Problem with GRE

Hi all

Basically, I have a VPN between a branch and central. It works fine, but sometimes the GRE tunnels go down and the VPN stops working. A reset solves it, but the problem comes back from time to time. It is not a saturation problem, because little traffic passes through the router.

Any help will be welcome.

Regards

Configure the GRE tunnel with a keepalive.

Sent from Cisco Technical Support iPad App

Tags: Cisco Security

Similar Questions

  • Problem with GRE over IPsec with IOS Version 15.1(2)T4

    Hello

    We have several sites that use GRE tunnels with a crypto map for encryption.  On upgrading a UC-520 to the latest version (15.1(2)T4 or any version of this train) I get the following error:

    SIN-UC520(config-if)#crypto map aberdeen
    % NOTE: crypto map is configured on tunnel interface.
            Currently only GDOI crypto map is supported on tunnel interface.

    The original Tunnel config is below:

    interface Tunnel0
     description Tunnel to Aberdeen AC
     bandwidth 512
     ip unnumbered Vlan1
     ip mtu 1420
     qos pre-classify
     tunnel source a.b.c.d
     tunnel destination e.f.g.h
     crypto map aberdeen

    Downgrading the IOS version solves the problem.   What gives?  Has Cisco dropped support for this configuration?

    I use this setup so I can choose exactly which traffic is encrypted (I do not encrypt voice for example).

    Thank you
    Peter.

    Hi Peter,

    It looks like from 15.1 onward this configuration is no longer supported. Here's what the release notes say:

    Error message appears when you try to apply the tunnel interface to a crypto map.

    Old behavior: An error message is not displayed when you try to apply the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

    New behavior: An error message appears when you try to apply the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

    http://www.Cisco.com/en/us/docs/iOS/15_1/release/notes/151TNEWF.html

    The command reference has the following information about the error message:

    A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.

    http://www.Cisco.com/en/us/docs/iOS/Security/command/reference/sec_c4.html#wp1078283

    So it seems that on the new version you can only use GDOI crypto maps (new to me) on your tunnel interfaces.

    Here's a doc that explains the GDOI implementation. I wish that I could help with the setup, but as I said, I had not heard of it until today.

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

    I hope this clarifies your questions.

    Raga

  • HSRP with GRE ipsec problems

    I have the following scenario to connect my main HQ with other directorates:

    Two HQ routers run HSRP on their internal Gigabit interfaces and use WAN connections over serial interfaces to create site-to-site VPNs with other branches using GRE over IPsec.

    What I need to know is whether this is the right configuration or whether there is another way to do it.

    The following is the sample configuration on both the active and standby routers and on the branch router.

    Active router

    crypto isakmp key password address 172.18.x.x

    crypto ipsec transform-set aes esp-aes esp-sha-hmac

    crypto map secure 13 ipsec-isakmp
     set peer 172.18.x.x
     set transform-set aes
     match address 101

    interface Tunnel3
     description branch01
     ip address 10.100.30.1 255.255.255.0
     keepalive 10 3
     tunnel source 10.100.0.x
     tunnel destination 172.18.x.x
     crypto map secure

    interface GigabitEthernet0/0
     ip address 10.100.0.y 255.255.255.0
     duplex auto
     speed auto
     standby 1 ip 10.100.0.x
     standby 1 preempt

    interface Serial0/0/0.16 point-to-point
     ip address 172.20.x.x 255.255.255.252
     crypto map secure

    access-list 101 permit gre host 10.100.0.x host 172.18.x.x

    Standby router

    crypto isakmp key password address 172.18.x.x

    crypto ipsec transform-set aes esp-aes esp-sha-hmac

    crypto map secure 13 ipsec-isakmp
     set peer 172.18.x.x
     set transform-set aes
     match address 101

    interface Tunnel3
     description branch01
     ip address 10.100.30.3 255.255.255.0
     keepalive 10 3
     tunnel source 10.100.0.x
     tunnel destination 172.18.x.x
     crypto map secure

    interface GigabitEthernet0/0
     ip address 10.100.0.z 255.255.255.0
     duplex auto
     speed auto
     standby 1 ip 10.100.0.x
     standby 1 preempt

    interface Serial0/0/0.16 point-to-point
     ip address 172.19.x.x 255.255.255.252
     crypto map secure

    access-list 101 permit gre host 10.100.0.x host 172.18.x.x

    Branch router

    crypto isakmp key password address 172.20.x.x
    crypto isakmp key password address 172.19.x.x
    crypto isakmp key password address 10.100.0.x

    crypto ipsec transform-set aes esp-aes esp-sha-hmac

    crypto map secure 13 ipsec-isakmp
     set peer 172.19.x.x
     set peer 172.20.x.x
     set transform-set aes
     match address 101

    interface Tunnel3
     description branch01
     ip address 10.100.30.3 255.255.255.0
     keepalive 10 3
     tunnel source 172.18.x.x
     tunnel destination 10.100.0.x
     crypto map secure

    interface Serial0/0/0.16 point-to-point
     ip address 172.18.x.x 255.255.255.252
     crypto map secure

    access-list 101 permit gre host 172.18.x.x host 10.100.0.x

    I had lots of error messages with the active or standby router, and all the VPN settings are correct on the routers of the AC and branches.

    %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 172.18.x.x

    In your current design, I can see HSRP is used to provide HA for the outbound VPN path.  In IPsec HA designs, HSRP is usually deployed when the WAN is Ethernet-attached.  In that case, we can build the tunnel using the HSRP virtual address, which gives a permanent IP address.  The problem with your design is that to reach the HSRP virtual IP address, you must cross a single-homed serial interface. If this interface fails, or if there is a problem in the routed path between the crypto peers, you will never be able to reach the HSRP virtual IP address, so the resulting solution will fail.

    If this is the topology we have to work with, then the only recommendation I can make is to incorporate IP SLA and tracking in your design.  For example, you could track the status of the serial interface on the primary router.  If the interface fails, you could decrement the HSRP priority in order to force traffic to converge on the path through the backup router.  With ISAKMP keepalives configured on the routers in the topology, the routers should be able to recognize the failure and time out the old SAs.  Because the spoke is configured with two peers, it can negotiate new SAs with the backup router.  When the serial interface comes back online, you can have the primary router preempt after a delay.  To detect indirect failures on the transit path, you could use IP SLA ICMP probes and tracking instead.  This design, however, should be properly tested for stability during the failover process.
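
    The tracking design described in the reply above, sketched as IOS configuration for the active HQ router. This is an added example, not part of the original thread: the track and SLA numbers, the priority, decrement and delay values are assumptions, while the interface names and masked addresses are the ones from the configuration posted in the question.

    ```cisco
    ! Added example; track/SLA ids, priority, decrement and delays are assumed values.
    !
    ! 1) Direct failure: follow the line protocol of the WAN subinterface.
    track 1 interface Serial0/0/0.16 line-protocol
    !
    ! 2) Indirect failure: ICMP probe to the branch crypto peer across the WAN.
    ip sla 10
     icmp-echo 172.18.x.x source-interface Serial0/0/0.16
     frequency 10
    ip sla schedule 10 life forever start-time now
    !
    ! Older IOS releases use "track 2 rtr 10 reachability" instead.
    track 2 ip sla 10 reachability
     delay down 15 up 60
    !
    interface GigabitEthernet0/0
     standby 1 ip 10.100.0.x
     standby 1 priority 110
     ! Either tracked failure drops the priority below the standby router's default of 100.
     standby 1 track 1 decrement 20
     standby 1 track 2 decrement 20
     ! After recovery, wait before taking the active role back.
     standby 1 preempt delay minimum 60
    !
    ! ISAKMP keepalives so that peers detect a dead peer and time out the old SAs.
    crypto isakmp keepalive 10 3
    ```

    The standby router keeps its default priority and `standby 1 preempt`, so it takes over the virtual address as soon as the active router's priority falls below 100.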

  • Problem with ping VPN cisco 877

    Hi all!

    I have a working VPN between a fortigate and a Cisco.

    I have a problem pinging the network behind the Cisco from the network behind the Forti.

    When I ping the Cisco vlan2 interface (192.168.252.1) there is no problem, but I can't ping a server in vlan2 (192.168.252.2) behind the Cisco.

    However, from the Cisco I can ping the server. On the Forti, I see that the pings to the vlan2 interface and to the server in vlan2 leave in the same way, and I can see the packets.

    I am posting my config. Could you see what in it is blocking the ping from 10.41.2.36 to 192.168.252.2 while the ping to 192.168.252.1 is OK?

    IPSEC#show run
    Building configuration...

    Current configuration : 3302 bytes
    !
    ! Last configuration change at 14:42:17 CEDT Fri Jun 25 2010
    ! NVRAM config last updated at 14:42:23 CEDT Fri Jun 25 2010
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime localtime show-timezone
    service password-encryption
    !
    hostname IPSEC
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 1000000
    enable secret 5 abdellah
    !
    no aaa new-model
    clock timezone GMT 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    !
    !
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.254.0 192.168.254.99
    ip dhcp excluded-address 192.168.254.128 192.168.254.255
    !
    ip dhcp pool DHCP
     network 192.168.254.0 255.255.255.0
     default-router 192.168.254.254
     dns-server A.A.A.A B.B.B.B
    !
    !
    no ip domain lookup
    ip name-server A.A.A.A
    ip name-server B.B.B.B
    !
    !
    !
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    crypto isakmp key ciscokey address IP_forti
    !
    !
    crypto ipsec transform-set vpntest esp-aes 256 esp-sha-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer IP_forti
     set transform-set vpntest
     match address 101
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface Tunnel0
     ip address 2.2.2.1 255.255.255.252
     tunnel source Dialer0
     tunnel destination IP_forti
     crypto map myvpn
    !
    interface ATM0
     bandwidth 320
     no ip address
     load-interval 30
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     mtu 1492
     bandwidth 160
     pvc 8/35
      vbr-nrt 160 160
      pppoe-client dial-pool-number 1
     !
    !
    interface FastEthernet0
     switchport access vlan 2
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
     switchport access vlan 2
    !
    interface Vlan1
     ip address 192.168.20.253 255.255.255.0
     ip nat inside
     no ip virtual-reassembly
    !
    interface Vlan2
     ip address 192.168.252.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Dialer0
     bandwidth 128
     ip address negotiated
     ip nat outside
     no ip virtual-reassembly
     encapsulation ppp
     load-interval 30
     dialer pool 1
     dialer-group 1
     keepalive 1 2
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 abdelkrim
     crypto map myvpn
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.41.2.32 255.255.255.240 Tunnel0
    !
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat translation tcp-timeout 5400
    no ip nat service sip udp port 5060
    ip nat inside source list NAT interface Dialer0 overload
    !
    ip access-list standard BROADCAST
     permit 0.0.0.0
     deny   any
    !
    ip access-list extended NAT
     permit ip any host IP_cisco
     deny   ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
    !
    access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
    snmp-server community public RO
    snmp-server community 3 RW 99
    snmp-server community a RO
    snmp-server community oneCommunityRead RO
    no cdp run
    !
    !
    !
    control-plane
    !
    !
    line con 0
     password 7 abdelkrim
     login
     no modem enable
    line aux 0
    line vty 0 4
     password 7 aaaaa
     login
     escape-character 5
    !
    scheduler max-task-time 5000
    ntp clock-period 17175037
    ntp server B.B.B.B
    ntp server A.A.A.A

    end

    Alex,

    It's your GRE tunnel:

    interface Tunnel0
     ip address 2.2.2.1 255.255.255.252
     tunnel source Dialer0
     tunnel destination IP_forti
     crypto map myvpn

    You also have routing set through it.

    You don't need a GRE tunnel, nor do you need the route to the tunnel, if you just want an IPsec tunnel.

  • NAT issue with GRE over IPsec

    Hi guys!

    I have a little problem with my setup.

    I would like to join the Y in X host through a VPN tunnel.

    My setup works fine until I add this static NAT entry:

    -ip nat inside source static 10.20.20.1 198.41.10.1

    In this case, the tunnel endpoints cannot reach each other (172.16.13.1 <->172.16.13.2).

    The Ext_Router made the Nat translation and the tunnel is located between Ext_Router and R7.

    What is the problem?

    The configuration files are attached.

    Hello

    First, I would like to say that my experience with GRE + IPsec has been pretty slim.

    But what it seems to me, looking at the configurations and NAT, is that you have the following configurations with respect to NAT on R5/Ext_Router:

    • A PAT translation for the 2 LAN networks using the IP address of Serial 0/0 as the PAT address
    • A static NAT for a single LAN host that ALSO uses the IP address of Serial0/0 for the translation.

    If the router's NAT operation is anything like the Cisco PIX or ASA, the static NAT completely replaces the PAT (overload) configuration, and therefore no user belonging to the source networks of ACL 1 will be able to use the NAT, so traffic will not work for them but should probably work for the Static NAT host 10.20.20.1?

    Could that be the problem? Could another IP, 198.41.10.x, be used for the static NAT?

    -Jouni

  • problems with, phone, 6, Bluetooth kit, Nissan, after update, for, Rios, 1.0.2

    After the update to ios 10.0.2 - trying to use bluetooth to call my vehicle, it says: "this article is not in your phone book." How can I solve this problem?

    Greetings, joybelino1!

    Thank you for joining the communities Support from Apple! I can't wait to see that you are having problems with your Bluetooth in your car! The good news is that Apple has a great article that will help you with measures to try to resolve the problem. Read this article to get help to connect your iPhone, iPad, or iPod touch with your car radio. Even though it talks about problems with the connection, it also has the steps for other questions you may have once connected.

    If you use Bluetooth

    1. Consult the user manual of your car stereo to get the procedure to a Bluetooth device.
    2. On your iOS device, drag up to open Control Center, then press twice to turn on Bluetooth and turn it back on.
    3. Restart your iOS device.
    4. On your iOS device, unpair your car radio. On the screen of your car, unpair your iOS device and any other device. Restart your car and your iOS device, then pair and connect again.
    5. Update your iOS device.
    6. Install the updates to the firmware of your car radio.
    7. If you still not connect, contact Apple technical support.

    Have a great day!

  • Anyone having problems with WiFi connectivity after upgrade to Sierra?

    I was wondering if anyone else knows issues with WiFi connectivity since the upgrade to Sierra 10.12? I have not had any problems with connectivity WiFi previously on El Capitan. Now I have regular randomly loose connectivity. My internet is cable and when it is connected I have a 100% connection. My details of iMac and I have used only 10% of my storage.

    No problem with my iphone 6.

    Hello AspDesigns,

    I understand that, since the upgrade to Mac OS Sierra, your Mac seems to have trouble staying connected to Wi - Fi. Fortunately the diagnosis built-in wireless can help identify the source of so much trouble.

    Search for Wi - Fi using your Mac problems

    See you soon!

  • Problems with mail after switching to macOS Sierra

    Hey all

    After having recently upgraded to macOS Sierra, I am unable to read my mail.

    I get the following error every time I check on "Get Mail".

    There may be a problem with the mail server or the network. Check the account settings "*" or try again.

    The server returned the error: Mail could not connect to the server 'pop1.tribcsp.com' using SSL on the default ports. Verify that this server supports SSL and that your account settings are correct.

    What does this error message mean and how can I solve this problem.

    Thank you

    Hi Michael,

    I see your message that you get an error in the mail indicating that there is a problem with the mail server or the network.  To help get this problem resolved, I suggest that you follow the steps below:

    If mail refers to a problem with the mail server, or the network

    Mail will say that it is impossible to connect due to a problem with the mail server or the network. For example, the message may refer to a connection that has expired, or too many simultaneous connections:

    If you are connected to the Internet, but the connection has expired, your email provider might be affected by a discontinuance of service. Contact them or see their status Web page to ensure that their e-mail service is online. Examples of status pages:

    If the message indicates the number of simultaneous connections, too many of your devices is check your e-mail account at the same time. Quit Mail on one or more of your other devices.

    If you are still unable to send or receive e-mails

    1. Make sure that you have installed latest version of the Mac software updates, especially if the problem occurred immediately after the installation of a previous update.
    2. In OS X El Capitan or later version, you can see a status icon and the short error message in the upper right of the Mail window, under the search box. The message may indicate 'Network offline' or 'Connection failed', for example. Click the message to see more details on the issue.
    3. Check your connection to the Mail connection doctor. It might be able to say more on the issue.

    If you cannot send or receive e-mail on your Mac.

    Take care.

  • iMac 27 "mid-2011 - Intermittent problem with CPU fan running at full speed and sleep mode.

    Hello!

    My iMac 27 "has an intermittent problem with the CPU fan runs at full speed. Sometimes it happens at the time when I start it, sometimes only in my session, and sometimes only after a certain time. So does seem to be a problem of "heating".

    Second issue is with the mode 'sleep'. It may occur also at any time, at the start of the iMac, session, or after a certain time. But once he starts to go in mode 'sleep', when I wake up, it goes right back in mode after a few seconds and that it will continue indefinitely until I restart the computer.

    What could be?

    Please help me!

    4ntoine

    Here is my model of iMac:

    iMac 27 "mid-2011 model 12.2

    Intel Core i7 3.4 GHz

    AMD Radeon HD 6970M 1024 MB

    OS X El Capitan 10.11.6
    SMC 1.72f2

    Boot ROM IM121.0047.B23

    reset the SMC

    Reset the management system (SCM) controller on your Mac - Apple Support

  • problem with playing the clash of clans

    I'm having some problems while playing the clash of clans on my 2 mini ipad screen does not seem to meet sometimes as if it was some sort of delay so I have to tap several times in order to use a filter or throw the troops on the battlefield.

    Hi Trinitygr,

    Thanks for posting in the Community Support from Apple! I understand that you are having problems with your iPad screen while playing a game. I like to play games on my iPad and I don't see how this could be a nuisance. I'm happy to offer assistance.

    Are you only had this problem when using the app clash of Clans, or does it happen in all applications? I recommend to start by following the steps described in this article:
    If an application you have installed unexpectedly closes, unresponsive, or does not open

    Take care!

  • I'm having problems with an outdated Apple ID

    I have problems with updating Apps etc in my Apple account because he always asked an obsolete in sign.  How can I change this?

    Hello

    Go down to itunes apple ID Delete page homepage all ID and then add it back back.

    See you soon

    Brian

  • Anyone having problems with the new iPhone LTE connection 7 on Verizon?

    I am now on my iPhone second 7 with Verizon. I had four phones for me and my family. I have now had issues where I have no signal in the same areas where my signal allows to be strong. I can't solve the problem with the activation/deactivation of the airplane and then mode again in normal mode. My phone will rest with no signal for 5 minutes, then going to LTE with three bars. I also had the problem where I had only 1 x signal, while my son standing right next to me has LTE. And he had the same questions, where I'm on LTE and it gets no signal. I use to have LTE where I live and work all the time, now it's spotty at best. Apple has replaced me and my sons iPhones but not luck. Still do. Any ideas or an any other suffering?

    (1) go to settings/cell phone/cellular data Options/enable LTE and select ONLY the DATA. This seems to solve the problem (as a temporary solution) for most of the people affected by this problem. The bad part is your request might not be as clear (since they cannot use the highest LTE signals) and you can make calls and data at the same time. But it does not solve the issue.

    (2) there are rumors (but you didn't hear that from me that we only are not supposed to discuss beta software program Apple in this forum) that the new version of Apple Beta for iOS (which also includes an update of the software carrier Verizon to 26.0) seems to solve this problem. So, there's a light at the end of the tunnel.

  • Problem with some fonts of symbols after the installation of the Sierra

    Hello

    I have recently upgraded the OS on my iMac late 2012 for Sierra, since doing so, I noticed a problem with several fonts.

    All symbolic symbols Apple to Wingdings fonts not correctly displayed in the font book. Apple symbols looks like a standard wheelbase of san, and other symbolic fonts just show as question marks '?' where the images should be.

    In text editing, that I can't even see the symbolic fonts like Zapf Dingbats and Wingdings in the selector. However, they all work well in Adobe Illustrator (CS5) and Microsoft Word 2011. Apple symbols still looks like a standard font.

    I already tried the following:

    1. check the fonts in font book

    2 fix the duplicates in the font book

    3. using the "Restore Standard fonts" option in the font book

    4 deleting a file in the folder Preferences plist Fonts

    5 deleted the cache of police and the database

    I'm out of ideas. Has anyone else had the same problem found a fix?

    Kind regards

    Greville

    I'm just to add that I used the recovery partition to do a clean install of Sierra on a hard drive external and then booted into it to see if it had the same problem.

    And he does. Wingdings and other photo fonts appear as '?' in boxes where the letters must be in the font book.

    So this seems like a problem with the way Sierra displays these fonts, not with the font files themselves.

  • ios10 problem with non-users of iphone messaging

    After upgrading my iPhone 6 to iOS 10, I have had intermittent problems with messaging Android users (basically, the non-iMessage conversations). About 60% of the time it just does not deliver the message no matter what I do (pressing 'Try Again' does not work). There is no problem with receiving texts, but I can't answer Android users (interestingly, I can message Android users if they are in a group text with iPhone users). I tried everything, from updating to the latest version to resetting iOS.

    I can't find anything online about this. I'm the only one who what?

    Group Messaging uses the MMS. Normal text messages using SMS. SMS uses the voice channel to transfer messages and is strictly a basic function. If you are experiencing problems sending SMS, contact your carrier.

  • I have problems with ios 9.3.5

    my ipod says it's still Friday, September 23 when it is Monday 26 and is stuck in the 04:00 time when I change the time, the screen turns off a color at random, then restarts then both will and I have to change but rest later if it changes at all used to date will not change anything and it runs still works when it wants to and it doesn't stay connected to WiFi , I have the ipod 5th generation and am not eligible for ios 10 Please if you can solve this problem with ios 9.3.5 I would be very grateful as I use my ipod for almost everything. Thanks - René

    It is a community based on the user. You do not speak to Apple directly. You can contact the Apple Support here: http://www.apple.com/ca/contact/
