03-13-2012 08:32 AM - edited 03-04-2019 03:38 PM
I have a 2911 with two serial interfaces.... The problem is when I plug in the second carrier into the router the first one "drops". By drops I mean I can't access the interface from the outside. It still shows up/up on the router. I have this working on two of my other remote offices and I'm digging through the code pulling my hair out trying to figure out what I'm doing wrong. Any ideas? I've got the route maps in place like below.
route-map sec-nat permit 10
match ip address 100
match interface Serial0/0/0:0
!
route-map prim-nat permit 10
match ip address 100
match interface Serial0/0/1:0
ip nat inside source route-map prim-nat interface Serial0/0/1:0 overload
ip nat inside source route-map sec-nat interface Serial0/0/0:0 overload
03-13-2012 01:19 PM
Anthony,
Can you please post the configuration of your router? Also, when the first one "drops", are you still receiving anything on that interface, i.e. routing updates or responses to pings? Are these circuits internet T1s or point-to-point T1s?
Thanks,
Kimberly
03-13-2012 02:11 PM
Here's the relevant parts of my config.... When the line "drops" I can no longer access it from the outside. I want to be able to ssh into both lines at any given time to check router configs. My PTP vpn tunnels also do not work when this happens. These are two internet T1 circuits.
interface Serial0/0/0:0
description Level 3 CktID
ip address 4.29.115.17 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map SDM_CMAP_1
!
!
interface Serial0/0/1:0
description Global Crossing CktID xxx
ip address 67.17.161.219 255.255.255.254
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map SDM_CMAP_1
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map prim-nat interface Serial0/0/1:0 overload
ip nat inside source route-map sec-nat interface Serial0/0/0:0 overload
ip route 0.0.0.0 0.0.0.0 67.17.161.209 180
ip route 0.0.0.0 0.0.0.0 4.29.115.18 190
ip route 128.242.119.39 255.255.255.255 67.17.161.220
ip route 192.168.0.0 255.255.0.0 67.17.161.220
ip route 204.93.111.211 255.255.255.255 67.17.161.220
ip route 204.93.111.215 255.255.255.255 67.17.161.220
The above routes I have all going over the Global Crossing circuit at the moment. If these lines were both active I would have a couple of these tunnels going over the L3 lines.
03-13-2012 08:36 PM
Anthony
I do not have a good understanding of your environment, and if I understood it better I might be able to give better advice. But based on what I understand so far here are my comments and suggestions.
I see that there are crypto maps on both of the serial interfaces (and in fact it seems to be the same crypto map on both serial interfaces). It might help a bit if we could see how the crypto map is configured.
I see that there are two static default routes configured and that each static default route has an administrative distance configured, which makes them into floating static routes, and the Global Crossing route has the better administrative distance. So when both interfaces are active the static default route that is preferred is the Global Crossing route. So no traffic would be sent out the L3 interface. This is probably why those VPN tunnels do not work.
HTH
Rick
03-14-2012 07:41 AM
Richard - here's my crypto map. Basically I want both of these interfaces reachable from the outside. If I put different administrative distances is that going to kill that possibility?
crypto map SDM_CMAP_1 2 ipsec-isakmp
description tunnel to DC1
set peer A.B.C.D
set transform-set ESP-3DES-SHA1
match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to DC2
set peer W.X.Y.Z
set transform-set ESP-3DES-SHA1
match address 101
03-16-2012 06:51 PM
Anthony
When you configure different administrative distances then only one of the routes will be in the routing table at any one time. And it would seem that this is what is preventing both peers from working.
Am I correct in assuming that peer A.B.C.D should connect over one of these links and that W.X.Y.Z should connect over the other link? If so then it might help make things work to put in host specific static routes in addition to the static default routes so that A.B.C.D is reached over the correct link and that W.X.Y.Z is reached over the correct link.
HTH
Rick
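The route selection discussed in the replies above, modelled as an added example that is not part of the original thread: it installs the posted static routes by administrative distance, then does a longest-prefix lookup to show which serial interface each VPN peer would leave by. The peer addresses are constructed stand-ins for the masked A.B.C.D and W.X.Y.Z, the next-hop-to-interface mapping follows the poster's note that the listed routes use the Global Crossing circuit, and the host route pinning DC1 to Level 3 is a hypothetical choice.

```python
import ipaddress

# Next hop -> egress interface. Assumption: both 67.17.161.x next hops sit on
# the Global Crossing circuit, as the poster's note under the config says.
NEXT_HOP_IF = {
    "67.17.161.209": "Serial0/0/1:0",
    "67.17.161.220": "Serial0/0/1:0",
    "4.29.115.18": "Serial0/0/0:0",
}

# (prefix, next hop, administrative distance), copied from the posted config.
# A static route with no distance given gets the IOS default of 1.
POSTED = [
    ("0.0.0.0/0", "67.17.161.209", 180),
    ("0.0.0.0/0", "4.29.115.18", 190),
    ("128.242.119.39/32", "67.17.161.220", 1),
    ("192.168.0.0/16", "67.17.161.220", 1),
    ("204.93.111.211/32", "67.17.161.220", 1),
    ("204.93.111.215/32", "67.17.161.220", 1),
]

def build_rib(statics, down=()):
    """Per prefix, install only the lowest-distance route whose interface is up."""
    rib = {}
    for prefix, nh, ad in statics:
        if NEXT_HOP_IF[nh] in down:
            continue  # interface down: route is withdrawn, floating route takes over
        net = ipaddress.ip_network(prefix)
        if net not in rib or ad < rib[net][1]:
            rib[net] = (nh, ad)
    return rib

def egress(rib, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    hits = [n for n in rib if addr in n]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)
    return NEXT_HOP_IF[rib[best][0]]

# Constructed stand-ins for the masked peers A.B.C.D and W.X.Y.Z.
PEER_DC1, PEER_DC2 = "198.51.100.10", "203.0.113.20"
# Hypothetical fix: pin DC1 to the Level 3 next hop with a host route.
FIXED = POSTED + [(PEER_DC1 + "/32", "4.29.115.18", 1)]

if __name__ == "__main__":
    for name, table in (("posted", POSTED), ("with host route", FIXED)):
        rib = build_rib(table)
        print(name, {p: egress(rib, p) for p in (PEER_DC1, PEER_DC2)})
```

With the posted routes both peers leave by Serial0/0/1:0; with the added host route DC1 moves to Serial0/0/0:0 while the floating default still covers it if that circuit goes down.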