C4221 not initializing VPN Tunnel.

MarcelSmal
Level 1

Hey guys,

I hope the community can give me some assistance.

I am working on a concept with the following hardware: an ISR4221 router that is functioning as my main router with 2 DSL lines to the ISP's network, one for internet and one for a WAN connection.
For redundancy I have a C1117-4PLTE that is used for the site-to-site tunnel over the internet to a firewall.

I attached a network diagram to help understand what I am trying to achieve.

I want the ISR4221 router to start the negotiation of the site-to-site tunnel as soon as the main DSL connection is lost. The other DSL is only for internet access. But for some reason the ISR4221 router is not initiating the tunnel once the DSL line fails.
I tested this concept with a fibre connection as my primary connection and a DSL as a secondary connection and it is working fine, but with this setup it is not working.

What do I need to change in my config to get this working?

Please see the config in the attachments below.

C1117-4PLTE is the 4G router and is only an internet router.
ISR4221 router is my primary router, and the main DSL connections are in this router.

The two devices don't have a support contract so I can't open a TAC case. I hope someone out there can assist me with this issue.


13 Replies

@MarcelSmal you haven't attached your configuration... but you can use FlexVPN Client to define a primary peer and a secondary, combine this with SLA tracking to detect failure of the primary ISP. Example:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/116413-configure-flexvpn-00.html
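As an added illustration of the approach suggested above (this is example configuration written for this thread, not the poster's attachment and not the contents of the linked Cisco document), the following IOS-XE snippet shows an IP SLA probe driving a tracked primary default route, a floating static default via the C1117 (the 10.7.2.2 next hop mentioned later in the thread), and a FlexVPN client whose tunnel source follows the same track object. The interface name GigabitEthernet0/0/1 for the DSL link, the ISP gateway 198.51.100.1, the probe target 203.0.113.1, the firewall address 203.0.113.10, the remote LAN 192.168.100.0/24, the Tunnel0 addressing and all crypto parameters are assumptions chosen for the example:

```cisco
! Added example, not from the original thread. Assumed values: Gi0/0/1 = DSL WAN,
! 198.51.100.1 = DSL ISP gateway, 203.0.113.1 = probe target, 203.0.113.10 = firewall,
! 192.168.100.0/24 = remote LAN behind the firewall. Replace before use.

! 1. Probe the primary path from the DSL interface. A host route pins the probe
!    to the DSL gateway so it can never succeed via the backup path and mask a failure.
ip route 203.0.113.1 255.255.255.255 198.51.100.1
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0/1
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
 delay down 10 up 30

! 2. Routing: tracked default via DSL, floating static (AD 250) via the C1117 on Gi0/0/0.995.
!    A DHCP-learnt default cannot carry "track", so the DSL default is made static here.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 10
ip route 0.0.0.0 0.0.0.0 10.7.2.2 250

! 3. IKEv2/IPsec. The local identity is an FQDN so it stays the same whichever
!    source address the tunnel uses; the firewall must match that identity rather
!    than a fixed peer address when the backup path is a NATed or changing IP.
crypto ikev2 proposal PROP-FW
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-FW
 proposal PROP-FW
crypto ikev2 keyring KR-FW
 peer FW
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile PROF-FW
 match identity remote address 203.0.113.10 255.255.255.255
 identity local fqdn isr4221.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-FW
 dpd 10 3 on-demand
crypto ipsec transform-set TS-FW esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-FW
 set transform-set TS-FW
 set ikev2-profile PROF-FW

! 4. Route-based tunnel whose source and destination are supplied by the FlexVPN client.
interface Tunnel0
 ip address 192.0.2.1 255.255.255.252
 tunnel source dynamic
 tunnel destination dynamic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-FW

! 5. FlexVPN client: one peer, two candidate sources chosen by the track state.
!    When track 10 goes down the client tears down the SA and re-initiates from
!    the C1117-facing subinterface, which is what triggers the failover tunnel.
crypto ikev2 client flexvpn FW
 peer 1 203.0.113.10
 source 1 GigabitEthernet0/0/1 track 10 up
 source 2 GigabitEthernet0/0/0.995 track 10 down
 client connect Tunnel0

! 6. Send the remote site through the tunnel regardless of which source is active.
ip route 192.168.100.0 255.255.255.0 Tunnel0
```

Two checks worth doing when testing this: `show track 10` and `show ip route 0.0.0.0` confirm the routing actually flips when the probe fails, and `show crypto ikev2 sa` together with `debug crypto ikev2` confirm that the client re-initiates from the second source. DPD on the profile ensures the stale SA built over DSL is cleared rather than lingering while traffic is already routed via the C1117.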


MarcelSmal
Level 1

Hi Rob,

I thought it was attached. Let me try again.


@MarcelSmal not entirely clear of the full picture by looking at the configuration and your description. The 4221 has 2 ISP links, but only 1 is used for VPN connectivity; when that fails, traffic is routed via VLAN995 to the C1117 router, which should establish a connection via 4G?

The 4221 has a DSL link, with a default route via the DSL link? There is only 1 default route in the running-configuration; is the default route for the ISP learnt via DHCP?

When the ISP link is down on the 4221, is traffic actually routed via Gi0/0/0.995 (ip route 0.0.0.0 0.0.0.0 10.7.2.2)?

Does DPD clear down the old IPSec SA?

@Rob Ingram 

"not entirely clear of the full picture by looking at the configuration and your description. The 4221 has 2 ISP links, but only 1 is used for VPN connectivity, when that fails traffic is routed via VLAN995 to the C1117 router, which should establish a connection via 4G?" Yes that is correct.

The 4221 has two DSL lines. I removed the routes for testing so that I can only fail over to the VPN tunnel, and will add them later once the VPN is working correctly. The primary line is DSL and connects to a WAN; it gets its IP address via DHCP, correct. The other DSL is used for guest internet access and only internet.

Then I have a C1117 that is only used for backup purposes for 4G, and the 4221 should initialize a VPN tunnel over the C1117 4G connection once the primary link fails.

@MHM Cisco World I had IP SLA set up; I removed it to test the VPN.

@MarcelSmal so the configuration you provided is just current state, not intended state. You've removed IP SLA to test, do you now have 2 default routes (one learnt via DHCP and the other static)?

Have you confirmed all traffic routed via the C1117?

Have you turned on IKE debugging to confirm whether the tunnel is even attempted to be built?

@Rob Ingram It is the current state and not the intended state. I removed the IP SLA just to create a VPN tunnel over the C1117. I can confirm that all traffic is routed via the C1117 router. I have internet and can ping the firewall on the other side where I want to make the tunnel to. However, when you turn on the debugging on the C4221 to confirm whether the tunnel is being built, there are no messages, and terminal monitor is active.


See my comment below.

C4221-C1117

You use the public IP of the C1117 (cellular interface) to connect to ASA OUT, which is also public.

The issue is you need a dynamic crypto map in the ASA, not a static crypto map, since the public IP of the C1117 always changes.

@MHM Cisco World that seems like an interesting idea. To try and create this: the firewall we have is not an ASA but a Watchguard firewall, so I need to build it on this firewall, but there is an option to create a dynamic tunnel in Watchguard.

Sorry, but this is the issue here: a dynamic crypto map is used when one side is static (usually the hub) and the other side is a dynamic peer (usually the spoke).
If you configure the FW with a public IP but the cellular interface gets another public IP, how does the IPsec establish?

I will check this out on Monday and see if this was the issue.

MarcelSmal
Level 1

Hi @MHM Cisco World and @Rob Ingram, thank you for the handy links and ideas. It seemed that even creating a dynamic crypto map did not work, as the issue we had was with the SIM card. After getting a new SIM card with a public static IP, the tunnel was established between the ISR4221 and the firewall on our test site.

You are so so welcome Friend.