cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
3
Helpful
7
Replies

problems with ISDN backup and IPSEc VPN

tnikoletos
Level 1
Level 1

Please help,

I configured two 876 routers for DSL and ISDN backup connections between two sites.

I first configured ISDN and checked the connectivity and everything worked.

I then congigured VPN (IPSec tunnel) and also the firewall and i get the following weird response from the router.

The VPN works fine but when i disconnect/ disable the WAN port the ISDN gets up but traffic doesnt flow from one site to another. I can ping the other ISDN peer (only from the ISDN interface)but packets dont pass through from the ethernet interface.

The VPN is configured through SDM tool and I have configured the DSL peers and traffic to be encrypted / decrypted at the ethernet (VLAN) interfaces. (I also tried to setup a VPN with encryption /decryption at the DSL interfaces but it didnt work...)

any suggestions?????

PS. Since the other router is at a customer site is there any way I can reboot the router remotely so that i can experiment with the router and if something goes wrong to get back to the working state without losing the configuration??

thanks

themis

7 Replies 7

paolo bevilacqua
Hall of Fame
Hall of Fame

Hi,

First of all, I think this scenario is a bit too complex for SDM so you will need to use classical CLI. The problem can be due to the fact that if you want the traffic to be ciphered also when back-up is active, you also configure the crypto map on ISDN interface. Note, if currently you have crypto map on ethernet only, your traffic is not being ciphered.

To test configurations at the remote site, enter "reload in 15", then make your changes without saving. If you get locked out, the router will reboot and you can access it again, Else you can do "reload cancel" when happy with the new configuration.

Hope this helps, please rate post if it does!

Hi there,

To be honest i dont want to encrypt traffic through ISDN since it has low bandwidth. Is it possible?

Also, when you say that " if currently you have crypto map on ethernet only, your traffic is not being ciphered." what do you mean? because when i monitor the VPN i see that the traffic passes between the 2 sites and encryption/ decryption takes place...

What if i send you a copy of the config to have a look?

best regards,

themis

I think is very reasonable not to encrypt over ISDN unless it is really top secret stuff that we are talking about. However, it is certainly possible to encrypt if you want.

When the traffic is actually being encrypted, you will see that the crypto-map is always applied only to the WAN interface. The internal LAN does not have that command applied.

You can certainly post the router configuration here. Just remove the ipsec keys because the router stores them in clear. It is much easier to analyze and discuss a CLI configuration because the GUI is hiding too many things in order to simplify the process.

As a courtesy to those providing answer, please rate all useful posts using the scrollbox below!

Hello ,

I am sending you the config and a logic diagram.

Since I have experimented a bit with the router you will find quite a few things that are rubbish in the config (especially with ACL's). To make it easier I have gathered the ACLs' that are currently used:

ATM : inbound 107

VLAN: inbound 104

BRI : none

NAT: 101

VPN : crypro 100 / IPSec Policy SDM_CMAP_1

I hope this helps. Thanks again

themis

Ok new feedback,

I re-enabled the backup operation of the ISDN (through SDM)and it worked (I saw the private subnet on the other site. BUT when i re-enabled the DSL interface the router didnt close the ISDN connection and I couldnt reestablish the connection to the internet...?!!

Help!

themis

Hi,

I didn't had time to look at your configuration. There are things like backup that I'm not sure the SDM does correctly, and there are specific techniques and configuration for this (eg, monitor OAM loopback on the PVC, or use IP SLA with floating static and track). I suggest you become a little more expert in the CLI configuration before you move to configure ISDN backup.

Hello,

I am starting to believe that there is a bug in the IOS because I checked the config and the operation of the router with a friend who is much mored experienced than me.

Is there a site in which I can check the IOS for any known issues-bugs?

the routers currently have an IOS 12.4(6)T5 image.

regards,

Themis

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco