problem with the configuration of the 881g

witek99 · ‎08-08-2018

Hello.

I have a problem with the configuration of the 881g. The problem is when i connect by fastetethernet and try ping my tunel i loos 50% of pings but from router the ping is 100% successful. Could someone look at my configuration?

Julio E. Moisa · ‎08-08-2018

Hi

Try modifying the MTU value of the tunnel:

ip mtu 1476

ip tcp adjust-mss 1436

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

witek99 · ‎08-08-2018

I've made changes, but the result is the same.

Julio E. Moisa · ‎08-08-2018

Have you verified the cable used on the fast ethernet port, try ping the IP address under the fast ethernet port from your computer and verify if you lose packets.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

witek99 · ‎08-08-2018

Ofcourse i try with other cable, FE port, and even computer, always the same result.

Julio E. Moisa · ‎08-08-2018

Try configuring the fast ethernet port as switchport mode access

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

witek99 · ‎08-08-2018

I made new Vlan99 end make on fastethernet 2
switchport access vlan 99
but no chenge on ping.

Julio E. Moisa · ‎08-08-2018

it should be over VLAN 1, based on your configuration all the FA interfaces have default configuration, what is your ip address on the computer? In some cases the antivirus or window firewall can be a problem.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Georg Pauwen · ‎08-08-2018

Hello,

what does your topology look like ? What are the tunnels connecting to, and what traffic do you want to send over the tunnels ?

Post a brief schematic drawing of what your network looks, or should look, like...

chrihussey · ‎08-08-2018

Hello,

1- When you ping from the router are you using the Vlan 1 interface as source? If not please do so and relay back the results.

2- Can you provide the output of "show crypto session detail" when you do.

3- Not the problem, but it's bugging me, your access list 100 is in the wrong order. The permit allows what the next instance denies. If you doin't want 10.250.99.0/24 accessing any other 10.x.x.x network, then the deny needs to happen first.

Thanks

witek99 · ‎08-08-2018

1 - No, I just do ping adres in my network. Sorry but i just beginning on cisco and even dont no how to do it.
2 - Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Cellular0
Session status: DOWN
Peer: 11.11.11.11 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 47 host 44.44.44.44 host 11.11.11.11
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Cellular0
Session status: DOWN
Peer: 22.22.22.22 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 47 host 44.44.44.44 host 22.22.22.22
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: Dialer1
Uptime: 18:07:23
Session status: UP-ACTIVE
Peer: 11.11.11.11 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 11.11.11.11
Desc: (none)
Session ID: 0
IKEv1 SA: local 44.44.44.44/500 remote 11.11.11.11/500 Active
Capabilities:(none) connid:2003 lifetime:07:06:36
IPSEC FLOW: permit 47 host 44.44.44.44 host 11.11.11.11
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 51462 drop 1230 life (KB/Sec) 4249900/396
Outbound: #pkts enc'ed 53279 drop 0 life (KB/Sec) 4250016/396

Interface: Dialer1
Session status: DOWN
Peer: 22.22.22.22 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 47 host 44.44.44.44 host 22.22.22.22
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Georg Pauwen · ‎08-09-2018

Hello,

which IP address are you actually pinging ? You have two tunnels, one is a backup...

witek99 · ‎08-09-2018

I ping 10.250.0.1. Exactly

Georg Pauwen · ‎08-09-2018

Where is that IP address located, that is, what network does that IP address belong to ?

chrihussey · ‎08-09-2018

In addition to George's question, what are you trying to NAT?