
Authentication = None

Profile 3 = INACTIVE*
--------
PDP Type = IPv4
Access Point Name (APN) = vzwinternet
Authentication = None

Profile 4 = INACTIVE
--------
PDP Type = IPv4v6
Access Point Name (APN) = vzwapp
Authentication = None

Profile 5 = INACTIVE
--------
PDP Type = IPv4
Access Point Name (APN) =
Authentication = None

  * - Default profile
 ** - LTE attach profile


Data Connection Information
===========================
Profile 1, Packet Session Status = INACTIVE
Profile 2, Packet Session Status = INACTIVE
Profile 3, Packet Session Status = INACTIVE
Profile 4, Packet Session Status = INACTIVE
Profile 5, Packet Session Status = INACTIVE
Profile 6, Packet Session Status = INACTIVE

Network Information
===================
Current System Time = Mon Aug 24 3:1:8 2015
Current Service Status = Normal
Current Service = Packet switched
Current Roaming Status = Home
Network Selection Mode = Automatic
Network = Verizon Wireless
Mobile Country Code (MCC) = 311
Mobile Network Code (MNC) = 480
Packet switch domain(PS) state = Attached
Registration state(EMM) = Registered
EMM Sub State = Normal Service
Tracking Area Code (TAC) = 14595
Cell ID = 14598913

Radio Information
=================
Radio power mode = ON
LTE Rx Channel Number =  5230
LTE Tx Channel Number =  23230
LTE Band =  13
LTE Bandwidth = 10 MHz
Current RSSI = -83 dBm
Current RSRP = -117 dBm
Current RSRQ = -17 dB
Current SNR = -3.3  dB
Radio Access Technology(RAT) Preference = AUTO
Radio Access Technology(RAT) Selected = LTE

Modem Security Information
==========================
Card Holder Verification (CHV1) = Disabled
SIM Status = OK
SIM User Operation Required = None
Number of CHV1 Retries remaining = 3

GPS Information
==========================

GPS Info
-------------
GPS Feature: enabled
GPS Port Selected: Dedicated GPS port
GPS State: GPS disabled

SMS Information
===============
Incoming Message Information
----------------------------
SMS stored in modem = 23
SMS archived since booting up = 0
Total SMS deleted since booting up = 0
Storage records allocated = 25
Storage records used = 23
Number of callbacks triggered by SMS = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0

Outgoing Message Information
----------------------------
Total SMS sent successfully = 0
Total SMS send failure = 0
Number of outgoing SMS pending = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0
Last Outgoing SMS Status = SUCCESS
Copy-to-SIM Status =     0x0
Send-to-Network Status = 0x0
Report-Outgoing-Message-Number:
  Reference Number =     0
  Result Code =          0x0
  Diag Code =            0x0 0x0 0x0 0x0 0x0

SMS Archive URL =

Error Information
=================

This command is not supported on this platform.


Modem Crashdump Information
===========================
Modem crashdump logging: off

 


Chris Russo
Level 1

I have played a lot with these interfaces and if the interface drops when getting your IP it could be a NAT issue. The reason the interface drops is because of something called an IP source violation. If the provider sees traffic coming in through the cell interface that isn't properly NATed, the connection will drop. What you can do is create an access-list denying all inside traffic from traversing the cell interface. Btw, where is your NAT ACL for your "nat-list"? Also, I noticed that none of your cellular profiles are active. Try enabling the interface again using an ACL to block RFC 1918 IPs from going out of the interface and let me know what happens. I've had to troubleshoot these a lot... Here is an example of our config.

 

interface Cellular0/0/0
 description To Verizon Cellular Network
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 shutdown
 dialer in-band
 dialer idle-timeout 0
 dialer enable-timeout 6
 dialer string ltescript
 dialer watch-group 1
 async mode interactive

 

chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"

dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit

ip nat inside source route-map NAT-CELL interface Cellular0/0/0 overload

 

P.S. I haven't included the route-map or ACLs for the NAT config
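
The pieces left out of the post above (the NAT route-maps and an egress ACL that blocks RFC 1918 sources on the cellular link) could look like the following. This is an added example, not part of the original post or the poster's production config; the names NAT-LAN, NAT-FIOS, NAT-CELL and CELL-EGRESS are hypothetical, while the LAN subnet, interface names and zone name are taken from the config in the first post.

```cisco
! Added example. NAT-LAN, NAT-FIOS, NAT-CELL and CELL-EGRESS are
! hypothetical names; 10.7.20.0/24 is the LAN from the first post.
!
! Inside hosts that are allowed to be translated.
ip access-list standard NAT-LAN
 permit 10.7.20.0 0.0.0.255
!
! One route-map per WAN. "match interface" ties each NAT rule to the
! egress interface the routing table selected, so a flow leaving via
! the cellular link is translated to the cellular address and not to
! the GigabitEthernet0/0 address.
route-map NAT-FIOS permit 10
 match ip address NAT-LAN
 match interface GigabitEthernet0/0
!
route-map NAT-CELL permit 10
 match ip address NAT-LAN
 match interface Cellular0/0/0
!
! These replace a single list-based rule bound to one interface.
ip nat inside source route-map NAT-FIOS interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-CELL interface Cellular0/0/0 overload
!
! Egress filter for the carrier link. Output ACLs are evaluated after
! inside-to-outside NAT, so correctly translated packets pass and only
! packets that escaped translation (still carrying an RFC 1918 source)
! are dropped. "log" records each hit for troubleshooting.
ip access-list extended CELL-EGRESS
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
!
interface Cellular0/0/0
 ip address negotiated
 ip nat outside
 ip access-group CELL-EGRESS out
 ! GigabitEthernet0/1 is a zone-based firewall member (zone LAN).
 ! Traffic between a zone member and a non-member interface is
 ! dropped, so the backup WAN joins zone WAN as GigabitEthernet0/0 does.
 zone-member security WAN
```

If the carrier assigns the cellular interface an RFC 1918 address, translated packets will match the deny lines; in that case permit that host address ahead of them. `show ip nat translations` and `show ip access-lists CELL-EGRESS` show whether flows are being translated and whether the deny entries are taking hits.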

 

 

 

 

 

 

Thanks for responding I appreciate the insight.  I was going to add the following statement to my config thinking this might be part of the problem because it is not included.  Your info kind of validates my thoughts on the NAT issue.

 

ip nat inside source list nat-list interface Cellular0/0/0 overload

 

I have not managed to get any of the profiles to show active, that is another item that I cannot figure out so far. This has been frustrating. The interface is a backup ONLY to G0/0. Would the profile become active once the G0/0 interface goes down?

Thanks for help in this situation.  I appreciate it.

 

-Fred

Yes you need to make sure you NAT out of the cellular interface as well. At least one of the profiles should show active once your connection to the cellular network is established regardless if G0/0 is up or down.

So adding that ip nat statement is for sure.  As far as the dial portion of the config do I need to add that?  I don't have any of the 3 below statements in my config.

 

dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1

 

 

I do have the following included.

chat-script lte "" "AT1CALL" TIMEOUT 60 "OK"   - Changed this to profile 1 instead of 3

 

controller Cellular 0/0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6

 

line 0/0/0
 script dialer lte
 modem InOut
 no exec

dialer-list 1 protocol ip permit

 

 

It's my understanding that the dialer watch list will basically keep the cellular interface up at all times, instead of just connecting when establishing a "call". Adding those 3 dialer watch-list commands definitely won't hurt.

Do I really need it up all the time if it is a backup just in case the other interface goes down?

We have ours up all the time and we are using it as a backup connection as well. We just have the cell connection as a default floating static route with a higher AD than our primary interface. The choice is up to you.

Thanks for help on this. Do I have to create a new ACL for NAT for that interface? I have not done many, still learning the ins and outs of CLI. What is your recommendation on setting this up? My current ACLs are below.

 

ip access-list extended diskstation_acl
 permit object-group diskstation_svc object-group diskstation_src_net object-group diskstation_dst_net
ip access-list extended energy_detective_acl
 permit object-group energy_detective_svc object-group energy_detective_src_net object-group energy_detective_dst_net
ip access-list extended lan_acl
 permit object-group lan_svc object-group lan_src_net object-group lan_dst_net
ip access-list extended mobile_net_extender_acl
 permit object-group mobile_net_extender_svc object-group mobile_net_extender_src_net object-group mobile_net_extender_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny   ip any any
ip access-list extended rdp_server_acl
 permit object-group rdp_server_svc object-group rdp_server_src_net object-group rdp_server_dst_net
!

 

What would the command be to set this correctly? I am guessing after the ACL is set then I should add the below:

 

ip nat inside source list nat-cell interface Cellular0/0/0 overload

 

Once again thanks for your help on this.  Great expertise on this.  Seems like you have had a lot of experience with this.

 

-Fred

Hello Chris,

 

Well I had a chance to work on this and here is what happens...you can correct me when and wherever I made a mistake,

 

I added the following ACL..I think I did it correctly.

 

Extended IP access list nat-cell
    10 permit ip object-group local_lan_subnets any 
    20 deny ip any any

 

This below is the current one:


Extended IP access list nat-list
    10 permit ip object-group local_lan_subnets any 
    20 deny ip any any

 

Added to the Cellular0/0/0: ip address negotiated

Then added the following command:

ip nat inside source list nat-cell interface Cellular0/0/0 overload

 

Once that was added I lose all internet connectivity until removed?

 

What am I doing wrong? I did not get profile to go active. I also did not try adding dialer statements but that will be next.

 

Any suggestions?

 

Thanks.

Can you be more specific when you say "lose all internet connectivity"? Does this mean that your primary connection drops when you add the ip address negotiated command? I would manually shut down your primary connection and attempt troubleshooting the cellular interface until you establish connectivity through the cell. Just to be safe I would also add an ACL that denies all private IP address space from exiting the cell interface in order to avoid an IP source violation.

I try to ping anything inside IOS and it fails and hence it looks like no connectivity to "outside". 

I'm not sure what you mean by that. It may be time to open up a TAC case.

Basically it seems like the G0/0 interface stops passing any traffic. I will do that as it seems something weird is going on. Thanks for all the help.

Yeah it shouldn't do that since you have a weighted route pointing to the cell interface. The cell interface coming up should not cause G0/0 to not pass traffic.
