BFD Feautre 1941

Hi all

I am not able to configure the BFD feature on the interface of 1941.Details from 1941 -.

C1900 Software (C1900-UNIVERSALK9-M), Version 15.2 M3 (4)

CISCO1941/K9

However, I was able to configure BFD in 1841 which has the image of business ahead.

My request is to know if I need upgrade IOS 1941 or must turn on the feature to the company ahead.

Appreciate your help in advance.

Also find error setting.

Kind regards

Pranav Mhatre

+ 91 7506174262

You must purchase a license 'Env', which gives you the old license 'Data', which includes BFD support.

Tags: Cisco Support

Similar Questions

  • Help to configure the router Cisco 1941

    Help!

    I just bought a router cisco 1941, I understand, it came with the Cisco CP, but I don't know how get you to the part where I can use it.

    Also, how can I connect to the router directly without using the HyperTerminal console, all I want to be able to do is configure the address IP of the ISP and my IP address so I can use it for surfing the internet.

    Help, please.

    Hello

    Thanks for the screenshots and show the output! You will need a few lines of command for CCP to work:

    Configure the terminal

    username username privilege 15 secret PASSWORD

    IP http server

    local IP authentication

    Sent by Cisco Support technique iPad App

  • Cisco ASA vs 1941?

    Dear, I have a cisco Asa 5510, making the basic roles of firewall in the network. And router 1941 which is our internet router. We plan to provide VPN access and will also host a database that must be accessible from the internet. It would be useful that someone can advice on the following please.

    1. can I configure the requirements above in a cisco router 1941?

    2. do I need a separate firewall device as ASA?

    3. do I need a special permit to achieve?

    4 port transfers a better option for the publication of our database for external access? Wait at least 500 simultaneous (sometimes) users accessing the portal.

    Thank you.

    Hello..

    You can do this by using the Module of internal Service (VPN, ISM) and licensing support on your router and it supports maximum of 500 sessions at a time. But I think it will be more expensive, then do the port forwarding on your router.

    For more information

    http://www.Cisco.com/c/en/us/products/collateral/interfaces-modules/VPN-...

    The port forwarding for you just the database server...

    Please rate if you find this information useful.

    Kind regards!

  • Cisco 1941: no risk in "ip Routing" or "ip cef" for NetFlow when bypass

    Hello

    It's on a router Cisco 1941.  version 15.1 ipv4 only.

    I would like to enable Netflow v9 for use with PRTG bandwidth monitoring.

    I tried the instructions at http://kb.paessler.com/en/topic/563-do-you-have-any-configuration-tips-for-cisco-routers-and-prtg and the first step fails because I

    no ip Routing
    No cef

    in my running-config.  More precisely, this

     interface GigabitEthernet 0/1 ip route-cache flow exit

    fails with the error message "ip Routing not enabled."

    I have read conflicting information on the question if I need to change one or both of these lines.  And I have enough to http://www.cisco.com/c/en/us/td/docs/ios/15_1/release/notes/15_1m_and_t/151-4MCAVS.html afraid to try just scanned.

    I hope that's enough of my config for someone to give some useful information.  Note the BYPASS.

    interface GigabitEthernet0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip route-cache
     load-interval 30
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface GigabitEthernet0/1
     bandwidth 10000
     ip address 201.201.201.51 255.255.255.0
     ip access-group 110 in
     ip access-group 120 out
     no ip redirects
     no ip unreachables
     no ip route-cache
     load-interval 30
     duplex auto
     speed 10
     no cdp enable
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    ip default-gateway 201.201.201.1
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    ip flow-export version 9
    ip flow-export destination 201.201.201.89 9991

    Looking forward to comments from a person with experience, do something similar.

    Thank you.

    We do not know anything about your environment or why you decided to activate ip Routing and fill. But there is probably a reason why you did that.

    The importance of this is that NetFlow data are generated as part of the routing decisions. And you prevent your router to make routing decisions as you have disabled ip Routing. So I don't see anyway that you can get this router NetFlow, as long you have disabled ip Routing.

    HTH

    Rick

  • L2l 1941 to ASA VPN

    Hi all

    I have a strange problem, trying to establish a VPN between my camera (1941) and a distance of ASA.

    The question is, can I say is that the IKE phase precipitates after MM6. I'm not an expert in the present, but I'll try to explain to the best of my knowledge

    Here's a cry full debugging isakmp:
    * 05:12:05.187 Jun 10: ISAKMP: (1001): serving SA., his is 3AD3BE6C, delme is 3AD3BE6C
    * Jun 10 05:12:05.259: ISAKMP: (0): profile of THE request is (NULL)
    * 05:12:05.259 Jun 10: ISAKMP: created a struct peer 41.223.4.83, peer port 500
    * 05:12:05.259 Jun 10: ISAKMP: new created position = 0x4B475724 peer_handle = 0 x 80000004
    * 05:12:05.259 Jun 10: ISAKMP: lock struct 0x4B475724, refcount 1 to peer isakmp_initiator
    * 05:12:05.259 Jun 10: ISAKMP: 500 local port, remote port 500
    * 05:12:05.263 Jun 10: ISAKMP: set new node 0 to QM_IDLE
    * 05:12:05.263 Jun 10: ISAKMP: find a dup her to the tree during the isadb_insert his 3AD3BE6C = call BVA
    * 05:12:05.263 Jun 10: ISAKMP: (0): cannot start aggressive mode, try the main mode.
    * 05:12:05.263 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83
    * Jun 10 05:12:05.263: ISAKMP: (0): built of NAT - T of the seller-rfc3947 ID
    * Jun 10 05:12:05.263: ISAKMP: (0): built the seller-07 ID NAT - t
    * Jun 10 05:12:05.263: ISAKMP: (0): built of NAT - T of the seller-03 ID
    * Jun 10 05:12:05.263: ISAKMP: (0): built the seller-02 ID NAT - t
    * 05:12:05.263 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    * 05:12:05.263 Jun 10: ISAKMP: (0): former State = new State IKE_READY = IKE_I_MM1
     
    * Jun 10 05:12:05.263: ISAKMP: (0): Beginner Main Mode Exchange
    * Jun 10 05:12:05.263: ISAKMP: (0): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_NO_STATE
    * 05:12:05.263 Jun 10: ISAKMP: (0): sending a packet IPv4 IKE.
    * 05:12:05.475 Jun 10: ISAKMP (0): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_NO_STATE
    * 05:12:05.475 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:05.475 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM1 = IKE_I_MM2
     
    * Jun 10 05:12:05.475: ISAKMP: (0): treatment ITS payload. Message ID = 0
    * Jun 10 05:12:05.475: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.475: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 05:12:05.475 Jun 10: ISAKMP (0): provider ID is NAT - T RFC 3947
    * Jun 10 05:12:05.475: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.475: ISAKMP: (0): IKE frag vendor processing id payload
    * 05:12:05.475 Jun 10: ISAKMP: (0): IKE Fragmentation support not enabled
    * 05:12:05.475 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83
    * Jun 10 05:12:05.475: ISAKMP: (0): pre-shared key local found
    * 05:12:05.475 Jun 10: ISAKMP: analysis of the profiles for xauth...
    * 05:12:05.475 Jun 10: ISAKMP: (0): audit ISAKMP transform 1 against the policy of priority 1
    * 05:12:05.475 Jun 10: ISAKMP: AES - CBC encryption
    * 05:12:05.475 Jun 10: ISAKMP: keylength 256
    * 05:12:05.475 Jun 10: ISAKMP: SHA hash
    * 05:12:05.475 Jun 10: ISAKMP: group by default 2
    * 05:12:05.475 Jun 10: ISAKMP: pre-shared key auth
    * 05:12:05.475 Jun 10: ISAKMP: type of life in seconds
    * 05:12:05.475 Jun 10: ISAKMP: life (basic) of 28800
    * 05:12:05.475 Jun 10: ISAKMP: (0): atts are acceptable
    . Next payload is 0
    * 05:12:05.475 Jun 10: ISAKMP: (0): Acceptable atts: real life: 0
    * 05:12:05.475 Jun 10: ISAKMP: (0): Acceptable atts:life: 0
    * 05:12:05.475 Jun 10: ISAKMP: (0): base life_in_seconds:28800
    * 05:12:05.475 Jun 10: ISAKMP: (0): return real life: 28800
    * 05:12:05.475 Jun 10: ISAKMP: (0): timer life Started: 28800.
     
    * Jun 10 05:12:05.511: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.511: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
    * 05:12:05.511 Jun 10: ISAKMP (0): provider ID is NAT - T RFC 3947
    * Jun 10 05:12:05.511: ISAKMP: (0): load useful vendor id of treatment
    * Jun 10 05:12:05.511: ISAKMP: (0): IKE frag vendor processing id payload
    * 05:12:05.511 Jun 10: ISAKMP: (0): IKE Fragmentation support not enabled
    * 05:12:05.511 Jun 10: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 05:12:05.511 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM2
     
    * Jun 10 05:12:05.511: ISAKMP: (0): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_SA_SETUP
    * 05:12:05.511 Jun 10: ISAKMP: (0): sending a packet IPv4 IKE.
    * 05:12:05.511 Jun 10: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 05:12:05.511 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM2 = IKE_I_MM3
     
    * 05:12:05.727 Jun 10: ISAKMP (0): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_SA_SETUP
    * 05:12:05.727 Jun 10: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:05.727 Jun 10: ISAKMP: (0): former State = new State IKE_I_MM3 = IKE_I_MM4
     
    * Jun 10 05:12:05.727: ISAKMP: (0): processing KE payload. Message ID = 0
    * Jun 10 05:12:05.759: ISAKMP: (0): processing NONCE payload. Message ID = 0
    * 05:12:05.759 Jun 10: ISAKMP: (0): pair found pre-shared key matching 41.223.4.83
    * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
    * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID is the unit
    * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
    * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID seems the unit/DPD but major incompatibility of 104
    * Jun 10 05:12:05.759: ISAKMP: (1003): provider ID is XAUTH
    * Jun 10 05:12:05.759: ISAKMP: (1003): load useful vendor id of treatment
    * Jun 10 05:12:05.763: ISAKMP: (1003): addressing another box of IOS
    !
    * Jun 10 05:12:05.763: ISAKMP: (1003): load useful vendor id of treatment
    * 05:12:05.763 Jun 10: ISAKMP: (1003): vendor ID seems the unit/DPD but hash mismatch
    * 05:12:05.763 Jun 10: ISAKMP: receives the payload type 20
    * 05:12:05.763 Jun 10: ISAKMP (1003): sound not hash no match - this node outside NAT
    * 05:12:05.763 Jun 10: ISAKMP: receives the payload type 20
    * 05:12:05.763 Jun 10: ISAKMP (1003): No. NAT found for oneself or peer
    * 05:12:05.763 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 05:12:05.763 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM4 = IKE_I_MM4
     
    * 05:12:05.763 Jun 10: ISAKMP: (1003): send initial contact
    * 05:12:05.763 Jun 10: ISAKMP: (1003): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
    * 05:12:05.763 Jun 10: ISAKMP (1003): payload ID
    next payload: 8
    type: 1
    address: 82.117.193.82
    Protocol: 17
    Port: 500
    Length: 12
    * 05:12:05.763 Jun 10: ISAKMP: (1003): the total payload length: 12
    * Jun 10 05:12:05.763: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) MM_KEY_EXCH
    * 05:12:05.763 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
    * 05:12:05.763 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 05:12:05.763 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM4 = IKE_I_MM5
     
    * 05:12:05.975 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) MM_KEY_EXCH
    * Jun 10 05:12:05.975: ISAKMP: (1003): payload ID for treatment. Message ID = 0
    * 05:12:05.975 Jun 10: ISAKMP (1003): payload ID
    next payload: 8
    type: 1
    address: 41.223.4.83
    Protocol: 17
    Port: 0
    Length: 12
    * Jun 10 05:12:05.975: ISAKMP: (0): peer games * no * profiles
    * Jun 10 05:12:05.975: ISAKMP: (1003): HASH payload processing
    . Message ID = 0
    * 05:12:05.975 Jun 10: ISAKMP: received payload type 17
    * 05:12:05.979 Jun 10: ISAKMP: (1003): SA authentication status:
    authenticated
    * 05:12:05.979 Jun 10: ISAKMP: (1003): SA has been authenticated with 41.223.4.83
    * 05:12:05.979 Jun 10: ISAKMP: try to insert a 82.117.193.82/41.223.4.83/500/peer and inserted 4 B 475724 successfully.
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM5 = IKE_I_MM6
     
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM6 = IKE_I_MM6
     
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_I_MM6 = IKE_P1_COMPLETE
     
    * 05:12:05.979 Jun 10: ISAKMP: (1003): start Quick Mode Exchange, M - ID 2434392874
    * 05:12:05.979 Jun 10: ISAKMP: (1003): initiator QM gets spi
    * Jun 10 05:12:05.979: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) QM_IDLE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entrance, node 2434392874 = IKE_MESG_INTERNAL, IKE_INIT_QM
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_QM_READY = IKE_QM_I_QM1
    * 05:12:05.979 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    * 05:12:05.979 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
     
    * 05:12:06.195 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) QM_IDLE
    * 05:12:06.195 Jun 10: ISAKMP: node set 169965215 to QM_IDLE
    * Jun 10 05:12:06.195: ISAKMP: (1003): HASH payload processing
    . Message ID = 169965215
    * Jun 10 05:12:06.195: ISAKMP: (1003): treatment protocol NOTIFIER PROPOSAL_NOT_CHOSEN 3
    0, message ID SPI = 169965215, a = 0x3AD3BE6C
    * 05:12:06.199 Jun 10: ISAKMP: (1003): error suppression node 169965215 FALSE reason 'informational (en) State 1.
    * 05:12:06.199 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    * 05:12:06.199 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
     
    * 05:12:06.199 Jun 10: ISAKMP (1003): received 41.223.4.83 packet dport 500 sport Global 500 (I) QM_IDLE
    * 05:12:06.199 Jun 10: ISAKMP: node set 1149953416 to QM_IDLE
    * Jun 10 05:12:06.199: ISAKMP: (1003): HASH payload processing. Message ID = 1149953416
    * Jun 10 05:12:06.199: ISAKMP: (1003): treatment of payload to DELETE
    . Message ID = 1149953416
    * 05:12:06.199 Jun 10: ISAKMP: (1003): peer does not paranoid KeepAlive.
     
    * 05:12:06.199 Jun 10: ISAKMP: (1003): removal of HIS State "No reason" why (I) QM_IDLE (post 41.223.4.83)
    * 05:12:06.199 Jun 10: ISAKMP: (1003): error suppression node 1149953416 FALSE reason 'informational (en) State 1.
    * 05:12:06.199 Jun 10: ISAKMP: node set 613686650 to QM_IDLE
    * Jun 10 05:12:06.199: ISAKMP: (1003): lot of 41.223.4.83 sending my_port 500 peer_port 500 (I) QM_IDLE
    * 05:12:06.199 Jun 10: ISAKMP: (1003): sending a packet IPv4 IKE.
    * 05:12:06.199 Jun 10: ISAKMP: (1003): purge the node 613686650
    * 05:12:06.199 Jun 10: ISAKMP: (1003): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    * 05:12:06.199 Jun 10: ISAKMP: (1003): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
     
    * 05:12:06.199 Jun 10: ISAKMP: (1003): removal of HIS State "No reason" why (I) QM_IDLE (post 41.223.4.83)
    * 05:12:06.199 Jun 10: ISAKMP: Unlocking counterpart struct 0x4B475724 for isadb_mark_sa_deleted(), count 0
    * 05:12:06.199 Jun 10: ISAKMP: delete peer node by peer_reap for 41.223.4.83: 4 B 475724
    * 05:12:06.203 Jun 10: ISAKMP: (1003): node-1860574422 error suppression FALSE reason 'IKE deleted.
    * 05:12:06.203 Jun 10: ISAKMP: (1003): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    * 05:12:06.203 Jun 10: ISAKMP: (1003): former State = new State IKE_DEST_SA = IKE_DEST_SA
     
    * 05:12:25.187 Jun 10: ISAKMP: (1002): purge the node 1140237073

    Installed IOS is c1900-universalk9-mz. Spa. 154 - 3.M5.bin

    Before that, I had 15.3, same thing.

    BGPR1 # running sho
    Building configuration...
     
    Current configuration: 5339 bytes
    !
    ! Last configuration change at 05:19:14 UTC Friday, June 10, 2016 by boris
    !
    version 15.4
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    encryption password service
    !
    hostname BGPR1
    !
    boot-start-marker
    start the system flash0:c1900 - universalk9-mz. Spa. 154 - 3.M5.bin
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    No aaa new-model
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    IP flow-cache timeout active 1
    IP cef
    No ipv6 cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    CTS verbose logging
    !
    Crypto pki trustpoint TP-self-signed-
    enrollment selfsigned
    name of the object cn = IOS-Self-signed-certificate-
    revocation checking no
    rsakeypair TP-self-signed-3992366821
    !
    !
    chain pki crypto TP-self-signed certificates.
    certificate self-signed 01
    quit smoking
    udi pid CISCO1941/K9 sn CF license
    !
    !
    username
    username
    !
    redundancy
    !
    !
    !
    No crypto ikev2 does diagnosis error
    !
    !
    !
    !
    crypto ISAKMP policy 1
    BA aes 256
    preshared authentication
    Group 2
    lifetime 28800
    isakmp encryption key * address 41.223.4.83
    !
    !
    Crypto ipsec transform-set Meridian ah-sha-hmac esp - aes 256
    tunnel mode
    !
    !
    !
    Meridian 10 map ipsec-isakmp crypto
    VODACOM VPN description
    defined by peer 41.223.4.83
    86400 seconds, life of security association set
    the transform-set Meridian value
    match address 100
    !
    !
    !
    !
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    Shutdown
    !
    interface GigabitEthernet0/0
    Description peer na Telekom
    IP 79.101.96.6 255.255.255.252
    penetration of the IP stream
    stream IP output
    automatic duplex
    automatic speed
    No cdp enable
    !
    interface GigabitEthernet0/1
    Description peer na SBB
    IP 82.117.193.82 255.255.255.252
    penetration of the IP stream
    stream IP output
    automatic duplex
    automatic speed
    No cdp enable
    Meridian of the crypto map
    !
    interface FastEthernet0/0/0
    no ip address
    !
    interface FastEthernet0/0/1
    no ip address
    !
    interface FastEthernet0/0/2
    no ip address
    !
    interface FastEthernet0/0/3
    switchport access vlan 103
    no ip address
    !
    interface Vlan1
    IP 37.18.184.1 255.255.255.0
    penetration of the IP stream
    stream IP output
    !
    interface Vlan103
    IP 10.10.10.1 255.255.255.0
    !
    router bgp 198370
    The log-neighbor BGP-changes
    37.18.184.0 netmask 255.255.255.0
    10.10.10.2 neighbor remote - as 201047
    map of route-neighbor T-OUT 10.10.10.2 out
    neighbour 79.101.96.5 distance - 8400
    neighbor 79.101.96.5 fall-over
    neighbor 79.101.96.5 LOCALPREF route map in
    79.101.96.5 T-OUT out neighbor-route map
    neighbour 82.117.193.81 distance - as 31042
    neighbor 82.117.193.81 fall-over
    neighbor 82.117.193.81 route LocalOnly outside map
    !
    IP forward-Protocol ND
    !
    IP as path access list 10 permit ^ $
    IP as path access list 20 permits ^ $ 31042
    no ip address of the http server
    local IP http authentication
    no ip http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    IP flow-export Vlan1 source
    peer of IP flow-export version 5 - as
    37.18.184.8 IP flow-export destination 2055
    !
    IP route 37.18.184.0 255.255.255.0 Null0
    IP route 104.28.15.63 255.255.255.255 79.101.96.5
    IP route 217.26.67.79 255.255.255.255 79.101.96.5
    !
    !
    IP-list of prefixes Filter_IN_Telekom seq 10 permit 0.0.0.0/0
    !
    T-OUT route map permit 10
    match 10 way
    !
    route allowed LOCALPREF 10 map
    set local preference 90
    !
    SBBOnly allowed 10 route map
    20 as path game
    !
    LocalOnly allowed 10 route map
    match 10 way
    !
    !
    m3r1d1an RO SNMP-server community
    Server SNMP ifindex persist
    access-list 100 permit ip host 37.18.184.4 41.217.203.234
    access-list 100 permit ip host 37.18.184.169 41.217.203.234
    !
    control plan
    !
    !
    !
    Line con 0
    Synchronous recording
    local connection
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport output pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    privilege level 15
    local connection
    entry ssh transport
    line vty 5 15
    privilege level 15
    local connection
    entry ssh transport
    !
    Scheduler allocate 20000 1000
    !
    end
     
    BGPR1 #.

    BGPR1 #sho cry isa his

    IPv4 Crypto ISAKMP Security Association

    DST CBC conn-State id

    41.223.4.83 82.117.193.82 MM_NO_STATE 1106 ACTIVE (deleted)

    41.223.4.83 82.117.193.82 MM_NO_STATE 1105 ACTIVE (deleted)

    For "sho cry ipsec his" I get only a lot of mistakes to send.

    For the other end, I had all the settings, I have no access to this device, they insist that this is a simple installation and that any problem is on my side.

    I tried to juggle the order of the access list, life card crypto security association and all "googlable" solutions, that I could find.

    Any input appreciated.

    Corresponds to the phase 2 double-checking on the SAA, including PFS.

    crypto ipsec transform-set meridian ah-sha-hmac esp-aes 256  mode tunnel

  • router in 1941 with the wan, backup interface

    people

    I am looking to set up an interface to backup to a remote site, I have

    the current configuration is a 1941 (15.1 (4) M3) with two interfaces, lan and wan

    I now need to create a course of failover if the wan link fails

    I am considering using a service provider VSDL who will provide me with an Ethernet port on a modem and then use PPPoE to authenticate to the ISP and get an IP etc.

    I intend to use an IP SLA to create traffic and road condition in case of failure of the primary wan link dialer interface failover

    traffic on the two links will be also encrypted on a l2l tunnel using IPsec profiles

    I have already implemented and tested in VIRL using standard Ethernet ports but have not yet tested with an ip and PPPoE Dialer

    I know what I want to do is not new, but I hope someone out there can point me to a recent guide to config or sharing their problems with a similar configuration

    Thanks to anyone who takes the time to read this or answer

    Hello

    between these docs should almost get up and running that have all examples, pppoe, ip sla failover with the ACB and the nat if needed, just tweak it for your configuration

    https://supportforums.Cisco.com/document/32186/dual-Internet-links-NATIN...

    https://learningnetwork.Cisco.com/thread/87317

    http://www.ciscozine.com/dual-Internet-connections-in-activestandby-mode...

    PPPOE

    http://www.Cisco.com/c/en/us/TD/docs/routers/access/800/software/CONFIGU...

    http://www.Cisco.com/c/en/us/TD/docs/routers/access/800/software/CONFIGU...

    EDIT: commands are same for 1941 as 800

    tshoot good guide for pppoe

    http://www.Cisco.com/c/en/us/support/docs/long-reach-Ethernet-LRE-Digita...

  • ASR 9001 BFD and BVI/subinterface

    Hello
    I would like to run BFD to my neighbor who is an ASR920.
    The ASR 9001 looks BFD will not work on the BVI interface so I tried to configure subinterfaces.
    But ASR 9001 does not support of vlan native 920 ASR must be able to talk to in CMHTs!

    Any suggestions?

    Thank you
    / Daniel

    Daniel,

    BFD is supported on IRB/BVI in 5.1.3 +, you may be running an older version?

    Concerning

    Eddie.

  • Router Cisco 1941 - crypto isakmp policy command missing - IPSEC VPN

    Hi all

    I was looking around and I can't find the command 'crypto isakmp policy' on this router Cisco 1941.  I wanted to just a regular Lan IPSEC to surprise and Lan installation tunnel, the command isn't here.  Have I not IOS bad? I thought that a picture of K9 would do the trick.

    Any suggestions are appreciated

    That's what I get:

    Router (config) #crypto?
    CA Certification Authority
    main activities key long-term
    public key PKI components

    SEE THE WORM

    Cisco IOS software, software C1900 (C1900-UNIVERSALK9-M), Version 15.0 (1) M2, VERSION of the SOFTWARE (fc2)
    Technical support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Updated Thursday, March 10, 10 22:27 by prod_rel_team

    ROM: System Bootstrap, Version 15.0 M6 (1r), RELEASE SOFTWARE (fc1)

    The availability of router is 52 minutes
    System returned to ROM by reload at 02:43:40 UTC Thursday, April 21, 2011
    System image file is "flash0:c1900 - universalk9-mz.» Spa. 150 - 1.M2.bin.
    Last reload type: normal charging
    Reload last reason: reload command

    This product contains cryptographic features...

    Cisco CISCO1941/K9 (revision 1.0) with 487424K / 36864K bytes of memory.
    Card processor ID FTX142281F4
    2 gigabit Ethernet interfaces
    2 interfaces Serial (sync/async)
    Configuration of DRAM is 64 bits wide with disabled parity.
    255K bytes of non-volatile configuration memory.
    254464K bytes of system CompactFlash ATA 0 (read/write)

    License info:

    License IDU:

    -------------------------------------------------
    Device SN # PID
    -------------------------------------------------
    * 0 FTX142281F4 CISCO1941/K9

    Technology for the Module package license information: "c1900".

    ----------------------------------------------------------------
    Technology-technology-package technology
    Course Type next reboot
    -----------------------------------------------------------------
    IPBase ipbasek9 ipbasek9 Permanent
    security, none none none
    given none none none

    Configuration register is 0 x 2102

    You need get the license of security feature to configure the IPSec VPN.

    Currently, you have 'none' for the security feature:

    ----------------------------------------------------------------
    Technology-technology-package technology
    Course Type next reboot
    -----------------------------------------------------------------
    IPBase ipbasek9 ipbasek9 Permanent
    security, none none none
    given none none none

    Here is the information about the licenses on router 1900 series:

    http://www.Cisco.com/en/us/partner/docs/routers/access/1900/hardware/installation/guide/Software_Licenses.html

  • Aironet 1140 access point / 1941 router question

    I currently have:

    -router (not wireless) 1941

    -Access point 1140

    Looks like I got the AP on controller instead of the standalone version.  My question is, the 1941 (not 1941W) has a wireless controller?  If not, is there a controller module I can add to my router?  Or I would return the AP I to the standalone version (or the 1941 for the 1941W)?

    Thanks in advance for any advice / help.

    It is not a controller which can go in the 1941. The controllers are quite expensive if you probably don't want to go this way in any case. Before you send the return of accreditation, Sue TAC and see if you can convert it to a standalone. Some AP support this, but I'm not sure of the 1140 series.

    It will be useful.

  • Cisco 1941 hit crypto speed limit

    I have read the documentation about the 85Meg / 170 Meg limit on the SRI G2s

    As far as I know - this does NOT apply to the 1941.

    I have a 1941 with sec - k9 license, you can not buy a license of h - s for this device.

    "

    The SSEC-K9 license removes the reduction applied by the US Government on the encrypted tunnel and encrypted flow export restrictions. SSEC-K9 is available only on the Cisco 2921, 2951 Cisco, Cisco 3925, 3945 Cisco, Cisco 3925th and 3945TH Cisco.

    With the SSEC-K9 license, the ISR G2 router can go above the limit of the reduction of the maximum of 225 tunnels for IP (IPsec) security and the flow rate of 85 Mbps of one-way traffic in or out the ISR G2 router encrypted, with a total of 170 Mbps bidirectional / s.

    Cisco 1941 and 2901 2911 already have maximum encryption within the limits of export capabilities. The HSEC license requires pre-installed image of the universalk9 and the DRY license. »

    I took this means that '1941 and 2901 2911' must go faster than that?  It seems that they are limited to 85Mbit!

    MEL-4-TX_BW_LIMIT %: bandwidth limit Maximum Tx 85000 Kbps reached for the cryptographic functionality with technology securityk9 package license.

    MEL-4-TX_BW_LIMIT %: bandwidth limit Maximum Tx 85000 Kbps reached for the cryptographic functionality with technology securityk9 package license.

    Can anyone confirm if they got more than 85 Mbps out of one of these devices? FYI, I'm not nat'ing nothing - this is purely static device VTI.  Ive sent the packages using iPerf via this device @ 500 + Mbit.

    Well, you can communicate with Cisco and talk to them about your concerns about the text of this.  It would probably help others in the future also.

    Regarding this site selling the 1941 with license of k9 SSEC, according to me, is either a typo or that they do not know the product.

    According to this document the 1941 has the regular permit of K9 SEC available to her.

    1900

    CISCO1941-SEC/K9

    License of Cisco 1941 PAK, 256 MB of DRAM Security Bundle w/sec
     

    CISCO1941W-SEC/K9

    Cisco 1941W Security Bundle w/sec license PAK, 802.11a/b/g/n

    --

    Please do not forget to select a correct answer and rate useful posts

  • Site to Site VPN Cisco IOS 1941 15.0 (1) M1

    Hello

    I am currently developing a Site VPN site between an ASA and a router in 1941. Configuring VPN on the SAA seems to be ok, because it works without problem with router 1841 with IOS 12.4 to the other site. The same VPN configuration on the new router in 1941 with M1 IOS 15.0 (1) does not work. It seems that the access to the crypto map list is the problem. The router never start the VPN connection. When the ASA attempts to establish the VPN, the debugging of the router log shows:

    ...

    * 14:37:52.263 may 5: ISAKMP: (1007): proposal of IPSec checking 1
    * 14:37:52.263 may 5: ISAKMP: turn 1, ESP_3DES
    * 14:37:52.263 may 5: ISAKMP: attributes of transformation:
    * 14:37:52.263 may 5: ISAKMP: type of life in seconds
    * 14:37:52.263 may 5: ISAKMP: life of HIS (basic) of 28800
    * 14:37:52.263 may 5: ISAKMP: type of life in kilobytes
    * 14:37:52.263 may 5: ISAKMP: service life of SA (IPV) 0x0 0 x 46 0 50 x 0 x 0
    * 14:37:52.263 may 5: ISAKMP: program is 1 (Tunnel)
    * 14:37:52.263 may 5: ISAKMP: authenticator is HMAC-SHA
    * 14:37:52.263 may 5: ISAKMP: group is 2
    * 14:37:52.263 may 5: ISAKMP: (1007): atts are acceptable.
    * 5 May 14:37:52.263: ISAKMP: (1007): IPSec policy invalidated proposal with error 32
    * 5 May 14:37:52.263: ISAKMP: (1007): politics of ITS phase 2 is not acceptable! (local... remote control...)

    ...

    Any clue?

    Concerning

    Claudia

    The configuration of the router:

    version 15.0
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    hostname Cisco1941
    !
    No aaa new-model
    !
    No ipv6 cef
    no ip source route
    IP cef
    !
    IP domain name xyz.de
    !
    Authenticated MultiLink bundle-name Panel
    !
    Crypto pki trustpoint TP-self-signature-...
    !
    TP-self-signature-... crypto pki certificate chain
    quit smoking
    license udi pid CISCO1941/K9 sn...
    !
    username privilege 15 secret 5 xyz $1$...
    !
    redundancy
    !
    session of crypto consignment
    !
    crypto ISAKMP policy 10
    BA 3des
    preshared authentication
    Group 2
    ISAKMP crypto key... address 1.2.3.4
    invalid-spi-recovery crypto ISAKMP
    !
    Crypto ipsec transform-set esp-3des esp-sha-hmac tsAsa
    !
    ASA 10 ipsec-isakmp crypto map
    defined peer 1.2.3.4
    Set transform-set tsAsa
    PFS group2 Set
    match address 100
    !
    interface GigabitEthernet0/0
    Description * inside *.
    IP 10.100.100.1 255.255.255.0
    automatic duplex
    automatic speed
    !
    !
    interface GigabitEthernet0/1
    IP 5.6.7.8 255.255.255.240
    IP access-group 111 to
    no ip-cache cef route
    no ip route cache
    automatic duplex
    automatic speed
    card crypto asa
    !
    !
    ATM0/0/0 interface
    no ip address
    Shutdown
    No atm ilmi-keepalive
    !
    !
    IP forward-Protocol ND
    !
    IP route 0.0.0.0 0.0.0.0 1.2.3.5
    !
    access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 111 allow esp 1.2.3.4 host 5.6.7.8
    access-list 111 permit udp host 1.2.3.4 host 5.6.7.8 eq isakmp
    access-list 111 allow ahp host 1.2.3.4 5.6.7.8
    access-list 111 deny ip any any newspaper

    ....

    end

    Try to do this:

    IP route 10.10.10.0 255.255.255.0 interface Ge0/1

    Route IP 1.2.3.4 255.255.255.255 by default-gateway-to-Ge0/1

    The rest of your config looks very good.

  • Need help with configuration on cisco vpn client settings 1941

    Hey all,.

    I just bought a new router 1941 SRI and need help with the configuration of the parameters of the VPN client. Orders aspect a little different here, as I'm used to the configuration of ASA and PIX for vpn, routers not...

    If anyone can help with orders?

    I need the installation:

    user names, authentication group etc.

    Thank you!

    Take a peek inside has the below examples of config - everything you need: -.

    http://www.Cisco.com/en/us/products/ps5854/prod_configuration_examples_list.html

    HTH >

    Andrew.

  • DRY 1941/licenses K9 IPSec Remote Access

    Hi all

    I had some difficulty trying to get a definitive answer on this and im hoping some can clear this up for me once and for all.

    On the ISR G2 1941 with SECURITY license on IOS 15 technology...

    1. Are ipsec VPN for remote access is supported?
    2. If so, do I buy any other feature of the licenses for the number of "seats"? (SSLVPN for example, even if I do not wish to use SSLVPN, only of the IPSec remote access)

    Short and sweet

    Thanks for all the help

    See you soon

    Shaun

    Security technology licenses is sufficient.

    Please refer to This Q & A , which States:

    Q. what bitrate County and the performance of the tunnel are available on the Cisco ISR G2 routers with SECK9 license?
    A. the SEC - K9 permanent licenses apply to the Cisco 1900, 2900 and 3900 ISR G2 platforms; These licenses limit all counts of tunnel encrypted to maximum of 225 tunnels for safety IP (IPsec), Secure Sockets Layer VPN (SSL VPN), a secure gateway of multiplexing (TDM) of distribution time and secure Cisco Unified border element (CUBE) and 1000 tunnels for sessions of the Transport Layer Security (TLS).
    The license of SEC - K9 limit flow to less than or equal to 85 Mbps traffic unidirectional or not the router ISR G2, with a total of 170 Mbps two-way encrypted. This requirement applies to the Cisco 1900, 2900 and 3900 ISR G2 platforms.

  • Cisco 1941 ssl vpn license

    Anyone know if the FL-WEBVPN-10-K9 will work on my 1941 or is it only for the older gen SRI?

    My router has already installed security license, but I think I need a VPN SSL to SSL license.

    Thank you

    1941 supports up to 75 users of ssl vpn.
    You buy FL-SSLVPN-10 | 25. license 100 - K9. FL-WEBVPN-X are only supported on ISR routers 1st generation 1800,2800...).

  • Newbie Help Needed: Cisco 1941 router site to site VPN traffic routing issue

    Hello

    Please I need help with a VPN site-to site, I installed a router Cisco 1941 and a VPN concentrator based on Linux (Sophos UTM).

    The VPN is established between them, but I can't say the cisco router to send and receive traffic through the tunnel.

    Please, what missing am me?

    A few exits:

    ISAKMP crypto to show her:

    isakmp crypto #show her

    IPv4 Crypto ISAKMP Security Association

    DST CBC conn-State id

    62.173.32.122 62.173.32.50 QM_IDLE 1045 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    Crypto ipsec to show her:

    Interface: GigabitEthernet0/0

    Tag crypto map: QRIOSMAP, local addr 62.173.32.122

    protégé of the vrf: (none)

    local ident (addr, mask, prot, port): (192.168.20.0/255.255.255.0/0/0)

    Remote ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)

    current_peer 62.173.32.50 port 500

    LICENCE, flags is {origin_is_acl},

    #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

    #pkts decaps: 52, #pkts decrypt: 52, #pkts check: 52

    compressed #pkts: 0, unzipped #pkts: 0

    #pkts uncompressed: 0, #pkts compr. has failed: 0

    #pkts not unpacked: 0, #pkts decompress failed: 0

    Errors #send 0, #recv 0 errors

    local crypto endpt. : 62.173.32.122, remote Start crypto. : 62.173.32.50

    Path mtu 1500, mtu 1500 ip, ip mtu IDB GigabitEthernet0/0

    current outbound SPI: 0x4D7E4817 (1300121623)

    PFS (Y/N): Y, Diffie-Hellman group: group2

    SAS of the esp on arrival:

    SPI: 0xEACF9A (15388570)

    transform: esp-3des esp-md5-hmac.

    running parameters = {Tunnel}

    Conn ID: 2277, flow_id: VPN:277 on board, sibling_flags 80000046, crypto card: QRIOSMAP

    calendar of his: service life remaining (k/s) key: (4491222/1015)

    Size IV: 8 bytes

    support for replay detection: Y

    Status: ACTIVE

    Please see my config:

    crypto ISAKMP policy 1

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    encryption... isakmp key address 62.X.X... 50

    ISAKMP crypto keepalive 10 periodicals

    !

    !

    Crypto ipsec transform-set esp-3des esp-md5-hmac TS-QRIOS

    !

    QRIOSMAP 10 ipsec-isakmp crypto map

    peer 62.X.X set... 50

    transformation-TS-QRIOS game

    PFS group2 Set

    match address 100

    !

    !

    !

    !

    !

    interface GigabitEthernet0/0

    Description WAN CONNECTION

    62.X.X IP... 124 255.255.255.248 secondary

    62.X.X IP... 123 255.255.255.248 secondary

    62.X.X IP... 122 255.255.255.248

    NAT outside IP

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    card crypto QRIOSMAP

    !

    interface GigabitEthernet0/0.2

    !

    interface GigabitEthernet0/1

    LAN CONNECTION description $ES_LAN$

    address 192.168.20.1 255.255.255.0

    IP nat inside

    IP virtual-reassembly in

    automatic duplex

    automatic speed

    !

    IP nat pool mypool 62.X.X... ... Of 122 62.X.X 122 30 prefix length

    IP nat inside source list 1 pool mypool overload

    overload of IP nat inside source list 100 interface GigabitEthernet0/0

    !

    access-list 1 permit 192.168.20.0 0.0.0.255

    access-list 2 allow 10.2.0.0 0.0.0.255

    Note access-list 100 category QRIOSVPNTRAFFIC = 4

    Note access-list 100 IPSec rule

    access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 101 permit esp 62.X.X host... 50 62.X.X host... 122

    access list 101 permit udp host 62.X.X... 50 62.X.X... host isakmp EQ. 122

    access-list 101 permit ahp host 62.X.X... 50 62.X.X host... 122

    access-list 101 deny ip any any newspaper

    access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255

    access-list 110 permit ip 192.168.20.0 0.0.0.255 any

    !

    !

    !

    !

    sheep allowed 10 route map

    corresponds to the IP 110

    The parts of the configuration you posted seem better than earlier versions of the config. The initial problem was that traffic was not in the VPN tunnel. That works now?

    Here are the things I see in your config

    I don't understand the relationship of these 2 static routes by default. It identifies completely the next hop and a mask the bytes of Middleweight of the next hop. Sort of, it seems that they might be the same. But if they were the same, I don't understand why they both make their appearance in the config. Can provide you details?

    IP route 0.0.0.0 0.0.0.0 62.X.X... 121

    IP route 0.0.0.0 0.0.0.0 62.172.32.121

    This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to it and especially not for this translation. So I wonder how it works?

    IP route 10.2.0.0 255.255.255.0 192.168.20.2

    In this pair of static routes, the second route is a specific subnet more and would be included in the first and routes for the next of the same break. So I wonder why they are there are. There is not necessarily a problem, but is perhaps something that could be cleaned up.

    IP route 172.17.0.0 255.255.0.0 Tunnel20

    IP route 172.17.2.0 255.255.255.0 Tunnel20

    And these 2 static routes are similar. The second is a more precise indication and would be included in the first. And it is referred to the same next hop. So why have the other?

    IP route 172.18.0.0 255.255.0.0 Tunnel20

    IP route 172.18.0.0 Tunnel20 255.255.255.252

    HTH

    Rick

Maybe you are looking for