04-29-2007 10:40 PM - edited 03-03-2019 04:45 PM
Please help,
I configured two 876 routers for DSL and ISDN backup connections between two sites.
I first configured ISDN and checked the connectivity and everything worked.
I then configured VPN (IPSec tunnel) and also the firewall, and I get the following weird response from the router.
The VPN works fine, but when I disconnect/disable the WAN port the ISDN comes up but traffic doesn't flow from one site to another. I can ping the other ISDN peer (only from the ISDN interface), but packets don't pass through from the ethernet interface.
The VPN is configured through the SDM tool and I have configured the DSL peers and traffic to be encrypted/decrypted at the ethernet (VLAN) interfaces. (I also tried to set up a VPN with encryption/decryption at the DSL interfaces but it didn't work...)
Any suggestions?
PS. Since the other router is at a customer site, is there any way I can reboot the router remotely so that I can experiment with the router and, if something goes wrong, get back to the working state without losing the configuration?
thanks
themis
04-30-2007 04:06 AM
Hi,
First of all, I think this scenario is a bit too complex for SDM so you will need to use classical CLI. The problem can be due to the fact that if you want the traffic to be ciphered also when back-up is active, you also configure the crypto map on the ISDN interface. Note, if currently you have the crypto map on ethernet only, your traffic is not being ciphered.
To test configurations at the remote site, enter "reload in 15", then make your changes without saving. If you get locked out, the router will reboot and you can access it again. Else you can do "reload cancel" when happy with the new configuration.
Hope this helps, please rate post if it does!
04-30-2007 05:51 AM
Hi there,
To be honest, I don't want to encrypt traffic through ISDN since it has low bandwidth. Is it possible?
Also, when you say that "if currently you have crypto map on ethernet only, your traffic is not being ciphered", what do you mean? Because when I monitor the VPN I see that the traffic passes between the 2 sites and encryption/decryption takes place...
What if I send you a copy of the config to have a look?
best regards,
themis
04-30-2007 06:01 AM
I think it is very reasonable not to encrypt over ISDN unless it is really top secret stuff that we are talking about. However, it is certainly possible to encrypt if you want.
When the traffic is actually being encrypted, you will see that the crypto-map is always applied only to the WAN interface. The internal LAN does not have that command applied.
You can certainly post the router configuration here. Just remove the ipsec keys because the router stores them in clear. It is much easier to analyze and discuss a CLI configuration because the GUI is hiding too many things in order to simplify the process.
As a courtesy to those providing answers, please rate all useful posts using the scrollbox below!
05-01-2007 10:15 PM
Hello,
I am sending you the config and a logic diagram.
Since I have experimented a bit with the router, you will find quite a few things that are rubbish in the config (especially with ACLs). To make it easier I have gathered the ACLs that are currently used:
ATM : inbound 107
VLAN: inbound 104
BRI : none
NAT: 101
VPN : crypto 100 / IPSec Policy SDM_CMAP_1
I hope this helps. Thanks again
themis
05-02-2007 11:19 PM
OK, new feedback,
I re-enabled the backup operation of the ISDN (through SDM) and it worked (I saw the private subnet on the other site). BUT when I re-enabled the DSL interface, the router didn't close the ISDN connection and I couldn't reestablish the connection to the internet...?!
Help!
themis
05-03-2007 04:27 AM
Hi,
I didn't have time to look at your configuration. There are things like backup that I'm not sure the SDM does correctly, and there are specific techniques and configuration for this (e.g., monitor OAM loopback on the PVC, or use IP SLA with floating static and track). I suggest you become a little more expert in the CLI configuration before you move to configure ISDN backup.
05-03-2007 11:48 PM
Hello,
I am starting to believe that there is a bug in the IOS because I checked the config and the operation of the router with a friend who is much more experienced than me.
Is there a site in which I can check the IOS for any known issues/bugs?
The routers currently have an IOS 12.4(6)T5 image.
regards,
Themis