Hello,

try and enable auto SIM:

https://www.cisco.com/c/en/us/td/docs/routers/access/1100/software/configuration/xe-16-7/cisco_1100_series_swcfg_xe_16_7_x/cisco_1100_series_swcfg_chapter_01011.html#task_gdw_bgk_cfb

Thanks but that's not the cause of the problem. auto-sim is already active. The service provider is recognised and shown as active with the

show cellular 0/2/0 firmware

command:

Idx Carrier FwVersion PriVersion Status
1 ATT 02.24.05.06 002.027_000 Inactive
2 BELL 02.24.05.06 001.005_000 Inactive
3 GENERIC 02.24.05.06 002.026_000 Inactive
4 ROGERS 02.24.05.06 001.005_000 Inactive
5 SPRINT 02.26.01.00 002.029_000 Inactive
6 TELUS 02.24.05.06 001.005_000 Inactive
7 US-Cellular 02.24.05.06 000.003_000 Inactive
8 VERIZON 02.24.05.06 002.034_000 Inactive
9 VODAFONE 02.24.03.00 001.001_000 Active

Hello,

post the full configuration of the router. Also make sure that the line:

dialer-list 1 protocol ip permit

is in your configuration.

Attached is my anonomised config...

Current configuration : 9398 bytes
!
! Last configuration change at 09:50:56 UTC Tue Nov 12 2019
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 123456789
!
aaa new-model
!
!
aaa authentication fail-message ^C
************************************
* *
* Incorrect Username or Password *
* *
* Access Denied *
* *
************************************
^C
aaa authentication password-prompt P:
aaa authentication username-prompt U:
aaa accounting connection h323 start-stop group radius
!
!
!
!
!
!
aaa session-id common
!

ip vrf Internet
rd 0:0
!
!
no ip domain lookup
ip domain name mydomain.net
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
vtp mode transparent
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1023063293
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1023063293
revocation-check none
rsakeypair TP-self-signed-1023063293
!
!

!
license udi pid C1113-8PLTEEAWE sn FGL23361223
license accept end user agreement
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree uplinkfast
!
!
username magadmin secret 5 123456789
!
redundancy
mode none
!
!
!
!
controller Cellular 0/2/0
lte sim data-profile 9 attach-profile 9 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
controller VDSL 0/3/0
!
!
vlan internal allocation policy ascending
!
vlan 368
name ssshhh-LAN
!
vlan 500
name Admin-LAN
!
vlan 600
name Main-LAN
!
vlan 700
name WLAN
!
vlan 800
name VoIP
!
vlan 900
name CCTV
!
vlan 950
name Biometric
!
!
crypto keyring Internet vrf Internet
pre-shared-key address 0.0.0.0 0.0.0.0 key 123456789
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 999
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456789 address 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set mag1 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set mag0 esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile mag0
set transform-set mag0
!
crypto ipsec profile mag1
set transform-set mag1
!
!
!
!
!
!
!
!
interface Tunnel0
description description **Europe DMVPN**
bandwidth 2000
ip address 10.10.10.236 255.255.254.0
no ip redirects
ip mtu 1400
ip nbar protocol-discovery
ip nhrp authentication 8jFueFGI
ip nhrp map multicast 1.1.1.1
ip nhrp map 10.10.10.1 1.1.1.1
ip nhrp map multicast 2.2.2.2
ip nhrp map 10.10.10.2 2.2.2.2
ip nhrp map multicast 2.2.2.2
ip nhrp network-id 100
ip nhrp holdtime 360
ip nhrp nhs 10.10.10.1
ip nhrp nhs 10.10.10.2
ip tcp adjust-mss 1260
delay 1000
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile mag1 shared
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 600
switchport trunk allowed vlan 1,2,500,600,700,800,900,950,1002-1005
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 600
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 600
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 600
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 600
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 600
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 600
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport trunk native vlan 368
switchport trunk allowed vlan 1,2,500,600,700,800,900,950,1002-1005
switchport mode trunk
!
interface Wlan-GigabitEthernet0/1/8
!
interface Cellular0/2/0
ip address negotiated
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface ATM0/3/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/3/0
no ip address
no negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan600
description xxxx
ip address 10.10.20.1 255.255.255.224
shutdown
no autostate
!
!
!
router eigrp 500
network 10.1.20.0 0.0.0.31
network 10.10.10.0 0.0.1.255
eigrp stub connected summary
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh version 2
!
!
!
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
banner exec ^C
***All activities on this device are recorded for security purposes***
^C
banner login ^C
***************************************************************
* This device is soley for the use of authorised persons *
* only. Unauthorised use of this device is strictly *
* forbidden. All use of this system is logged and monitored *
* and unauthorised access will be acted upon. *
* *
***************************************************************
^C
!
line con 0
login authentication old
transport input none
stopbits 1
line vty 0 4
exec-timeout 30 0
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
line vty 5 15
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
!
!
!
!
!
!
end

Hello,

the configuration looks good. You might want to take the 'ip nat outside' off the interface, since you are not using NAT.

What if you add the two lines in bold to the Cellular ?

interface Cellular0/2/0
ip address negotiated
--> no ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
async mode interactive
routing dynamic

I removed the NAT, but it made no difference. The other commands suggested can't be configured on the interface. It looks like they're no longer supported.

The chat-script is also not supported on the ISR C1000 cellular controller.

Hello,

the strange thing is that you get a response, but only after manually pinging 8.8.8.8.

You could try and offload the config from the physical cellular interface to a dialer interface, not sure if that makes a difference...

Unfortunately external dialer is also no longer supported on the new LTE controllers. Cisco is a bit short on examples on how to get this to work. I've done everything I can that I can see and I'm stumped.

Hello,

the only other command I can find in the references is:

pulse-time 1

on the Cellular interface.

In the output of 'show cellular 0/2/0 all

what is the 'Current RSSI value' ? Ideally that should be lower than -125

The RSSI value is -63dBm. I can play around with the pulse-time parameter, but I'm not quite sure how it works for testing purposes.

Hello,

the RSSI is way within the acceptable range. Maybe an option is to delete all profiles and create a new one manually ?

I opened a TAC with Cisco for this and from the correspondence I'm starting to suspect that this behaviour is by design. That is, the cellular interface won't apply for a dhcp address unless someone attempts to connect to the internet. This is probably to conserve the bandwidth on the contract. It makes sense, but this "feature" doesn't work if the cellular interface is used as the source interface for a DMVPN tunnel.

The router will bring up the interface for any routed IP traffic to the internet, but not for the DMVPN ipsec tunnel, which makes these routers unsuitable for use as a DMVPN spoke site.

Hello,

looking at the FAQ linked below:

What VPN technologies are supported on the ISR 1000 Series?
The 1000 Series supports the following VPN technologies: FlexVPN,
Dynamic Multipoint VPN (DMVPN), and Group Encrypted Transport
VPN (GETVPN).

Still it could be that in combination with LTE, it behaves that way. I am curious to know what TAC's final say is...

https://www.cisco.com/c/dam/en/us/products/collateral/routers/1000-series-integrated-services-routers-isr/q-and-a-c67-739639.pdf