Show Interface Tunnel explanation

Hello

Can anyone explain to me what this means:

Show interface Tunnel

Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)

Is this the VPN bandwidth? If yes, can we change it?

Thank you

If yes, can we change it?

Yes, you can if you run the Advanced IP Services feature (and above).

Tags: Cisco Security

Similar Questions

  • IP unknown in 'show authentication session interface'

    We currently use 802.1X with EAP-TLS based machine authentication, and each Cisco example has the IP address when you run the command show authentication session interface. Ours appears as unknown for the IP address. We authenticate through ACS 4.0 and I can't find anything from Cisco on how to get the switch to retrieve the IP address. Is this a configuration problem or is there a feature that we do not have?

    Hello

    try running the command switch(config)# ip device tracking

    I assume that the user is authenticated.

    hope this helps

  • Packet drops on GRE tunnel and high CPU usage

    Hello world

    We have a GRE tunnel between 2 sites.

    Users have complained about slowness, and when I checked, the CPU usage is too high.

    It went from 40-70% on average in the last hours.

    Here is the setting of the tunnel interface

    MTU 17916 bytes, BW 100 Kbit, DLY 50000 usec,
    reliability 255/255, txload 235/255, rxload 241/255
    Input queue: 0/75/4339/0 (size/max/drops/flushes); Total output drops: 89

    Other end has 39 drops

    Is it ok to have drops when there is a large amount of traffic through the tunnel?

    Need to know what I should look for?

    Are these 89 drops ok to have?

    Thank you

    MAhesh

    Hello Manu,

    This is not really a subject that is close to me, but I'll give it a try.

    What device model do you use on the site where you observe the high CPU? Maybe the device cannot handle the amount of traffic using this method?

    Can you post the output of the command "show interface Tunnel x"?

    What type of WAN connection does this GRE tunnel use?

    Is the bandwidth on it the default 8000 kbps both in and out?

    I think that you can configure it by using the commands

    "tunnel bandwidth transmit"

    "tunnel bandwidth receive"

    There is also a command

    "bandwidth".

    What do you use this connection for? Were there changes in the use of the network between sites that would explain the increased CPU usage?

    It seems, according to the output above, that the tunnel is simply pushing in and out as much traffic as possible, or as much traffic as it can push according to the configuration of the interface.

    txload 235/255, rxload 241/255

    This coupled with high CPU usage could naturally explain the drops. Although of course, the CPU usage is probably the effect of the use of the tunnel bandwidth.

    -Jouni

  • IOS Tunnel interface: NEGATIVE queue size?

    When I do a 'show int' on my tunnel interface, I see a NEGATIVE queue size. Is it normal or am I seeing a bug in the IOS?

    Router#sho int tunnel1
    Tunnel1 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.16.14.2/30
      MTU 1514 bytes, BW 600 Kbit, DLY 500000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source xxx.xx.xxx.xx (FastEthernet4), destination yyy.yyy.yy.yy
      Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
      Tunnel TTL 255
      Checksumming of packets disabled, fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters 00:15:14
      Input queue: -542544/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo (QOS pre-classification)
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         1499 packets input, 148506 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    My tunnel config isn't anything special...

    interface Tunnel1
     bandwidth 600
     ip address 172.16.14.2 255.255.255.252
     ip mtu 1400
     ip pim sparse-dense-mode
     qos pre-classify
     tunnel source FastEthernet4
     tunnel destination yyy.yyy.yy.yyy

    Looks like a software defect. The closest I could find is Bug ID CSCed86842.

    http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCed86842&SUBM

    I hope it helps.

    Kind regards

    Arul

  • netsh interface, can show, but can't

    Dear all,

    I have used the following script for months to enable or disable a network interface:

    @ECHO OFF
    CLS

    REM Name of the connection to toggle, temp file for the netsh output, default target state
    SET CONNECTION=connection to the Local network
    SET TEMPFILE=c:\tempnetsh.txt
    SET NEWSTATE=ENABLED

    REM echo %TEMPFILE%

    netsh interface show interface name="%CONNECTION%" > %TEMPFILE%

    REM netsh interface show interface name="%CONNECTION%"

    ECHO Current state:
    FINDSTR "Disabled" %TEMPFILE%
    IF %ERRORLEVEL% EQU 0 (SET NEWSTATE=ENABLED)

    FINDSTR "Enabled" %TEMPFILE%
    IF %ERRORLEVEL% EQU 0 (
    ECHO.
    CHOICE /C YN /M "Are you sure you want to disable this connection?"
    IF ERRORLEVEL 1 SET NEWSTATE=DISABLED
    IF ERRORLEVEL 2 SET NEWSTATE=ENABLED
    )
    ECHO Processing...
    netsh interface set interface "%CONNECTION%" %NEWSTATE%

    ECHO New connection status:
    netsh interface show interface name="%CONNECTION%"

    DEL %TEMPFILE%

    PAUSE

    Basically, it gets the status of the defined interface; if it is disabled, it automatically enables it, and if it is enabled, it prompts before disabling.

    It worked fine for months, but since a Windows update this morning, the script can still get the status of the interface

    netsh interface show interface name="%CONNECTION%"

    That works very well and it is correctly written to the temporary file, but it cannot set it to another state

    netsh interface set interface "%CONNECTION%" %NEWSTATE%

    The last line fails with the error message

    'The system cannot find the file specified.'

    I can't roll back the Windows updates, because they are managed by my company (although I could, they would be reinstalled in any case).

    I am administrator on my computer (Windows 7 Enterprise 64-bit, SP1).

    I can't disable the network interface of control, and Internet\Network connected without any problem.

    The latest updates have been

    KB3109094

    KB3110329

    KB3035132

    KB3035126

    KB3148198

    I tried to link these patches for this issue, nothing helps.

    Can someone tell me a trick to solve it?

    Regards and thanks in advance

    Hi Anthony,

    Welcome to the Microsoft community. I might help you.

    To better understand the issue, I would like to know: is your computer connected to a domain?

    If the computer is connected to the domain, the question you posted would be better suited to the TechNet community. Please visit the following link for assistance.

    http://social.technet.Microsoft.com/forums/en/w7itpronetworking/threads

    Hope this information is useful.

  • Using the Tunnel interface on router

    Hello world

    I see a new Tunnel interface on the router.

    Router is running OSPF.

    However, there is no cryptographic statements.

    tunnel configuration

    interface Tunnel1
     ip address 10.4.x.x x.x.x.x
     delay 7
     tunnel source Loopback1
     tunnel destination 10.4.x.x

    My question is when we use the interface Tunnel without any cryptographic statements?

    Thank you

    MAhesh

    This Tunnel is a plain GRE Tunnel. They are generally used without crypto when:

    (1) traffic is not sent through an untrusted network and cryptographic protection is not necessary.
    (2) the GRE traffic gets encrypted on a separate device if the GRE endpoint is not able to do the necessary cryptographic protection.

    Sent from Cisco Technical Support iPad App

  • How a GRE tunnel is applied to a physical interface?

    Within the tunnel configuration, we use the commands for the tunnel source and destination, but how does the physical interface know to use the tunnel? Do the tunnel source parameters replace the physical interface? If we don't configure a tunnel with the right source, would this interface then send all information encapsulated in GRE?

    If we also configure IPsec on the interface, and specify a crypto map to encrypt only the matching traffic, would this matching traffic not use the GRE tunnel, or would the information, regardless of whether it was IPsec encrypted, also be encapsulated in GRE?

    Also, I read here: https://supportforums.cisco.com/docs/DOC-3067

    "Bind the crypto map to the physical (outside) interface if you are running Cisco IOS Software Release 12.2.15 or later. If not, then the crypto map must be applied to the tunnel interface as well as the physical interface."

    Why was it necessary to apply the crypto map to both physical and tunnel interfaces, and why is it not necessary with versions of IOS?

    Thanks for any help!  -Mark

    Hi Mark,

    When you set the source of the tunnel in the tunnel interface, the router adds the IP address of the specific interface (loopback or physical) to the GRE packet generated by the tunnel interface.

    This is useful when you need to deliver a GRE tunnel through the Internet but the tunnel interface has a private IP: you use the external interface (with a public IP address) as the source of the tunnel.

    When the remote GRE endpoint receives the packet, it looks up the interface set as the tunnel destination and decapsulates the packet, then it gets the GRE packet and forwards it to the specific tunnel interface.

    Since 12.4 you simply apply the crypto map to the interface defined as the 'tunnel', usually the one connected to the Internet, where all VPN tunnels land. The reason for this is that the VPN termination endpoint is the physical interface and not the tunnel interface.

    The reason why you needed to add the crypto map to both is not clear to me, since I did not support older versions of code.

    Do not forget that when configuring a GRE/IPsec tunnel, in the crypto ACL you set the tunnel source and tunnel destination IPs.

    Hoping to help.

    Portu.

    Please note all useful posts

    Post edited by: Javier Portuguez
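
The two threads above describe plain GRE (no cryptographic protection) and GRE/IPsec, where the crypto ACL matches the tunnel source and destination IPs. The following Python check is an added example, not code from the posts or from Cisco: it reads an IOS-style configuration and reports, per tunnel interface, whether it is covered by `tunnel protection ipsec`, by a crypto map ACL that permits GRE between the tunnel endpoints, or by neither. The sample configuration and its names (`OUTSIDE_MAP`, `GRE_TO_SITE3`, `VPN_PROF`) and addresses are constructed, and the crypto map check assumes the map is bound to the interface the tunnel actually egresses.

```python
import ipaddress
import re

# Constructed sample configuration (IOS syntax); every name and address is made up.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 198.51.100.1 255.255.255.252
 crypto map OUTSIDE_MAP
interface Tunnel1
 tunnel source 10.4.0.1
 tunnel destination 10.4.0.2
interface Tunnel2
 tunnel source FastEthernet4
 tunnel destination 192.0.2.20
 tunnel protection ipsec profile VPN_PROF
interface Tunnel3
 tunnel source FastEthernet4
 tunnel destination 192.0.2.30
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 192.0.2.30
 match address GRE_TO_SITE3
ip access-list extended GRE_TO_SITE3
 permit gre host 198.51.100.1 host 192.0.2.30
"""

def parse_sections(text):
    """Group the config into {top-level line: [indented child lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def take_endpoint(tokens):
    """Consume one ACL address spec and return (base, wildcard) as integers."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def covers(spec, ip):
    base, wildcard = spec            # wildcard bits set to 1 are "don't care"
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_decision(acl_lines, src_ip, dst_ip):
    """True if the first ACL entry matching GRE src->dst is a permit (first match wins)."""
    for line in acl_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] not in ("gre", "ip"):
            continue
        rest = tokens[2:]
        try:
            src, dst = take_endpoint(rest), take_endpoint(rest)
            if covers(src, src_ip) and covers(dst, dst_ip):
                return tokens[0] == "permit"
        except (IndexError, ValueError):     # unsupported entry or unresolved address
            continue
    return False                             # implicit deny: traffic is not selected for IPsec

def audit_gre_tunnels(text):
    """Return {tunnel interface: 'ipsec-profile' | 'crypto-map' | 'plain-gre'}."""
    sections = parse_sections(text)
    if_ip, applied_maps = {}, set()
    for header, lines in sections.items():
        if header.startswith("interface "):
            for line in lines:
                if m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line):
                    if_ip[header.split()[1]] = m.group(1)
                if m := re.match(r"crypto map (\S+)$", line):
                    applied_maps.add(m.group(1))
    # ACLs referenced by crypto map entries that are actually bound to an interface
    crypto_acls = []
    for header, lines in sections.items():
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", header)
        if m and m.group(1) in applied_maps:
            crypto_acls += [l.split()[2] for l in lines if l.startswith("match address ")]
    result = {}
    for header, lines in sections.items():
        if not header.startswith("interface Tunnel"):
            continue
        opts = {" ".join(l.split()[:2]): l.split()[2] for l in lines
                if l.startswith("tunnel ") and len(l.split()) >= 3}
        src = if_ip.get(opts.get("tunnel source"), opts.get("tunnel source"))
        dst = opts.get("tunnel destination")
        protected = opts.get("tunnel protection") == "ipsec"
        via_map = bool(src and dst) and any(
            acl_decision(sections.get("ip access-list extended " + a, []), src, dst)
            for a in crypto_acls)
        result[header.split()[1]] = ("ipsec-profile" if protected
                                     else "crypto-map" if via_map else "plain-gre")
    return result
```

On the sample, `audit_gre_tunnels(SAMPLE_CONFIG)` reports `Tunnel1` as plain GRE, `Tunnel2` as protected by an IPsec profile and `Tunnel3` as covered by the crypto map.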

  • Nexus 7 k - int tunnel configuration failed

    I cannot configure a tunnel interface on a Nexus 7k

    feature tunnel has been enabled

    config:

    CLU# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    CLU(config)# feature tunnel
    CLU(config)# interface tunnel 0
    clu(config-if)# tunnel source loopback1
    clusaug(config-if)# don't tunnel destination 171.48.25.21
    clusaug(config-if)# ip address 171.57.252.53/31
    clusaug(config-if)# no shutdown
    CLU#

    CLU# sh interface tunnel 0
    Tunnel0 is down (Hardware prog failed)
        Admin State: up
        Internet address is 171.57.252.53/31
        MTU 1476 bytes, BW 9 Kbit
        Tunnel protocol/transport GRE/IP
        Tunnel source 171.57.252.51 (loopback1), destination 171.48.25.21
        Transport protocol is in VRF "default"
        Rx
        0 packets input, 1 minute input rate 0 packets/sec
        Tx
        0 packets output, 1 minute output rate 0 packets/sec
        Last clearing of "show interface" counters never

    CLU# sh logging last 2

    2014 22 jan 14:00:03 clu % VSHD-5-VSHD_SYSLOG_CONFIG_I: configured for the vty by su on 109.1.19.

    [email protected] / * /2

    2014 22 jan 14:01:10 clu last message repeated 1 time

    Cannot find any advice for "Hardware prog failed".

    Hi Holger,

    Please attach it by using the Insert Picture option in the reply window. It should be on the top next to the bullet and numbering option. If you want, send me an email to [email protected].

    See you soon,

    -amit singh

  • Impossible to pass traffic through the VPN tunnel

    I have an ASA 5505 running 9.1. I have the VPN tunnel connected, but I am not able to pass traffic through the tunnel. Ping through the internet works fine.

    Here is my config

    LN-BLF-ASA5505 > en
    Password: *.
    ASA5505-BLF-LN # sho run
    : Saved
    :
    : Serial number: JMX1216Z0SM
    : Material: ASA5505, 256 MB RAM, 500 MHz Geode Processor
    :
    ASA 5,0000 Version 21
    !
    LN-BLF-ASA5505 hostname
    domain lopeznegrete.com
    activate the password
    volatile xlate deny tcp any4 any4
    volatile xlate deny tcp any4 any6
    volatile xlate deny tcp any6 any4
    volatile xlate deny tcp any6 any6
    volatile xlate deny udp any4 any4 eq field
    volatile xlate deny udp any4 any6 eq field
    volatile xlate deny udp any6 any4 eq field
    volatile xlate deny udp any6 any6 eq field
    passwd
    names of
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    IP 192.168.116.254 255.255.255.0
    OSPF cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    IP 50.201.218.69 255.255.255.224
    OSPF cost 10
    !
    boot system Disk0: / asa915-21 - k8.bin
    passive FTP mode
    DNS server-group DefaultDNS
    domain lopeznegrete.com
    network obj_any object
    subnet 0.0.0.0 0.0.0.0
    the LNC_Local_TX_Nets object-group network
    Description of internal networks Negrete Lopez (Texas)
    object-network 192.168.1.0 255.255.255.0
    object-network 192.168.2.0 255.255.255.0
    object-network 192.168.3.0 255.255.255.0
    object-network 192.168.4.0 255.255.255.0
    object-network 192.168.5.0 255.255.255.0
    object-network 192.168.51.0 255.255.255.0
    object-network 192.168.55.0 255.255.255.0
    object-network 192.168.52.0 255.255.255.0
    object-network 192.168.20.0 255.255.255.0
    object-network 192.168.56.0 255.255.255.0
    object-network 192.168.59.0 255.255.255.0
    object-network 10.111.14.0 255.255.255.0
    object-network 10.111.19.0 255.255.255.0
    the LNC_Blueleaf_Nets object-group network
    object-network 192.168.116.0 255.255.255.0
    access outside the permitted scope icmp any4 any4 list
    extended outdoor access allowed icmp a whole list
    access-list outside_1_cryptomap extended permit ip object-group LNC_Blueleaf_Nets object-group LNC_Local_TX_Nets
    access-list inside_nat0_outbound extended permit ip object-group LNC_Blueleaf_Nets object-group LNC_Local_TX_Nets
    access-list LNC_BLF_HOU_VPN extended permit ip object-group LNC_Blueleaf_Nets object-group LNC_Local_TX_Nets
    pager lines 24
    Enable logging
    asdm of logging of information
    Within 1500 MTU
    Outside 1500 MTU
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 741.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    !
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group outside in interface outside
    !
    router ospf 1
    255.255.255.255 network 192.168.116.254 area 0
    Journal-adj-changes
    default-information originate always
    !
    Route outside 0.0.0.0 0.0.0.0 50.201.218.94 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    AAA authentication enable LOCAL console
    Enable http server
    http 192.168.2.0 255.255.255.0 inside
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps snmp authentication linkup, linkdown cold start
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 50.201.218.93
    crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    Crypto ca trustpoint _SmartCallHome_ServerCA
    no use of validation
    Configure CRL
    trustpool crypto ca policy
    Crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    quit
    crypto isakmp identity address
    crypto isakmp nat-traversal 1500
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400
    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    Telnet timeout 5
    SSH stricthostkeycheck
    SSH 0.0.0.0 0.0.0.0 inside
    SSH 0.0.0.0 0.0.0.0 outdoors
    SSH timeout 5
    SSH version 2
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    management-access inside

    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    attributes of Group Policy DfltGrpPolicy
    Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
    username
    username
    tunnel-group 50.201.218.93 type ipsec-l2l
    tunnel-group 50.201.218.93 ipsec-attributes
     ikev1 pre-shared-key *
     peer-id-validate nocheck
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the netbios
    inspect the rsh
    inspect the rtsp
    inspect the skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect the tftp
    inspect the sip
    inspect xdmcp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    call-home service
    anonymous reporting remote call
    call-home
    contact-email-addr [email protected] / * /
    Profile of CiscoTAC-1
    http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
    email address of destination [email protected] / * /
    destination-mode http transport
    Subscribe to alert-group diagnosis
    Subscribe to alert-group environment
    Subscribe to alert-group monthly periodic inventory
    monthly periodicals to subscribe to alert-group configuration
    daily periodic subscribe to alert-group telemetry
    Cryptochecksum:e519f212867755f697101394f40d9ed7
    : end
    LN-BLF-ASA5505 #.

    Assuming that you have an active IPsec security association (i.e. "show crypto ipsec sa" shows the tunnel is up), please perform a packet trace to see why it is failing:

     packet-tracer input inside tcp 192.168.116.1 1025 192.168.1.1 80 detail

    (simulating a hypothetical client on the LNC Blueleaf network trying to browse to a hypothetical server at the LNC Local TX site)

  • Multiple virtual private networks - one Interface

    Hello

    I read up on the site about creating IPsec VPNs. My question is: say I have a dedicated "VPN" router at one site, and the external interface is F0/0. I want to configure different VPNs from this site to some remote sites using this router, but I want each of these VPN connections to have its own interface, with the goal of routing some subnets over one VPN connection and routing other subnets over the other VPN sites.

    So at the hub site, I have one outside interface, but need IPsec VPNs to multiple spoke sites, and each site to have an interface I can route traffic through... If that makes sense?

    Thank you

    I fear that your post, as written, makes no sense to me. You start by saying you have a router with one outside interface. Then you say that you need more than one interface. On the surface that seems to indicate you need to get a different router which will have several interfaces available for VPN.

    Maybe if you stress less the need for multiple interfaces and explain a bit more about what you really need, there would be a way to accomplish what you need with the existing router.

    I'll start with what seems to be the case: a router with one interface would have one crypto map. But a crypto map can contain multiple instances of crypto definitions, with a single instance for each remote peer. So, for example, you could have crypto map GRANT_map 10 for peer A, GRANT_map 20 for peer B and GRANT_map 30 for peer C. Within each instance of the crypto map you would identify a single access list to identify the traffic destined for each peer. It might look like this:

    crypto map GRANT_map 10 ipsec-isakmp
     match address peerA
     set peer 1.2.3.4
    crypto map GRANT_map 20 ipsec-isakmp
     match address peerB
     set peer 5.6.7.8
    crypto map GRANT_map 30 ipsec-isakmp
     match address peerC
     set peer 9.10.11.12

    ip access-list extended peerA
     permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
    ip access-list extended peerB
     permit ip 10.2.2.0 0.0.0.255 172.17.0.0 0.0.255.255
    ip access-list extended peerC
     permit ip 10.3.3.0 0.0.0.255 172.18.0.0 0.0.255.255

    Or maybe you can consider using GRE tunnels with IPsec VPN. You can configure several tunnels, each sourced from the one outside interface, and each of them would end on a different peer. You can route some subnets to tunnel 10 to peerA, route other subnets to tunnel 20 to peerB, and route other subnets to tunnel 30 to peerC. This kind of solution might meet your requirements.

    HTH

    Rick
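
An added check for the layout described in the answer above (example code, not part of the original post): entries of one crypto map are evaluated in sequence order, so an access list that overlaps a lower-numbered entry's list never sees its traffic, which goes to the earlier peer instead. `PAGE_CONFIG` follows the answer's example, with the ACL name `peerA` assumed for the first entry; `BAD_CONFIG` is a constructed variant with an overlap. Only `permit ip <addr> <wildcard> <addr> <wildcard>` entries with a contiguous, non-zero wildcard are handled.

```python
import ipaddress
import re
from itertools import combinations

# Crypto map layout from the answer above (IOS syntax).
PAGE_CONFIG = """\
crypto map GRANT_map 10 ipsec-isakmp
 match address peerA
 set peer 1.2.3.4
crypto map GRANT_map 20 ipsec-isakmp
 match address peerB
 set peer 5.6.7.8
crypto map GRANT_map 30 ipsec-isakmp
 match address peerC
 set peer 9.10.11.12
ip access-list extended peerA
 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.255.255
ip access-list extended peerB
 permit ip 10.2.2.0 0.0.0.255 172.17.0.0 0.0.255.255
ip access-list extended peerC
 permit ip 10.3.3.0 0.0.0.255 172.18.0.0 0.0.255.255
"""

# Constructed mistake: peerC's ACL now falls inside the traffic selected for peerB.
BAD_CONFIG = PAGE_CONFIG.replace(
    "10.3.3.0 0.0.0.255 172.18.0.0 0.0.255.255",
    "10.2.2.0 0.0.0.127 172.17.5.0 0.0.0.255")


def load(text):
    """Return ({(map, seq): {'peer', 'acl'}}, {acl name: [(src_net, dst_net), ...]})."""
    entries, acls, target = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            target = entries.setdefault((m.group(1), int(m.group(2))),
                                        {"peer": None, "acl": None})
            continue
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            target = acls.setdefault(m.group(1), [])
            continue
        words = line.split()
        if not line.startswith(" ") or not words:
            target = None                      # left the current block
        elif isinstance(target, dict) and words[:2] == ["set", "peer"]:
            target["peer"] = words[2]
        elif isinstance(target, dict) and words[:2] == ["match", "address"]:
            target["acl"] = words[2]
        elif isinstance(target, list) and words[:2] == ["permit", "ip"] and len(words) == 6:
            # ipaddress reads a mask that starts with a zero octet as a host (wildcard) mask
            target.append((ipaddress.IPv4Network(f"{words[2]}/{words[3]}"),
                           ipaddress.IPv4Network(f"{words[4]}/{words[5]}")))
    return entries, acls


def audit_crypto_map(text):
    """List (map, seq, problem) for incomplete entries and for shadowed ACLs."""
    entries, acls = load(text)
    ordered = sorted(entries.items())
    problems = [(name, seq, "incomplete") for (name, seq), e in ordered
                if not e["peer"] or not acls.get(e["acl"])]
    for ((n1, s1), e1), ((n2, s2), e2) in combinations(ordered, 2):
        if n1 != n2:
            continue
        for a_src, a_dst in acls.get(e1["acl"], []):
            for b_src, b_dst in acls.get(e2["acl"], []):
                if a_src.overlaps(b_src) and a_dst.overlaps(b_dst):
                    problems.append((n1, s2, f"overlaps entry {s1}"))
    return problems


if __name__ == "__main__":
    print(audit_crypto_map(PAGE_CONFIG))
    print(audit_crypto_map(BAD_CONFIG))
```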

  • Random Tunnel IPSec Packet drops

    Hi experts,

    I am trying to solve a problem of random packet drops in an IPsec tunnel between two VTIs. For more than a month we did not see any issue, and as of today we have 30% packet loss through the IPsec tunnel.

    After analysis, I have concluded that the packet loss is located somewhere on the way from the uc520 to the 2921. The packet count looks correct on the uc520's physical egress interface, but the packet count is low on the ingress interface of the 2921.

    Pings outside of the tunnel, by the way, are fine.

    I also deleted the tunnels on both ends, and after they were restored, the issue was still present.

    Any pointers on finding where the packets get lost?

    RR-hq-2921#ping 10.1.13.1 source g0/1 rep 100

    Type escape sequence to abort.

    Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:

    Packet sent with a source address of 10.1.1.1

    !!..!.!!!!!!!!!..!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    ..!!.!!!!!!!!!!!.!!!!!!!!.!!!!

    Topology:

    [uc520] == HAVE == {{{cloud}}} == MODEM == [2921]

    Test:

    2921#clear counters g0/0

    Clear "show interface" counters on this interface [confirm]

    %CLEAR-5-COUNTERS: Clear counter on interface GigabitEthernet0/0

    Execute on uc520: ping source timeout 0 rep 4000

    This is supposed to rapidly increase the packet count on the remote end by 4000 packets, as it did on the uc520's egress interface

    2921#sho int g0/0 | i packets input

    3348 packets input, 607812 bytes, 0 no buffer   <-- missing ~650

    2921#sho int g0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is CN Gigabit Ethernet, address is XXXXXXXX
      Description: Outside - WAN port
      Internet address is XXX.XXX.XXX.XXX/YY
      MTU 1500 bytes, BW 35000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full Duplex, 1Gbps, media type is RJ45
      output flow-control is XON, input flow-control is XON
      ARP type: ARPA, ARP Timeout 04:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters 00:00:42
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 75000 bits/sec, 51 packets/sec
      30 second output rate 77000 bits/sec, 52 packets/sec
         3456 packets input, 619794 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 0 multicast, 0 pause input
         3454 packets output, 632194 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out

    Good info

    Now, did you ask your ISP if they made any recent changes?

    I think that your suspicion is correct, and if the packet counts do not match, then probably something in the environment has changed, since it worked before with the same configuration and IOS versions.

    HTH.

  • IPsec VPN between two routers - ESP Transport mode and Tunnel mode

    Hi experts,

    I have had this question about Transport mode and Tunnel mode for a while.

    Based on my understanding, 'transport' mode is not possible because you always have the original "internal" private IP addresses in the IP headers. They are always different from the public IP addresses on the interfaces enabled with the crypto map. When encapsulated in the VPN tunnel, the internal IP addresses must be included or the remote VPN router won't know where to forward the packet.

    To test, I built a simple GNS3 lab with three routers. R1 and R3 are configured as VPN routers and R2 simulates the Internet.

    My configs are also very basic. R2 is routing between 1.1.1.0/24 and 2.2.2.0/24. It is defined as the gateway of R1 and R3.

    R1:

    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key 123456 address 2.2.2.2
    !
    crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
    !
    crypto map map 10 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set ESP_null
     match address VPN
    !
    ip access-list extended VPN
     permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    !

    R3:

    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key 123456 address 1.1.1.2
    !
    !
    crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
    !
    crypto map map 10 ipsec-isakmp
     set peer 1.1.1.2
     set transform-set ESP_null
     match address VPN
    !
    ip access-list extended VPN
     permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    I configured the transform set with "null" encryption, so it will not encrypt the traffic.

    Then I tried both 'transport' mode and 'tunnel' mode. I pinged a host in the internal network of R1 from another host in the internal network of R3. I also tried 'telnet'. I also captured packets and carefully compared them in both modes.

    The packets are encapsulated in exactly the same way!

    It's just SPI + sequence No. + + padding

    I will attach my screenshots here for you guys to analyze. I would be grateful for any explanation. Maybe I am just confused when it comes to NAT...

    I guess my next step is to check whether the two modes make a difference when GRE is used.

    Thank you

    Difan

    Hi Difan,

    As you point out, transport mode is not always applicable (i.e. it is applicable if the IP source and destination are equal to the corresponding proxy IDs).

    Typical scenarios in which transport mode is used:

    - Encryption between two hosts

    - GRE tunnels

    - L2TP over IPsec

    Even if you set "transport mode", this does not mean that it will be used. IOS routers, and I believe also the ASA, will fall back to tunnel mode if transport mode is configured but does not apply.

    I can take a look at your sniffer traces, but first of all can you please check whether you have transport mode on your IPsec security associations? The "show crypto ipsec sa" output will show you tunnel or transport mode.

    HTH,

    Marcin
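
Because the lab above uses esp-null, the ESP trailer in the captures is readable, and its Next Header byte shows which mode an SA is really using. The following is an added example, not code from the thread: the function names, the .10 host addresses and the SPI values are constructed, and it assumes the 12-byte ICV of esp-sha-hmac (HMAC-SHA1-96).

```python
import struct

ICV_LEN = 12                         # assumption: esp-sha-hmac, 12-byte ICV
TUNNEL_NH = {4: "IPv4", 41: "IPv6"}  # ESP payload is a whole IP datagram

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header for constructed test data (checksum left at 0)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def esp_null(spi, seq, inner, next_header):
    """ESP-NULL layout: SPI | seq | payload | padding | pad len | NH | ICV."""
    pad_len = -(len(inner) + 2) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer + bytes(ICV_LEN)

def classify(packet):
    """Return (mode, spi, seq, next_header) for an IPv4 packet carrying ESP-NULL."""
    if len(packet) < 20 or packet[9] != 50:
        raise ValueError("not an IPv4 packet carrying ESP (IP protocol 50)")
    ihl = (packet[0] & 0x0F) * 4
    esp = packet[ihl:len(packet) - ICV_LEN]   # drop outer IP header and ICV
    if len(esp) < 10:
        raise ValueError("truncated ESP payload")
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]   # readable only with NULL encryption
    if pad_len > len(esp) - 10:
        raise ValueError("pad length exceeds payload; trailer is not cleartext")
    mode = "tunnel" if next_header in TUNNEL_NH else "transport"
    return mode, spi, seq, next_header

def samples():
    """Constructed packets using the lab subnets and peers from the post."""
    ping = ipv4("192.168.1.10", "10.0.0.10", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
    gre = struct.pack("!HH", 0, 0x0800) + ping   # basic GRE header, IPv4 inside
    return {
        # LAN-to-LAN traffic matched by the VPN ACL: the whole inner packet is wrapped
        "lan_to_lan": ipv4("1.1.1.2", "2.2.2.2", 50, esp_null(0x1001, 1, ping, 4)),
        # GRE between the peers' own addresses: ESP directly follows the outer IP header
        "gre": ipv4("1.1.1.2", "2.2.2.2", 50, esp_null(0x1002, 1, gre, 47)),
    }

if __name__ == "__main__":
    for name, pkt in samples().items():
        print(name, classify(pkt))
```

A Next Header of 4 in the LAN-to-LAN capture means the SA fell back to tunnel mode even though transport was configured, which matches identical captures in both tests.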

  • DMVPN Tunnel and EIGRP routing problem

    I have redundant paths to a remote 2811 router on my network of sites.  The first link is a T1 frame relay connection that has been in place for years, and the new link is on a 54 Mbps fixed wireless that was recently created.

    I'm running EIGRP process 100 as my routing protocol for both links.

    I installed a DMVPN tunnel between the remote 2811 and the 2851 router on my host site.  The tunnel interface shows up/up on both sides and I can ping the remote tunnel IP from my host-side network.

    However, my EIGRP routes are not being propagated over this new tunnel link, and if I run a show ip eigrp neighbor command on each router I see only the neighbor for the frame relay link and not the new wireless link.

    What am I missing here?

    A show interface tunnel0 shows the following:

    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 10.x.x.x/24
      MTU 1514 bytes, BW 54000 Kbit/sec, DLY 10000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 172.x.x.x (FastEthernet0/1), destination 10.x.x.x
      Tunnel protocol/transport GRE/IP
        Key 0x186A0, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255
      Fast tunneling enabled
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Tunnel protection via IPSec (profile "CiscoCP_Profile1")
      Last input 00:00:01, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 947
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         880 packets input, 63000 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         910 packets output, 81315 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Please go ahead and add a static route on the hub, so it goes through the wireless link and let me know if everything works correctly.

    Federico.

  • lost wifi interface

    My HP laptop (15-n224sa, running Windows 8.1) has worked fine since I bought it in April, but last Sunday it suddenly lost WiFi access and I have struggled to restore it since.

    Initially I tried to use the built-in Windows and HP troubleshooters & diagnostic tools, but that got nowhere. My actions and checks are as follows:
    - In network connections, I can see the Ethernet and WiFi adapters, but the WiFi adapter is disabled.
    - I tried to enable the WiFi adapter and get an 'enabling' message, but nothing happens.
    - I uninstalled the adapter and restarted in case that forced Windows to recognize it, but no joy - the WiFi adapter is reinstalled, but cannot be enabled.
    - I tried to reinstall the driver, but just get the message that I already have the latest version of the driver.
    - I updated the BIOS, more in hope than anything else, no joy.
    - netsh wlan show interface gives the message "there are no wireless interfaces on the system".
    - I tried to use a WiFi dongle, but that has the same problem.
    - I have tried restoring to the last restore point before the problem started, but that did not work, and I don't know that it would have solved the problem.
    - The WLAN AutoConfig service is running.

    Ethernet access still works, but it's a pain using a wired connection.

    Laptop is a HP 15-n224sa, running windows 8.1
    1.80 GHz processor Intel Core i3-3217U
    Realtek RTL8188EE 802.11bgn Wi - Fi adapter
    HID compatible wireless radio controls
    HP wireless button Driver

    Any suggestions please?  It seems that I have "lost" the wireless interface?  How can I reinstate that? Could this be a physical problem rather than a driver / configuration problem? If so, how could I prove that?  Thank you.

    Well, I received the replacement wireless LAN card and installed it.  Turned on the laptop, full of anticipation, and still had the same problem.  Called HP and they said that, as it is not a Plug and Play device, I had to use HP Recovery Manager to restore the machine back to factory settings and then it would recognize the new card. This means taking backups of all the data on the laptop, as this is deleted.  A bit of a pain, but I did this and I now have WiFi again.  However, I can't say if the original wireless LAN card was really bad in the first place (and I won't be going back to try), in which case the system recovery could have resurrected the WiFi in any case, but it's a drastic thing to try. In any case, thanks to the HP support office for their help; I now have to reinstall all the software I lost by doing the system recovery.  If anyone is interested, here is the link that HP gave me for the system recovery, but I'm not sure it's applicable to all HP laptops:

    h10025.www1.HP.com/ewfrf/wc/document?cc=us&LC=en&docName=c03489643#N179

  • Tunnel adapters gone wild on Windows 7

    On my Windows 7 machine, ipconfig shows many tunnel adapters (some listed below).

    I disabled IPv6, tried netsh commands to disable the isatap router etc. and restarted... but it does not help.

    Is there a reliable way to eliminate these tunnel adapters appearing in ipconfig?

    Thank you

    Parag

    Tunnel adapter Local Area Connection* 50:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter #42
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 51:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter #43
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 52:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter #44
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 53:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter #45
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 54:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft 6to4 Adapter #46
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    For any question on Windows 7:

    http://social.answers.Microsoft.com/forums/en-us/category/Windows7

    Link above is Windows 7 Forum for questions on Windows 7.

    Windows 7 questions should be directed there.

    You are in the Vista Forums.

    See you soon.

    Mick Murphy - Microsoft partner
