vikrantambhore
asked on
CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX
Hello,
I have one hub and 2 sites. We are using IPSEC + DMVPN. I normally get these kinds of errors while everything was working fine, and I used to get these messages earlier too, but this time they are in a high number. All is working fine, but I am constantly getting the error on the HUB router from only one branch, approximately within an hour, & then the VPN went down:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its sanity check or is malformed
Then when I cleared crypto sa & clear crypto isakmp, it works fine for a while, but it's happening again & again.
Can anyone help me? When I look at sh crypto isakmp sa, I see the VPN is up, but I am unable to ping that remote router.
I have attached configuration of HUB & Spoke
:17:34.846: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.58.37 failed its sanity check or is malformed
012282: Jan 10 04:18:48.573: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its sanity check or is malformed
012283: Jan 10 04:19:49.255: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its sanity check or is malformed
012284: Jan 10 04:21:51.052: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=XX.XX.XX.XX, prot=50, spi=0x80CEE739(2161043257), srcaddr=XX.XX.XX.XX
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its sanity check or is malformed
HUB.txt
SPOKE.txt
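An added example, not part of the original thread: one way to triage router logs like the ones posted here is to rejoin the 80-column-wrapped records and count the crypto events per peer, mapping ISAKMP SA ids back to a peer where another line names it. The sample lines are constructed in the same shape as the thread's logs, the addresses are documentation-range placeholders, and the category names are labels chosen here.

```python
import re
from collections import Counter

# Constructed sample: IOS syslog pasted from an 80-column terminal, so records wrap mid-word.
SAMPLE = """\
012281: Jan 10 04:17:34.846: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.0.
2.10 failed its sanity check or is malformed
012282: Jan 10 04:18:48.573: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.0.
2.10 failed its sanity check or is malformed
012284: Jan 10 04:21:51.052: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC pa
cket has invalid spi for destaddr=198.51.100.1, prot=50, spi=0x80CEE739(2161043
257), srcaddr=192.0.2.10
000348: Feb  7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000374: Feb  7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 256
000402: Feb  7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal wi
th error 32
000422: Feb  7 03:39:53.779: ISAKMP:(2239): phase 2 SA policy not acceptable! (l
ocal 198.51.100.1 remote 192.0.2.10)
000451: Feb  7 03:40:23.784: ISAKMP:(2239):deleting SA reason "gen_ipsec_isakmp_
delete but doi isakmp" state (R) QM_IDLE (peer 192.0.2.10)
"""

# A physical line that starts a new record: optional sequence number, then "Mon D HH:MM:SS".
HEADER = re.compile(r"^(?:\d+: )?\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")

# Rules run against whitespace-stripped text, so it does not matter where the terminal wrapped.
RULES = [
    ("ike-malformed", re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE:IKEmessagefrom([\d.]+)failed")),
    ("ike-no-sa", re.compile(r"%CRYPTO-4-IKMP_NO_SA:IKEmessagefrom([\d.]+)has")),
    ("esp-unknown-spi", re.compile(r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*srcaddr=([\d.]+)")),
    ("phase1-proposal-mismatch", re.compile(r"Encryptionalgorithmoffereddoesnotmatchpolicy")),
    ("phase2-proposal-invalid", re.compile(r"IPSecpolicyinvalidatedproposalwitherror\d+")),
    ("phase2-sa-rejected", re.compile(r"phase2SApolicynotacceptable!\(local[\d.]+remote([\d.]+)\)")),
]

# ISAKMP debug prefixes seen in the thread: "ISAKMP:(2239):", "ISAKMP (0/2239):", "ISAKMP (0:2240):".
SA_ID = re.compile(r"ISAKMP:?\((?:0[/:])?(\d+)\)")
# Lines that name the peer of an SA: "(peer a.b.c.d)" or "(local ... remote a.b.c.d)".
PEER_HINT = re.compile(r"\(peer([\d.]+)\)|remote([\d.]+)\)")


def records(text):
    """Rejoin wrapped physical lines into one whitespace-stripped string per syslog record."""
    joined = []
    for line in text.splitlines():
        if HEADER.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += line  # continuation of the previous record
    return ["".join(r.split()) for r in joined]


def summarize(text):
    """Count crypto events as (category, peer); peer is 'unknown' when no line identifies it."""
    recs = records(text)

    # Pass 1: learn which peer each ISAKMP SA id belongs to (id 0 means no SA exists yet).
    sa_peer = {}
    for r in recs:
        sa, hint = SA_ID.search(r), PEER_HINT.search(r)
        if sa and hint and sa.group(1) != "0":
            sa_peer[sa.group(1)] = hint.group(1) or hint.group(2)

    # Pass 2: classify each record and attribute it to a peer.
    counts = Counter()
    for r in recs:
        for name, rx in RULES:
            m = rx.search(r)
            if not m:
                continue
            peer = m.group(1) if m.groups() else None
            if peer is None:
                sa = SA_ID.search(r)
                peer = sa_peer.get(sa.group(1), "unknown") if sa else "unknown"
            counts[(name, peer)] += 1
            break
    return counts


if __name__ == "__main__":
    for (category, peer), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:4d}  {category:26s} {peer}")
```

A peer whose count is dominated by phase 1 or phase 2 categories points at a proposal or policy mismatch to compare between the two configurations, while `esp-unknown-spi` means one side is still sending on an SA the other no longer holds.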
ASKER
Hi Mike,
Thanks for your quick reply. I think I didn't change anything about the VPN, although I'm not 100% sure if I did.
But we need to fix this issue.
I used lifetime 28800 under every policy, but have the same issue.
Please let me know if you need any log.
Which log do you need?
Regards
Vikrant
Why so many policies?
At any point can you ping across the link?
What are the models and what software version?
Like to see the log of when it stops routing and begins renegotiating
Mike
ASKER
Hi Mike,
I am using a UC520 on the HUB & an 877 for the Spoke. I have attached the software details of both routers.
Now everything is working fine, but I know it will happen in 1 hr. Crypto ISAKMP error debugging is on on both routers; I will post when we have this issue again.
Bro, about the policies, I am not sure which is in use,
but I know I configured DMVPN last month and that time I used policy 20; I think the rest are for EZVPN.
I request you to please help me until this issue is solved.
HUB.txt
SPOKE.txt
ASKER
One more question: is there any way of knowing which policy is in use & for what?
ASKER
Bro I am getting Below error on HUB Router but VPN IS UP & All Application are working fine
ISAKMP:(2907): IPSec policy invalidated proposal with error 256
071687: Feb 3 06:33:50.044: ISAKMP:(2907): IPSec policy invalidated proposal with error 256
071688: Feb 3 06:33:50.060: ISAKMP:(2907): IPSec policy invalidated proposal with error 256
071689: Feb 3 06:33:50.060: ISAKMP:(2907): IPSec policy invalidated proposal with error 256
071690: Feb 3 06:33:50.060: ISAKMP:(2907): IPSec policy invalidated proposal with error 256
ASKER
Hey - Sorry for the lag. Any progress on your end?
I've looked over the config, and I am a bit confused why you're still using GRE and "ip nhrp" instead of Crypto and a route map?
I think we need to take a step back and define what you have. I'm guessing these are two DSL circuits without fixed IP addresses and you're trying to link these sites together?
Can you post the full config for both 877's and the PIX - change the usernames and passwords and any public IP if hard coded on interface
Thanks
ASKER
Bro, we have static IPs on both sides; both are DSL lines.
We have a UC520 router on the HUB (Head Office of the company) & a Cisco 877 in the branch office.
Bro, if you feel the configuration is wrong somewhere, please guide me; we can edit our configuration.
Also, another router is connected to the main router, which is the 192.168.8.0 subnet, but it doesn't have a static IP.
I need to ping all branches from all routers.
Please help me. I know I am wrong, but I am not too familiar with Cisco networking; I can do it if you help me.
Thanks in Advance
HUB.txt
SPOKE.txt
The other non-static 877 - is it remote or directly attached to the 520?
Are the configs on both 877 the same except for local ip range?
I see you're defining a DHCP pool labeled Phone - Are you VOIP-ing over these (across the Pacific to BigPond\Telstra?)
Are you using the 802.11, and are these supposed to not have access to the tunnel? i.e. is it only for people to browse and not see the inside servers?
Do all three routers form a triangle in routing or do you want spoke and hub? (if the UC is unavailable should the two 877's talk?)
Can you do a DIR or a show ver and let me know exactly what version of IOS you're running.
Sorry to throw a bunch of questions at you, just don't want to make a mess
Mike
ASKER
We are using VOIP over 3 Branch, UC520 is in Perth, 877 is in INDIA, & 3rd in Melbourne (Cisco 1861)
We have a static IP in Perth & India but don't have one in Melbourne. Which is the best way for all routers to communicate with each other, & which one are we using presently? My call manager is in Perth.
I have attached Sh Ver of All Router, also attached sh run Of Melbourne
Sh-Ver-HUB.txt
Sh-Ver-India.txt
Sh-Ver-Melbourne.txt
Sh-RUN--Melbourne.txt
I see your infrastructure is growing - lol
I will review the configs as soon as I get a chance to focus on it.
So the three sites are PER, MEL, IND and to roll back to the original issue, everything works and randomly routing stops and a "cleared crypto sa & clear crypto isakmp" fixes it.
1) The cleared crypto sa & clear crypto isakmp you enter at the Spoke (MEL\IND)
2) Does it happen to Both?
3) How Often?
4) Do they both fail at the same time?
If this is only happening in MEL, I had a similar problem since Bigpond has upgraded to a newer DSL spec that was not compatible with the rev of 12.4 I had there.
ASKER
We don't have this issue in Melbourne. It has happened only between IND & Perth.
When it happens I need to enter the clear command on IND and also on Perth.
ASKER
Maybe this issue happened due to bugs on the router; I am getting CrashInfo on the IND router,
Can you please check if any serious Issue
crashinfo-20110205-034745
well a crashing router is never a good sign!
Are you familiar with TFTP and Cisco flashing?
ASKER
Yes Bro, I can upload a new image, but I am unable to understand what the main issue in the software is
& why it happened?
Still unsure why, but before we can say this might be a hardware problem we need to make sure it's on the latest IOS version
Can you do a DIR
That should show me the long file name of the IOS image booting in Flash
Mike
ASKER
It's was crash before 1 hours & reason showing unknown in sh ver
Router#dir
Directory of flash:/
2 -rwx 19004980 --- -- ---- --:--:-- ----- c870-advipservicesk9-mz.124-15.T9.bin
21 -rwx 660 Sep 13 2007 17:18:45 +00:00 vlan.dat
23482368 bytes total (4470784 bytes free)
Router#
Router#sh version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 29-Apr-09 05:52 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE
Router uptime is 1 hour, 59 minutes
System returned to ROM by reload at 03:47:45 UTC Sat Feb 5 2011
System restarted at 03:48:37 UTC Sat Feb 5 2011
System image file is "flash:c870-advipservicesk9-mz.124-15.T9.bin"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 877W (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FHK110914N0
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
Router#
Do you have access to Cisco's web site for a newer flash or do you need one?
Does the router crash happen at the same time you lose routing and need to clear crypto isakmp?
ASKER
I don't have access to Cisco's web site.
I don't think the router crash happens at the same time as when I lost routing, as I have seen that it happens sometimes, but not all the time. But the router crashes one time a day.
ASKER
Hi Dear,
Please check the error on the HUB router, but the VPN is still up. I think something is wrong in the crypto policy.
Please look if u can understand this
000296: Feb 5 02:09:08.431: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
000297: Feb 5 03:08:44.359: %LINK-3-UPDOWN: Interface Virtual-Access4, changed state to up
000298: Feb 5 03:08:44.363: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to up
000299: Feb 5 03:08:45.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
000300: Feb 5 03:08:45.363: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
000301: Feb 5 03:09:32.505: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x829E305C reading 0x0
000302: Feb 5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0x81F50F84 0x81F4F5F0 0x81F53270 0x81F542BC 0x81F4E3EC 0x8017716C
000303: Feb 5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30CF4 0x80DDC7E4
000304: Feb 5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DD8A7C
000305: Feb 5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DE8488
000306: Feb 5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DE8608
000307: Feb 5 03:09:32.505: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0x81F53F54 0x820274C0 0x8202617C 0x81F21D00 0x81F30C28 0x80DD88B8
000308: Feb 5 03:46:49.089: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/1/0, changed state to Administrative Shutdown
000309: Feb 5 03:46:52.257: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/1/0, changed state to up
000310: Feb 5 03:47:27.718: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (115.108.160.226)
000311: Feb 5 04:10:57.148: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000312: Feb 5 04:11:05.133: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /XX.XX.XX.XX, src_addr= XX.XX.XX.XX, prot= 47
000313: Feb 5 04:12:00.331: %IPPHONE-6-REG_ALARM: 14: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=CM-closed-TCP
000314: Feb 5 04:12:00.391: %IPPHONE-6-REG_ALARM: 14: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=CM-closed-TCP
000315: Feb 5 04:12:00.431: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has registered.
000316: Feb 5 04:40:05.784: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
000317: Feb 5 04:40:38.526: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
000318: Feb 5 04:47:38.067: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
000319: Feb 5 05:01:48.918: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
000320: Feb 5 06:11:42.947: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000321: Feb 5 06:11:49.479: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=TCP-timeout
000322: Feb 5 06:11:49.479: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has registered.
000323: Feb 5 06:50:49.000: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
000324: Feb 5 10:08:30.032: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000325: Feb 5 10:10:38.742: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=TCP-timeout
000326: Feb 5 10:10:38.754: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has registered.
000327: Feb 5 11:05:16.925: %LINK-3-UPDOWN: Interface Virtual-Access5, changed state to down
000328: Feb 5 11:05:17.925: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to down
000329: Feb 5 11:05:33.681: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x829E305C reading 0x0
000330: Feb 5 11:05:33.681: %ALIGN-3-TRACE: -Traceback= 0x829E305C 0x81F50B68 0x81F50F84 0x81F51084 0x81F4DA4C 0x81F4FC38 0x81F4F5F0 0x81F5078C
000331: Feb 5 11:39:38.918: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
000332: Feb 5 11:46:51.911: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
000333: Feb 5 12:08:39.329: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000334: Feb 5 12:09:39.412: %CRYPTO-4-IKMP_NO_SA: IKE message from 115.108.160.226 has no SA and is not an initialization offer
000335: Feb 5 12:14:53.781: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=TCP-timeout
000336: Feb 5 12:14:53.785: %IPPHONE-6-REG_ALARM: 10: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=TCP-timeout
000337: Feb 5 12:14:53.785: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has registered.
000338: Feb 5 12:40:18.087: SSH2 0: Unexpected mesg type received
000339: Feb 5 13:15:35.967: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
000340: Feb 5 13:47:15.893: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
000341: Feb 5 13:54:41.091: %IPPHONE-6-UNREGISTER_ABNORMAL: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has unregistered abnormally.
000342: Feb 5 13:54:48.272: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
000343: Feb 5 13:55:55.602: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
000344: Feb 5 13:56:43.400: %DOT11-4-MAXRETRIES: Packet to client 0016.eaee.1328 reached max retries, removing the client
000345: Feb 7 01:33:34.639: *** Not encrypted dot1x packet from 0016.eaee.1328 has been discarded
000346: Feb 7 01:33:50.875: *** Not encrypted dot1x packet from 001d.a231.4aad has been discarded
000347: Feb 7 03:39:17.173: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /XX.XX.XX.XX, src_addr= XX.XX.XX.XX, prot= 47
000348: Feb 7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not match policy!
000349: Feb 7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is 3
000350: Feb 7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not match policy!
000351: Feb 7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is 3
000352: Feb 7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not match policy!
000353: Feb 7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is 3
000354: Feb 7 03:39:20.165: ISAKMP:(0):Encryption algorithm offered does not match policy!
000355: Feb 7 03:39:20.165: ISAKMP:(0):atts are not acceptable. Next payload is 3
000356: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000357: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000358: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000359: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000360: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000361: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000362: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000363: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000364: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000365: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000366: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000367: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000368: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000369: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000370: Feb 7 03:39:20.169: ISAKMP:(0):Encryption algorithm offered does not match policy!
000371: Feb 7 03:39:20.169: ISAKMP:(0):atts are not acceptable. Next payload is 3
000372: Feb 7 03:39:20.193: ISAKMP:(0): claimed IOS but failed authentication
000373: Feb 7 03:39:21.837: ISAKMP (0/2239): Unknown Attr: MODECFG_HOSTNAME (0x700A)
000374: Feb 7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000375: Feb 7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000376: Feb 7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000377: Feb 7 03:39:22.393: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000378: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000379: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000380: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000381: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000382: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000383: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000384: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000385: Feb 7 03:39:22.397: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000386: Feb 7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000387: Feb 7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000388: Feb 7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000389: Feb 7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000390: Feb 7 03:39:22.417: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000391: Feb 7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000392: Feb 7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000393: Feb 7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000394: Feb 7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000395: Feb 7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000396: Feb 7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000397: Feb 7 03:39:22.421: ISAKMP:(2239): IPSec policy invalidated proposal with error 256
000398: Feb 7 03:39:22.934: ISAKMP:(2239):deleting node -1494177723 error TRUE reason "Delete Larval"
000399: Feb 7 03:39:22.950: ISAKMP:(2239):deleting node 847146984 error TRUE reason "Delete Larval"
000400: Feb 7 03:39:52.923: ISAKMP:(2239):deleting node 298063460 error TRUE reason "Delete Larval"
000401: Feb 7 03:39:52.943: ISAKMP:(2239):deleting node -903285737 error TRUE reason "Delete Larval"
000402: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000403: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000404: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000405: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000406: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000407: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000408: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000409: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000410: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000411: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000412: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000413: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000414: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000415: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000416: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000417: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000418: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000419: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000420: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000421: Feb 7 03:39:53.779: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000422: Feb 7 03:39:53.779: ISAKMP:(2239): phase 2 SA policy not acceptable! (local 58.108.208.65 remote 115.108.160.226)
000423: Feb 7 03:39:53.783: ISAKMP:(2239):deleting node -1923026943 error TRUE reason "QM rejected"
000424: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000425: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000426: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000427: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000428: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000429: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000430: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000431: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000432: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000433: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000434: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000435: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000436: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000437: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000438: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000439: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000440: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000441: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000442: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000443: Feb 7 03:39:53.799: ISAKMP:(2239): IPSec policy invalidated proposal with error 32
000444: Feb 7 03:39:53.799: ISAKMP:(2239): phase 2 SA policy not acceptable! (local 58.108.208.65 remote 115.108.160.226)
000445: Feb 7 03:39:53.803: ISAKMP:(2239):deleting node 1849779352 error TRUE reason "QM rejected"
000446: Feb 7 03:40:11.912: %IPPHONE-6-REG_ALARM: 17: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=KeepaliveTO
000447: Feb 7 03:40:11.984: %IPPHONE-6-REG_ALARM: 17: Name=SEP001BD5019982 Load= SCCP31.8-2-2SR2S Last=KeepaliveTO
000448: Feb 7 03:40:12.028: %IPPHONE-6-REGISTER: ephone-6:SEP001BD5019982 IP:192.168.4.175 Socket:5 DeviceType:Phone has registered.
000449: Feb 7 03:40:22.924: ISAKMP:(2239):deleting node 1486549235 error TRUE reason "Delete Larval"
000450: Feb 7 03:40:22.952: ISAKMP:(2239):deleting node 1216159300 error TRUE reason "Delete Larval"
000451: Feb 7 03:40:23.784: ISAKMP:(2239):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (R) QM_IDLE (peer 115.108.160.226)
000452: Feb 7 03:40:23.784: ISAKMP:(2239):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (R) QM_IDLE (peer 115.108.160.226)
000453: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000454: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000455: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000456: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000457: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000458: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000459: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000460: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000461: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000462: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000463: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000464: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000465: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000466: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000467: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000468: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000469: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000470: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000471: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000472: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000473: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000474: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000475: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not match policy!
000476: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is 3
000477: Feb 7 03:40:25.112: ISAKMP:(0): claimed IOS but failed authentication
000478: Feb 7 03:40:25.680: ISAKMP (0:2240): Unknown Input IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL: state = IKE_XAUTH_REQ_SENT
000479: Feb 7 03:40:25.680: ISAKMP (0:2240): Unknown Input IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL: state = IKE_XAUTH_REQ_SENT
000480: Feb 7 03:40:25.680: ISAKMP (0:2240): Unknown Input IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL: state = IKE_XAUTH_REQ_SENT
000481: Feb 7 03:40:26.712: ISAKMP (0/2240): Unknown Attr: MODECFG_HOSTNAME (0x700A)
000482: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000483: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000484: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000485: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000486: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000487: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000488: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000489: Feb 7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000490: Feb 7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal with error 256
000491: Feb 7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000492: Feb 7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000493: Feb 7 03:40:27.280: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000494: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000495: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000496: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000497: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000498: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000499: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000500: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000501: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000502: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000503: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000504: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000505: Feb 7 03:40:27.296: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000506: Feb 7 03:40:30.680: ISAKMP:(0):Can't decrement IKE Call Admission Contr
ol stat incoming_active since it's already 0.
000507: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000508: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000509: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000510: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000511: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000512: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000513: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000514: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000515: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000516: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000517: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000518: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000519: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000520: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000521: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000522: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000523: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000524: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000525: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000526: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000527: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000528: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000529: Feb 7 03:40:32.976: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000530: Feb 7 03:40:32.976: ISAKMP:(0):atts are not acceptable. Next payload is
3
000531: Feb 7 03:40:33.000: ISAKMP:(0): claimed IOS but failed authentication
000532: Feb 7 03:40:33.576: ISAKMP (0:2241): Unknown Input IKE_MESG_FROM_IPSEC,
IKE_PHASE2_DEL: state = IKE_XAUTH_REQ_SENT
000533: Feb 7 03:40:33.580: ISAKMP (0:2241): Unknown Input IKE_MESG_FROM_IPSEC,
IKE_PHASE2_DEL: state = IKE_XAUTH_REQ_SENT
000534: Feb 7 03:40:34.624: ISAKMP (0/2241): Unknown Attr: MODECFG_HOSTNAME (0x
700A)
000535: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000536: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000537: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000538: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000539: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000540: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000541: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000542: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000543: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000544: Feb 7 03:40:35.168: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000545: Feb 7 03:40:35.172: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000546: Feb 7 03:40:35.172: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000547: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000548: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000549: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000550: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000551: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000552: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000553: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000554: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000555: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000556: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000557: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
000558: Feb 7 03:40:35.196: ISAKMP:(2241): IPSec policy invalidated proposal wi
th error 256
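An added example, not from the thread: one way to condense debug output like the above, by rejoining the terminal-wrapped lines and counting message classes per ISAKMP SA id. The sample lines are in the same shape as the log above; the class names and function names are labels chosen for this example.

```python
import re
from collections import Counter

# Sample lines shaped like the debug output above: IOS sequence number,
# timestamp, message, with long lines broken at the terminal width.
SAMPLE = """\
000453: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000454: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
3
000455: Feb 7 03:40:25.084: ISAKMP:(0):Encryption algorithm offered does not ma
tch policy!
000456: Feb 7 03:40:25.084: ISAKMP:(0):atts are not acceptable. Next payload is
3
000477: Feb 7 03:40:25.112: ISAKMP:(0): claimed IOS but failed authentication
000478: Feb 7 03:40:25.680: ISAKMP (0:2240): Unknown Input IKE_MESG_FROM_IPSEC,
IKE_PHASE2_DEL: state = IKE_XAUTH_REQ_SENT
000482: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
000483: Feb 7 03:40:27.276: ISAKMP:(2240): IPSec policy invalidated proposal wi
th error 256
"""

# A new log entry starts with a six-digit sequence number and a timestamp.
ENTRY = re.compile(r"^(\d{6}): (\w{3}\s+\d{1,2}\s+[\d:.]+): (.*)$")
# Matches ISAKMP:(0), ISAKMP:(2240), ISAKMP (0:2240) and ISAKMP (0/2241).
SA_ID = re.compile(r"ISAKMP\s*:?\s*\((?:0[:/])?(\d+)\)")

# Needles are written without spaces: a rejoined wrapped line can lose the
# space that sat at the wrap column, so matching ignores whitespace.
CLASSES = [
    ("phase1_encr_mismatch", "Encryptionalgorithmoffereddoesnotmatchpolicy"),
    ("phase1_attrs_rejected", "attsarenotacceptable"),
    ("phase1_auth_failed", "failedauthentication"),
    ("unknown_input_xauth_state", "state=IKE_XAUTH_REQ_SENT"),
    ("phase2_proposal_rejected", "IPSecpolicyinvalidatedproposal"),
    ("ike_bad_message", "IKMP_BAD_MESSAGE"),
    ("esp_invalid_spi", "RECVD_PKT_INV_SPI"),
]


def unwrap(text):
    """Join wrapped continuation lines back onto the entry they belong to."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "time": m.group(2), "msg": m.group(3)})
        elif entries:
            # The wrap usually falls mid-word, so join without a separator.
            entries[-1]["msg"] += line
    return entries


def classify(msg):
    """Return the first matching class label, comparing with whitespace removed."""
    squashed = re.sub(r"\s+", "", msg)
    for label, needle in CLASSES:
        if needle in squashed:
            return label
    return "other"


def sa_id(msg):
    """Return the SA id printed by IOS on the line, or None if there is none."""
    m = SA_ID.search(msg)
    return int(m.group(1)) if m else None


def summarize(text):
    """Count entries per (SA id, message class)."""
    return Counter((sa_id(e["msg"]), classify(e["msg"])) for e in unwrap(text))


def report(text):
    """Return one line per (SA id, class), most frequent first."""
    return [f"sa={sa} {label}: {n}" for (sa, label), n in summarize(text).most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run over a full capture, the per-SA counts show at a glance whether the noise is phase 1 proposal mismatches, phase 2 proposal rejections, or Xauth state messages.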
ASKER
Hello Bro,
Can you please look http://www.networking-forum.com/viewtopic.php?p=42943
somebody said in above link you may need to configure a route map defining the tunnel traffic instead of an access list. You will need to configure the routemap with the "set interface" command to route your traffic through the loopback.
It's because the routing table sends the traffic straight out the appropriate interface which doesn't have the crypto map applied and the traffic isn't getting encrypted.
Can you suggest, I am not getting him
Please help
ASKER
Anyone Help me please
do you have ntp set up?
Try this
Router#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**16
reference time is D100F57F.A2AAFA6D (12:03:11.635 UK Sat Feb 12 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
The output below shows that my router is time synced.
This is important if you are using a vpn tunnel.
conf t
ntp master
ntp server <ip or dns of a time server all your routers can reach>
Greg
ASKER
Bro we have setup this on My Router
coinop-uc520#sh ntp sta
coinop-uc520#sh ntp status
Clock is synchronized, stratum 8, reference is 127.127.7.1
nominal freq is 250.0000 Hz, actual freq is 249.9897 Hz, precision is 2**18
reference time is D10108F7.7667B9EA (22:26:15.462 WST Sat Feb 12 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec
coinop-uc520#
One silly question? Please don't mind.
What is the relation of NTP with my issue?
I had a quick look at your configs and I did not see anything after the ACLs, so I thought this could have been missed...
I just googled for isakmp time skew and got the below link
http://kb.syneto.net/entry/54/
•There is a large time skew between the two tunnel endpoints; solution: configure NTP on both machines.
•The Syneto acting as CA might have a time skew; solution: configure NTP on both machines.
there is some other stuff on there which might be useful.
Greg
ASKER
Thanks for reply,
I removed everything after the ACLs in my attached config because I thought that part was not necessary. If you need it, I can post the full config.
Vikrant
I would remove all the vpn config and start again on all the routers.
Looks like there is plenty of stuff in there you are not using.
Also this is very easy to redo with the SDM web GUI.
Are you able to drop the routers for an hour or two?
Greg
Also are you able to get remote access to the routers if you do break the vpn...
Greg
ASKER
Yes Bro,
I have All, Bro I can remove all stuff abt VPN through CLI
I can Manage It, But I am Only using CLI mode not using SDM
Thanks
VIkrant
having a look at the hub config
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
mode transport <<here
!
crypto ipsec profile DMVPN
set transform-set DMVPN
I would remove the mode transport from all your routers.
Greg
ASKER
You mean
No crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
&
no crypto ipsec profile DMVPN
bro but this is for DMVPN
anyway I am doing try
ASKER
Sorry for above comment
u mean I need to remove only mode transport from crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
Am i correct ?
yes
conf t
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
no mode transport
ASKER
Ok Bro Done this
ASKER
Bro,
Do we need any output for getting Status ?
Vikrant
now to wait to see if it fixes the problem...
how long before we know?
Greg
ASKER
Ok Bro,
Lots of thanks, I will inform you
ASKER
Bro,
I am getting CrashInfo in remote router, Can you please check if any serious Issue.
Sometime router reboot automatic.
Regards
crashinfo-20110214-055549
ASKER
Bro
also
got this error today
%CRYPTO-4-IKMP_BAD_MESSAGE : IKE message from XX.XX.XX.XX failed its sanity check or is malformed
From
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_tech_note09186a00800a65d1.shtml
Spurious Accesses
Spurious access is an attempt by Cisco IOS software to access memory in a restricted location. An example of system log output for a spurious access is shown below:
%ALIGN-3-SPURIOUS: Spurious memory access made at 0x60968C44 reading 0x0
%ALIGN-3-TRACE: -Traceback= 60968C44 60269808 602389D8 00000000 00000000 00000000
00000000 00000000
Cause
A spurious access occurs when a process attempts to read from the lowest 16 KB region of memory. This portion of memory is reserved and should never be accessed. A read operation to this region of memory is usually caused when a nonexisting value is returned to a function in the software, or in other words, when a null pointer is passed to a function.
Cisco IOS Software Handling
Depending on the platform, Cisco IOS software handles spurious accesses differently. On platforms where this is possible, the Cisco IOS software code handles these invalid accesses by returning a value of zero and recording the event. If this is not supported on the platform, then the router will crash with a SegV error. Since any spurious access is inappropriate, spurious accesses always point to a bug.
From your crashinfo
========= Show Alignment =============================
Alignment data for:
C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Compiled Wed 29-Apr-09 05:52 by prod_rel_team
Total Spurious Accesses 4, Recorded 4
I am guessing that the crypto commands you have in your router which are not being used are making this worse.
Are you able to sit next to this router and rebuild from the start.
Maybe, not 100% sure these commands are not needed
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
to remove these commands i would issue a router reload first and then remove the commands
that way if the commands are in use the router reloads and you have your old config back...
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1360 <<<<<<this is just WRONG and may be creating an issue
should be
ip tcp adjust-mss 1452 <<<<<<is the same as the mtu-40
but I don't think it's needed
here is some good reading about mtu and tunnels from
http://www.tek-tips.com/viewthread.cfm?qid=784463
I think Dulem is on the right path. I ran into a similar problem a while back. Some of the PCs were able to get through the GRE tunnel while others couldn't. Yes, it was always the same PCs. The problem turned out to be the MTU size of the packet. I'm not sure how you're connecting to the internet, but I'll assume it's a DSL connection (it doesn't really matter). I don't know if you're using IPSec, but I'll assume so. And you have a GRE tunnel established through the IPsec tunnel (typically set up). With all these "tunnels" set up, the overhead added to the packet will exceed the allowable size to be transported across the network. If you're using a Cisco router with the right IOS, you can force the MTU size of all the traffic coming from an interface. Use the following command:
interface FastEthernet 0/0
ip tcp adjust-mss 1360
Notice that this command is applied to the interface on the LAN, not the tunnel (do this on both sides).
This is one approach. The other is to manually set the MTU size on each PC (using an application like DrTCP, but there are literally tons of these types of apps out there).
Hope this helps...
I would also remove the command from the vlan1 or change it to match the interface Dialer0.
Greg
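An added worked example, not part of the thread or any poster's code: the packet-size arithmetic behind the `ip mtu` and `ip tcp adjust-mss` values discussed above, for GRE with a tunnel key protected by the `esp-3des esp-md5-hmac` transform set. The header sizes are the standard protocol sizes; the 1400-byte tunnel `ip mtu` is taken from the spoke config posted in this thread, and treating 1492 as the limiting path MTU, and the optional NAT traversal header, are assumptions of the example.

```python
IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options
GRE_HDR = 4 + 4   # base GRE header plus the 4-byte tunnel key
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 8        # 3DES-CBC IV (one 8-byte block)
ESP_BLOCK = 8     # 3DES block size; plaintext is padded to a multiple of it
ESP_TRAILER = 2   # pad-length and next-header bytes
ESP_ICV = 12      # HMAC-MD5-96 integrity check value
NATT_UDP = 8      # UDP header added when ESP is NAT-traversal encapsulated


def esp_size(plaintext_len):
    """Size of the ESP header, IV, padded ciphertext and ICV for a payload."""
    unpadded = plaintext_len + ESP_TRAILER
    padded = -(-unpadded // ESP_BLOCK) * ESP_BLOCK  # round up to the block size
    return ESP_HDR + ESP_IV + padded + ESP_ICV


def wire_size(inner_ip_len, mode, nat_t=False):
    """Bytes on the wire for one inner IP packet sent through the GRE/IPsec tunnel."""
    gre_packet = GRE_HDR + inner_ip_len
    if mode == "transport":
        # ESP is inserted after the GRE delivery IP header; only GRE is protected.
        protected = gre_packet
    elif mode == "tunnel":
        # The whole GRE/IP packet is protected and a new outer IP header is added.
        protected = IP_HDR + gre_packet
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    return IP_HDR + (NATT_UDP if nat_t else 0) + esp_size(protected)


def max_inner_mtu(path_mtu, mode, nat_t=False):
    """Largest inner IP packet that still fits the path MTU without fragmentation."""
    for inner in range(path_mtu, 0, -1):
        if wire_size(inner, mode, nat_t) <= path_mtu:
            return inner
    return 0


def tcp_mss(ip_mtu):
    """TCP MSS that keeps a full segment within the given IP MTU."""
    return ip_mtu - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for nat_t in (False, True):
            print(mode, "nat-t" if nat_t else "plain",
                  "wire size for 1400-byte inner packet:", wire_size(1400, mode, nat_t),
                  "max inner MTU on a 1492 path:", max_inner_mtu(1492, mode, nat_t))
    print("MSS for ip mtu 1492:", tcp_mss(1492))
    print("MSS for ip mtu 1400:", tcp_mss(1400))
```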
ASKER
Ok Bro,
Should be remove from Spoke or HUB or both
I was looking at the spoke.
however I would remove the crypto commands from the one local to you.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
once that is removed on the local router and it stays working, i would remove from the remote one.
i think its
reload in 30
but i am not next to a router.
Also the mtu commands may force an interface reset.
Greg
ASKER
Hi Bro,
I removed from the local router & it's working fine. I also rebooted the local router; after the reboot the VPN is fine,
But I got the below error on the HUB router after rebooting the local router
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /XX.XX.XX.XX, src_addr= XX.XX.XX.XX, prot= 47
ASKER
did you also change the mtu settings?
Can you paste a copy of the router configs with passwords removed.
interface Vlan2
description -= ISP 2 =-
ip address 192.168.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto ipsec client ezvpn AustraliaVPN
What are you using that for?
Are you trying to use dmvpn or ezvpn...
Greg
ASKER
Not sure which are in use
Router#sh run
Building configuration...
Current configuration : 6971 bytes
!
! Last configuration change at 05:16:28 UTC Tue Feb 15 2011 by admin
! NVRAM config last updated at 04:59:14 UTC Tue Feb 15 2011 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable password 7 XXXXXXXXXXXXXXX
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2149300000
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2149300000
revocation-check none
rsakeypair TP-self-signed-2149300000
!
!
crypto pki certificate chain TP-self-signed-2149300000
certificate self-signed 01
quit
dot11 syslog
!
dot11 ssid Coinopsolutions
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 15221E1F0C3A1D2D3B3B2323425037
!
dot11 ssid coinopsolutions
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 15221E1F0C3A3D2D3B3B23234250
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.1 192.168.4.25
!
ip dhcp pool LAN-POOL
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
dns-server 192.168.4.1
lease 0 2
!
!
ip name-server 202.54.10.2
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 20
authentication pre-share
lifetime 28800
crypto isakmp key DMVPN_STR0NG_K3Y address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120
!
!
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile DMVPN
set transform-set DMVPN
!
!
!
crypto ipsec client ezvpn AustraliaVPN
connect auto
group EZVPN_GROUP_1 key Coinopsolutions.com
mode network-extension
peer 58.108.208.65
username XXXXXXXXXXXXXXX password XXXXXXXXXXXXXXX
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Loopback0
no ip address
!
interface Loopback1
no ip address
!
interface Tunnel0
description -= DMVPN =-
ip address 10.91.255.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_A
ip nhrp map multicast 58.108.208.65
ip nhrp map 10.91.255.1 58.108.208.65
ip nhrp network-id 91
ip nhrp holdtime 600
ip nhrp nhs 10.91.255.1
ip nhrp registration no-unique
delay 1000
tunnel source Vlan2
tunnel mode gre multipoint
tunnel key 91
tunnel protection ipsec profile DMVPN
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
description -= ISP 2 =-
switchport access vlan 2
spanning-tree portfast
!
interface Dot11Radio0
no ip address
ip nat inside
ip virtual-reassembly
!
encryption vlan 1 mode ciphers tkip
!
ssid Coinopsolutions
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ES_LAN$
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
description -= ISP 2 =-
ip address 192.168.0.254 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto ipsec client ezvpn AustraliaVPN
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXXXX
ppp chap password 7XXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX
!
interface Dialer1
no ip address
!
interface BVI1
ip address 192.168.4.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn AustraliaVPN inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.8.0 255.255.255.0 192.168.2.1
ip route 192.168.8.0 255.255.255.0 10.91.255.2
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list ToNAT interface Vlan2 overload
!
ip access-list extended ToNAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.4.0 0.0.3.255 any
ip access-list extended acl_vpn
permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 XXXXXXXXXXXXXXX
login local
no modem enable
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXX
login local
!
scheduler max-task-time 5000
sntp server 120.88.46.10
end
ASKER
I removed ezvpn from the spoke router. All is working fine, but I am getting the same error on the HUB router after rebooting the spoke
if you remove the ezvpn from spoke then it will lose its nat outside interface.
Please check that the computers on that site can access the internet...
Greg
Are you happy that people at the remote site use their internet connection to access the internet or do you have a managed solution at the hub site?
ASKER
Bro Internet is working fine in LAN from spoke Router
ASKER
But getting timeouts if I ping another spoke from my laptop
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Vikrant>ping 192.168.8.13 -t
Pinging 192.168.8.13 with 32 bytes of data:
Request timed out.
Reply from 192.168.8.13: bytes=32 time=711ms TTL=125
Reply from 192.168.8.13: bytes=32 time=720ms TTL=125
Reply from 192.168.8.13: bytes=32 time=746ms TTL=125
Reply from 192.168.8.13: bytes=32 time=742ms TTL=125
Reply from 192.168.8.13: bytes=32 time=741ms TTL=125
Reply from 192.168.8.13: bytes=32 time=801ms TTL=125
Reply from 192.168.8.13: bytes=32 time=813ms TTL=125
Reply from 192.168.8.13: bytes=32 time=691ms TTL=125
Reply from 192.168.8.13: bytes=32 time=717ms TTL=125
Reply from 192.168.8.13: bytes=32 time=816ms TTL=125
Reply from 192.168.8.13: bytes=32 time=705ms TTL=125
Reply from 192.168.8.13: bytes=32 time=685ms TTL=125
Reply from 192.168.8.13: bytes=32 time=704ms TTL=125
Reply from 192.168.8.13: bytes=32 time=762ms TTL=125
Reply from 192.168.8.13: bytes=32 time=735ms TTL=125
Reply from 192.168.8.13: bytes=32 time=843ms TTL=125
Reply from 192.168.8.13: bytes=32 time=702ms TTL=125
Reply from 192.168.8.13: bytes=32 time=868ms TTL=125
Reply from 192.168.8.13: bytes=32 time=686ms TTL=125
Reply from 192.168.8.13: bytes=32 time=685ms TTL=125
Request timed out.
Reply from 192.168.8.13: bytes=32 time=696ms TTL=125
Reply from 192.168.8.13: bytes=32 time=813ms TTL=125
Reply from 192.168.8.13: bytes=32 time=689ms TTL=125
Reply from 192.168.8.13: bytes=32 time=700ms TTL=125
Reply from 192.168.8.13: bytes=32 time=698ms TTL=125
Reply from 192.168.8.13: bytes=32 time=725ms TTL=125
Reply from 192.168.8.13: bytes=32 time=791ms TTL=125
Reply from 192.168.8.13: bytes=32 time=705ms TTL=125
Request timed out.
Reply from 192.168.8.13: bytes=32 time=672ms TTL=125
Reply from 192.168.8.13: bytes=32 time=694ms TTL=125
Reply from 192.168.8.13: bytes=32 time=677ms TTL=125
Reply from 192.168.8.13: bytes=32 time=1930ms TTL=125
Reply from 192.168.8.13: bytes=32 time=808ms TTL=125
Request timed out.
Reply from 192.168.8.13: bytes=32 time=695ms TTL=125
Reply from 192.168.8.13: bytes=32 time=697ms TTL=125
Reply from 192.168.8.13: bytes=32 time=713ms TTL=125
Reply from 192.168.8.13: bytes=32 time=693ms TTL=125
Reply from 192.168.8.13: bytes=32 time=679ms TTL=125
Reply from 192.168.8.13: bytes=32 time=709ms TTL=125
Reply from 192.168.8.13: bytes=32 time=706ms TTL=125
Reply from 192.168.8.13: bytes=32 time=724ms TTL=125
Reply from 192.168.8.13: bytes=32 time=696ms TTL=125
Reply from 192.168.8.13: bytes=32 time=673ms TTL=125
ASKER
One more thing: the Dialer interface is not my WAN interface.
We are getting internet from a DSL modem; it is plugged into fa3, which means my WAN interface is VLAN 2.
I think getting trouble for understand,
sorry to say
Regards
Vikrant
Great
Now to remove ezvpn from hub?
Is anything else using it?
Greg
ASKER
Bro, can't remove EZVPN because we are using it when we are on tour,
we connect to EZVPN through dialup
Bro, please look above. We are getting timeouts if I ping another spoke from my laptop
Why are the ping times so high?
Can you traceroute them please
Greg
Ok but the EZVPN is not being used by anything else at the moment so it will not cause any issues right?
And it only needs to be set up on the hub?
Greg
ASKER
Which Ip Public or local ?
ASKER
Yes Bro,
EZVPN is not used by anything at the moment ?
If you traceroute the local IP we can see if you are fully meshed or not.
The dmvpn is supposed to mesh all routers. If the trace goes through the hub it is not working correctly.
To configure mine, i use eigrp and let the router do the work.
If you do a show ip route it will also give us the info we need.
Greg
ASKER
Now I hope we will fix this issue, I just did a little happy
please check below is from router also check in code that is from Laptop
Router#traceroute 192.168.8.13
Type escape sequence to abort.
Tracing the route to 192.168.8.13
1 10.91.255.1 580 msec 616 msec 648 msec
2 10.91.255.2 724 msec 688 msec 680 msec
3 192.168.8.13 688 msec 720 msec 700 msec
Router#sh ip
Router#sh ip rou
Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
S 192.168.8.0/24 [1/0] via 192.168.2.1
[1/0] via 10.91.255.2
C 192.168.4.0/24 is directly connected, BVI1
10.0.0.0/24 is subnetted, 3 subnets
S 10.10.10.0 [1/0] via 10.91.255.2
[1/0] via 10.1.1.1
S 10.1.1.0 [1/0] via 10.91.255.1
C 10.91.255.0 is directly connected, Tunnel0
C 192.168.0.0/24 is directly connected, Vlan2
S 192.168.2.0/24 [1/0] via 10.91.255.1
S* 0.0.0.0/0 [1/0] via 192.168.0.1
Router#
C:\Users\Vikrant>tracert 192.168.8.13
Tracing route to WAREHOUSE1 [192.168.8.13]
over a maximum of 30 hops:
1 11 ms 4 ms 6 ms 192.168.4.1
2 620 ms 599 ms 667 ms 10.91.255.1
3 * 703 ms 690 ms 10.91.255.2
4 698 ms 715 ms 699 ms WAREHOUSE1 [192.168.8.13]
Trace complete.
Working backwards
interface Tunnel0
description -= DMVPN =-
ip address 10.91.255.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_A
ip nhrp map multicast 58.108.208.65
ip nhrp map 10.91.255.1 58.108.208.65
ip nhrp network-id 91
ip nhrp holdtime 600
ip nhrp nhs 10.91.255.1
ip nhrp registration no-unique
delay 1000
tunnel source Vlan2
tunnel mode gre multipoint
tunnel key 91
tunnel protection ipsec profile DMVPN <<<<< this is the profile
crypto ipsec profile DMVPN <<<<< this is the profile
set transform-set DMVPN <<<<< not too useful that this has the same name as above
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac Is the transform set used by the line above.
the rest is not being used if you don't want the ezvpn to access the spoke directly.
This is how i have mine configured.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set COMP esp-des esp-md5-hmac comp-lzs
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA COMP
Greg
As I don't fully know your topology, did that use the best route...
If it did, can you try a pathping from Windows.
it will ping every hop and should tell us where we are losing the packets.
Greg
ASKER
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set COMP esp-des esp-md5-hmac comp-lzs
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA COMP
Should this be used on the spoke only, or on both?
that would be used on both.
Greg
ASKER
Can you please check Path Ping
C:\Users\Vikrant>pathping 192.168.8.1
Tracing route to 192.168.8.1 over a maximum of 30 hops
0 Vikrant-PC.mshome.net [192.168.4.29]
1 192.168.4.1
2 10.91.255.1
3 192.168.8.1
Computing statistics for 75 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 Vikrant-PC.mshome.net [192.168.4.2
9]
0/ 100 = 0% |
1 1ms 0/ 100 = 0% 0/ 100 = 0% 192.168.4.1
3/ 100 = 3% |
2 632ms 4/ 100 = 4% 1/ 100 = 1% 10.91.255.1
0/ 100 = 0% |
3 728ms 3/ 100 = 3% 0/ 100 = 0% 192.168.8.1
Trace complete.
C:\Users\Vikrant>
192.168.4.1 3/ 100 = 3% |
I think you are losing packets to your default gateway.
Are you using wireless?
Greg
I'm not 100% sure that pasted into the window correctly.
Can you ping 192.168.4.1 -t and see if you are losing any packets...
Greg
ASKER
Yes, I am on wireless
But I have not lost any packets if I ping the router
Do you need my topology diagram?
Also below is the output from a system which is connected to the Spoke through a LAN cable
C:\Users\Satish>pathping 192.168.8.13
Tracing route to WAREHOUSE1 [192.168.8.13]
over a maximum of 30 hops:
0 Satish-PC.mshome.net [192.168.4.26]
1 192.168.4.1
2 10.91.255.1
3 10.91.255.2
4 WAREHOUSE1 [192.168.8.13]
Computing statistics for 100 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 Satish-PC.mshome.net [192.168.4.26
]
0/ 100 = 0% |
1 1ms 0/ 100 = 0% 0/ 100 = 0% 192.168.4.1
4/ 100 = 4% |
2 629ms 6/ 100 = 6% 2/ 100 = 2% 10.91.255.1
0/ 100 = 0% |
3 719ms 4/ 100 = 4% 0/ 100 = 0% 10.91.255.2
0/ 100 = 0% |
4 782ms 4/ 100 = 4% 0/ 100 = 0% WAREHOUSE1 [192.168.8.13]
Trace complete.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Vikrant>ping 192.168.4.1 -t
Pinging 192.168.4.1 with 32 bytes of data:
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=5ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=2ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=4ms TTL=255
Reply from 192.168.4.1: bytes=32 time=2ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=2ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=3ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=5ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
interface Tunnel0
description -= DMVPN =-
ip address 10.91.255.3 255.255.255.0 < this is your router
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_A
ip nhrp map multicast 58.108.208.65
ip nhrp map 10.91.255.1 58.108.208.65 < this is your hub
0 Satish-PC.mshome.net [192.168.4.26]
1 192.168.4.1
2 10.91.255.1
3 10.91.255.2
4 WAREHOUSE1 [192.168.8.13]
the packets are going through the hub..
this is not configured correctly.
I would remove the static routes and add this
router eigrp 1
network 192.168.4.0 0.0.0.255
network 10.91.255.0 0.0.0.255
no auto-summary
this would need to be set up on every router.
If a router has a network attached to it then on that router you need the command
router eigrp 1
network 10.91.255.0 0.0.0.255 < this is the vpn and is on all routers
network 192.168.4.0 0.0.0.255 < this is a local network to the router. EIGRP will advertise this to the other routers.
As to why you are dropping packets, I would need to see both configs without passwords again please.
Greg
ASKER
coinop-uc520(config)#route r eigrp 1
Protocol not in this image
Not sure if HUB router is not supported
ASKER
IS it possible to use any other protocol ?
can you use ospf?
Greg
ASKER
Same bro, Strange for me
coinop-uc520(config)#route r ospf 1
Protocol not in this image
coinop-uc520(config)#
also same for RIP
I am not sure
ASKER
Hello Bro,
All is fine now between spoke 1 & hub. Just having an issue from Spoke 2, where I am, meaning from India. All is fine between Perth & Melbourne, but getting packets lost from India.
Please see the attached diagram to know my network.
Bro, You've got me like GOD, I'll never forget this favor of you. Actually I don't have that much experience in networking, I just started my career in this field 2 years ago, you are really great.
How long have you been working in networking?
Vikrant
3-Network.jpg
From-HUB-2-Spoke-1.txt
From-Spoke2-to-HUB.txt
ASKER
One more question,
Can we configure India & Melbourne direct without HUB means Perth ?
yes we need to set up static routes.
I will have a look tonight as busy at the moment.
Greg
Just to check, do all three sites have static IP addresses?
And if they do, what are they.
Greg
interface Tunnel0
description -= DMVPN =-
ip address 10.91.255.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_A
ip nhrp map multicast 58.108.208.65
ip nhrp map 10.91.255.1 58.108.208.65
we can add more into this if you have static ip's
ip nhrp map <local ip> <outside ip>
then we can add ip routes using the local ip
Greg
ASKER
Bro,
We have a static IP only in Perth; the rest of the sites have dynamic IPs.
We have configured static routes as per below. Please let me know if anything is wrong.
Perth(192.168.2.0 & 10.1.1.1)
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.4.0 255.255.255.0 10.91.255.3
ip route 192.168.8.0 255.255.255.0 10.91.255.2
India(192.168.4.0/24)
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.254.0 Dialer0
ip route 192.168.8.0 255.255.255.0 192.168.2.1
ip route 192.168.8.0 255.255.255.0 10.91.255.2
Melbourne (192.168.8.0/24 & 10.10.10.0)
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 10.1.1.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
India(192.168.4.0/24)
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1 <this is wrong
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.254.0 Dialer0 < this is local,no route required
ip route 192.168.8.0 255.255.255.0 192.168.2.1 <this is wrong
ip route 192.168.8.0 255.255.255.0 10.91.255.2
Melbourne (192.168.8.0/24 & 10.10.10.0)
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 192.168.2.1 <this is wrong
ip route 192.168.4.0 255.255.255.0 10.1.1.1 <this is wrong
ip route 192.168.4.0 255.255.255.0 10.91.255.3
Does that make sense ?
Greg
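Added example, not part of the original thread: a small audit that flags the same static-route lines annotated in the reply above, namely a next hop that is not on a directly connected network and a route for a prefix that is already local. The India connected networks come from the `show ip route` output earlier in the thread; the Melbourne connected networks are an assumption built from the site labels, and the function and variable names are hypothetical.

```python
import ipaddress
import re

# "ip route <prefix> <mask> <next-hop IP or exit interface>"
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")

# India spoke: connected networks as listed in its "show ip route" output.
INDIA_CONNECTED = ["192.168.4.0/24", "10.91.255.0/24", "192.168.0.0/24"]
INDIA_ROUTES = """\
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 10.10.10.0 255.255.255.0 10.1.1.1
ip route 10.10.10.0 255.255.255.0 10.91.255.2
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.254.0 Dialer0
ip route 192.168.8.0 255.255.255.0 192.168.2.1
ip route 192.168.8.0 255.255.255.0 10.91.255.2
"""

# Melbourne spoke: connected networks ASSUMED from the site label in the
# thread (192.168.8.0/24 and 10.10.10.0/24) plus the DMVPN tunnel subnet.
MELBOURNE_CONNECTED = ["192.168.8.0/24", "10.10.10.0/24", "10.91.255.0/24"]
MELBOURNE_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.91.255.1
ip route 192.168.2.0 255.255.255.0 10.91.255.1
ip route 192.168.4.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 10.1.1.1
ip route 192.168.4.0 255.255.255.0 10.91.255.3
"""


def audit_static_routes(config_text, connected):
    """Return (route_line, finding) pairs for suspicious static routes.

    Two heuristics are applied:
      1. The destination overlaps a directly connected network, so the
         static route is redundant or shadows the local subnet. The
         default route (prefix length 0) is exempt.
      2. The next hop is an IP address that is not on any connected
         network, so the route only resolves recursively through
         another route instead of pointing at a tunnel peer.
    """
    nets = [ipaddress.ip_network(n) for n in connected]
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix, mask, target = m.groups()
        dest = ipaddress.ip_network(f"{prefix}/{mask}", strict=False)

        if dest.prefixlen > 0:
            local = [n for n in nets if dest.overlaps(n)]
            if local:
                findings.append(
                    (line, f"destination overlaps connected network {local[0]}")
                )
                continue

        try:
            hop = ipaddress.ip_address(target)
        except ValueError:
            continue  # target is an exit interface name, nothing more to check

        if not any(hop in n for n in nets):
            findings.append(
                (line, f"next hop {hop} is not on a connected network")
            )
    return findings


if __name__ == "__main__":
    for site, routes, connected in (
        ("India", INDIA_ROUTES, INDIA_CONNECTED),
        ("Melbourne", MELBOURNE_ROUTES, MELBOURNE_CONNECTED),
    ):
        print(site)
        for line, finding in audit_static_routes(routes, connected):
            print(f"  {line}  <-- {finding}")
```

The overlap check is a heuristic: a deliberate summary route that covers a connected subnet would also be reported and needs a manual look.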
ASKER
Ok Bro,
This is the first time that I did not get any error. All is working fine, just need to fix the ping time from Spoke 2.
OK, I will fix as per your suggestion. Just please let me know: you made corrections only in India & Melbourne, so is the Perth configuration fine regarding routes?
Vik
ASKER
Hi Dear,
I don't think the issue is solved. I am just thinking it may be an issue with my ISP. If I ping google.com it works normally, but if I ping my Perth static IP the ping times get very high. I also ran tracert to that IP, and it seems data is going via US & Singapore to AU. Not sure why my ISP is using a US server.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Vikrant>ping google.com
Pinging google.com [209.85.153.104] with 32 bytes of data:
Reply from 209.85.153.104: bytes=32 time=94ms TTL=51
Reply from 209.85.153.104: bytes=32 time=305ms TTL=51
Reply from 209.85.153.104: bytes=32 time=203ms TTL=51
Reply from 209.85.153.104: bytes=32 time=151ms TTL=51
Ping statistics for 209.85.153.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 94ms, Maximum = 305ms, Average = 188ms
C:\Users\Vikrant>ping 58.108.208.65
Pinging 58.108.208.65 with 32 bytes of data:
Reply from 58.108.208.65: bytes=32 time=662ms TTL=231
Reply from 58.108.208.65: bytes=32 time=678ms TTL=231
Reply from 58.108.208.65: bytes=32 time=616ms TTL=231
Reply from 58.108.208.65: bytes=32 time=627ms TTL=231
Ping statistics for 58.108.208.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 616ms, Maximum = 678ms, Average = 645ms
C:\Users\Vikrant>tracert 58.108.208.65
Tracing route to 58.108.208.65.optusnet.com.au [58.108.208.65]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 192.168.4.1
2 3 ms 2 ms 2 ms 192.168.0.1
3 201 ms 127 ms 78 ms 115.108.160.1.static-Nagpur.vsnl.net.in [115.108.160.1]
4 163 ms 84 ms 59 ms 172.31.44.225
5 117 ms 88 ms 96 ms 172.31.44.221
6 100 ms 162 ms 95 ms 172.31.44.222
7 88 ms 90 ms 90 ms 172.31.70.21
8 609 ms 248 ms 120 ms 172.31.8.210
9 82 ms 92 ms 81 ms 172.31.45.229
10 79 ms 88 ms 218 ms 172.31.16.209
11 157 ms 97 ms 89 ms 172.31.1.65
12 118 ms 189 ms 96 ms 203.197.13.2.static.vsnl.net.in [203.197.13.2]
13 137 ms 135 ms 157 ms 59.163.16.54.static.vsnl.net.in [59.163.16.54]
14 170 ms 151 ms 144 ms 59.163.16.54.static.vsnl.net.in [59.163.16.54]
15 153 ms 137 ms 137 ms if-1-0-0-101.core1.CFO-Chennai.as6453.net [116.0.79.9]
16 315 ms 532 ms 440 ms if-1-0-0-0.tcore1.CXR-Chennai.as6453.net [180.87.36.13]
17 363 ms 448 ms 317 ms if-3-3.tcore2.CXR-Chennai.as6453.net [180.87.36.6]
18 334 ms 319 ms 340 ms if-5-2.tcore2.SVW-Singapore.as6453.net [180.87.15.69]
19 457 ms 447 ms 369 ms if-7-2.tcore2.LVW-LosAngeles.as6453.net [180.87.15.26]
20 543 ms 394 ms 349 ms 209.58.53.14
21 648 ms 546 ms 571 ms 203.208.191.6
22 640 ms 656 ms 663 ms bla2-ge3-0.gw.optusnet.com.au [211.29.125.250]
23 629 ms 600 ms 619 ms sun2-ge0-1-0-904.gw.optusnet.com.au [211.29.125.81]
24 609 ms 600 ms 584 ms per2-ge5-0-0-909.gw.optusnet.com.au [211.29.125.213]
25 588 ms 616 ms 577 ms per800-e2-1.ba.optusnet.com.au [198.142.7.254]
26 594 ms 598 ms 609 ms 58.108.208.65.optusnet.com.au [58.108.208.65]
Trace complete.
C:\Users\Vikrant>
I don't think issue solved, I just thinking may issue with my ISP, If i ping google.com it's working Normal but if i ping my Perth Static IP that time ping times will get so high & also I tracert Ping IP, it's seems data is going via US & Singapur to AU, Not sure why my ISP is unsing US server
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Vikrant>ping google.com
Pinging google.com [209.85.153.104] with 32 bytes of data:
Reply from 209.85.153.104: bytes=32 time=94ms TTL=51
Reply from 209.85.153.104: bytes=32 time=305ms TTL=51
Reply from 209.85.153.104: bytes=32 time=203ms TTL=51
Reply from 209.85.153.104: bytes=32 time=151ms TTL=51
Ping statistics for 209.85.153.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 94ms, Maximum = 305ms, Average = 188ms
C:\Users\Vikrant>ping 58.108.208.65
Pinging 58.108.208.65 with 32 bytes of data:
Reply from 58.108.208.65: bytes=32 time=662ms TTL=231
Reply from 58.108.208.65: bytes=32 time=678ms TTL=231
Reply from 58.108.208.65: bytes=32 time=616ms TTL=231
Reply from 58.108.208.65: bytes=32 time=627ms TTL=231
Ping statistics for 58.108.208.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 616ms, Maximum = 678ms, Average = 645ms
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=541ms TTL=126
Reply from 192.168.8.13: bytes=32 time=579ms TTL=126
Reply from 192.168.8.13: bytes=32 time=568ms TTL=126
Reply from 192.168.8.13: bytes=32 time=690ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=582ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=648ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=604ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=621ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=573ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=660ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=662ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=701ms TTL=126
Reply from 192.168.8.13: bytes=32 time=576ms TTL=126
Reply from 192.168.8.13: bytes=32 time=595ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=565ms TTL=126
Reply from 192.168.8.13: bytes=32 time=530ms TTL=126
Reply from 192.168.8.13: bytes=32 time=558ms TTL=126
Reply from 192.168.8.13: bytes=32 time=1896ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=583ms TTL=126
Reply from 192.168.8.13: bytes=32 time=634ms TTL=126
Reply from 192.168.8.13: bytes=32 time=569ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=585ms TTL=126
Reply from 192.168.8.13: bytes=32 time=530ms TTL=126
Reply from 192.168.8.13: bytes=32 time=632ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=537ms TTL=126
Reply from 192.168.8.13: bytes=32 time=540ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=609ms TTL=126
Reply from 192.168.8.13: bytes=32 time=579ms TTL=126
Reply from 192.168.8.13: bytes=32 time=646ms TTL=126
Reply from 192.168.8.13: bytes=32 time=647ms TTL=126
Reply from 192.168.8.13: bytes=32 time=596ms TTL=126
Reply from 192.168.8.13: bytes=32 time=591ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=547ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=572ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=569ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=530ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=613ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=536ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=611ms TTL=126
Reply from 192.168.8.13: bytes=32 time=659ms TTL=126
Reply from 192.168.8.13: bytes=32 time=603ms TTL=126
Reply from 192.168.8.13: bytes=32 time=571ms TTL=126
Reply from 192.168.8.13: bytes=32 time=619ms TTL=126
Reply from 192.168.8.13: bytes=32 time=568ms TTL=126
Reply from 192.168.8.13: bytes=32 time=619ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=572ms TTL=126
Reply from 192.168.8.13: bytes=32 time=610ms TTL=126
Reply from 192.168.8.13: bytes=32 time=609ms TTL=126
Reply from 192.168.8.13: bytes=32 time=628ms TTL=126
Reply from 192.168.8.13: bytes=32 time=1977ms TTL=126
Reply from 192.168.8.13: bytes=32 time=629ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=622ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=617ms TTL=126
Reply from 192.168.8.13: bytes=32 time=694ms TTL=126
Reply from 192.168.8.13: bytes=32 time=640ms TTL=126
Reply from 192.168.8.13: bytes=32 time=568ms TTL=126
Reply from 192.168.8.13: bytes=32 time=591ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=562ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=667ms TTL=126
Reply from 192.168.8.13: bytes=32 time=565ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=619ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=578ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=699ms TTL=126
Reply from 192.168.8.13: bytes=32 time=731ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=576ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=631ms TTL=126
Reply from 192.168.8.13: bytes=32 time=567ms TTL=126
Reply from 192.168.8.13: bytes=32 time=584ms TTL=126
Reply from 192.168.8.13: bytes=32 time=608ms TTL=126
Reply from 192.168.8.13: bytes=32 time=581ms TTL=126
Reply from 192.168.8.13: bytes=32 time=628ms TTL=126
Reply from 192.168.8.13: bytes=32 time=541ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=685ms TTL=126
Reply from 192.168.8.13: bytes=32 time=613ms TTL=126
Reply from 192.168.8.13: bytes=32 time=573ms TTL=126
Reply from 192.168.8.13: bytes=32 time=592ms TTL=126
Reply from 192.168.8.13: bytes=32 time=691ms TTL=126
Reply from 192.168.8.13: bytes=32 time=558ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=528ms TTL=126
Reply from 192.168.8.13: bytes=32 time=595ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=539ms TTL=126
Request timed out.
Reply from 192.168.8.13: bytes=32 time=636ms TTL=126
Reply from 192.168.8.13: bytes=32 time=805ms TTL=126
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=613ms TTL=126
Reply from 192.168.8.13: bytes=32 time=588ms TTL=126
Reply from 192.168.8.13: bytes=32 time=627ms TTL=126
Reply from 192.168.8.13: bytes=32 time=579ms TTL=126
Reply from 192.168.8.13: bytes=32 time=525ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=648ms TTL=126
Reply from 192.168.8.13: bytes=32 time=546ms TTL=126
Reply from 192.168.8.13: bytes=32 time=745ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=582ms TTL=126
Reply from 192.168.8.13: bytes=32 time=562ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=594ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=599ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=566ms TTL=126
Reply from 192.168.8.13: bytes=32 time=564ms TTL=126
Reply from 192.168.8.13: bytes=32 time=602ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=600ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=703ms TTL=126
Reply from 192.168.8.13: bytes=32 time=621ms TTL=126
Reply from 192.168.8.13: bytes=32 time=560ms TTL=126
Reply from 192.168.8.13: bytes=32 time=587ms TTL=126
Reply from 192.168.8.13: bytes=32 time=628ms TTL=126
Reply from 192.168.8.13: bytes=32 time=583ms TTL=126
Reply from 192.168.8.13: bytes=32 time=612ms TTL=126
Reply from 192.168.8.13: bytes=32 time=573ms TTL=126
Reply from 192.168.8.13: bytes=32 time=703ms TTL=126
Reply from 192.168.8.13: bytes=32 time=681ms TTL=126
Reply from 192.168.8.13: bytes=32 time=557ms TTL=126
Reply from 192.168.8.13: bytes=32 time=608ms TTL=126
Reply from 192.168.8.13: bytes=32 time=547ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=529ms TTL=126
Reply from 192.168.8.13: bytes=32 time=547ms TTL=126
Reply from 192.168.8.13: bytes=32 time=596ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=529ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=687ms TTL=126
Reply from 192.168.8.13: bytes=32 time=626ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=572ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=587ms TTL=126
Reply from 192.168.8.13: bytes=32 time=634ms TTL=126
Reply from 192.168.8.13: bytes=32 time=2061ms TTL=126
Reply from 192.168.8.13: bytes=32 time=508ms TTL=126
Reply from 192.168.8.13: bytes=32 time=677ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=576ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=551ms TTL=126
Reply from 192.168.8.13: bytes=32 time=531ms TTL=126
Reply from 192.168.8.13: bytes=32 time=528ms TTL=126
Reply from 192.168.8.13: bytes=32 time=559ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=583ms TTL=126
Reply from 192.168.8.13: bytes=32 time=598ms TTL=126
Reply from 192.168.8.13: bytes=32 time=562ms TTL=126
Reply from 192.168.8.13: bytes=32 time=649ms TTL=126
Reply from 192.168.8.13: bytes=32 time=697ms TTL=126
Reply from 192.168.8.13: bytes=32 time=586ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=570ms TTL=126
Reply from 192.168.8.13: bytes=32 time=631ms TTL=126
Reply from 192.168.8.13: bytes=32 time=598ms TTL=126
Reply from 192.168.8.13: bytes=32 time=546ms TTL=126
Reply from 192.168.8.13: bytes=32 time=565ms TTL=126
Reply from 192.168.8.13: bytes=32 time=617ms TTL=126
Reply from 192.168.8.13: bytes=32 time=594ms TTL=126
Reply from 192.168.8.13: bytes=32 time=523ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=574ms TTL=126
Reply from 192.168.8.13: bytes=32 time=535ms TTL=126
Reply from 192.168.8.13: bytes=32 time=552ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=561ms TTL=126
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=589ms TTL=126
Reply from 192.168.8.13: bytes=32 time=552ms TTL=126
Reply from 192.168.8.13: bytes=32 time=539ms TTL=126
Reply from 192.168.8.13: bytes=32 time=597ms TTL=126
Reply from 192.168.8.13: bytes=32 time=599ms TTL=126
Reply from 192.168.8.13: bytes=32 time=669ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=607ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=534ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=518ms TTL=126
Reply from 192.168.8.13: bytes=32 time=580ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=556ms TTL=126
Reply from 192.168.8.13: bytes=32 time=612ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=528ms TTL=126
Reply from 192.168.8.13: bytes=32 time=526ms TTL=126
Reply from 192.168.8.13: bytes=32 time=554ms TTL=126
Reply from 192.168.8.13: bytes=32 time=543ms TTL=126
Reply from 192.168.8.13: bytes=32 time=630ms TTL=126
Reply from 192.168.8.13: bytes=32 time=529ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=537ms TTL=126
Reply from 192.168.8.13: bytes=32 time=1894ms TTL=126
Reply from 192.168.8.13: bytes=32 time=548ms TTL=126
Reply from 192.168.8.13: bytes=32 time=526ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=549ms TTL=126
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=542ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=539ms TTL=126
Reply from 192.168.8.13: bytes=32 time=578ms TTL=126
Reply from 192.168.8.13: bytes=32 time=527ms TTL=126
Reply from 192.168.8.13: bytes=32 time=546ms TTL=126
Reply from 192.168.8.13: bytes=32 time=544ms TTL=126
Reply from 192.168.8.13: bytes=32 time=835ms TTL=126
Reply from 192.168.8.13: bytes=32 time=621ms TTL=126
Reply from 192.168.8.13: bytes=32 time=550ms TTL=126
Reply from 192.168.8.13: bytes=32 time=578ms TTL=126
Reply from 192.168.8.13: bytes=32 time=555ms TTL=126
Reply from 192.168.8.13: bytes=32 time=513ms TTL=126
Reply from 192.168.8.13: bytes=32 time=521ms TTL=126
Reply from 192.168.8.13: bytes=32 time=520ms TTL=126
Reply from 192.168.8.13: bytes=32 time=610ms TTL=126
Reply from 192.168.8.13: bytes=32 time=589ms TTL=126
Reply from 192.168.8.13: bytes=32 time=536ms TTL=126
Reply from 192.168.8.13: bytes=32 time=575ms TTL=126
Reply from 192.168.8.13: bytes=32 time=563ms TTL=126
Reply from 192.168.8.13: bytes=32 time=537ms TTL=126
Reply from 192.168.8.13: bytes=32 time=545ms TTL=126
Reply from 192.168.8.13: bytes=32 time=553ms TTL=126
Reply from 192.168.8.13: bytes=32 time=742ms TTL=126
Reply from 192.168.8.13: bytes=32 time=577ms TTL=126
Reply from 192.168.8.13: bytes=32 time=622ms TTL=126
As you asked about my networking experience, I have no work-related experience.
I work as a desktop support engineer.
However, I have my own Cisco routers, which are located across the world to run my family VoIP network.
Also, I started writing my own program, found at tftpterminal.co.uk, while I was studying for my CCNA.
Greg
ASKER
That's great, bro.
It is worth praising: you work as a desktop support engineer, and you have great experience in Cisco & networking.
I am very happy with you. Can you please look at my post above?
I have to agree the internet is wrong!
I would do traceroutes from each router to the other two to make sure everything works.
Can you post the output from show crypto isakmp sa from a spoke and the hub?
This should show us if the mesh is working.
Greg
ASKER
Hi,
It's working as far as I think, but I'm not 100% sure in Melbourne & India.
From Spoke 2 (India)
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
58.108.208.65 192.168.0.254 QM_IDLE 2019 0 ACTIVE
192.168.0.254 58.108.208.65 QM_IDLE 2020 0 ACTIVE
IPv6 Crypto ISAKMP SA
Router#
From HUB (PERTH)
coinop-uc520#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
58.108.208.65 58.110.120.205 QM_IDLE 2216 0 ACTIVE
58.108.208.65 115.108.160.226 QM_IDLE 2214 0 ACTIVE
115.108.160.226 58.108.208.65 QM_IDLE 2215 0 ACTIVE
IPv6 Crypto ISAKMP SA
coinop-uc520#
Spoke 1 (Melbourne)
Melbourne#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
58.108.208.65 58.110.120.205 QM_IDLE 2839 ACTIVE
IPv6 Crypto ISAKMP SA
Melbourne#
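One way to read the `sh crypto isakmp sa` outputs posted above, as an added example that is not part of the original thread: it parses the table and checks that the hub holds an ACTIVE QM_IDLE SA with every spoke. The function names are hypothetical, the HUB and MELBOURNE rows are copied from the post, and the STUCK sample is constructed to show a failing case.

```python
import re

# Rows as posted in the thread (column whitespace already collapsed).
HUB = """\
dst src state conn-id slot status
58.108.208.65 58.110.120.205 QM_IDLE 2216 0 ACTIVE
58.108.208.65 115.108.160.226 QM_IDLE 2214 0 ACTIVE
115.108.160.226 58.108.208.65 QM_IDLE 2215 0 ACTIVE
"""
MELBOURNE = """\
dst src state conn-id status
58.108.208.65 58.110.120.205 QM_IDLE 2839 ACTIVE
"""
# Constructed failure case (not from the thread): negotiation never completed.
STUCK = """\
dst src state conn-id slot status
58.108.208.65 58.110.120.205 MM_NO_STATE 0 0 ACTIVE (deleted)
"""

HUB_ADDR = "58.108.208.65"
SPOKES = ["58.110.120.205", "115.108.160.226"]

# The "slot" column is present on some routers and absent on others.
ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?:(?P<slot>\d+)\s+)?(?P<status>\S.*)$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def peers_in_state(rows, local, state="QM_IDLE"):
    """Map peer address -> count of ACTIVE SAs in `state`, as seen from `local`."""
    peers = {}
    for r in rows:
        if r["state"] != state or r["status"] != "ACTIVE":
            continue
        if local not in (r["dst"], r["src"]):
            continue
        peer = r["src"] if r["dst"] == local else r["dst"]
        peers[peer] = peers.get(peer, 0) + 1
    return peers


def missing_spokes(hub_text, hub_addr, spoke_addrs):
    """Spokes with no established IKE SA on the hub.

    QM_IDLE only means IKE phase 1 is established and idle; it does not
    prove that IPsec data packets get through the tunnel.
    """
    up = peers_in_state(parse_isakmp_sa(hub_text), hub_addr)
    return sorted(a for a in spoke_addrs if a not in up)


if __name__ == "__main__":
    print("hub peers:", peers_in_state(parse_isakmp_sa(HUB), HUB_ADDR))
    print("missing on hub:", missing_spokes(HUB, HUB_ADDR, SPOKES))
    print("missing in stuck sample:", missing_spokes(STUCK, HUB_ADDR, SPOKES))
```
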
That looks to be caused by the internet routing issue.
It should resolve soon, if your ISP has any idea......
Greg
ASKER
OK bro,
Nice job. Thank you very much, very very happy. I will contact my ISP.
Also slightly confused by the GRE statement.
Since you only have two sites and a PIX, you don't need the other stuff, and I'm not sure which one it's negotiating. Errors during tunnel negotiation are normal until it finds a common one.
You say this used to work? I guess the magic question is "What changed?"
At any point can you route across the VPN? Could this be firewall or route table related and not crypto?
If it works and then stops, it might be the lifetime, or you might want to try keepalive packets.
I would need versions and more detailed logs and configs, but if you have any other questions let me know.
HTH
Mike