sailr

Cisco Experts - Need HELP here


Hi Cisco dudes

I need some help regarding the Cisco 1700 series router and Dynamic Multipoint VPN using a hub and spoke network.

The scenario is such:

We have one hub and two spokes at two remote sites, all connected via Dynamic VPN over ADSL lines. The tunnels are up and running. I can ping remote machines using their internal (LAN) IP addresses. We can even telnet over it. However, when I try to ping using larger packet sizes of about 1400, it times out; also I cannot use Remote Desktop Connection or print over the VPN.

I have tried setting the MTU and fragmentation-before-encryption options but nothing seems to work.

I am convinced that now only a Cisco head can solve this problem. If you have any idea, please email me and I can send you the complete running config of the router.

Thank you all

Sail


Well, Dynamic Multipoint VPN (DMVPN) actually uses three technologies or protocols: GRE tunnels (basically tunnels), IPsec (security within IP) and Next Hop Resolution Protocol (NHRP).

It sounds like (since you can ping with a smaller data size but you cannot with bigger packets) your Next Hop Resolution Protocol, or NHRP, is messed up or not configured right. If you don't mind sending the router configuration, could you post it here? That certainly helps.


Ok, here's the running config for the hub and spoke. Please note that ACL no. 111 in one of the configs does not exist but is being used by one of the interfaces. Ignore that error.

HUB's running config
-------------------------------------

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c1721
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
username xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxx
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
ip tcp synwait-time 10
ip domain name yourdomain.com
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keykeykey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set SDM_TRANSFORMSET_1
!
crypto ipsec profile SDM_Profile2
 set transform-set SDM_TRANSFORMSET_2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.10.6.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 delay 1000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile2
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.245.1 255.255.255.0
 ip access-group 122 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 no cdp enable
 hold-queue 100 out
!
interface Dialer1
 ip address hhh.hhh.hhh.hhh 255.255.255.254
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxx@xxxxxx.com
 ppp chap password 7 xxxxxxxxxxxxx
 hold-queue 224 in
!
router eigrp 1
 network 10.10.6.0 0.0.0.255
 network 192.168.245.0
 no auto-summary
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.245.20 25 interface Dialer1 25
ip nat inside source static tcp 192.168.245.100 22 yyyyyyyyyyyyyyy 22 extendable
ip nat inside source static tcp 192.168.245.34 3389 yyyyyyyyyyyyyyyy 3389 extendable
ip nat inside source static tcp 192.168.245.20 3389 yyyyyyyyyyyyyyyy 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
!
!
logging trap debugging
access-list 102 permit ip 192.168.245.0 0.0.0.255 any
no cdp run
end

---------------------------------------------------

Spokes' config in the next post

 


SPOKE's running config
----------------------------------------------------------

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c1701
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxx
clock timezone PCTimeZone 0
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.36.1 192.168.36.9
ip dhcp excluded-address 192.168.36.20 192.168.36.254
!
ip dhcp pool sdm-pool1
 network 192.168.36.0 255.255.255.0
 default-router 192.168.36.1
 dns-server 212.158.192.3 212.158.192.2
 lease 0 2
!
!
ip tcp synwait-time 10
ip domain name sb.com
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keykeykey address hhh.hhh.hhh.hhh
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set SDM_TRANSFORMSET_1
!
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 10.10.6.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.10.6.1 hhh.hhh.hhh.hhh
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.10.6.1
 ip nhrp registration no-unique
 delay 1000
 tunnel source Dialer1
 tunnel destination hhh.hhh.hhh.hhh
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.36.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 no cdp enable
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx
 ppp chap password 7 xxxxxxx
 hold-queue 224 in
!
router eigrp 1
 network 10.10.6.0 0.0.0.255
 network 192.168.36.0
 no auto-summary
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.36.10 3389 123.123.123.123 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
!
!
logging trap debugging
access-list 102 remark SDM_ACL Category=18
access-list 102 permit ip 192.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end

 

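As an added illustration (not code from this thread), here is a small Python calculator for the encapsulation overhead of the tunnel shown in these configs: GRE with a tunnel key, protected by esp-3des esp-sha-hmac in IPsec tunnel mode. It assumes a 1500-byte link MTU on Dialer1, which the posts do not state, and shows how much headroom ip mtu 1400 leaves and what a 1400-byte ping actually puts on the tunnel.

```python
# Added example, not code from the thread: encapsulation overhead for the
# DMVPN tunnel in the posted configs (GRE with "tunnel key", protected by
# "esp-3des esp-sha-hmac" in IPsec tunnel mode, the default for a profile).
# Header sizes follow RFC 2784/2890 (GRE) and RFC 4303 (ESP); the 1500-byte
# link MTU on Dialer1 is an assumption, the posts do not state it.

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # base GRE header
GRE_KEY = 4          # Key field added by "tunnel key 100000"
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
ICV_SHA1_96 = 12     # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits
ICMP_ECHO_HDR = 8    # type, code, checksum, identifier, sequence

CBC_BLOCK = {"3des": 8, "aes": 16}   # IV length equals the cipher block size

def gre_size(inner_len: int, keyed: bool = True) -> int:
    """Bytes of the GRE/IP packet that carries an inner_len-byte IP packet."""
    return inner_len + IP_HDR + GRE_HDR + (GRE_KEY if keyed else 0)

def esp_size(payload_len: int, cipher: str = "3des", tunnel_mode: bool = True) -> int:
    """Bytes on the wire after ESP: outer IP, ESP header, IV, padded payload, ICV."""
    block = CBC_BLOCK[cipher]
    # payload plus the 2-byte trailer is padded up to a whole number of cipher blocks
    padded = -(-(payload_len + ESP_TRAILER) // block) * block
    return (IP_HDR if tunnel_mode else 0) + ESP_HDR + block + padded + ICV_SHA1_96

def wire_size(inner_len: int, **kw) -> int:
    """Inner IP packet -> GRE -> ESP, i.e. what Dialer1 actually has to send."""
    return esp_size(gre_size(inner_len, kw.pop("keyed", True)), **kw)

def max_inner_mtu(link_mtu: int = 1500, **kw) -> int:
    """Largest inner packet that still fits the link MTU without fragmenting."""
    n = link_mtu
    while wire_size(n, **kw) > link_mtu:
        n -= 1
    return n

def icmp_echo_len(data_bytes: int) -> int:
    """Total IP length of a ping carrying data_bytes of payload (Windows: ping -l N)."""
    return IP_HDR + ICMP_ECHO_HDR + data_bytes

if __name__ == "__main__":
    print("1400-byte inner packet on the wire:", wire_size(1400))        # 1480
    print("largest inner packet for a 1500-byte link:", max_inner_mtu())  # 1418
    print("ping -l 1400 is an IP packet of", icmp_echo_len(1400), "bytes")  # 1428
```

A Windows ping -l 1400 is a 1428-byte IP packet, above the 1400-byte tunnel MTU, so the router has to fragment it before encryption; that makes such a ping a test of fragment handling along the path rather than of the tunnel MTU itself.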