03-22-2016 12:47 PM - edited 03-05-2019 03:37 AM
Hi, I need some help. We have an 1811 using a 100mb broadband connection. This is our main connection and we have 2 PTP VPNs (multipoint GREs) on this connection. Recently we got a small 20mb fiber connection and we would like to move just our PTP VPN to this connection, so all traffic to the internet goes through the 100mb and all private traffic goes in the tunnel attached to the fiber. The issue I have right now is that the only way the fiber interface responds to a ping is if I change the default route to the fiber connection. When I move the tunnel source on the router to the new interface and point the other end point to the new IP, the tunnels will not come up while leaving the default route to the 100mb connection. Any advice on how to accomplish this task would be appreciated. Soon we will be changing this router to an ASA 5508, if that makes any difference.
Thanks,
Marley
03-22-2016 01:59 PM
Marley
A few things in your description are not clear to me. You describe the VPNs as PTP but then you tell us they are multipoint GRE. Please help me understand what type of VPN these are and how they are configured. In particular I am trying to understand whether you have a route to the remote peer address (typical of PTP VPN) or whether the remote peer has a route to you and initiates traffic to you (typical of NHRP and DMVPN).
It would also be helpful if you would provide some understanding of what static routes you have configured and what routing protocol (if any) you are running.
HTH
Rick
03-22-2016 02:14 PM
Sorry for the confusion. I have DMVPN tunnels, and here are my routes:
ip route 0.0.0.0 0.0.0.0 173.165.198.126
ip route 10.5.1.0 255.255.255.0 11.11.11.2
ip route 10.6.1.0 255.255.255.0 11.11.11.3
ip route 172.20.2.0 255.255.255.0 11.11.11.3
ip route 192.168.10.0 255.255.255.0 11.11.11.3
ip route 192.168.12.0 255.255.255.0 11.11.11.2
and here is the tunnel config:
interface Tunnel0
description $FW_INSIDE$
bandwidth 100000
ip address 11.11.11.1 255.255.255.0
ip access-group 107 in
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
delay 1000
tunnel source FastEthernet1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile2
03-23-2016 09:36 AM
Hi Richard,
Please let me know if you need more information to help find a solution. I appreciate your help.
Thanks,
Marley
03-23-2016 12:08 PM
Marley
I wonder if the issue is due to an asymmetric path, where a packet from the remote arrives on the new fiber interface and the response is sent using the existing broadband interface. I wonder if it would help to configure Policy Based Routing and set it up so that DMVPN traffic has a next hop out the new fiber interface.
HTH
Rick
03-23-2016 12:40 PM
I have tried policy based routing. I created the following:
interface Vlan100
ip address 192.168.1.1 255.255.255.0
ip policy route-map test
and
route-map test permit 10
match ip address 120
set ip next-hop x.x.x.x
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
and when I do a ping to 4.2.2.2 from the vlan100 interface I get no reply.
Also when I do a ping from the fiber interface to 4.2.2.2 I get no reply.
I am a little confused as to why the ping from the fiber interface to the outside world does not get a reply.
I have plugged in my laptop to the fiber connection and was able to surf the internet.
Thanks,
Marley
03-23-2016 02:12 PM
Marley
The config for PBR looks ok to me. It does occur to me to wonder, when you are attempting to ping using the new fiber interface, whether you have configured address translation for that traffic. When you are using DMVPN you would not need to translate that traffic. But a ping from 192.168.1.? to a public address especially would need translation.
Am I understanding correctly that from a command prompt on the router you tried a ping to 4.2.2.2 and it did not work? How did you make sure that the ping used the fiber interface as its outbound interface? Are you able to ping from the command prompt on the router to the next hop address for the fiber interface?
HTH
Rick
03-24-2016 12:12 PM
I don't have NAT on the fiber or vlan 100 interface; I am just trying to ping 4.2.2.2 as the outside world. I am using the ping command with extended commands and using the fiber interface as the source address; I am assuming that would force it through the fiber connection. I get no reply from 4.2.2.2. I can ping the next hop of the fiber.
I have also used ping with extended commands and set vlan100 as the source with PBR, and no reply from 4.2.2.2.
I will try setting up NAT.
Thanks,
Marley
03-24-2016 12:58 PM
Marley
I would suggest a test about the ping. Configure a static route for the specific host 4.2.2.2 with the fiber interface next hop and then try your ping again. It would also be interesting to try an extended traceroute to 4.2.2.2 specifying the fiber address as the source and see if it tells us how the traffic exits the router.
Can you tell me how you set up PBR when you tried to use PBR on your ping traffic? Having PBR configured on interface vlan 100 and using vlan 100 as the source will not get PBR to control that traffic. To control traffic that is generated from the router itself you need local PBR and not the interface based PBR.
If you do set up NAT for the fiber interface you will want to exempt the DMVPN traffic from translation but translate traffic that is not DMVPN.
HTH
Rick
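As an added example (not from this thread or either poster), here are the pieces Rick's advice describes, written as IOS configuration for the 1811: the host-route test, local PBR for router-generated traffic, the tunnel source move, and NAT with the DMVPN subnets exempted. Assumed: the fiber circuit is on FastEthernet0 with router address 203.0.113.2 and provider next hop 203.0.113.1 (constructed RFC 5737 documentation addresses); the broadband default route, LAN and spoke subnets are the ones posted above.

```cisco
! Added example, not the original poster's config. Assumed names/addresses:
!   fiber WAN = FastEthernet0, 203.0.113.2/30, provider next hop 203.0.113.1
!   broadband default route stays 173.165.198.126 (from the thread)

! 1. Test: a host route for 4.2.2.2 out the fiber, as suggested, then
!    ping/traceroute sourced from the fiber address to see which path is used.
ip route 4.2.2.2 255.255.255.255 203.0.113.1
! exec:  ping 4.2.2.2 source FastEthernet0
! exec:  traceroute 4.2.2.2 source 203.0.113.2

! 2. Local PBR for router-generated traffic (DMVPN GRE/ESP/ISAKMP and extended
!    pings are sourced by the router, so interface PBR on Vlan100 never sees them).
!    Anything the router sources from the fiber address exits via the fiber.
access-list 121 permit ip host 203.0.113.2 any
route-map LOCAL-FIBER permit 10
 match ip address 121
 set ip next-hop 203.0.113.1
ip local policy route-map LOCAL-FIBER

! 3. Move the DMVPN hub tunnel source to the fiber (spokes must point at 203.0.113.2).
interface Tunnel0
 tunnel source FastEthernet0

! 4. Only if LAN-sourced traffic is ever steered out the fiber (e.g. the ping test):
!    NAT on the fiber interface, exempting traffic to the DMVPN spoke subnets.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.5.1.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.6.1.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 172.20.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface Vlan100
 ip nat inside
ip nat inside source list 110 interface FastEthernet0 overload
```

The interface PBR tested earlier (access-list 120 permit ip 192.168.1.0 0.0.0.255 any) would also steer LAN traffic bound for the spoke subnets to the ISP next hop instead of into Tunnel0, so deny those destinations first, as access-list 110 does, if that route-map is kept.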
04-19-2016 12:47 PM
Hi Rick,
I wanted to come back to this to let you know I ended up keeping the router and the ASA. I am using the router to keep DMVPN on the fiber connection, since DMVPN is not supported on the ASA, and using the ASA for the internet connection.
Thank you for trying to help me.
Marley
04-19-2016 01:03 PM
Marley
Thank you for the update. I am glad that you have got it working. Using the router for DMVPN and the ASA for Internet sounds like a reasonable solution.
HTH
Rick