New Member

VPN and CEF

Hi All.

I have a Cisco 2921, two ISPs, NAT, load balancing, VPN.

When I turn on CEF (ip cef), the VPN client does not access the local LAN, only the loopback.

With "no ip cef" everything works fine.

Is it normal?

And one more question: how to configure the Cisco (with my functionality) for accounting with NetFlow?

Thanks.

5 REPLIES
Cisco Employee

Re: VPN and CEF

Albert,

Theory goes, router should work better with CEF enabled ;-)

So the behavior you're describing is definitely not the correct one.

Please open a TAC service request for this or, if you can't, check with a newer IOS, and if that does not help, go via TAC.

Marcin

New Member

Re: VPN and CEF

Our customer has the same problem, which consists of an incompatibility between the "ip route-cache cef" interface command and VPN Client access to the network connected to that interface... So, the customer should choose between remote access VPN and NetFlow accounting functionalities. He has chosen the first.

Albert, have you found the solution from TAC?..

New Member

Re: VPN and CEF

I've found the answer by myself surfing the forum...

So, for us the solution was to change the code

crypto dynamic-map RA_MAP_DYNAMIC 10
 set transform-set RA_TS
 set isakmp-profile VPNCLIENT_P1_PROFILE
 reverse-route

to this one (see reverse-route string):

crypto dynamic-map RA_MAP_DYNAMIC 10
 set transform-set RA_TS
 set isakmp-profile VPNCLIENT_P1_PROFILE
 reverse-route remote-peer x.x.x.x

where x.x.x.x is our default GW.

After we changed the "reverse-route" string we obtained the ability to painlessly enable "ip route-cache cef" on the internal/external interfaces, and NetFlow finally started to export the flow data to the collector. It was like a miracle.

Hope this helps, guys.

New Member

Re: VPN and CEF

Thanks.

What is x.x.x.x? Is it the IP address of the outgoing interface? Or the local LAN?

New Member

Re: VPN and CEF

x.x.x.x is the default gateway for our 2921 device...

I can add that the same address is in "ip route" command:

ip route 0.0.0.0 0.0.0.0 x.x.x.x
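
Added example, not part of any post in this thread and not Cisco code: a Python check that scans a saved running-config for the combination reported above (a `crypto dynamic-map` entry with a bare `reverse-route` while CEF is on) and verifies that any `remote-peer` address matches a default-route next hop, as the last reply describes. Assumptions: the sample config is constructed with documentation-range addresses, the function name `audit_reverse_route` is hypothetical, and CEF is treated as on unless a global `no ip cef` line is present.

```python
import re

# Constructed sample config; addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
ip cef
crypto dynamic-map RA_MAP_DYNAMIC 10
 set transform-set RA_TS
 set isakmp-profile VPNCLIENT_P1_PROFILE
 reverse-route
crypto dynamic-map RA_MAP_DYNAMIC 20
 set transform-set RA_TS
 reverse-route remote-peer 192.0.2.1
crypto dynamic-map RA_MAP_DYNAMIC 30
 set transform-set RA_TS
 reverse-route remote-peer 198.51.100.9
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""

HEADER = re.compile(r"^crypto dynamic-map (\S+ \d+)\s*$")
SUBCMD = re.compile(r"^(set|match|description|reverse-route)\b")
DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def audit_reverse_route(config):
    """Return (dynamic-map entry, finding) pairs for a running-config text."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Assumption: CEF counts as enabled unless the global "no ip cef" appears.
    cef_on = "no ip cef" not in (ln.strip() for ln in lines)
    gateways = {m.group(1) for ln in lines if (m := DEFAULT_ROUTE.match(ln))}
    findings, entry = [], None
    for ln in lines:
        body = ln.strip()  # tolerate configs pasted without indentation
        if (m := HEADER.match(body)):
            entry = m.group(1)
        elif entry and SUBCMD.match(body):
            if body.startswith("reverse-route"):
                peer = re.search(r"\bremote-peer (\S+)", body)
                if peer is None and cef_on:
                    findings.append((entry, "reverse-route without remote-peer while CEF is on"))
                elif peer and peer.group(1) not in gateways:
                    findings.append((entry, f"remote-peer {peer.group(1)} is not a default-route next hop"))
        else:
            entry = None  # any other command closes the current map entry
    return findings

if __name__ == "__main__":
    for entry, finding in audit_reverse_route(SAMPLE_CONFIG):
        print(f"{entry}: {finding}")
```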