cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1977
Views
0
Helpful
26
Replies

pppoe connection between two sites but no tunnel establish.

jomo frank
Level 1
Level 1

Hello Expert,

I have a hub router an three spoke connct together using ppoe connections.

I am  to [ping all the wan interfaces of my remote (spokes) from the hub , but i am unable to establlish a tunnel between

the hub and repte site.

I went thru the configuration of both hub and spoke compraing key and access list etc.

I include the hub and spoke for your guidance.

 

Regards


 

26 Replies 26

Hello Rick,
I am lost to explain why the eigrp is working but I have an extract from

sh crypto isakmp dia error.

Hello Rick,
I configure another spoke router (production) to same hub as mention in my first post and the eigrp tunnel was establish and passing traffic.
I tried comparing the two spokes to see why one was working and the other was not working but the only different was access rule 106 that was applied to dialer interface.
I would be grateful if you can compare the two  spoke configuration what is missing.
I am very puzzle with one.

Regards

The output of sh crypto isakmp dia error is interesting. I note that there are error messages involving negotiation with both .55 and .32. I am not sure what the precise cause of the error messages was. But I do not think that they represent any permanent or fatal errors, mostly because we have output that shows that the negotiation was ultimately successful and that the tunnel did come up.

 

I do note the number of traceback messages that are shown in that output. A traceback is always a sign of a software error. So there is something going on in that software that is problematic. I can not say for sure whether the software problem is related to the problem with this tunnel, but my opinion is that the software problem is not causing the issue with this tunnel. But you might consider upgrading the version of code to eliminate these errors.

 

HTH

 

Rick

 

 

 

HTH

Rick

Of the two configurations that you posted for spokes, can you clarify which is the one that works and which is the one that does not work?

 

I have analyzed both of the spoke configs that you posted. There is another difference between them other than acl 106 on the dialer. On the config for Kitty-2 there is access list 101 on the vlan interface. That access list permits traffic only from 2 hosts in the subnet of vlan 1. And it permits that traffic only to destination 172.24.10.0. I am not sure where that network is but it does not appear to be on the hub. I believe that this access list may be the source of your problem.

 

HTH

 

Rick

HTH

Rick

Hello Rick,

I have great news I was able to get the traffic to go thru the tunnel 192.168.19.0 , by remove the crypto maps from the tunnels as per your suugestion,
I must mentioned I was reluctant to do this for simple reason I have a few gre point to point connections with the crypto map on the tunnel and on the wan interface and they are working.
I am now kind of baffled how the traffic was passing thru the various tunnels for the other locations that are confiured with the crypto map on both the tunnel and the wan interface.

Two quick questons:-
(1) Why having the crypto maps on the tunnel interface cause the problem?
(2) Should I remove the crypto maps on all the other routers in production or should I just leave same and ensure going forward that the crypto is not on the tunnel interface.

I would like to thank you for the prompt responses and your patience examining all my post in detail to arrive at a solution.

Regards

crypto-map is outdated technic to make p2p vpn. Use VTI insted.

Some time ago you must have the same crypto-map on gre and physical interfaces. But in general it depends on IOS. You should look throught configuration guide for the feature and IOS version.

Thanks for the update telling us that the problem is, in fact, having the crypto map configured on the tunnel interface. I know that in old versions of IOS that Cisco required the crypto map on both the tunnel interface and the physical interface. Then Cisco made a change and required the crypto map only on the physical interface. At that point it allowed the crypto map on the tunnel interface but did not require it. And it appears that in some more recent versions of code putting the crypto map on the tunnel is a problem. 

 

I am guessing that for this tunnel at least one of the routers is running code more recent that what is running on other routers in your network and that would explain why it is ok on some but is a problem on others. I would certainly suggest that going forward as you configure GRE tunnels with encryption that you put the crypto map only on the physical interface. As far as what to do with existing configurations that have the crypto map on both interfaces, there is one viewpoint that says if it is not broken then do not fix it. This would suggest leaving the crypto map on the tunnels on routers where it is not a problem. But my suggestion would be to go through your configs removing the crypto map from the tunnel interfaces. Otherwise there may be a time when you do a code upgrade on a router and suddenly its tunnel will stop working. It is your choice whether to change the existing tunnels or to leave them alone.

 

HTH

 

Rick

HTH

Rick

Hello Georg,

This is live network .
Regards

Hello.

 

remove the crypto maps from the tunnel interfaces...

Hello,

 

I saw that Richard already suggested removing the crypto maps from the tunnels...

 

Either way, if this is a live network, what are you trying to accomplish ? Without NAT, you have no Internet connectivity. You can either use NAT only at the hub, or you can split tunnel the traffic and have site to site traffic traverse the VPN, while Internet traffic goes out through the dialer interfaces...

Hello Georg,
You are saying that only if I need internet traffic then I need to configure nat?
The reason I ask this question was sone suggest I have to inculde the two nat entries in my router configuation.


I only need site to site connection traverse the VPN.
Regards

If you only need site to site traffic and no Internet connectivity for your LAN clients, then you don't need NAT.

Review Cisco Networking for a $25 gift card