Re: VPN and CEF

Itzamna44 · ‎10-26-2010

Hi All.

I have Cisco 2921, two ISP, NAT, LoadBalancing, VPN.

When i turn on CEF (ip cef) , Vpn-client do not access local LAN, only loopback.

With "no ip cef" everithing work fine.

It is normal?

And one more question: How to configure cisco (whith my functionality) for accounting whith NetFlow?

Thanks.

Marcin Latosiewicz · ‎10-26-2010

Albert,

Theory goes, router should work better with CEF enabled ;-)

So behavior you're describing is definetly not the correct one.

Please open a TAC service request for this or if you can't check with newer IOS and if that does not help go via TAC.

Marcin

DmytroSoloviov · ‎12-09-2010

Our customer has the same problem that consists of incompatibility of "ip route-cache cef" interface command and VPN Client access to network connected to that interface... So, customer should choose between remote access VPN and netflow accounting functionalities. He has chosen the first.

Albert, have you found the solution from TAC?..

DmytroSoloviov · ‎12-09-2010

I've found the answer by myself surfing the forum...

So, for us the solution was to change the code

crypto dynamic-map RA_MAP_DYNAMIC 10
set transform-set RA_TS
set isakmp-profile VPNCLIENT_P1_PROFILE
reverse-route

to this one (see reverse-route string):

crypto dynamic-map RA_MAP_DYNAMIC 10
set transform-set RA_TS
set isakmp-profile VPNCLIENT_P1_PROFILE
reverse-route remote-peer x.x.x.x

where x.x.x.x - our default GW.

After we changed the "reverse-route" string we obtained the ability to painlessly enable "ip route-cache cef" on an internal/external interfaces and netflow finally started to export the flow data to collector. It was like a mirracle .

Hope this helps, guys.

Itzamna44 · ‎12-13-2010

Thanks.

What is x.x.x.x? It is ip address of outgoing interface? Or Local LAN?

DmytroSoloviov · ‎12-13-2010

x.x.x.x - is the default gateway for our 2921 device...

I can add that the same address is in "ip route" command:

ip route 0.0.0.0 0.0.0.0 x.x.x.x