Cisco IOS IPSec failover | Route based VPN with HSRP

Similar Questions

• Cisco IOS IPS in router 2921/k9

  Hi all

  I have a router from Cisco 2921 box database (error C2921/K9) series with BAse IP IOS (IOS SL-29-IPB-K9) image. I want to activate the function of IOS IPS level on this router now. Based on the Cisco Document, I found that I need to purchase a license additional subscripton enale the IPS feature. My querry is-

  It will build on the IOS for basic IP base or do I have to change the IOS?

  If I need to buy the Licesne subscription, how can I get the part number and the cost for the same thing?

  Do I need to purchase any additional module for this as (NME-IPS-K9)?

  Thanks in advance for your quick help

  concerning

  Sunny

  Hi Sunny,

  You do not need a module (however you might install a module instead function in IOS IPS).

  You need 2 licenses:

  1 - a 'security' for your 2921 license enable the IPS feature:

  SL-29-SEC-K9

  License security (paper) for Cisco 2901-2951 (the two system & spare)

  (if you don't have a router, but you can order it with the license as a Pack: CISCO2921-SEC/K9)

  2 - a signature subscription license, which is part of a contract of "services to SPI.

  A "services for IPS" is essentially a SmartNet contract (including the replacement of equipment, to the TAC, etc) more access to the update of the signature.

  SKU for that start with CON-SU or CON - SUO and depends on what level of service for the replacement of HW, and if you want a replacement service on the spot.

  for example CON - SU1 - 2921SEC - this includes a SMARTnet agreement with 8x5xNBD without on-site intervention

  For more information:

  http://www.Cisco.com/en/us/prod/collateral/modules/ps10598/ordering_guide_c07_557736_ps10538_Products_Data_Sheet.html#wp9000630

  http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html

  http://www.Cisco.com/en/us/products/ps6076/serv_group_home.html

  WARNING: I'm not in the sale so you can check with your local sales office or with a partner of Cisco, Cisco. In fact, some partners may offer a signature subscription service that is clean (without cover material).

  HTH

  Herbert

• Easy VPN with the Tunnel Interface virtual IPSec dynamic

  Hi all

  I configured easy vpn remote on a cisco 1841 and dynamic server easy vpn with virtual tunnel interface on the server (cisco 7200, 12.4.15T14)

  http://www.Cisco.com/en/us/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

  It works with easy vpn remote to the client mode and mode network-extesión, but it doesn't seem to work when I configure mode plus network on the client of the cpe, or when I try to have TWO inside the ez crypto interfaces. On the customer's site, I see two associations of security, but on the server PE site only security SA!

  Without virtual dynamic tunnel interface, dynamic map configuration is ok... This is a limitation of the virtual tunnnel dynamic interface?

  Federica

  If one side is DVTI and the other uses a dynamic map, it does support only 1 SA. If the two end uses DVTI or the two end uses dynamic card then it supports several SAs.

  Here is the note of documentation for your reference:

  Note: Multiple inside interfaces are supported only when the Cisco Easy VPN server and the Cisco Easy VPN client have the same type of Easy VPN configuration. In other words, both must use a Legacy Easy VPN configuration, or both must use a DVTI configuration.
  
  

  Here's the URL:

  http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1046365

  Hope that answers your question.

• L2l vpn with Firewall Palo Alto

  I'm setting up a tunnel of l2l with a firewall of palo alto and evil.  It is a fairly simple installation, we are traffic encryption public to the public for download of the side sftp asa.  Here are the parts relevant to the config and various outputs...  Remote admin side asserts that the phase 1 pass and we have a timeout of waiting for phase 2.  Any help would be appreciated.

  1.1.1.1 (customer2 destination address)
  1.1.1.2 (customer2 vpn gateway)
  2.2.2.0 (space local public ip)

  description of CustomerVPN2 name 1.1.1.1 customer VPN2

  Inside_nat0_outbound to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2
  Outside_4_cryptomap to access extended list ip 2.2.2.0 allow 255.255.255.240 host CustomerVPN2

  card crypto Outside_map 4 corresponds to the address Outside_4_cryptomap
  crypto map Outside_map 4 set type of connection are created only
  card crypto Outside_map 4 set peer 1.1.1.2
  card crypto Outside_map 4 the value transform-set ESP-AES-256-SHA

  crypto ISAKMP policy 50
  preshared authentication
  aes-256 encryption
  sha hash
  Group 2
  life 86400

  tunnel-group 1.1.1.2 type ipsec-l2l
  1.1.1.2 tunnel-group ipsec-attributes
  pre-shared-key *.

  SH crypto isakmp (reviews listed as type: user)

  8 peer IKE: 1.1.1.2
  Type: user role: initiator
  Generate a new key: no State: MM_WAIT_MSG2

  Debug crypto ipsec (looks like he's trying all cryptographic cards except one)

  IPSec (crypto_map_check): crypto Outside_map 1 hole card no match for ACL Outside_1_cryptomap.

  IPSec (crypto_map_check): card crypto Outside_map 2 do not match for ACL Outside_2_cryptomap hole.

  IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL Outside_3_cryptomap.

  IPSec (crypto_map_check): card crypto Outside_map 3 hole not correspond to ACL OO_temp_Outside_map3.

  and finally.

  03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, removing counterpart peer table faile
  d, no match!
  03 Oct 10:39:09 [IKEv1]: IP = 1.1.1.2, error: cannot delete PeerTblEntr

  Hey Evo,

  You asa public interface is the same as the public ip address that you are trying to encrypt?

  I think you need to create a Nat policy that can be a private ip address as well and then use it as your side of interesting traffic, because the Admin in Palo Alto is right about the vpn route accordingly.

  Here are some links for policy based Nat & paloalto side vpn screenshots and explanations.

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807d2874.shtml

  http://www.danielelonghi.com/wp-content/uploads/2011/05/Howto-create-VPN-connection-between-JUNOS-and-paloalto.PDF

  http://netsecinfo.blogspot.com/2008/02/route-based-VPNs-explained.html

  Manish

• Customer Cisco IPSec vpn cisco ios router <>==

  Hello

  I need to implement ipsec vpn for all users of 10-15. They all use the vpn cisco 5.x client and we have a router for cisco ios at the office. We already have a situation of work for these users. However, it has become a necessity which known only devices (laptops company) are allowed to install a virtual private network.

  I think that the only way to achieve this is to use certificates. But we don't won't to buy certificates if there is a free way to implement. So my question is

  (1) what are the options I have to configure vpn ipsec, where only known devices can properly configure a vpn and all unknown devices are blocked?

  (2) if the certificate is the only way. Can I somehow produce these certificates myself using cisco router ios?

  (3) someone at - it an example of a similar installation/configuration?

  Thanks in advance.

  Kind regards

  M.

  Unfortunately if you connect to the router IOS, there is no other way except using the certificate. If you connect to a Cisco ASA firewall, then you can identify the laptop company using DAP (Dynamic Access Policy).

• The IOS IPSec VPN configuration Cisco router

  Hi experts,

  I have not configured the VPN for a long time on the routers so I want your recommendation on best practices.

  I need to run OSPF over it, so it must be GRE over IPSec

  I googled and I see the old type of config that I used to do with the use of the crypto map. Then I see config with profile Ipsec that is applied to the interface of tunnel (tunnel protection). I also see on the manual on isakmp profile...

  Is there an example of configuration that you can provide? This is site to site VPN with PAT most basic on the interface for the remote desktop for surfing the Internet. My routers are fairly recent. One is 2821 with new 12.4 T code and another 2921 router.

  Thank you

  Hello!

  I didn't have a corresponding exactly to your needs, but I did a. I set it up by hand while there might be errors in config.

• Site to site VPN with router IOS

  I want to create a VPN site-to site on the Internet. On the remote site, aside from the VPN to the head office, there should be no traffic not allowed in internal from the Internet to the network and that there should be no traffic from the internal network to the Internet allowed. The internal network will run a private 192.168.x.x address range.

  I'm going to use a Cisco 2811 router integrated of services on the remote site and this will last an IPSec VPN that will end a hub at Headquarters. I understand that this router has an IOS and IPS firewall built in.

  Would I be right in thinking that because I don't want to have access to the Internet (except VPN) or should I configure IOS firewall features on the router? And there is no point in the configuration of the features IPS wouldn't?

  My thought is that only an entry in list of unique access to deny pi a whole applied inbound to the interface that connects to the Internet would be the best strategy. I think that the command "sysopt connection permit-ipsec" should allow the VPN to form even with the ip address to deny any any ACL (or is it just a Pix command? If Yes, then I have to allow ESP and UDP 500 (ISAKMP) from the public address of the hub at Headquarters to allow the VPN to form wouldn't I?).

  Think I'll probably expand slightly the access list to allow the icmp Protocol, ssh and https traffic from the IP address of firewall seat outside so that I can monitor the remote site and access it safely if the fail VPN.

  And I wouldn't need one access list on the interface connected to the internal network I would like because the range of addresses would be not routable, so they would not be able to initiate connections to the Internet (all the trffic to the remote site is specified under a valuable traffic to bring up the VPN)

  Use one of the IOS Firewall inspect commands or the IPS would be useless and have no effect in this case wouldn't it?

  I really just need to know if the ip address to deny any any ACL on the external interface on the remote site is the best solution (and the simplest), and whether it will be safe.

  We used to use fiewalls Pix for remote VPN site to site, Amazon refuse incoming connections on the external interface by default but now I have been informed that these series 2800 routers will be used later, so I would get my thoughts straight and be able to build safe to do the same work all existing PIX are doing (they are all installed for just the VPN at Headquarters as in) the first paragraph).

  I would like any advice or thoughts on the subject. I don't know there must be a ton of people who put routers for the same purpose.

  Thank you in advance.

  Pete.

  Pete

  I did a lot of implementations site VPN to another using IOS routers. They work very well. Based on my experience I offer these comments and I hope that they will help you:

  -you don't want a list of incoming access on the external interface, but you want more in it than simply refuse an ip. There is no permit-ipsec sysopt connection in IOS so you want to certainly allowed ISAKMP and IPSec/ESP. I suggest that you also want to allow SSH. I would like to allow ICMP but only starting from the address space of the network head end. I do not allow HTTPS since I generally do not allow the http server on the router. If you want HTTPS then certainly enable it. To facilitate the ping and traceroute on the remote I frequently allow icmp echo-reply, timeout and unreachable port from any source.

  -I want to put an inside interface access list. There are certain types of traffic that I don't want to send from the Remote LAN. I have usually refuse any trap SNMP or snmp for LAN devices and refuse out of the local network icmp redirects. I also often configure RPF controls inside interface to catch any device which is misconfigured.

  -If you want to allow SSH when the VPN is not active (and I highly recommend that you do) then you will probably need to configure at least 1 (and maybe more) users and password of the router ID. And you want to configure authentication on the vty use local authentication if the head end authentication server is not available.

  -I'm not clear from your description if you plan to run a dynamic routing via the VPN Protocol. I wish I had a dynamic routing protocol because I want to announce a default route to the remote control via the VPN. I do not locally configure a default route on the remote router. This way if the VPN tunnel is up there is a default route pointing to the tunnel and if the VPN tunnel is not up then there is no local route by default and users on the remote database can not access the Internet. It is a simple and very effective method to ensure that all user traffic must pass through the central site.

  -regarding the routes defined on the remote router, my approach is that I define a static route for the endpoint of the tunnel to allow the tunnel to implement and I set up static routes for the subnet to the head of line I can SSH. And I do not configure other static routes the on the remote router.

  -You probably want to disable cdp on the external interface and also to disable the proxy-arp (and I don't make any ip unreachable).

  -There is frequently a problem when using VPN site-to-site with fragmentation. If a device on the local network sends a frame of maximum size, and then the router needs to add additional headers for IPSec, then the frame is too large and requires fragmentation. I like to use tcp adjust-mss ip to control the chunk size for TCP traffic and avoid any problems with fragmentation.

  -I don't think you want to set up the firewall or IPS from the features of IOS on the 2811.

  I hope that your application is fine and that my suggestions could be useful.

  [edit] after posting my response, I read through your post again and realize that you make to a VPN concentrator. The approach I have proposed on the execution of a routing protocol works for me because I usually have a router IOS in mind. It would not work to connect to a hub.

  HTH

  Rick

• ISA500 site by site ipsec VPN with Cisco IGR

  Hello

  I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.

  But without success.

  my config for openswan, just FYI, maybe not importand for this problem

  installation of config

  protostack = netkey

  nat_traversal = yes

  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET

  nhelpers = 0

  Conn rz1

  IKEv2 = no

  type = tunnel

  left = % all

  leftsubnet=192.168.5.0/24

  right =.

  rightsourceip = 192.168.1.2

  rightsubnet=192.168.1.0/24

  Keylife 28800 = s

  ikelifetime 28800 = s

  keyingtries = 3

  AUTH = esp

  ESP = aes128-sha1

  KeyExchange = ike

  authby secret =

  start = auto

  IKE = aes128-sha1; modp1536

  dpdaction = redΘmarrer

  dpddelay = 30

  dpdtimeout = 60

  PFS = No.

  aggrmode = no

  Config Cisco 2821 for dynamic dialin:

  crypto ISAKMP policy 1

  BA aes

  sha hash

  preshared authentication

  Group 5

  lifetime 28800

  !

  card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1

  !

  access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

  !

  Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac

  crypto dynamic-map DYNMAP_1 1

  game of transformation-ESP-AES-SHA1

  match address 102

  !

  ISAKMP crypto key address 0.0.0.0 0.0.0.0

  ISAKMP crypto keepalive 30 periodicals

  !

  life crypto ipsec security association seconds 28800

  !

  interface GigabitEthernet0/0.4002

  card crypto CMAP_1

  !

  I tried ISA550 a config with the same constelations, but without suggesting.

  Anyone has the same problem?

  And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?

  I can successfully establish a tunnel between openswan linux server and the isa550.

  Patrick,

  as you can see on newspapers, the software behind ISA is also OpenSWAN

  I have a facility with a 892 SRI running which should be the same as your 29erxx.

  Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.

  Here is my setup, with roardwarrior AND 2, site 2 site.

  session of crypto consignment

  logging crypto ezvpn

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 2

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 4

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 5

  BA 3des

  preshared authentication

  Group 2

  life 7200

  ISAKMP crypto address XXXX XXXXX No.-xauth key

  XXXX XXXX No.-xauth address isakmp encryption key

  !

  ISAKMP crypto client configuration group by default

  key XXXX

  DNS XXXX

  default pool

  ACL easyvpn_client_routes

  PFS

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT

  !

  dynamic-map crypto VPN 20

  game of transformation-FEAT

  market arriere-route

  !

  !

  card crypto client VPN authentication list by default

  card crypto VPN isakmp authorization list by default

  crypto map VPN client configuration address respond

  10 VPN ipsec-isakmp crypto map

  Description of VPN - 1

  defined peer XXX

  game of transformation-FEAT

  match the address internal_networks_ipsec

  11 VPN ipsec-isakmp crypto map

  VPN-2 description

  defined peer XXX

  game of transformation-FEAT

  PFS group2 Set

  match the address internal_networks_ipsec2

  card crypto 20-isakmp dynamic VPN ipsec VPN

  !

  !

  Michael

  Please note all useful posts

• IOS IPSEC VPN with NAT - translation problem

  I'm having a problem with IOS IPSEC VPN configuration.

  /*

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto keys TEST123 address 205.xx.1.4

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac CHAIN

  !

  !

  Map 10 CRYPTO map ipsec-isakmp crypto

  the value of 205.xx.1.4 peer

  transformation-CHAIN game

  match address 115

  !

  interface FastEthernet0/0

  Description FOR the EDGE ROUTER

  IP address 208.xx.xx.33 255.255.255.252

  NAT outside IP

  card crypto CRYPTO-map

  !

  interface FastEthernet0/1

  INTERNAL NETWORK description

  IP 10.15.2.4 255.255.255.0

  IP nat inside

  access-list 115 permit 192.xx.xx.128 0.0.0.3 ip 172.xx.1.0 0.0.0.3

  */

  (This configuration is incomplete / NAT configuration needed)

  Here is the solution that I'm looking for:

  When a session is initiated from the "internal network" to the "distance IPSEC - 172.xx.1.0/30 ' network I want the address scheme '10.15.0.0/16' NAT translation deals with '192.xx.xx.128/30' before forwarding via the IPSEC VPN Tunnel.

  For more information, see "SCHEMA ATTACHED".

  Any help is greatly appreciated!

  Thank you

  Clint Simmons

  Network engineer

  You can try the following NAT + route map approach (method 2 in this link)

  http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

  Thank you

  Raja K

• IPSec site to site VPN cisco VPN client routing problem and

  Hello

  I'm really stuck with the configuration of ipsec site to site vpn (hub to spoke, multiple rays) with cisco vpn remote client access to this vpn.

  The problem is with remote access - cisco vpn client access - I can communicate with hub lan - but I need also communication of all lans speaks of the cisco vpn client.

  There are on the shelves, there is no material used cisco - routers DLINK.

  Someone told me that it is possible to use NAT to translate remote access IP-lan-HUB customers and thus allow communication - but I'm unable to set up and operate.

  Can someone help me please?

  Thank you

  Peter

  RAYS - not cisco devices / another provider

  Cisco 1841 HSEC HUB:

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  ISAKMP crypto key x xx address no.-xauth

  !

  the group x crypto isakmp client configuration

  x key

  pool vpnclientpool

  ACL 190

  include-local-lan

  !

  86400 seconds, duration of life crypto ipsec security association

  Crypto ipsec transform-set esp-3des esp-sha-hmac 1cisco

  !

  Crypto-map dynamic dynmap 10

  Set transform-set 1cisco

  !

  card crypto ETH0 client authentication list userauthen

  card crypto isakmp authorization list groupauthor ETH0

  client configuration address card crypto ETH0 answer

  ETH0 1 ipsec-isakmp crypto map

  set peer x

  Set transform-set 1cisco

  PFS group2 Set

  match address 180

  card ETH0 10-isakmp ipsec crypto dynamic dynmap

  !

  !

  interface FastEthernet0/1

  Description $ES_WAN$

  card crypto ETH0

  !

  IP local pool vpnclientpool 192.168.200.100 192.168.200.150

  !

  !

  overload of IP nat inside source list LOCAL interface FastEthernet0/1

  !

  IP access-list extended LOCAL

  deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  deny ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  IP 192.168.7.0 allow 0.0.0.255 any

  !

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  !

  How the DLINK has been configured for traffic between the site to site VPN subnets? You are able to add multiple remote subnets on DLINK? If you can, then you must add the pool of Client VPN subnet.

  Alternatively, if you cannot add multiple subnet on DLINK router, you can change the pool of Client VPN 192.168.6.0/24, and on the crypto ACL between the site to site VPN, you must edit the 180 existing ACL

  DE:

  access-list 180 allow ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 180 allow ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

  TO:

  access-list 180 allow ip 192.168.6.0 0.0.1.255 192.168.1.0 0.0.0.255

  Also change the ACL 190 split tunnel:

  DE:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.200.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

  TO:

  access-list 190 allow ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

  access-list 190 allow ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255

  Finally, replace the remote subnet 192.168.7.0/255.255.255.0 192.168.6.0/255.255.254.0 DLINK.

  Hope that helps.

• IPSec VPN with private WAN address... Help!

  I am trying to establish an IPSec Site to Site VPN to my company network. I use a Cisco 2811. If I plug a Public IP WAN connection my tunnel past traffic without problem, but if I tell a router in the middle where the 2811 pulls a private IP address of the home router I no longer get a tunnel a success. Any suggestion?

  I have the following instructions.

  FA 0/0
  DHCP IP ADDRESS
  CRYPTO MAP AESMAP

  VLAN 1
  IP ADDRESS XX. XX. XX. XX 255.255.255.240 (public IP)

  IP ROUTE 0.0.0.0 0.0.0.0 FA 0/0

  If this can help clerify the "router" is a CradlePoint (CRT500) that takes the Mobile 3 G and send it to an ethernet port on the WAN port on my router. The installation remains mobile and I rarely get the chance to have a public IP address for my WAN. Currently I use a SonicWall TX 100 router that allows me to VPN to my network of companies. We hope to move all of our mobile kits to the cisco product, but need to find a solution before change can occur.

  If I do 'Show IP Crypto ISAKMP SA' it shows: XX. XX. XX. XX (PUBLIC) <> Active 192.168.0.1.

  My thoughts are that my TCP 500 traffic to the VPN router and when the VPN router sends traffic to the address there SA with it's no the case because it is an ip address private. Limited my knowledge of the works of the VPN, I think only in Phase 1, two addresses must "bind" and NAT cannot be used with VPN? But I keep out hope that this might be a somewhat common question and there is a procedure in place to get around, or maybe I'm just a bad configuration or IP road...

  When I disable card crypto on the FA 0/0 and add NAT to the FA 0/0 and 1 VLAN more change my IP Route to "0.0.0.0 0.0.0.0 192.168.0.1" I get non - vpn connectivity.  Also, I put the address that gets my FA 0/0 in the DMZ of the Cradlepoint.

  Thanks for any help anyone can provide!

  Brandon,

  NAT - T is designed to overcome the problems of NAT/PAT, known in the world of IPv4.

  The big problem is that if you have a public IPv4 address, you will need to run PAT. Packages ESP / AH do not have a port number so that they cannot be PATed. To do this, we enacapsulate IPsec payload inside udp/4500 packages.

  That being said, some providers overcome this problem differently, but it's not THE standard way.

  Your head should see you as PublicIP facig of internet device.

  I agree, that both sonicwall and IOS should work with other IOS. At the same time, it is difficult to say what is happening in the middle.

  I would say that if possible, connect you to a case of TAC, the guys will be able to view your configs and able to solve the problem when it's there. These types of discussions on the forums can go for very long ;-)

  Marcin

• IPSec VPN with DynDNS host problems after change of address

  Hi guys,.

  I have a weird problem on an IOS router.

  I need to implement IPSec VPN L2L.

  Because of the security requirements of each site needed a clean pre-shared key. Sites dynamic IP and it's

  why I use dyndns.

  ISAKMP crypto key KEY hostname XXXXXXXXXXX.dyndns.org

  CMAP_1 1 ipsec-isakmp crypto map
  define peer dynamic XXXXXXXXX.dyndns.org

  First of all, it works fine, but after the change of IP address it no longer works.

  Debugging, I discovered that it resolves the new IP address but IPSec attempts to connect to the previous INVESTIGATION period.

  I tried this on two other IOS, 15.0 and 12.4

  This debugging output:

  01:02:39.735 Mar 1: IPSEC: addr of Peer Link70 (70.1.1.3) is out of date, triggering DNS
  * 01:02:39.735 Mar 1: IPSEC: Peer has the address 70.1.1.3 (DNS cache).                 New IP address
  * 1 Mar 01:02:41.731: IPSEC (sa_request):,.
  (Eng. msg key.) Local OUTGOING = 1.1.1.2, distance = 70.1.1.200, OLD IP
  local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),
  remote_proxy = 10.254.70.0/255.255.255.0/0/0 (type = 4),
  Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),
  lifedur = 240 s and KB 4608000,
  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
  * 1 Mar 01:02:41.739: ISAKMP: (0): profile of THE request is (NULL)
  * 01:02:41.739 Mar 1: ISAKMP: created a struct peer 70.1.1.200, peer port 500
  * 01:02:41.739 Mar 1: ISAKMP: new created position = 0x673FB268 peer_handle = 0 x 80000008
  * 01:02:41.739 Mar 1: ISAKMP: lock struct 0x673FB268, refcount 1 to peer isakmp_initiator
  * 01:02:41.743 Mar 1: ISAKMP: 500 local port, remote port 500
  * 01:02:41.743 Mar 1: ISAKMP: set new node 0 to QM_IDLE
  * 01:02:41.743 Mar 1: insert his with his 650AE400 = success
  * 01:02:41.747 Mar 1: ISAKMP: (0): cannot start aggressive mode, try the main mode.
  * 01:02:41.747 Mar 1: ISAKMP: (0): no pre-shared with 70.1.1.200!                     PROBLEM!
  * 1 Mar 01:02:41.747: ISAKMP: (0): pre-shared key or Cert No. address.                   PROBLEM!
  * 1 Mar 01:02:41.747: ISAKMP: (0): construct_initial_message: cannot start main mode
  * 01:02:41.751 Mar 1: ISAKMP: Unlocking counterpart struct 0x673FB268 for isadb_unlock_peer_delete_sa(), count 0
  * 01:02:41.751 Mar 1: ISAKMP: delete peer node by peer_reap for 70.1.1.200: 673FB268
  * 01:02:41.751 Mar 1: ISAKMP: (0): serving SA., his is 650AE400, delme is 650AE400
  * 01:02:41.755 Mar 1: ISAKMP: (0): purge the node-267512777
  * 01:02:41.755 Mar 1: ISAKMP: error during the processing of HIS application: failed to initialize SA
  * 01:02:41.755 Mar 1: ISAKMP: error while processing message KMI 0, error 2.
  * 1 Mar 01:02:41.759: IPSEC (key_engine): had an event of the queue with 1 KMI messages...
  Success rate is 0% (0/5)

  I'm building a lab to find a solution for this.

  The other side is a VPN Linksys router, I tried with an IOS router on both sites also, but I got same results.

  I tried with DPD, ISAKMP profiles don't... no help.

  Hi Smailmilak83,

  Configuration of a static encryption with a specific peer card creates a society of surveillance for the peer. Dns lookup he's now only the first time, he tries to connect, after which it's just going to be her generate a new key. If she would ideally use the value peer in the his and not the config or a dns lookup. So, it is wise to use a dynamic encryption card.

  Please try to use a dynamic encryption instead of a static map. Although there are some limitations including crypto being initiated only at the other end, we can work around keeping the tunnel directly.

  Hope that helps.

  Sent by Cisco Support technique iPhone App

  -Please note the solutions.

• Site to Site VPN of IOS - impossible route after VPN + NAT

  Hello

  I have problems with a VPN on 2 routers access 8xx: I am trying to set up a quick and dirty VPN Site to Site with a source NAT VPN tunnel endpoint. This configuration is only intended to run from one day only inter. I managed to do the work of VPN and I traced the translations of NAT VPN tunnel endpoint, but I couldn't make these translated packages which must move outside the access router, because intended to be VPN traffic network is not directly connected to leave the router. However, I can ping the hosts directly connected to the router for access through the VPN.

  Something done routing not to work, I don't think the NATing, because I tried to remove the NAT and I couldn't follow all outgoing packets that must be sent, so I suspect this feature is not included in the IOS of the range of routers Cisco 8xx.

  I'm that extends the features VPN + NAT + routing too, or is there a configuration error in my setup?

  This is the configuration on the router from Cisco 8xx (I provided only the VPN endpoint, as the works of VPN endpoint)

  VPN endpoints: 10.20.1.2 and 10.10.1.2

  routing to 192.168.2.0 is necessary to 192.168.1.2 to 192.168.1.254

  From 172.31.0.x to 192.168.1.x

  !

  version 12.4

  no service button

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  !

  hostname INSIDEVPN

  !

  boot-start-marker

  boot-end-marker

  !

  enable secret 5 xxxxxxxxxxxxxxx

  !

  No aaa new-model

  !

  !

  dot11 syslog

  no ip cef

  !

  !

  !

  !

  IP domain name xxxx.xxxx

  !

  Authenticated MultiLink bundle-name Panel

  !

  !

  username root password 7 xxxxxxxxxxxxxx

  !

  !

  crypto ISAKMP policy 10

  BA 3des

  preshared authentication

  ISAKMP crypto key address 10.20.1.2 xxxxxxxxxxxxx

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac VPN-TRANSFORMATIONS

  !

  CRYPTOMAP 10 ipsec-isakmp crypto map

  defined by peer 10.20.1.2

  game of transformation-VPN-TRANSFORMATIONS

  match address 100

  !

  Archives

  The config log

  hidekeys

  !

  !

  LAN controller 0

  line-run cpe

  !

  !

  !

  !

  interface BRI0

  no ip address

  encapsulation hdlc

  Shutdown

  !

  interface FastEthernet0

  switchport access vlan 12

  No cdp enable

  card crypto CRYPTOMAP

  !

  interface FastEthernet1

  switchport access vlan 2

  No cdp enable

  !

  interface FastEthernet2

  switchport access vlan 2

  No cdp enable

  !

  interface FastEthernet3

  switchport access vlan 2

  No cdp enable

  !

  interface Vlan1

  no ip address

  !

  interface Vlan2

  IP 192.168.1.1 255.255.255.248

  NAT outside IP

  IP virtual-reassembly

  !

  interface Vlan12

  10.10.1.2 IP address 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  card crypto CRYPTOMAP

  !

  IP forward-Protocol ND

  IP route 192.168.2.0 255.255.255.0 192.168.1.254

  IP route 10.20.0.0 255.255.0.0 10.10.1.254

  Route IP 172.31.0.0 255.255.0.0 Vlan12

  !

  !

  no ip address of the http server

  no ip http secure server

  IP nat inside source static 172.31.0.2 192.168.1.11

  IP nat inside source 172.31.0.3 static 192.168.1.12

  !

  access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255

  access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255

  !

  !

  control plan

  !

  !

  Line con 0

  no activation of the modem

  line to 0

  line vty 0 4

  password 7 xxxxxxxxx

  opening of session

  !

  max-task-time 5000 Planner

  end

  Hi Jürgen,

  First of all, when I went through your config, I saw these lines,

  !
  

  interface Vlan2
  

  IP 192.168.1.1 255.255.255.248
  

  !

  !

  IP route 192.168.2.0 255.255.255.0 192.168.1.254
  

  !

  With 255.255.255.248 192.168.1.1 and 192.168.1.254 subnet will fall to different subnets. So I don't think you can join 192.168.2.0/24 subnet to the local router at this point. I think you should fix that first.

  Maybe have 192.168.1.2 255.255.255. 248 on the router connected (instead of 192.168.1.254)

  Once this has been done. We will have to look at routing.

  You are 172.31.0.2-> 192.168.1.11 natting

  
  

  Now, in order for that to work, make sure that a source addresses (192.168.1.11) NAT is outside the subnet router to router connected (if you go with 192.168.1.0/29 subnet router to router, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case 192.168.1.8/29 to the subnet that your NAT would be sources fall.

  Have a static route on the router connected (192.168.1.2) for the network 192.168.1.8/29 pointing 192.168.1.1,

  !

  IP route 192.168.1.8 255.255.255.248 192.168.1.1

  !

  If return packets will be correctly routed toward our local router.

  If you have an interface on the connected rotuer which includes the NAT would be source address range, let's say 192.168.1.254/24, even if you do your packages reach somehow 192.168.2.0/24, the package return never goes to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so it will only expire

  I hope I understood your scenario. Pleae make changes and let me know how you went with it.

  Also, please don't forget to rate this post so useful.

  Shamal

• L2l VPN with NAT static to hide the IP internal on Cisco 1841 ISR

  I configured a VPN L2L on a Cisco 1841 ISR.  I'm statically from some of my internal hosts to IPS that are included in encrypted traffic.  Please note that not all internal hosts are underway using a NAT.  I am doing this for hidden some of the actual IP addresses on the inside network.  I confirmed that the VPN works as well as natives of VPN traffic.  I configured VPN L2L traditionally on the Cisco ASA 5500 Series devices, and this is my first attempt with HIA of 1841.  I want just the other to take a glance to see if I missed something, or could I effectively part of the configuration.  All comments are welcome.

  VPN-RTR-01 #show run
  Building configuration...

  Current configuration: 9316 bytes
  !
  version 12.4
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  encryption password service
  !
  hostname VPN-RTR-01
  !
  boot-start-marker
  boot-end-marker
  !
  ! type map necessary for vwic/slot-slot 0/0 control
  logging buffered 51200 warnings
  no console logging
  enable secret 5 xxxxxxxxxxxxxxx
  enable password 7 xxxxxxxxxxxxxxx
  !
  No aaa new-model
  IP cef
  !
  !
  !
  !
  no ip domain search
  property intellectual auth-proxy max-nodata-& 3
  property intellectual admission max-nodata-& 3
  !
  !
  Crypto pki trustpoint TP-self-signed-2010810276
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 2010810276
  revocation checking no
  rsakeypair TP-self-signed-2010810276
  !
  !
  TP-self-signed-2010810276 crypto pki certificate chain
  certificate self-signed 01
  30820246 308201AF A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
  69666963 32303130 38313032 6174652D 3736301E 31393334 OF 30333131 170 3131
  30365A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
  4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 30313038 65642D
  31303237 3630819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
  8100C3FF F5EADA3B BCB06873 5577DB24 2AD8ECBB 00D53F1A 37342E2E 5CC9202A
  7F128E51 016CD6EC D8734F4D 28BE8B0A FCD6B714 8D13585B 7844C09C 79BA8F13
  B75E4E98 25D91F02 A4773F66 83407A8B 85447 64 A6889DD9 6085857F 737F8A9F
  749F4297 8804C4F3 D28A6C33 F4137BBE 67F9B945 F239789E 1303AD6D DB98B7E2
  52B 50203 010001 HAS 3 1 130101 FF040530 030101FF 30190603 0F060355 6E306C30
  551 1104 12301082 0E535458 2D56504E 2 525452 2 303130 1 230418 1F060355 D
  3B 232987 30168014 2CBB9DD0 B34B7243 7F8095C8 7AFBEFE3 301D 0603 551D0E04
  1604143B 2329872C BB9DD0B3 4B72437F 8095C87A FBEFE330 0D06092A 864886F7
  010104 05000381 8100A 831 8E05114A DE8AF6C5 4CB45914 36B6427C 42B30F07 0D
  C5C47BC9 0110BCAA A985CB3F 5CBB855B B12D3225 B8021234 86D1952C 655071E4
  66C18F42 F84492A9 835DE884 341B3A95 A3CED4E8 F37E7609 88F52640 741D74D2
  37842 D 39 E5F2B208 0D4D57E1 C5633DEB ACDFC897 7D50683D 05B5FDAA E42714B4
  DD29E815 E9F90877 4 D 68
  quit smoking
  username privilege 15 password 7 xxxxxxxxxxxxxxx lhocin
  username privilege 15 password 7 xxxxxxxxxxxxxxx jsmith
  !
  !
  !
  !
  crypto ISAKMP policy 5
  BA aes 256
  preshared authentication
  Group 2
  lifetime 28800
  xxxxxxxxxxxxxxx key address 172.21.0.1 crypto ISAKMP xauth No.
  !
  !
  Crypto ipsec transform-set ESP-AES256-SHA esp - aes 256 esp-sha-hmac
  !
  card crypto SITES REMOTE VPN-ipsec-isakmp 1
  defined by peer 172.21.0.1
  game of transformation-ESP-AES256-SHA
  match address VPN-REMOTE-SITE
  !
  !
  !
  interface FastEthernet0/0
  no ip address
  automatic speed
  full-duplex
  No mop enabled
  !
  interface FastEthernet0/0.1
  encapsulation dot1Q 1 native
  !
  interface FastEthernet0/0.2
  Description $FW_INSIDE$
  encapsulation dot1Q 61
  IP 10.1.0.34 255.255.255.224
  IP access-group 100 to
  IP nat inside
  IP virtual-reassembly
  !
  interface FastEthernet0/0.3
  Description $FW_OUTSIDE$
  encapsulation dot1Q 111
  IP 172.20.32.17 255.255.255.224
  IP access-group 101 in
  Check IP unicast reverse path
  NAT outside IP
  IP virtual-reassembly
  crypto VPN-REMOTE-SITE map
  !
  interface FastEthernet0/1
  no ip address
  Shutdown
  automatic duplex
  automatic speed
  !
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 172.20.32.1
  IP route 10.16.0.0 255.255.0.0 10.1.0.33
  IP route 10.19.0.0 255.255.0.0 10.1.0.33
  IP route 10.191.0.0 255.255.0.0 10.1.0.33
  IP route 10.192.0.0 255.255.0.0 10.1.0.33
  IP route 192.168.20.48 255.255.255.240 10.1.0.33
  !
  !
  IP http server
  local IP http authentication
  IP http secure server
  IP http timeout policy inactive 600 life 86400 request 10000
  IP nat inside source map route NO_NAT interface FastEthernet0/0.3 overload
  IP nat inside source static 10.191.0.11 192.168.20.54 STATIC_NAT_7 card expandable route
  IP nat inside source static 10.191.0.12 192.168.20.55 STATIC_NAT_8 card expandable route
  IP nat inside source static 10.192.1.1 192.168.20.56 STATIC_NAT_1 card expandable route
  IP nat inside source static 10.192.1.2 192.168.20.57 STATIC_NAT_2 card expandable route
  IP nat inside source static 10.192.1.3 192.168.20.58 STATIC_NAT_3 card expandable route
  IP nat inside source static 10.192.1.4 192.168.20.59 STATIC_NAT_4 card expandable route
  IP nat inside source static 10.192.1.5 192.168.20.61 STATIC_NAT_5 card expandable route
  IP nat inside source static 10.16.1.6 192.168.20.62 STATIC_NAT_6 card expandable route
  !
  VPN-REMOTE-SITE extended IP access list
  IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.39
  IP 192.168.20.48 allow the host 0.0.0.15 10.174.52.40
  inside_nat_static_1 extended IP access list
  permit ip host 10.192.1.1 10.174.52.39
  permit ip host 10.192.1.1 10.174.52.40
  refuse an entire ip
  inside_nat_static_2 extended IP access list
  permit ip host 10.192.1.2 10.174.52.39
  permit ip host 10.192.1.2 10.174.52.40
  refuse an entire ip
  inside_nat_static_3 extended IP access list
  permit ip host 10.192.1.3 10.174.52.39
  permit ip host 10.192.1.3 10.174.52.40
  refuse an entire ip
  inside_nat_static_4 extended IP access list
  permit ip host 10.192.1.4 10.174.52.39
  permit ip host 10.192.1.4 10.174.52.40
  refuse an entire ip
  inside_nat_static_5 extended IP access list
  permit ip host 10.192.1.5 10.174.52.39
  permit ip host 10.192.1.5 10.174.52.40
  refuse an entire ip
  inside_nat_static_6 extended IP access list
  permit ip host 10.16.1.6 10.174.52.39
  permit ip host 10.16.1.6 10.174.52.40
  refuse an entire ip
  inside_nat_static_7 extended IP access list
  permit ip host 10.191.0.11 10.174.52.39
  permit ip host 10.191.0.11 10.174.52.40
  refuse an entire ip
  inside_nat_static_8 extended IP access list
  permit ip host 10.191.0.12 10.174.52.39
  permit ip host 10.191.0.12 10.174.52.40
  refuse an entire ip
  !
  access-list 100 remark self-generated by the configuration of the firewall SDM
  Access-list 100 = 1 SDM_ACL category note
  access-list 100 deny ip 172.20.32.0 0.0.0.31 all
  access-list 100 deny ip 255.255.255.255 host everything
  access-list 100 deny ip 127.0.0.0 0.255.255.255 everything
  access ip-list 100 permit a whole
  Remark SDM_ACL category of access list 101 = 17
  access-list 101 permit udp any host 192.168.20.62
  access-list 101 permit tcp any host 192.168.20.62
  access-list 101 permit udp any host 192.168.20.61
  access-list 101 permit tcp any host 192.168.20.61
  access-list 101 permit udp any host 192.168.20.59
  access-list 101 permit tcp any host 192.168.20.59
  access-list 101 permit udp any host 192.168.20.58
  access-list 101 permit tcp any host 192.168.20.58
  access-list 101 permit udp any host 192.168.20.57
  access-list 101 permit tcp any host 192.168.20.57
  access-list 101 permit udp any host 192.168.20.56
  access-list 101 permit tcp any host 192.168.20.56
  access-list 101 permit udp any host 192.168.20.55
  access-list 101 permit tcp any host 192.168.20.55
  access-list 101 permit udp any host 192.168.20.54
  access-list 101 permit tcp any host 192.168.20.54
  access-list 101 permit ip 10.174.52.40 host 192.168.20.48 0.0.0.15
  access-list 101 permit ip 10.174.52.39 host 192.168.20.48 0.0.0.15
  access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq non500-isakmp
  access-list 101 permit udp host 172.21.0.1 host 172.20.32.17 eq isakmp
  access-list 101 permit esp 172.21.0.1 host 172.20.32.17
  access-list 101 permit ahp host 172.21.0.1 172.20.32.17
  access-list 101 permit icmp any host 172.20.32.17 - response
  access-list 101 permit icmp any host 172.20.32.17 time limit
  access-list 101 permit icmp any unreachable host 172.20.32.17
  access-list 101 permit udp any host isakmp 172.20.32.17 newspaper eq
  access-list 101 permit udp any host 172.20.32.17 eq non500-isakmp
  access-list 101 permit tcp any host 172.20.32.17 eq 443
  access-list 101 permit tcp any host 172.20.32.17 eq 22
  access-list 101 permit tcp any host 172.20.32.17 eq cmd
  access-list 101 deny ip 10.1.0.32 0.0.0.31 all
  access-list 101 deny ip 10.0.0.0 0.255.255.255 everything
  access-list 101 deny ip 172.16.0.0 0.15.255.255 all
  access-list 101 deny ip 192.168.0.0 0.0.255.255 everything
  access-list 101 deny ip 127.0.0.0 0.255.255.255 everything
  access-list 101 deny ip 255.255.255.255 host everything
  access-list 101 deny host ip 0.0.0.0 everything
  access-list 101 deny ip any any newspaper
  access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.40
  access-list 102 deny ip 192.168.20.48 0.0.0.15 host 10.174.52.39
  access-list 102 permit ip 10.1.0.32 0.0.0.31 all
  !
  allowed NO_NAT 1 route map
  corresponds to the IP 102
  !
  STATIC_NAT_8 allowed 10 route map
  inside_nat_static_8 match ip address
  !
  STATIC_NAT_5 allowed 10 route map
  inside_nat_static_5 match ip address
  !
  STATIC_NAT_4 allowed 10 route map
  inside_nat_static_4 match ip address
  !
  STATIC_NAT_7 allowed 10 route map
  inside_nat_static_7 match ip address
  !
  STATIC_NAT_6 allowed 10 route map
  inside_nat_static_6 match ip address
  !
  STATIC_NAT_1 allowed 10 route map
  inside_nat_static_1 match ip address
  !
  STATIC_NAT_3 allowed 10 route map
  inside_nat_static_3 match ip address
  !
  STATIC_NAT_2 allowed 10 route map
  inside_nat_static_2 match ip address
  !
  !
  !
  control plan
  !
  !
  !
  Line con 0
  exec-timeout 30 0
  line to 0
  line vty 0 4
  privilege level 15
  local connection
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  local connection
  transport input telnet ssh
  !
  Scheduler allocate 20000 1000
  end

  VPN-RTR-01 #.

  Hello

  Configuration looks ok to me.

  yet you can cross-reference with the following link:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080223a59.shtml

  I hope this helps.

  Kind regards

  Anisha

  P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

• Cisco router restarts randomly with Bus error

  Cisco router restarts randomly with the following error:

  System has been restarted by error of bus to PC 0x4183614C, speech 0 x 95848 at 09:30:28 UTC Tuesday, April 23, 2013

  I've pasted below see the chimneys and release the version.

  view the stacks

  
  

  Minimum factory chimneys:

  Format name / free

  5396/6000 inspect Init Msg

  Subsystem SPAN 5368/6000

  58920/60000 EEM Auto record Proc

  Automatic start of 4772/6000 upgrade process

  DIB 5164/6000 error message

  HAND OF SASL 5396/6000

  4968/6000 LICENSE DEFAULT AGENT

  5368/12000 Init

  4216/6000 update prst

  4384/6000 VPN_HW_MIB_CREATION

  5188/6000 RADIUS INITCONFIG

  Update process random rom 2128/3000

  8356/12000 SSH process

  Stats URPF 5316/6000

  Interruption of battery level:

  Level named format / unused

  Network interfaces 1 1484828 6284/9000

  2 3264990 8548/9000 DMA/Timer Interrupt

  3 1 8388/9000 PA Int management Manager

  Console 4 115 8612/9000 Uart

  External interrupt 5 0 9000/9000

  NMI 7 223352 8564/9000 interrupt handler

  Spurious interrupts: 11

  System has been restarted by error of bus to PC 0x4183614C, speech 0 x 95848 at 09:30:28 UTC Tuesday, April 23, 2013

  Software of 2800 (C2800NM-ADVSECURITYK9-M), Version 12.4 (24) T, RELEASE SOFTWARE (fc1)

  Technical support: http://www.cisco.com/techsupport

  Updated Thursday 25 February 09 17:55 by prod_rel_team

  Image text-base: 0 x 40011240, database: 0x42B41940

  The failure of the system stack trace:

  FP: 0X472252B8, RA: 0X4183614C

  FP: 0 X 47225310, RA: 0X418312F8

  FP: 0 X 47225348, RA: 0X41647DC0

  FP: 0X472253A8, RA: 0X4164A8F4

  FP: 0 X 47225428, RA: 0X4164B248

  See the version

  
  

  Cisco IOS software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4 (24) T, RELEASE SOFTWARE (fc1)

  Technical support: http://www.cisco.com/techsupport

  Copyright (c) 1986-2009 by Cisco Systems, Inc.

  Updated Thursday 25 February 09 17:55 by prod_rel_team

  ROM: System Bootstrap, Version 12.4 (1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

  availability of Cisco is 28 minutes

  System returned to ROM by bus to the 0x4183614C PC error, address 0 x 95848 at 09:30:28 UTC Tuesday, April 23, 2013

  System image file is "flash: c2800nm-advsecurityk9 - mz.124 - 24.T.bin".

  This product contains cryptographic features and is under the United States

  States and local laws governing the import, export, transfer and

  use. Delivery of Cisco cryptographic products does not imply

  third party approval to import, export, distribute or use encryption.

  Importers, exporters, distributors and users are responsible for

  compliance with U.S. laws and local countries. By using this product you

  agree to comply with the regulations and laws in force. If you are unable

  to satisfy the United States and local laws, return the product.

  A summary of U.S. laws governing Cisco cryptographic products to:

  http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

  If you need assistance please contact us by mail at

  [email protected] / * /.

  Cisco 2821 (revision 53.51) with 1036288K / 12288K bytes of memory.

  Card processor ID FCZ1017732F

  2 gigabit Ethernet interfaces

  2 modules of virtual private network (VPN)

  Configuration of DRAM is wide with parity 64-bit capable.

  239K bytes of non-volatile configuration memory.

  250880K bytes of ATA CompactFlash (read/write)

  Configuration register is 0 x 2102

  You want to use the tool interpreter of output for this work:

  http://www.Cisco.com/pcgi-bin/support/OutputInterpreter/home.p

  For more information about the resolution of crashes, see this article:

  http://www.Cisco.com/en/us/products/HW/IAD/ps397/products_tech_note09186a00800b4447.shtml

  In this case, it looks like CSCsy09250, described here:

  http://www.Cisco.com/en/us/products/CSA/Cisco-SA-20100324-SCCP.html

  You should contact Cisco for the software updated by following the instructions of this bulletin.

  That crash possibly caused by part of sone intentionally sends out packets malformed to your device, so if you have reason to believe that someone in your community could run metasploit or similar "Penetration Testing" tools, you can look into that as well.