07-27-2021 12:48 AM
Hi All!
You have all been so helpful in the past and helped me on my learning journey. Would you be able to help me out of a pickle this time?
I have a C921-4PLTEGB with an EE unlimited data sim inserted. It appears to be connected to the cellular network with a good signal.
rtr-h000706#sh cell 0 all
Hardware Information
====================
Modem Firmware Version = SWI9X07Y_02.28.03.03 000
Modem Firmware built = 2019/05/21 03:33:04
Device Model ID: WP7607
International Mobile Subscriber Identity (IMSI) = 234304187782873
International Mobile Equipment Identity (IMEI) = 351732090719645
Integrated Circuit Card ID (ICCID) = 8944303432926954100
Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) = 07904957342
Factory Serial Number (FSN) = V3109585860610
Modem Status = Online
Current Modem Temperature = 43 deg C
PRI SKU ID = 1103508, PRI version = 002.068_000, Carrier = Generic
OEM PRI version = 001.006
Profile Information
====================
Profile password Encryption level: 7
Profile 1 = ACTIVE* **
--------
PDP Type = IPv4
PDP address = 10.241.18.229
Access Point Name (APN) = everywhere
Authentication = CHAP
Username: eesecure
Password: 1404170819162F
Primary DNS address = 109.249.185.228
Secondary DNS address = 109.249.185.229
* - Default profile
** - LTE attach profile
Data Connection Information
===========================
Profile 1, Packet Session Status = ACTIVE
Cellular0:
Data Transmitted = 31030 bytes, Received = 8540 bytes
IP address = 10.241.18.229
Primary DNS address = 109.249.185.228
Secondary DNS address = 109.249.185.229
Profile 2, Packet Session Status = INACTIVE
Profile 3, Packet Session Status = INACTIVE
Profile 4, Packet Session Status = INACTIVE
Profile 5, Packet Session Status = INACTIVE
Profile 6, Packet Session Status = INACTIVE
Profile 7, Packet Session Status = INACTIVE
Profile 8, Packet Session Status = INACTIVE
Profile 9, Packet Session Status = INACTIVE
Profile 10, Packet Session Status = INACTIVE
Profile 11, Packet Session Status = INACTIVE
Profile 12, Packet Session Status = INACTIVE
Profile 13, Packet Session Status = INACTIVE
Profile 14, Packet Session Status = INACTIVE
Profile 15, Packet Session Status = INACTIVE
Profile 16, Packet Session Status = INACTIVE
Network Information
===================
Current System Time = Sun Jan 6 16:20:34 1980
Current Service Status = Normal
Current Service = Packet switched
Current Roaming Status = Home
Network Selection Mode = Automatic
Network = EE
Mobile Country Code (MCC) = 234
Mobile Network Code (MNC) = 30
Packet switch domain(PS) state = Attached
Registration state(EMM) = Registered
EMM Sub State = Normal Service
Tracking Area Code (TAC) = 10935
Cell ID = 2821127
Negotiated network MTU = 1500
Radio Information
=================
Radio power mode = online
LTE Rx Channel Number = 3350
LTE Tx Channel Number = 21350
LTE Band = 7
LTE Bandwidth = 20 MHz
Current RSSI = -77 dBm
Current RSRP = -103 dBm
Current RSRQ = -7 dB
Current SNR = 18.2 dB
Physical Cell Id = 0x199
Number of nearby cells = 1
Idx PCI (Physical Cell Id)
--------------------------------
1 409
Radio Access Technology(RAT) Preference = AUTO
Radio Access Technology(RAT) Selected = LTE
Modem Security Information
==========================
Card Holder Verification (CHV1) = Disabled
SIM Status = OK
SIM User Operation Required = None
Number of CHV1 Retries remaining = 3
Cellular Firmware List
==========================
Idx Carrier FwVersion PriVersion Status
1 GENERIC 02.28.03.03 002.068_000 Active
Firmware Activation mode : AUTO
FOTA Information
================
FOTA server poll timer (mins) = Disable
FOTA server connection retry value = 0
FOTA status = Please re-configure FOTA poll timer
SMS Information
===============
Incoming Message Information
----------------------------
SMS stored in modem = 4
SMS archived since booting up = 0
Total SMS deleted since booting up = 0
Storage records allocated = 25
Storage records used = 4
Number of callbacks triggered by SMS = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0
Outgoing Message Information
----------------------------
Total SMS sent successfully = 0
Total SMS send failure = 0
Number of outgoing SMS pending = 0
Number of successful archive since booting up = 0
Number of failed archive since booting up = 0
Last Outgoing SMS Status = SUCCESS
Copy-to-SIM Status = 0x0
Send-to-Network Status = 0x0
Report-Outgoing-Message-Number:
Reference Number = 0
Result Code = 0x0
Diag Code = 0x0 0x0 0x0 0x0 0x0
SMS Archive URL =
Error Information
=================
No crash info to display
Modem Crashdump Information
===========================
WIC type is 00
Cellular0 is WP76XX based
Modem crashdump logging: off
Packet drop stats
=================
Source IP violation stats:
Could not retrieve the stats now. Retry later.
However, my VPN connection back to our HQ will not establish. I have compared the config on this device with a currently active device and they are identical.
Current configuration : 4741 bytes
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr-h000706
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$BGhi$dRAhi2D16TQsmruuEhHo5/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
!
!
!
!
!
!
!
!
!
!
ip domain name x.local
ip name-server 10.11.2.5
ip cef
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
license udi pid C921-4PLTEGB sn PSZ25161BLZ
!
!
object-group network x-IPs
 host x.x.x.x
 host x.x.x.x
!
username x privilege 15 secret 5 $1$xyQI$80qrxxxxaWbOsWCvr/
username x privilege 2 secret 5 $1$xs4K$xxxxGKe2AjBEe0FL.
username x privilege 2 secret 5 $1$zs.K$E./AxxxS2PweIgGMwP7pT.
!
redundancy
!
crypto ikev2 proposal Prop-HQ-VPN
 encryption aes-cbc-256
 integrity sha256
 group 21
!
crypto ikev2 policy POL-HQ-VPN
 proposal Prop-HQ-VPN
!
crypto ikev2 keyring keyring-1
 peer x-hq
  address x.x.x.x
  pre-shared-key local xxxx
  pre-shared-key remote xxxx
 !
!
!
crypto ikev2 profile PROFILE-HQ-VPN
 match identity remote address x.x.x.x 255.255.255.255
 identity local fqdn rtr-h000706.x.local
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring-1
!
no crypto ikev2 diagnose error
crypto ikev2 dpd 500 50 on-demand
no crypto ikev2 certificate-cache
!
!
controller Cellular 0
 lte sim data-profile 1 attach-profile 1
 lte modem crash-action boot-and-hold
!
!
crypto logging ikev2
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 21
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TS-HQ-VPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile PROFILE-ipsec
 set pfs group21
 set ikev2-profile PROFILE-HQ-VPN
!
!
!
crypto map CMAP-x-HQ 1 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 86400
 set transform-set TS-HQ-VPN
 set ikev2-profile PROFILE-HQ-VPN
 match address VPN-TRAFFIC
!
!
!
!
!
interface Cellular0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 ipv6 address autoconfig
 async mode interactive
 crypto map CMAP-x-HQ
!
interface GigabitEthernet0
 switchport access vlan 115
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 115
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 115
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 115
 no ip address
!
interface GigabitEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet5
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan115
 ip address 10.11.115.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
 ip nbar protocol-discovery
 ip tcp adjust-mss 1452
 load-interval 30
!
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended LOCKDOWN-IN
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit gre object-group x-IPs any
 permit esp object-group x-IPs any
 permit ahp object-group x-IPs any
 permit ip object-group x-IPs any
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.115.0 0.0.0.225 any
!
dialer-list 1 protocol ip permit
!
!
snmp-server community x-ro RO
snmp-server location x
snmp-server contact Group IT
snmp-server chassis-id rtr-h000706
!
!
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
* *
* This device is owned and managed by x. *
* Unauthorized access is strictly prohibited. *
* *
*************************************************************
^C
!
line con 0
 privilege level 15
line 3
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
line vty 5 15
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp server ntp.x.local source Cellular0
!
end
Is there anything that stands out here that would prevent it from connecting?
rtr-h000706#sh cry sess
Crypto session current status
Interface: Cellular0
Session status: DOWN
Peer: x.x.x.x port 500
  IPSEC FLOW: permit ip 10.11.115.0/255.255.255.30 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
rtr-h000706#
*Jul 27 07:41:34.747: ISAKMP-ERROR: (0):No peer struct to get peer description
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
rtr-h000706#show crypto ipsec sa
interface: Cellular0
    Crypto map tag: CMAP-HGL-HQ, local addr 10.241.18.229
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.11.115.0/255.255.255.30/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 10.241.18.229, remote crypto endpt.: x.x.x.x
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Cellular0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
rtr-h000706#show crypto engine connection active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
This is the only error message that I am getting that I can see.
Can anyone suggest where I start with this?
rtr-h000706# *Jul 27 07:41:34.747: ISAKMP-ERROR: (0):No peer struct to get peer description
Thanks in advance wonderful people!
07-27-2021 02:13 AM
- Check if this thread can help :
M.
07-27-2021 02:29 AM
The wildcard mask looks incorrect in your ACL, I assume it should be 0.0.0.255?
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.115.0 0.0.0.225 any
This crypto ACL configuration needs to be the mirror of the peer's configuration.
Change the wildcard mask, clear crypto isakmp, clear ipsec sa and try again. Provide the output of "show crypto ipsec sa" if the changes do not work.
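The check behind this answer, as an added example that is not part of the original thread: the router accepted 0.0.0.225, so the only visible symptom was the odd proxy identity 10.11.115.0/255.255.255.30 in "show crypto ipsec sa". The sketch below scans extended ACL entries for non-contiguous wildcard masks and prints the mask the router would display; the function names and the sample config are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the thread's crypto ACL entry, the corrected entry, and a host entry.
SAMPLE_CONFIG = """\
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.115.0 0.0.0.225 any
 permit ip 10.11.115.0 0.0.0.255 any
 permit ip host 10.11.115.1 any
"""

_ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
# A dotted quad directly followed by another one is a "network wildcard" pair.
_PAIR = re.compile(rf"\b({_ADDR})\s+({_ADDR})\b")


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the wildcard is 0..01..1 in binary, i.e. the inverse of a valid netmask."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def inverse_mask(wildcard: str) -> str:
    """Netmask form of the wildcard, as shown in the 'show crypto ipsec sa' idents."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))))


def audit_acl(config: str):
    """Return (acl, network, wildcard, inverse_mask) for every non-contiguous wildcard."""
    findings, acl = [], None
    for line in config.splitlines():
        header = re.match(r"\s*ip access-list extended (\S+)", line)
        if header:
            acl = header.group(1)
            continue
        if acl and re.match(r"\s*(permit|deny)\b", line):
            # "host a.b.c.d" carries no wildcard, so drop it before pairing.
            entry = re.sub(r"\bhost\s+\S+", "", line)
            for network, wildcard in _PAIR.findall(entry):
                if not is_contiguous_wildcard(wildcard):
                    findings.append((acl, network, wildcard, inverse_mask(wildcard)))
    return findings


if __name__ == "__main__":
    for acl, net, wc, mask in audit_acl(SAMPLE_CONFIG):
        print(f"{acl}: {net} {wc} is non-contiguous (router shows mask {mask})")
```

Non-contiguous wildcards are sometimes intentional in ordinary ACLs, so treat a finding as a prompt to compare the entry against the peer's mirrored crypto ACL rather than as an error by itself.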
07-27-2021 05:43 AM
@Rob Ingram OMG you just solved 2 days of troubleshooting in one line!
I had indeed fat-fingered the subnet mask. I changed it to 0.0.0.255 and cleared the session, and it immediately sprang into action!
Thank you so much, you are my hero!