Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
971
Views
5
Helpful
4
Replies

ZEN Tunnels up, line protocols down.

Mozambique
Level 1
Level 1

‎01-22-2021 12:02 PM - edited ‎03-24-2022 12:23 AM

 
Labels:
0 Helpful
4 Replies 4

Georg Pauwen
VIP
VIP

‎01-22-2021 02:50 PM

Hello,

 

what equipment (ASA/IOS Router) is this on ? Post the confg you have...

0 Helpful

Mozambique
Level 1
Level 1
In response to Georg Pauwen

‎01-22-2021 03:33 PM - edited ‎03-24-2022 04:48 AM

/

Georg Pauwen
VIP
VIP
In response to Mozambique

‎01-23-2021 04:21 AM

Hello,

 

this is a partial configuration, do you have the full configuration ? I have pulled the below ikev2 configuration from the zScaler website:

 

crypto ikev2 proposal <Proposal Name>
encryption aes-cbc-256
integrity sha1
group 14
!
crypto ikev2 policy <Policy Name>
match fvrf any
proposal <Proposal Name>
!
crypto ikev2 keyring <Key Ring Name>
peer <Peer 1 Name>
address <Primary VPN IP Address>
pre-shared-key <Pre-Shared Key>
peer <Peer 2 Name>
address <Backup VPN IP Address>
pre-shared-key <Pre-Shared Key>
!
crypto ikev2 profile <IKEv2 Profile 1 Name>
match identity remote address <Primary VPN IP Address>
identity local email <FQDN>
authentication remote pre-share
authentication local pre-share
keyring local <Key Ring Name>
lifetime 86400
no config-exchange request
crypto ikev2 profile <IKEv2 Profile 2 Name>
match identity remote address <Backup VPN IP Address>
identity local email <FQDN>
authentication remote pre-share
authentication local pre-share
keyring local <Key Ring Name>
lifetime 86400
no config-exchange request
!
crypto ikev2 dpd 10 5 periodic
!
crypto ikev2 nat keepalive 20
!
crypto ipsec transform-set <Transform Set Name> esp-null esp-sha-hmac
mode tunnel
!
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile <IPSec Profile 1 Name>
set security-association lifetime seconds 28800
set security-policy limit 1
set transform-set <Transform Set Name>
set ikev2-profile <IKEv2 Profile 1 Name>
crypto ipsec profile <IPSec Profile 2 Name>
set security-association lifetime seconds 28800
set security-policy limit 1
set transform-set <Transform Set Name>
set ikev2-profile <IKEv2 Profile 2 Name>
!
interface <Primary Tunnel Interface>
ip unnumbered <WAN Interface>
ip mtu <MTU>
ip tcp adjust-mss 1360
tunnel source <WAN Interface>
tunnel mode ipsec ipv4
tunnel destination <Primary VPN IP Address>
tunnel protection ipsec profile <IPSec Profile 1 Name> ikev2-profile <IKEv2 Profile 1 Name>
interface <Backup Tunnel Interface>
ip unnumbered <WAN Interface>
ip mtu <MTU>
ip tcp adjust-mss 1360
tunnel source <WAN Interface>
tunnel mode ipsec ipv4
tunnel destination <Backup VPN IP Address>
tunnel protection ipsec profile <IPSec Profile 2 Name> ikev2-profile <IKEv2 Profile 2 Name>
!
access-list <ACL Number> permit ip any any
!
access-list <ACL Number> permit tcp any any eq 80
access-list <ACL Number> permit tcp any any eq 443
!
access-list <ACL Number> deny ip any <Exempted Server IP>
access-list <ACL Number> permit tcp any any eq 80
access-list <ACL Number> permit tcp any any eq 443
!
route-map <Route Map Name> permit 1
match ip address <ACL Number>
set interface <Primary Tunnel Interface> <Backup Tunnel Interface>
!
interface <WAN Interface>
description $ES_WAN$
ip address 10.96.19.244 255.255.255.0
ip access-group 100 in
ip access-group 100 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface <LAN Interface>
ip address 172.17.0.128 255.255.255.0
ip access-group 100 in
ip access-group 100 out
ip nat inside
ip virtual-reassembly in
ip policy route-map <Route Map Name>
!
track 1 ip sla 1 state
delay down 180 up 180
track 2 ip sla 2 state
delay down 180 up 180
ip route <Primary Global ZIA Public Service Edge IP Address> 255.255.255.255 <Primary Tunnel Interface> permanent
ip route <Backup Global ZIA Public Service Edge IP Address> 255.255.255.255 <Backup Tunnel Interface> permanent
ip sla 1
http raw http://<Primary Global ZIA Public Service Edge IP Address>:80
http-raw-request
GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 1 life forever start-time now
ip sla 2
http raw http://<Backup Global ZIA Public Service Edge IP Address>:80
http-raw-request
GET http://gateway.<Zscaler Cloud>.net/vpntest HTTP/1.0\r\n
User-Agent: Cisco IP SLA\r\n
end\r\n
\r\n
exit
threshold 300
timeout 5000
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3

0 Helpful

Mozambique
Level 1
Level 1
In response to Georg Pauwen

‎01-23-2021 10:56 AM - edited ‎03-24-2022 04:49 AM

/

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card