Setting up backup 4g LTE and DMVPN

T_tow
Level 1

Hello,

I'm trying to set up 4G LTE as a backup with DMVPN and EIGRP capability. I'm not sure if my failover is active, but my problem right now is that my tunnel is up/down. I thought I'd configured everything right, and my cell interface is up/up, but the tunnel is not coming up right now on the spoke or the hub.

11 Replies

Francesco Molino
VIP Alumni

Hi

Can you share your config please?

Did you do some debug crypto? If yes, can you share them? If not, can you run them and share the output?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Missed your reply. Give me one second.

!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
! card type command needed for slot/bay 0/1
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
!
!
!
!
!
!
aaa session-id common
clock timezone CDT -6 0
clock summer-time CDT recurring
!
ip vrf INET-PUBLIC1
rd 100:1
!
!
!

no ip domain lookup
ip domain name 
ip dhcp excluded-address 
!
ip dhcp pool VOICE
network 10.x.x.x 255.255.255.128
default-router 10.x.x.1
domain-name 
option 150 ip 10.x.x.x 
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
flow record NetFlow-to-Orion
match ipv4 tos
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect interface output
collect counter bytes long
collect counter packets long
!
!
flow exporter NewFlow-to-Orion
destination 10.x.x.x
source GigabitEthernet0/0/0
transport udp 
!
!
flow monitor NetFlow-to-Orion
cache timeout active 60
record NetFlow-to-Orion
!
!
!
!
!
chat-script script LTE "" "AT!CALL1" TIMEOUT 30 "OK"
!
!
!
!
!
!
!
!
!
!
!
voice-card 0/4
no watchdog
!
license udi pid ISR4451-X/K9 sn FOC214675UN
!
spanning-tree extend system-id
!
username admin privilege 15 secret 5 $1$O9k1$ZfXH7/DQAyBRW2yVodQrH1
!
redundancy
mode none
!
!
!
!
controller Cellular 0/2/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
vlan internal allocation policy ascending
!
track 234 ip sla 1 reachability
!
!
crypto keyring DMVPN-KEYRING1 vrf INET-PUBLIC1
pre-shared-key address 0.0.0.0 0.0.0.0 key (#)
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 16
crypto isakmp key 12 address (PUBLIC ADDRESS) no-xauth
crypto isakmp keepalive 30 5
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC1
keyring DMVPN-KEYRING1
match identity address 0.0.0.0 INET-PUBLIC1
!
!
crypto ipsec transform-set LAN_VPN esp-aes 256
mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile DMVPN-PROFILE1
set transform-set LENA_LAN_VPN
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC1
!
!
!
crypto map LAN_VPN 10 ipsec-isakmp
! Incomplete
set peer (HUB PUB ADDRESS)
! access-list has not been configured yet
set transform-set LAN_VPN
match address VPN-GRE

!
interface Loopback0
description GRE LOOPBACK FOR CRYPTO BINDING
ip address 10.X.X.X 255.255.255.255
ip pim sparse-mode
!
interface Tunnel1
description GRE over VPN to TULSA
bandwidth 2000
ip address 10.X.X.X 255.255.255.252
no ip redirects
ip mtu 1400
ip pim dr-priority 0
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication 12345
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp nhs (HUB PRIVATE ADDRESS) nbma (HUB PUB ADDRESS)
ip nhrp registration no-unique
ip nhrp shortcut
ip nhrp redirect
ip tcp adjust-mss 1360
if-state nhrp
keepalive 10 3
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 2
tunnel vrf INET-PUBLIC1
tunnel protection ipsec profile DMVPN-PROFILE1
!
interface GigabitEthernet0/0/0
description LINK TO CORE
no ip address
media-type sfp
negotiation auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 10.X.X.X 255.255.255.0
ip helper-address 10.X.X.X
!
interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address 10.X.X.X 255.255.255.128
!
interface GigabitEthernet0/0/1
description LENA WAN UPLINK
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.800
description LENA REGIONAL - COX TAG 800
encapsulation dot1Q 800
ip address 10.X.X.X 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface Cellular0/2/0
description INET4G FAILOVER VPN
bandwidth 2000
ip vrf forwarding INET-PUBLIC1
no ip address
no ip unreachables
ip access-group ACL-INET-PUBLIC-4G in
shutdown
dialer in-band
dialer idle-timeout 30
dialer watch-group 1
pulse-time 1
ip virtual-reassembly
!
interface Cellular0/2/1
no ip address
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Dialer2
!
!
router eigrp 100
network 10.X.X.X 0.0.0.255
network 10.X.X.X 0.0.0.255
network 10.X.X.X 0.0.0.3
redistribute static
!
ip local policy route-map track-primary-if
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 track 234
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 254
ip route vrf INET-PUBLIC1 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh version 2
ip scp server enable
!
!
ip access-list extended ACL-INET-PUBLIC-4G
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit udp any any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit udp any any gt 1023 ttl eq 1
ip access-list extended VPN-GRE
!
ip sla 1
icmp-echo 10.X.X.X source-interface GigabitEthernet0/0/1
threshold 1000
timeout 1000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 99 permit 10.X.X.X
access-list 99 deny any log
dialer watch-list 1 ip 127.0.0.255 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
snmp-server community LE-Solarwinds RO 99
snmp-server location LaPorte SHELL Data Center
snmp-server contact Tulsa IT x1194
snmp-server host 10.62.80.52 version 2c LE-Solarwinds
!
tacacs-server host 10.X.X.X
tacacs-server directed-request
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 0 0

logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0

transport input all
line vty 5 15
transport input all
!
event manager applet ACTIVATE-4G
event track 234 state down
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface cellular0/2/0"
action 4 cli command "no shutdown"
action 5 cli command "end"
action 99 syslog msg "Primary Link Down - Activating 4G interface"
event manager applet DEACTIVATE-4G
event track 234 state up
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "interface cellular0/2/0"
action 4 cli command "shutdown"
action 5 cli command "end"
action 99 syslog msg "Primary Link Restored - Deactivating 4g interface"
!
end

Not really sure how to run the debug crypto?

I see only one tunnel with cellular as the source interface. You said it was a backup cell for DMVPN, but I don't see any other tunnel.

Bring up the cell interface and run debug crypto isakmp and crypto ipsec.

Please share the DMVPN config of the hub.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sorry about that. I meant we have EIGRP over the WAN, and that's our primary link. I wanted to set up 4G as the backup, with DMVPN over the 4G.

Configs coming in a sec, but I put in debug crypto isakmp and then went to my cell int. Am I looking for log info? Is that the wrong command?

You need to issue the command term mon when connected through SSH to see debug logs.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

HUB DMVPN
!
boot-start-marker
boot-end-marker
!
!
vrf definition IWAN-TRANSPORT-1
!
address-family ipv4
exit-address-family
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$..j3$SM3Z6ncA.bBagMB3Jwgcw/
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
!
!
!
!
!
aaa session-id common
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
!
!
!


no ip domain lookup
ip domain name

!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4351/K9 sn FDO20520LDQ
license accept end user agreement
!
username admin secret 5 $1$EFdT$XYKF.6edGk1iKd5LZNawn0
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
hash sha512
authentication pre-share
group 16
crypto isakmp key 12345 address 96.x.x.x no-xauth
crypto isakmp key 12345 address 50.x.x.x no-xauth
crypto isakmp key 12345 address 173.x.x.x no-xauth
crypto isakmp key 12345 address 64.x.x.x no-xauth
crypto isakmp key 12345 address 164.x.x.x no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set LENA_LAN_VPN esp-aes 256
mode transport
!
!
!
crypto map LAN_VPN 10 ipsec-isakmp
set peer 50.x.x.x
set transform-set LAN_VPN
match address VPN-GRE-BB
crypto map LAN_VPN 20 ipsec-isakmp
set peer 96.x.x.x
set transform-set LAN_VPN
match address VPN-GRE-HC
crypto map LAN_VPN 30 ipsec-isakmp
set peer 173.x.x.x
set transform-set LAN_VPN
match address VPN-GRE-HOU
crypto map LAN_VPN 40 ipsec-isakmp
set peer 64.x.x.x
set transform-set LAN_VPN
match address VPN-GRE-POINTCOMFORT
crypto map LENA_LAN_VPN 50 ipsec-isakmp
set peer 64.x.x.x
set transform-set LAN_VPN
match address VPN-GRE-MONACA
crypto map LAN_VPN 60 ipsec-isakmp
! Incomplete
set transform-set LAN_VPN
match address VPN-GRE-laporte
!
!
!
!
!
!
!
interface Loopback1
description GRE LOOPBACK FOR CRYPTO BINDING
ip address 10.x.x.x 255.255.255.255
!
interface Tunnel1
description GRE over VPN
bandwidth 56
ip address 10.x.x.x 255.255.255.252
ip mtu 1460
ip tcp adjust-mss 1360
qos pre-classify
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.x.x.x
tunnel key 2
!
interface Tunnel2
description GRE over VPN
bandwidth 56
ip address 10.x.x.x 255.255.255.252
ip mtu 1460
ip tcp adjust-mss 1360
qos pre-classify
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.x.x.x
tunnel key 2
!
interface Tunnel3
description GRE over VPN
bandwidth 56
ip address 10.x.x.x 255.255.255.252
ip mtu 1460
ip tcp adjust-mss 1360
qos pre-classify
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.x.x.x
tunnel key 2
!
interface Tunnel4
description GRE over VPN
bandwidth 56
ip address 10.x.x.x 255.255.255.252
ip mtu 1460
ip tcp adjust-mss 1360
qos pre-classify
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.x.x.x
tunnel key 2
!
interface Tunnel5 (SETUP IN QUESTION)
description GRE over VPN
bandwidth 56
ip address 10.x.x.x 255.255.255.252
ip mtu 1460
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
qos pre-classify
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.x.x.x
tunnel key 2
!
interface GigabitEthernet0/0/0
description LENA WAN VPN LAN
ip address 10.x.x.x 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description COX INTERNET CRYPTO INT
ip address 64.x.x.x 255.255.255.224
negotiation auto
crypto map LAN_VPN
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
!
router eigrp 100
network 10.69.x.x 0.0.0.0
network 10.69.x.x 0.0.0.255
network 10.69.x.x 0.0.0.3
network 10.69.x.x 0.0.0.3
network 10.69.x.x 0.0.0.3
network 10.69.x.x 0.0.0.3
network 10.69.x.x 0.0.0.3
network 10.69.x.x 0.0.0.3 (SETUP IN QUESTION)
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 64.x.x name LENA_LAPORTE_VPN_RTR01 (SETUP IN QUESTION)
ip route 4.x.x.x 255.255.255.255 64.X.X.X name EXTERNAL_TEST_HOST
ip route 10.x.x.x 255.255.255.255 64.X.X. name ROUTE_TABLE_INJECTION
ip route 10.x.x.x 255.255.255.255 64.x.x.x name ROUTE_TABLE_INJECTION
ip route 10.69.x.x 255.255.255.255 64.x.x.x name ROUTE_TABLE_INJECTION
ip route 10.x.x.x 255.255.255.255 64.x..xx name ROUTE_TABLE_INJECTION
ip route 10.x.x.x 255.255.255.255 64.x.x.x name ROUTE_TABLE_INJECTION
ip route 10.x.x.x 255.255.255.255 64.x.x.x name ROUTE_TABLE_INJECTION (SETUP IN QUESTION)
ip route 50.x.x.x 255.255.255.255 64.x.x.x name LENA_BB_VPN_RTR01
ip route 64.x.x.x 255.255.255.255 64.x.x.x name LENA_POINTCOMFORT_VPN_RTR01
ip route 96.6x.x.x 255.255.255.255 64.x.x.x name LENA_HC_VPN_RTR01
ip route 164.x.x.x 255.255.255.255 64.x.x.x name LENA_MONACA_VPN_RTR01
ip route 173.x.x.x 255.255.255.255 64.x.x.x name LENA_HOU_VPN_RTR01
!
!
ip access-list extended VPN-GRE-BB
permit gre host 10.x.x.x host 10.x.x.x log
ip access-list extended VPN-GRE-HC
permit gre host 10.69.x.x. host 10.69.x.x log
ip access-list extended VPN-GRE-HOU
permit gre host 10.x.x. host 10.69.x.x log
ip access-list extended VPN-GRE-LAPORTE (SETUP IN QUESTION)
permit gre host 10.x.x. host 10.69.x.x log
ip access-list extended VPN-GRE-MONACA
permit gre host 10.69.x.x. host 10.69.x.x. log
ip access-list extended VPN-GRE-POINTCOMFORT
permit gre host 10.69.x.x. host 10.69.x.x. log
ip access-list extended VPN-GRE-laporte
!
access-list 99 permit 10.x.x.x
access-list 99 deny any log
!
snmp-server community LE-Solarwinds RO 99

snmp-server host 10.x.x.x version 2c LE-Solarwinds
!
tacacs-server host 10.x.x.x
tacacs-server directed-request
tacacs-server key 7 14240B0601013E393D
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end

Accepted Solution

Hi

For next time, please share outputs in text files; it's better when you want to review all posts :-)

On your Hub, is tunnel 5 the Hub tunnel for DMVPN?

Your hub tunnel should look like:

interface Tunnel1
 ip address x.x.x.x x.x.x.x
 ip nhrp authentication xxxx ==> If you want to have NHRP authentication
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source xxxxxx ==> Source is the interface on which crypto is going to be negotiated. Usually it's your WAN interface
 tunnel mode gre multipoint
 tunnel key xxxx ==> Key for tunnel
 tunnel protection ipsec profile DMVPN-PROFILE1

Then you have your spoke config. Your config looks good, and you also have another way of doing it:

interface Tunnel1
 ip address 10.254.254.30 255.255.255.0
 ip nhrp authentication xxxxxx
 ip nhrp map 10.254.254.1 xx.xx.xx.xx
 ip nhrp map multicast xx.xx.xx.xx
 ip nhrp network-id 11
 ip nhrp nhs 10.254.254.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source xxxxxxxx
 tunnel mode gre multipoint
 tunnel key xxxxx
 tunnel protection ipsec profile DMVPN-PROFILE1
!

Just a question, to be sure we're on the same page. Why would you use tunnel vrf INET-PUBLIC1?

When you set this up and create the same crypto policies on both ends, let me know whether it comes up or not. If not, shut your tunnels, launch debug crypto isakmp and debug crypto ipsec. Put those outputs from spoke and hub in text files and share them with us.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
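The checks Francesco's reply walks through (mGRE and NHRP multicast mapping on the hub, tunnel protection on both ends, the front-door VRF question, matching tunnel key and NHRP authentication) can be automated against the text of both running-configs. The script below is an added example, not code from the thread or from Cisco; the two sample configs are constructed and only modeled on the posted ones (names such as Tunnel5, DMVPN-PROFILE1, LENA_LAN_VPN and the 10.0.x.x / 192.0.2.1 addresses are placeholders). It parses each config into top-level blocks, then reports the mismatches a DMVPN engineer would look for first.

```python
# Added example, not from the thread: cross-check a DMVPN hub and spoke config for the
# mismatches Francesco's reply points at. Both configs are constructed samples modeled on
# the thread's posts; names and addresses are placeholders, not the poster's values.

HUB_CONFIG = """\
crypto ipsec transform-set LENA_LAN_VPN esp-aes 256
 mode transport
!
interface Tunnel5
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source Loopback1
 tunnel destination 10.0.0.2
 tunnel key 2
!
"""

SPOKE_CONFIG = """\
crypto ipsec transform-set LAN_VPN esp-aes 256
 mode tunnel
!
crypto ipsec profile DMVPN-PROFILE1
 set transform-set LENA_LAN_VPN
!
interface Tunnel1
 ip nhrp authentication 12345
 ip nhrp network-id 1
 ip nhrp nhs 10.0.5.1 nbma 192.0.2.1
 tunnel source Cellular0/2/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel vrf INET-PUBLIC1
 tunnel protection ipsec profile DMVPN-PROFILE1
!
interface Cellular0/2/0
 ip vrf forwarding INET-PUBLIC1
!
"""

def parse_blocks(config):
    """Map each top-level IOS command to its one-space-indented sub-lines."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # separators and comments
        if raw.startswith(" ") and header is not None:
            blocks[header].append(raw.strip())
        elif not raw.startswith(" "):
            header = raw.strip()
            blocks.setdefault(header, [])
    return blocks

def find(lines, prefix):
    """Arguments of the first line starting with `prefix` ('' if bare), else None."""
    for line in lines:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def check_hub_tunnel(blocks, tunnel):
    """A DMVPN hub needs mGRE, dynamic multicast mapping, an NHRP id and IPsec protection."""
    lines = blocks.get("interface " + tunnel, [])
    required = ("tunnel mode gre multipoint", "ip nhrp map multicast dynamic",
                "ip nhrp network-id", "tunnel protection ipsec profile")
    findings = [f"{tunnel}: missing '{cmd}'" for cmd in required if find(lines, cmd) is None]
    if find(lines, "tunnel destination") is not None:
        findings.append(f"{tunnel}: 'tunnel destination' makes it point-to-point; an mGRE hub has none")
    return findings

def check_spoke_tunnel(blocks, tunnel):
    """Spoke: NHS present, 'tunnel vrf' matches the source interface's VRF (FVRF), profile resolves."""
    lines = blocks.get("interface " + tunnel, [])
    findings = [f"{tunnel}: missing '{cmd}'" for cmd in ("ip nhrp nhs", "tunnel protection ipsec profile")
                if find(lines, cmd) is None]
    src, tunnel_vrf = find(lines, "tunnel source"), find(lines, "tunnel vrf")
    src_lines = blocks.get("interface " + (src or ""), [])
    src_vrf = find(src_lines, "ip vrf forwarding") or find(src_lines, "vrf forwarding")
    if tunnel_vrf != src_vrf:  # otherwise ISAKMP/ESP is sourced from the wrong routing table
        findings.append(f"{tunnel}: tunnel vrf {tunnel_vrf} but source {src} is in vrf {src_vrf}")
    profile = find(lines, "tunnel protection ipsec profile")
    ts = find(blocks.get("crypto ipsec profile " + str(profile), []), "set transform-set")
    if ts and not any(h.startswith(f"crypto ipsec transform-set {ts} ") for h in blocks):
        findings.append(f"{tunnel}: profile {profile} references unknown transform-set {ts}")
    return findings

def check_pair(hub, hub_tunnel, spoke, spoke_tunnel):
    """Values that must agree end to end: the GRE tunnel key and the NHRP authentication string."""
    h, s = hub.get("interface " + hub_tunnel, []), spoke.get("interface " + spoke_tunnel, [])
    return [f"{cmd}: hub={find(h, cmd)} spoke={find(s, cmd)}"
            for cmd in ("tunnel key", "ip nhrp authentication") if find(h, cmd) != find(s, cmd)]

def run_checks():
    hub, spoke = parse_blocks(HUB_CONFIG), parse_blocks(SPOKE_CONFIG)
    return (check_hub_tunnel(hub, "Tunnel5") + check_spoke_tunnel(spoke, "Tunnel1")
            + check_pair(hub, "Tunnel5", spoke, "Tunnel1"))

if __name__ == "__main__":
    print("\n".join(run_checks()))
```

Run as-is, it reports the hub tunnel lacking `tunnel mode gre multipoint` and `tunnel protection`, the stray `tunnel destination`, a spoke IPsec profile pointing at a transform-set that does not exist on that router, and NHRP authentication set on one side only. The checker deliberately does not require `ip nhrp network-id` to match between hub and spoke: that value is locally significant to each router, even though most deployments keep it identical for readability. Feed it real configs with `parse_blocks(open(path).read())` in place of the constructed strings.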

Hey, got it up. My hub tunnel was missing a few things: NHRP, wrong MTUs, etc. With the IOS I am running, the commands I was trying to add, like encapsulation slip, were default, so that's why they weren't an option. Guess this cool script I had to automatically engage the 4G when the primary is down won't be needed, since the DMVPN tunnel is going over the 4G.

Thanks again

Glad that everything works fine now.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question