06-11-2013 11:47 AM
Hello there,
So, I've got my Cisco 2901 with Security license set up and running (seemingly) great ... However, there is one issue that's scaring me a little bit.
After a reload or power-on, the router starts up and begins trying to negotiate the three VPN connections. All three connections are to SonicWALL routers (1 NSA-2400 and 2 TZ-100), and those are configured with "Keep Alive" enabled.
The problem that I'm having is that the VPN connections do not come up. When I do a 'show crypt session', it shows all IKEv1 SA as DOWN-NEGOTIATING. It will stay this way indefinitely. Even a 'clear crypt sa' will not help. The only thing I can do that works is to log into each respective SonicWALL, disable the particular VPN policy, then re-enable -- and then it works no problem.
What am I doing wrong? It is very confusing to me right now, since there truly seems to be nothing out of the ordinary. The only thing I can think of that might be affecting the success would be the "Keep Alive" enabled on the SonicWALLs ... But at this point, I'd rather not disable that until I know more about what may be the cause. (Definitely can't take down a tunnel or play around during production hours for testing.)
Also, for those who read this, please advise if there is anything else I may have done incorrectly. There is some random stuff in there too, as I was attempting to provide access for myself when remote through VPN (which is another task I need help with, for another post at another time). Here is my current running configuration:
(Note, I have changed the IP addresses and other random information.)
!
! No configuration change since last restart
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 ##############################
enable password ##############
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login user-auth local
aaa authorization exec default local
aaa authorization network group-auth local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name mydomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint tp-ss-cert
enrollment selfsigned
subject-name cn=Router-SSCert
revocation-check none
rsakeypair tp-ss-cert
!
!
crypto pki certificate chain tp-ss-cert
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn FTX#######S
!
!
username adminuser privilege 15 password 0 ##############
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key ########## address 1.1.1.1
crypto isakmp key ########## address 2.2.2.2
crypto isakmp key ########## address 3.3.3.3
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map vpn-tunnels 101
set transform-set strong
!
!
crypto map vpn-tunnels 1 ipsec-isakmp
description Tunnel to Site 1
set peer 1.1.1.1
set transform-set strong
match address 100
crypto map vpn-tunnels 2 ipsec-isakmp
description Tunnel to Site 2
set peer 2.2.2.2
set transform-set strong
match address 104
crypto map vpn-tunnels 3 ipsec-isakmp
description Tunnel to Site 3
set peer 3.3.3.3
set transform-set strong
match address 105
!
!
!
!
!
interface Embedded-Service-Engine0/0
ip address 10.0.1.1 255.255.255.0
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 179.9.9.106 255.255.255.0 secondary
ip address 179.9.9.107 255.255.255.0 secondary
ip address 179.9.9.108 255.255.255.0 secondary
ip address 179.9.9.109 255.255.255.0 secondary
ip address 179.9.9.110 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map vpn-tunnels
!
ip forward-protocol nd
!
no ip http server
ip http access-class 2
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool general-use 179.9.9.110 179.9.9.110 prefix-length 24
ip nat inside source route-map in-to-out-rmap pool general-use overload
ip nat inside source static tcp 10.0.1.13 25 179.9.9.107 25 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 587 179.9.9.107 587 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 993 179.9.9.107 993 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 21 179.9.9.108 21 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 80 179.9.9.108 80 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.13 443 179.9.9.108 443 route-map no-internal-nat extendable
ip nat inside source static tcp 10.0.1.32 443 179.9.9.109 443 route-map no-internal-nat extendable
ip route 0.0.0.0 0.0.0.0 179.9.9.1
!
ip sla auto discovery
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 10 permit 10.0.1.1
access-list 20 deny 10.0.0.0 0.255.255.255
access-list 20 permit any
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq 22
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq www
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq 443
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq cmd
access-list 101 permit udp 10.0.0.0 0.255.255.255 host 10.0.1.1 eq snmp
access-list 101 deny tcp any host 10.0.1.1 eq telnet
access-list 101 deny tcp any host 10.0.1.1 eq 22
access-list 101 deny tcp any host 10.0.1.1 eq www
access-list 101 deny tcp any host 10.0.1.1 eq 443
access-list 101 deny tcp any host 10.0.1.1 eq cmd
access-list 101 deny udp any host 10.0.1.1 eq snmp
access-list 101 permit ip any any
access-list 102 permit ip 10.0.1.0 0.0.0.255 any
access-list 103 deny ip 10.0.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 103 deny ip 10.0.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 103 deny ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 103 deny ip 10.0.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
access-list 104 permit ip 10.0.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 106 permit ip host 10.0.1.1 any
access-list 106 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 106 permit ip 10.0.0.0 0.255.255.255 any
!
route-map in-to-out-rmap permit 1
match ip address 103
!
route-map no-internal-nat permit 10
match ip address 106
!
!
snmp-server community public RO
snmp-server location Datacenter
snmp-server contact Router Admin
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
access-class 10 in
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 30 0
password ##############
transport preferred ssh
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 10.0.1.11 source GigabitEthernet0/0
!
end
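Before reusing a posted configuration, a reviewer would normally run a quick audit over it. The script below is an added example, not code from this thread or from Cisco; it parses a constructed excerpt of the configuration above (same values as posted, subcommands indented as IOS prints them) and assumes unset ISAKMP policy fields take the IOS defaults (DES, SHA, group 1).

```python
import re
# Constructed excerpt of the posted running-config (same values as the post,
# subcommands indented as IOS prints them); not the full configuration.
SAMPLE_CONFIG = """\
no service password-encryption
enable password ##############
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
snmp-server community public RO
line 2
 transport input all
"""

def isakmp_policies(config):
    """Parse 'crypto isakmp policy' blocks; unset fields keep the IOS defaults."""
    policies, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = int(m.group(1))
            policies[cur] = {"encr": "des", "hash": "sha", "group": "1"}  # IOS defaults
        elif line.startswith(" ") and cur is not None:
            key, _, val = line.strip().partition(" ")
            if key in ("encr", "hash", "group"):
                policies[cur][key] = val
        else:
            cur = None  # left the policy block
    return policies

def audit(config):
    """Return (tag, detail) findings a reviewer would raise on this config."""
    findings = []
    for num, p in sorted(isakmp_policies(config).items()):
        if p["encr"] in ("des", "3des") or p["hash"] == "md5" or p["group"] in ("1", "2"):
            findings.append(("weak-ike", f"policy {num}: {p['encr']}/{p['hash']}/group {p['group']}"))
    if "crypto isakmp keepalive" not in config:
        findings.append(("no-dpd", "no 'crypto isakmp keepalive': stale IKE SAs are only cleared by lifetime expiry or by hand"))
    if re.search(r"^(no service password-encryption|enable password )", config, re.M):
        findings.append(("cleartext", "reversible or cleartext passwords in the config"))
    if re.search(r"^snmp-server community (public|private)\b", config, re.M):
        findings.append(("default-community", "well-known SNMP community string"))
    if re.search(r"^ transport input all", config, re.M):
        findings.append(("mgmt", "a line accepts every transport, telnet included"))
    return findings
```

The missing DPD keepalive is the finding most relevant to the symptom in the post: with no `crypto isakmp keepalive`, the router itself has no way to notice a half-dead IKE SA and renegotiate.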
06-23-2013 11:23 AM
So much for trying to fix it. Seems there was no issue. After the first handful of tests had trouble, all subsequent production 'reloads' worked great. No idea what the issue was.