04-17-2011 08:42 PM - edited 03-04-2019 12:06 PM
Hello,
I have a problem with IPSEC.
My branch office router has two terminations:
1. Ethernet-based termination to the Internet, terminated on Gig0/0.
2. 3G connection to the Internet.
I have configured an IPsec tunnel to the head office. I want the tunnel to be established across the Ethernet when that is plugged into the Gig0/0 interface, and it should be given preference over the 3G connection. When I unplug the Ethernet termination the tunnel should be established over the 3G connection. Currently the tunnel gets established over the Ethernet connection, but when I unplug the Ethernet connection it is not switching over to the 3G connection. It establishes the tunnel via 3G only after rebooting the router. Both the 3G and Ethernet interfaces get dynamic IPs, so I have configured an IP SLA so that it generates interesting traffic. Please find the configs below. Can someone help me with why the tunnel is not switching back AUTOMATICALLY to 3G when the Ethernet connection is removed?
Thanks.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
boot-start-marker
boot system flash://c2900-universalk9-mz.SPA.151-1.T.bin/
boot-end-marker
!
enable secret 5 xxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone AWST 8
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip dhcp excluded-address 10.180.100.129 10.180.100.137
ip dhcp excluded-address 10.180.100.250 10.180.100.254
ip dhcp excluded-address 10.180.100.1 10.180.100.9
ip dhcp excluded-address 10.180.100.122 10.180.100.126
!
ip dhcp pool Voice
network 10.180.100.0 255.255.255.128
default-router 10.180.100.126
option 150 ip 10.180.255.113
!
ip dhcp pool Data
network 10.180.100.128 255.255.255.128
default-router 10.180.100.254
dns-server 10.180.49.25 10.180.49.102
domain-name xxxx
!
!
no ip bootp server
ip name-server 10.180.49.25
ip name-server 10.180.49.102
!
multilink bundle-name authenticated
!
!
!
!
!
chat-script telstra "" "ATDT*99*1#" TIMEOUT 30 "CONNECT"
!
!
voice-card 0
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
bind control source-interface GigabitEthernet1/0.101
bind media source-interface GigabitEthernet1/0.101
!
voice class codec 10
codec preference 1 g711ulaw
codec preference 2 g711alaw
!
!
!
!
voice translation-rule 1
rule 1 /^691/ /086213691/
!
!
voice translation-profile PSTN-Outbound
translate calling 1
!
!
license udi pid CISCO2911/K9 sn FHK1439F386
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
archive
log config
logging enable
logging size 1000
hidekeys
username cisco password 7 14141B180F0B
!
redundancy
!
!
!
!
controller Cellular 0/0
!
ip ssh version 2
!
class-map match-all Voice-Payload
match ip dscp ef
class-map match-all Voice-Signalling
match ip dscp cs3
class-map match-all Business_Critical
match ip dscp af31
!
!
policy-map OIAB_Policy
class Voice-Payload
priority percent 50
class Voice-Signalling
bandwidth percent 5
class Business_Critical
bandwidth percent 35
class class-default
fair-queue
random-detect
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key x.x.x.x address x.x.x.x(head office IP)
!
!
crypto ipsec transform-set STRONGAES esp-aes 256 esp-sha-hmac
!
crypto map vpn 5 ipsec-isakmp
description *** VPN via TELSTRA-ISP to PERTH DATA CENTRE ***
set peer x.x.x.x
set transform-set STRONGAES
match address vpnToDC_WA
!
!
!
!
!
interface Loopback0
description MANAGEMENT IP ADDRESS
ip address 10.180.255.113 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
!
interface GigabitEthernet0/0
description ***To Service Provider***
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
service-policy output OIAB_Policy
!
interface GigabitEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
speed 1000
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1/0
description ***VIRTUAL INTERFACE TO ES MODULE***
ip unnumbered Loopback0
!
interface GigabitEthernet1/0.101
description Voice VLAN 101
encapsulation dot1Q 101
ip address 10.180.100.126 255.255.255.128
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
!
interface GigabitEthernet1/0.102
description Data VLAN 102
encapsulation dot1Q 102 native
ip address 10.180.100.254 255.255.255.128
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
!
interface Cellular0/0/0
no ip address
ip virtual-reassembly
encapsulation ppp
load-interval 60
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
crypto map vpn
service-policy output OIAB_Policy
!
interface Cellular0/0/1
no ip address
encapsulation ppp
!
interface Dialer1
description ***To Service Provider***
bandwidth 2000
ip address negotiated
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string telstra
dialer persistent
dialer-group 1
ppp chap hostname OIAB01291101
ppp chap password 7 14141B180F0B
ppp chap refuse
ppp ipcp dns request
crypto map vpn
service-policy output OIAB_Policy
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20
ip tacacs source-interface Loopback0
!
ip access-list extended vpnToDC_WA
permit ip host 10.180.255.113 10.180.0.0 0.0.255.255
permit ip 10.180.71.56 0.0.0.7 10.180.0.0 0.0.255.255
permit ip 10.180.100.0 0.0.0.127 10.180.0.0 0.0.255.255
permit ip 10.180.100.128 0.0.0.127 10.180.0.0 0.0.255.255
!
ip radius source-interface Loopback0
ip sla 1
icmp-echo 10.180.54.1 source-ip 10.180.100.126
threshold 1000
timeout 1000
frequency 30
ip sla schedule 1 life forever start-time now
logging source-interface Loopback0
logging 10.180.54.133
access-list 101 remark Traffic 2B Optimised
access-list 101 permit tcp any any
access-list 101 remark Local Steelhead
access-list 101 deny ip 10.180.71.56 0.0.0.7 any
access-list 101 deny ip any 10.180.71.56 0.0.0.7
dialer-list 1 protocol ip permit
!
!
!
!
!
tftp-server flash:term65.default.loads
tftp-server flash:jar45sccp.8-5-3TH1-6.sbn
tftp-server flash:cnu45.8-5-3TH1-6.sbn
tftp-server flash:apps45.8-5-3TH1-6.sbn
tftp-server flash:dsp45.8-5-3TH1-6.sbn
tftp-server flash:cvm45sccp.8-5-3TH1-6.sbn
tftp-server flash:SCCP45.8-5-3S.loads
tftp-server flash:term45.default.loads
tacacs-server host 10.180.54.33 key 7 054A083F72546E0D140C19
tacacs-server host 10.180.54.34 key 7 0345553B55170148430017
tacacs-server timeout 15
tacacs-server directed-request
!
!
control-plane
!
!
!
!
!
dial-peer voice 100 voip
description Inbound Calls
session protocol sipv2
incoming called-number .
voice-class codec 10
!
dial-peer voice 200 voip
description PSTN Calls
translation-profile outgoing PSTN-Outbound
preference 1
destination-pattern 0T
session protocol sipv2
session target ipv4:10.180.54.1
voice-class codec 10
dtmf-relay sip-notify rtp-nte
dtmf-interworking rtp-nte
!
dial-peer voice 300 voip
description INTERNAL Calls to Extensions 6xxx
preference 1
destination-pattern 6...
session protocol sipv2
session target ipv4:10.180.54.1
voice-class codec 10
dtmf-relay sip-notify rtp-nte
dtmf-interworking rtp-nte
no vad
!
dial-peer voice 400 voip
description INTERNAL Calls to Extensions 6xxx
preference 2
destination-pattern 6...
session protocol sipv2
session target ipv4:10.180.138.129
voice-class codec 10
dtmf-relay sip-notify rtp-nte
dtmf-interworking rtp-nte
no vad
!
dial-peer voice 500 voip
description INTERNAL Calls to Extensions 31xx and 32xx
preference 1
destination-pattern 3...
session protocol sipv2
session target ipv4:10.180.54.1
voice-class codec 10
dtmf-relay sip-notify rtp-nte
dtmf-interworking rtp-nte
!
dial-peer voice 600 voip
description INTERNAL Calls to Extensions 31xx and 32xx
preference 2
destination-pattern 3...
session protocol sipv2
session target ipv4:10.180.138.129
voice-class codec 10
dtmf-relay sip-notify rtp-nte
dtmf-interworking rtp-nte
!
dial-peer voice 700 voip
description PSTN Calls
translation-profile outgoing PSTN-Outbound
preference 2
destination-pattern 0T
session protocol sipv2
session target ipv4:10.180.138.129
voice-class codec 10
dtmf-relay sip-notify rtp-nte
dtmf-interworking rtp-nte
!
!
dial-peer inbound selection sip-trunk
!
!
gatekeeper
shutdown
!
!
telephony-service
max-ephones 58
max-dn 300
ip source-address 10.180.255.113 port 2000
no service directed-pickup
timeouts interdigit 5
load 7945 SCCP45.8-5-3S
load 7965 SCCP45.8-5-3S
time-zone 42
date-format dd-mm-yy
max-conferences 8 gain -6
web admin system name admin password cisco
dn-webedit
transfer-system full-consult
transfer-pattern ....
secondary-dialtone 0
create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
ephone-dn 1 dual-line
number 6911
label Remote Kit 1 - Phone 1 6911
description 0862136911
name Remote Kit 1 - Phone 1
hold-alert 30 originator
!
!
ephone-dn 2 dual-line
number 6912
label Remote Kit 1 - Phone 2 6912
description 0862136912
name Remote Kit 1 - Phone 2
hold-alert 30 originator
!
!
ephone-dn 3 dual-line
number 6913
label Remote Kit 1 - Phone 3 6913
description 0862136913
name Remote Kit 1 - Phone 3
hold-alert 30 originator
!
!
ephone-dn 4 dual-line
number 6914
label Remote Kit 1 - Phone 4 6914
description 0862136914
name Remote Kit 1 - Phone 4
hold-alert 30 originator
!
!
ephone 1
device-security-mode none
mac-address 0025.8416.5D78
username "6911" password null
type 7965
button 1:1
!
!
!
ephone 2
device-security-mode none
mac-address 0026.0BD9.A004
username "6912" password null
type 7945
button 1:2
!
!
!
ephone 3
device-security-mode none
mac-address 0026.0BD9.9DAC
username "6913" password null
type 7945
button 1:3
!
!
!
ephone 4
device-security-mode none
mac-address 0026.0BD7.4539
username "6914" password null
type 7945
button 1:4
!
!
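One way to make this kind of crypto-map failover automatic on IOS, shown here as an added example that is not part of the thread and not the poster's configuration: tie the Gi0/0 default route to an IP SLA reachability track, enable IKE dead peer detection, and use an EEM applet to clear the IPsec/IKE session when the track changes state so that the next interesting packet re-initiates IKE from whichever interface now holds the default route. The probe target 198.51.100.1 and the head-office peer 203.0.113.10 are placeholders (documentation ranges), assumed for the example; the track, SLA and applet names are likewise arbitrary choices.

```cisco
! Added example, not from the original post. Placeholders:
!   198.51.100.1 = a probe target that is only reachable via the Ethernet ISP
!   203.0.113.10 = the head-office IPsec peer (x.x.x.x in the posted config)
!
! Dead Peer Detection: tears down a stale IKE SA after 3 missed keepalives
! even if the EEM applet below never fires.
crypto isakmp keepalive 10 3 periodic
!
! Probe the Ethernet path. source-interface copes with the DHCP-assigned address;
! the host route pins the probe to Gi0/0 so it cannot succeed over Dialer1.
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
 threshold 1000
 timeout 1000
ip sla schedule 10 life forever start-time now
!
ip route 198.51.100.1 255.255.255.255 GigabitEthernet0/0
!
! Dampened track: 15 s of failures before "down", 30 s of success before "up".
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Primary default route is withdrawn when the track is down; the 3G route
! (higher administrative distance) then takes over.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
! On Ethernet failure, clear the SAs so IKE re-initiates from the Dialer1 address.
event manager applet VPN-TO-3G
 event track 10 state down
 action 1.0 syslog msg "Ethernet path down: clearing IPsec session to head office"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote 203.0.113.10"
!
! On Ethernet recovery, clear again so the tunnel fails back off 3G.
event manager applet VPN-TO-ETHERNET
 event track 10 state up
 action 1.0 syslog msg "Ethernet path up: clearing IPsec session to fail back"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote 203.0.113.10"
```

Two practitioner caveats. First, the example keeps the posted interface-only default routes; on a DHCP-addressed Ethernet interface those rely on the upstream gateway answering proxy ARP, so if that ever breaks, the variant `ip route 0.0.0.0 0.0.0.0 dhcp` plus the same `track` is the usual alternative. Second, because the router runs `aaa new-model`, if command authorization is later enabled the EEM CLI actions will need an `event manager session cli username <user>` line to run `clear crypto session`. The head-office side must, as the poster already describes, accept the branch from either dynamic address, otherwise clearing the session cannot help.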
04-17-2011 10:41 PM
This link may help, see example 3
Please remember to rate all posts that are helpful.
04-17-2011 10:50 PM
Thanks for the link Sean. But I am not using NAT at the branch office end as all the NAT is done on the Head Office ASA where the tunnel is terminated. The example says to use EEM to clear the NAT table but I am not using it on my end. What else can I do?
Thanks.
04-18-2011 12:47 AM
Hi Gomathi,
Can you enable debug crypto isakmp and unplug the Ethernet cable to see whether the IKE phase initiates or not during the Ethernet outage, and post the result?
Thanks,
Kasi