sailr, Posted July 20, 2004

Hi Cisco dudes,

I need some help regarding the Cisco 1700 series router and Dynamic Multipoint VPN using a hub and spoke network. The scenario is this: we have one hub and two spokes at two remote sites, all connected via dynamic VPN over ADSL lines. The tunnels are up and running. I can ping remote machines using their internal (LAN) IP addresses; we can even telnet over it. However, when I try to ping using larger packet sizes of about 1400, it times out; also I cannot use Remote Desktop Connection or print over the VPN. I have tried setting the MTU and the fragmentation before-encryption options but nothing seems to work. I am convinced that now only a Cisco head can solve this problem. If you have any idea, please email me and I can send you the complete running config of the router.

Thank you all,
Sail
Limitation//Moon, Posted July 20, 2004

Dude, I feel like this is your homework.
linuxuser, Posted July 20, 2004

Well, Dynamic Multipoint VPN (DMVPN) actually uses three technologies or protocols: GRE tunnels (basically tunnels), IPsec (security within IP) and Next Hop Resolution Protocol (NHRP). It sounds like (since you can ping with smaller data sizes but you cannot with bigger packets) your Next Hop Resolution Protocol or NHRP is messed up or not configured right. If you don't mind sending the router configuration, could you post it here? That certainly helps.
Limitation//Moon, Posted July 20, 2004

lol... give all your configuration like rs said. I may have to enter Google, which you already should have. However, I love to see a problem.
sailr, Posted July 21, 2004

OK, here's the running config for the hub and spoke. Please note that ACL no. 111 in one of the configs does not exist but is being used by one of the interfaces. Ignore that error.

HUB's running config
-------------------------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c1721
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
username xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxx
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
ip tcp synwait-time 10
ip domain name yourdomain.com
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keykeykey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set SDM_TRANSFORMSET_1
!
crypto ipsec profile SDM_Profile2
 set transform-set SDM_TRANSFORMSET_2
!
interface Tunnel0
 bandwidth 1000
 ip address 10.10.6.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 delay 1000
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile2
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.245.1 255.255.255.0
 ip access-group 122 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 no cdp enable
 hold-queue 100 out
!
interface Dialer1
 ip address hhh.hhh.hhh.hhh 255.255.255.254
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxx@xxxxxx.com
 ppp chap password 7 xxxxxxxxxxxxx
 hold-queue 224 in
!
router eigrp 1
 network 10.10.6.0 0.0.0.255
 network 192.168.245.0
 no auto-summary
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.245.20 25 interface Dialer1 25
ip nat inside source static tcp 192.168.245.100 22 yyyyyyyyyyyyyyy 22 extendable
ip nat inside source static tcp 192.168.245.34 3389 yyyyyyyyyyyyyyyy 3389 extendable
ip nat inside source static tcp 192.168.245.20 3389 yyyyyyyyyyyyyyyy 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
access-list 102 permit ip 192.168.245.0 0.0.0.255 any
no cdp run
end
---------------------------------------------------

Spokes' config in the next post
sailr, Posted July 21, 2004

Spoke's config
-------------------------------------------------------
SPOKE's running config
----------------------------------------------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c1701
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxx
clock timezone PCTimeZone 0
no aaa new-model
ip subnet-zero
no ip source-route
!
ip dhcp excluded-address 192.168.36.1 192.168.36.9
ip dhcp excluded-address 192.168.36.20 192.168.36.254
!
ip dhcp pool sdm-pool1
 network 192.168.36.0 255.255.255.0
 default-router 192.168.36.1
 dns-server 212.158.192.3 212.158.192.2
 lease 0 2
!
ip tcp synwait-time 10
ip domain name sb.com
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keykeykey address hhh.hhh.hhh.hhh
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set SDM_TRANSFORMSET_1
!
interface Tunnel0
 bandwidth 1000
 ip address 10.10.6.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.10.6.1 hhh.hhh.hhh.hhh
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 10.10.6.1
 ip nhrp registration no-unique
 delay 1000
 tunnel source Dialer1
 tunnel destination hhh.hhh.hhh.hhh
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.36.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 no cdp enable
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx
 ppp chap password 7 xxxxxxx
 hold-queue 224 in
!
router eigrp 1
 network 10.10.6.0 0.0.0.255
 network 192.168.36.0
 no auto-summary
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.36.10 3389 123.123.123.123 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
logging trap debugging
access-list 102 remark SDM_ACL Category=18
access-list 102 permit ip 192.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end
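The size arithmetic behind the "large pings time out" symptom, as an added example that is not part of the original thread and not code from either router. It models the header stack the two posted configs actually produce: mGRE with a 4-byte key field (tunnel key 100000), IPsec ESP in tunnel mode (the transform sets carry no mode transport line, so the IOS default applies), 3DES (8-byte block and IV) and HMAC-SHA1-96 (12-byte ICV). The 1500-byte MTU on the Dialer1/ATM0 path is an assumption, since neither config sets one; all function and constant names are mine.

```python
"""GRE-over-IPsec (DMVPN) encapsulation-overhead calculator.

Added example; not the original poster's configuration or Cisco code.
Header stack modelled, inside to outside:
  inner IP packet -> GRE (4 bytes + 4-byte key) -> ESP tunnel mode
  (3DES: 8-byte block/IV, HMAC-SHA1-96: 12-byte ICV) -> new outer IP.
Assumption: the Dialer1/ATM0 WAN path carries 1500-byte IP packets.
"""

IP_HDR = 20            # IPv4 header, no options
GRE_BASE = 4           # flags/version + protocol type
GRE_KEY = 4            # extra field added by 'tunnel key'
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
ICMP_ECHO_HDR = 8      # type/code/checksum/identifier/sequence
TCP_IP_HDRS = 40       # 20-byte IP + 20-byte TCP, used for the MSS clamp

CIPHER_BLOCK = {"3des": 8, "aes": 16}       # IV length equals block size
ICV_LEN = {"sha-hmac": 12, "md5-hmac": 12}  # truncated HMAC (RFC 2404/2403)


def _round_up(n: int, block: int) -> int:
    return (n + block - 1) // block * block


def esp_len(protected_len: int, cipher: str = "3des", auth: str = "sha-hmac") -> int:
    """Bytes of ESP (header, IV, padded payload, trailer, ICV) for one payload.

    ESP pads so that payload + padding + 2-byte trailer is a multiple of the
    cipher block size.  The outer IP header is NOT included here.
    """
    block = CIPHER_BLOCK[cipher]
    encrypted = _round_up(protected_len + ESP_TRAILER, block)
    return ESP_HDR + block + encrypted + ICV_LEN[auth]


def gre_ipsec_wire_len(inner_len: int, cipher: str = "3des", auth: str = "sha-hmac",
                       tunnel_mode: bool = True, tunnel_key: bool = True) -> int:
    """On-the-wire size of one inner IP packet after GRE + IPsec."""
    gre = GRE_BASE + (GRE_KEY if tunnel_key else 0)
    # Tunnel mode encrypts the GRE delivery IP header too and prepends a new
    # one; transport mode leaves the delivery header outside ESP.
    protected = (IP_HDR if tunnel_mode else 0) + gre + inner_len
    return IP_HDR + esp_len(protected, cipher, auth)


def max_inner_len(wan_mtu: int = 1500, **kw) -> int:
    """Largest inner IP packet that leaves the WAN interface unfragmented."""
    size = wan_mtu
    while gre_ipsec_wire_len(size, **kw) > wan_mtu:
        size -= 1
    return size


def ping_inner_len(payload: int) -> int:
    """Inner IP packet size of 'ping -l payload' (Windows) or 'ping -s payload'."""
    return IP_HDR + ICMP_ECHO_HDR + payload


def ip_fragment_count(pkt_len: int, mtu: int) -> int:
    """Fragments produced when an IP packet without DF meets a link MTU."""
    if pkt_len <= mtu:
        return 1
    data = pkt_len - IP_HDR
    per_fragment = (mtu - IP_HDR) // 8 * 8      # fragment offsets are 8-byte units
    return -(-data // per_fragment)             # ceiling division


def mss_clamp(tunnel_ip_mtu: int) -> int:
    """TCP MSS that keeps every segment within the tunnel's 'ip mtu'."""
    return tunnel_ip_mtu - TCP_IP_HDRS


def report(tunnel_ip_mtu: int = 1400, wan_mtu: int = 1500, ping_payload: int = 1400) -> dict:
    """Summary for the posted design: 'ip mtu 1400' on Tunnel0, a 1400-byte ping."""
    inner = ping_inner_len(ping_payload)
    return {
        "wire_len_at_tunnel_mtu": gre_ipsec_wire_len(tunnel_ip_mtu),
        "max_inner_unfragmented": max_inner_len(wan_mtu),
        "ping_inner_len": inner,
        "ping_fragments_on_tunnel": ip_fragment_count(inner, tunnel_ip_mtu),
        "tcp_mss_clamp": mss_clamp(tunnel_ip_mtu),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:28} {value}")
```

Two things the numbers make visible. A 1400-byte inner packet becomes 1480 bytes on the wire, so ip mtu 1400 does fit under a 1500-byte WAN MTU (the ceiling is 1418 with this transform set); but a 1400-byte ping payload is a 1428-byte inner IP packet, which already exceeds the tunnel MTU and has to be split into two fragments before encryption (or dropped with an ICMP "fragmentation needed" if the sender sets DF). For TCP traffic such as RDP and printing, the MSS that matches ip mtu 1400 is 1360, which is what ip tcp adjust-mss 1360 on the tunnel interface would advertise; the posted configs set the tunnel MTU but no MSS clamp, so hosts still negotiate 1460 and depend on fragmentation or working path-MTU discovery.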