Migrating 2821 to ASR 1001-x

rodadkins701
Level 1

I recently migrated a 2821 to ASR 1001-x, and am having some problems. The issue is we have a firewall in the architecture that is supporting a PTP VPN, and the tunnel will not stay up (it was previously working). I am unsure if a license needs to be applied to the ASR to allow it to pass encrypted traffic. For context, I reconfigured the NAT config to use PAT (overload) and a single IP. I really need someone to look over my configs to see if anything egregious is evident in the new config. I have sanitized the old & new configs and am attaching them. Thank you in advance for any help with this issue; I presently have an unhappy customer.

7 Replies

chrihussey
VIP Alumni

Just a thought, you are overloading on a single IP yet you give it a /30 mask. Perhaps a host mask?

ip nat pool natpool1 106.XXX.YYY.2 106.XXX.YYY.2 prefix 32


I would assume that if you configured anything that required a license it would have notified you during the process.

Hope this helps

I've checked for network conflicts, and haven't seen anything overlapping. It's strange: whenever I shut/no shut GigabitEthernet0/0/1, the tunnel comes up for about a minute, passes traffic, then goes down. It almost feels like an IP conflict issue, but I can't find one. Thanks for your input, sir.

Hmm, can you explain this part of the configuration:

!
ip nat inside source static 10.200.1.1 106.XXX.YYY.125
!

So 10.200.1.1 from G0/0/2 is supposed to get NAT'ed to the secondary IP of the G0/0/1 interface?

That might be the issue.

No, 10.200.1.2 is bound to G0/0/2, not 10.200.1.1; that is bound to the FW. For further context, I am adding a sanitized diagram. I have to admit, I walked into this env. blind, given limited time to discover/implement/troubleshoot the solution... fun times... Thanks for your help, much obliged.

Thanks for the diagram.

Sorry to be redundant but 10.200.1.1 is getting NAT'ed to 106.XXX.YYY.125, which I assume is the secondary IP of the G0/0/1 interface which is also a NAT inside interface. That looks like a conflict to me (could be wrong). I see it worked basically the same way on the old router, but not sure if that makes it right.

The fact that the tunnel comes up when G0/0/1 is shut tells me that there is something there.

Could you try changing the prefix on the natpool1 to /32 and static NAT the tunnel to 106.XXX.YYY.3?


Unfortunately, the system is live and I can't make changes w/o a maint. window. Other than that, is there anything you, or anyone else looking at this thread, can see that might be the issue? What about the CEF config? Does this have to be applied to interfaces? I put in the config "ip cef distributed", and nothing shows in the config. I was wondering if that might be affecting traffic... Thanks again for all of the input.

CEF is probably part of the default config, so that's why you don't see it. Try "sh ip cef summ" to verify it is running.

Also, after making changes do "clear ip nat translation * " to clear all dynamic translations so you are starting with a clean slate.

Other than that, perhaps a debug of the NAT may provide some answers.

Regards
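Pulling the replies' suggestions together into one NAT configuration, as an added illustration that is not the poster's attached config and not anything the replier wrote: the single-address pool gets a host mask, the firewall's VPN endpoint is mapped one-to-one to a public address that no router interface owns (106.XXX.YYY.3, as suggested above), and the verification commands from the last reply follow. The interface roles, the WAN mask, the ACL name and the permitted inside range are assumptions, not taken from the thread.

```cisco
! Constructed example (not the configs attached to this thread).
! Assumed roles: Gi0/0/1 is the WAN side, Gi0/0/2 faces the firewall
! (10.200.1.1) from 10.200.1.2. The WAN mask is assumed as well.
!
interface GigabitEthernet0/0/1
 description WAN (assumed NAT outside)
 ip address 106.XXX.YYY.1 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/0/2
 description Firewall link (NAT inside)
 ip address 10.200.1.2 255.255.255.252
 ip nat inside
!
! One-address pool for PAT: a /30 describes four addresses, /32 exactly one.
ip nat pool natpool1 106.XXX.YYY.2 106.XXX.YYY.2 prefix-length 32
!
! What gets overloaded. The firewall's VPN endpoint is excluded so it can
! never land in the shared pool; static NAT already takes precedence, but
! the deny makes the intent explicit. The permitted range is a placeholder.
ip access-list extended NAT-OVERLOAD
 deny ip host 10.200.1.1 any
 permit ip 10.200.1.0 0.0.0.255 any
!
ip nat inside source list NAT-OVERLOAD pool natpool1 overload
!
! One-to-one mapping for the VPN endpoint, on an address that is not bound
! to any interface. ESP carries no ports, so it cannot be multiplexed by
! PAT; a fixed public address keeps IKE and ESP stable for the peer.
ip nat inside source static 10.200.1.1 106.XXX.YYY.3
!
! After the change, from privileged EXEC:
!   clear ip nat translation *
!   show ip nat translations
!   show ip nat statistics
!   show ip cef summary
```

When checking the result, `show ip nat translations` should list 10.200.1.1 only under the static 106.XXX.YYY.3 entry; if a translation for it appears on the pool address or on an address that is also configured on an interface, the overload ACL or the static mapping is not doing what was intended, which is the kind of overlap the thread is circling around.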