New Member

Cisco 837 LAN-to-LAN problem - see config

I have many LAN-to-LAN ADSL Cisco 837's connected to our Cisco 3015 Concentrator. I have just configured another much the same as the others, but with the new 12.4 IOS. The others use 12.3T. The new router connects as a LAN-to-LAN fine and VPN tunnel is established, however I can ping the router until a PC on this new VPN router logs on and gets a DHCP address, I can then ping the router and PC. If the PC's network cable is unplugged from the back of the 837 I can ping the router again, why?? I have the router's config below, must be something simple:

Current configuration : 2991 bytes

!

! No configuration change since last restart

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ABCDEFGHI

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable password *********

!

no aaa new-model

!

resource policy

!

no ip dhcp use vrf connected

ip dhcp excluded-address 172.19.7.1 172.19.7.10

!

ip dhcp pool client

network 172.19.7.0 255.255.255.0

default-router 172.19.7.1

dns-server 192.168.1.10 192.168.1.11

lease 0 2

!

!

no ip cef

ip inspect name outbound tcp

ip inspect name outbound udp

ip inspect name outbound ftp

ip inspect name outbound http

ip inspect name outbound icmp

!

!

!

username ******** password 0 ********

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key *********** address 10.10.10.1

!

!

crypto ipsec transform-set tran_set esp-3des esp-md5-hmac

!

crypto map tran_set 10 ipsec-isakmp

set peer 10.10.10.1

set transform-set tran_set

match address 101

!

!

!

interface Ethernet0

ip address 172.19.7.1 255.255.255.0

ip inspect outbound in

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

dsl operating-mode auto

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

ip access-group inbound in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname name@name.com

ppp chap password 0 ***********

ppp pap sent-username name@name.com password 0 ************

crypto map tran_set

!

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

no ip http secure-server

!

!

!

ip access-list extended inbound

permit udp any any eq isakmp

permit esp any any

permit icmp any any

permit udp any any eq ntp

permit tcp *.*.*.* 0.0.0.255 any eq telnet

permit tcp *.*.*.* 0.0.0.255 any eq 22

permit tcp *.*.*.* 0.0.0.255 any eq ftp-data

permit tcp *.*.*.* 0.0.0.255 any eq ftp

permit tcp *.*.*.* 0.0.0.255 any eq www

permit tcp *.*.*.* 0.0.0.255 any eq 443

permit ip 192.168.0.0 0.0.255.255 172.19.7.0 0.0.0.255

logging trap warnings

logging 192.168.1.12

access-list 101 permit ip 172.19.7.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community ******* RO

snmp-server enable traps tty

snmp-server host 192.168.1.12 RO

!

control-plane

!

!

line con 0

no modem enable

transport output all

line aux 0

transport output all

line vty 0 4

exec-timeout 0 0

login local

transport input all

transport output all

!

scheduler max-task-time 5000

sntp server 158.43.128.33

end

12 REPLIES
Bronze

Re: Cisco 837 LAN-to-LAN problem - see config

Hello,

From which IP address to which IP address are you pinging? And which IP address is being assigned to your Dialer 1 interface?

Regards,

Nethelper

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

As the LAN-to-LAN has been established I'm pinging inside router address 172.19.7.1 from our internal network. I have noticed as soon as a PC is connected and gets the next DHCP address 172.19.7.2 I can ping both devices. I have also noticed the PC and router (from console) can ping the internal network at all times.

Bronze

Re: Cisco 837 LAN-to-LAN problem - see config

Hello,

When you say you are pinging the IP address of the router from your internal network, do you mean the internal network IP 172.19.7.2? To be honest I do not clearly understand what you are asking: when your PC gets a DHCP assigned address, what can you NOT ping?

Regards,

Nethelper

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

Right, this is proving to be difficult. I will approach from a different angle. This 837 is connected remotely to our Cisco concentrator, it is a LAN-to-LAN. The concentrator and me (head office) are on the same network. This remote network (837) has one PC connected to its 4 port hub. Everything works, I can ping the router and PC from the head office, and the PC on the remote network can ping my PC and all servers. However as soon as this PC on the remote network is turned off I can no longer ping the remote router. If the PC is turned back on I can.

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

That makes no real sense - when you say the PC is turned off, I would make sure the remote user is not 'turning off' the router also... you should be able to connect to the public interface anyway to confirm this.

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

Also, I don't really see how this VPN is working at all:-

1. Your crypto ACL matches ALL traffic outbound

2. You don't have a routable destination address for the crypto map (10.10.10.1 is an internal address, but you have no route to it)

3. You appear to have a dynamic IP address on the public interface, so how will the peer establish a connection?

Is this because you have changed the public details for security?

If so your crypto ACL I think should be:-

access-list 101 permit ip 172.19.7.0 0.0.0.255 192.168.0.0 0.0.255.255

p.
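
Added example, not part of the reply above or of anyone's router config: one way to check an IOS config for the first point raised there, a crypto-map ACL whose destination is `any`. The function names and the trimmed sample are constructed for illustration; the parser goes beyond this thread's case by also handling named extended ACLs.

```python
import re

# Constructed sample: the crypto-related lines of the config posted in this thread.
POSTED = """\
crypto map tran_set 10 ipsec-isakmp
set peer 10.10.10.1
match address 101
access-list 101 permit ip 172.19.7.0 0.0.0.255 any
"""
# The same lines with the crypto ACL suggested in the reply above.
SUGGESTED = POSTED.replace("0.0.0.255 any", "0.0.0.255 192.168.0.0 0.0.255.255")


def take_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from a token list."""
    if not tokens:
        return "", []
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]  # "host A" or "A WILDCARD"


def crypto_acl_findings(config):
    """Return (acl, entry) pairs where a crypto-map ACL permits ip to destination 'any'."""
    acls, crypto_refs, named = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":  # separators do not end a named ACL
            continue
        m = re.match(r"access-list (\d+) ((?:permit|deny) .+)", line)
        if m:  # numbered ACL entry
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:  # header of a named ACL; its entries follow
            named = m.group(1)
            continue
        if named and re.match(r"(permit|deny) ", line):
            acls.setdefault(named, []).append(line)
            continue
        named = None
        m = re.match(r"match address (\S+)", line)
        if m:  # ACL referenced by a crypto map entry
            crypto_refs.add(m.group(1))
    findings = []
    for name in sorted(crypto_refs):
        for entry in acls.get(name, []):
            tokens = entry.split()
            if tokens[:2] != ["permit", "ip"]:
                continue
            _src, rest = take_addr(tokens[2:])
            if take_addr(rest)[0] == "any":
                findings.append((name, entry))
    return findings
```

Run against the posted lines it reports ACL 101; with the suggested ACL it reports nothing.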

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

Hi,

If I understand u correctly you can not ping the remote router internal address?

As I recall these 837 routers have a 4-port hub and an internal int e0. Check when the pc shuts down whether e0 goes down or stays up.

HTH

E.

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

ekiriakos you have hit it on the nail so to speak. I turned off the PC that was on the 4 port hub (back of 837) and this is what is displayed on console:

Feb 20 08:12:47.713: %LINK-3-UPDOWN: Interface Ethernet0, changed state to down

Feb 20 08:12:47.713: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to down

Feb 20 08:12:48.713: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down

Feb 20 08:12:48.713: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down

It does the opposite if the PC is turned back on. Why does the router care what the PC does, the Ethernet0 should stay up.

hope you can advise

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

I think you may be dealing with an IOS bug - is it possible to downgrade the IOS on this box to the same version as the others? (TFTP from the workstation should be OK)

I have 837's running 12.2/3 and they do not exhibit this behaviour.

p.

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

It may be a bug as suggested. I did a quick search on CCO but can't find anything. Perhaps if you post the exact ver of ios u use, using the sh ver command that may help.

Rgds

E.

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

Here it is:

Cisco IOS Software, C837 Software (C837-K9O3Y6-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Sat 14-Jan-06 01:43 by alnguyen

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

New Member

Re: Cisco 837 LAN-to-LAN problem - see config

Seems down-grading to 12.3 fixes the problem.
