Cisco 871 - Lost Site-Site VPN Config

 
 
TimParker
      03-13-2009
I have an ASA5505 in our main office that is talking to some 871
Routers in remote offices. I have a working config for a site to site
VPN. Last night I got a call that it appeared that it was down. I
checked it out and couldn't seem to get it to come back up from
remote.

I came into the main office and rebooted the ASA, as I couldn't ping
the external IP of the router in the remote office through our network
but from my home machine it was responding fine. That didn't help.

So I made the 45 Min. drive to the remote office to check it out
locally. I got my laptop hooked up and the config for the VPN was not
showing up in ADM. It was "gone". I re-created it and it came back
up.

Any ideas what could cause this? I have saved the config naturally, so
it should stay through any power outage or reboot. Though one was not
reported yesterday. I am baffled by this....

Thoughts?
 
alexd
      03-13-2009
TimParker wrote:

> I have an ASA5505 in our main office that is talking to some 871
> Routers in remote offices. I have a working config for a site to site
> VPN. Last night I got a call that it appeared that it was down. I
> checked it out and couldn't seem to get it to come back up from
> remote.

I assume you weren't able to remotely log into the router? That suggests the
router had lost other parts of its config too.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
19:16:29 up 98 days, 21:27, 3 users, load average: 0.09, 0.09, 0.02
Sexy ladies, and nasty boys, all freaky freakin', to the robot noise

 
bod43
      03-13-2009
On 13 Mar, 19:19, alexd <(E-Mail Removed)> wrote:
> TimParker wrote:
> > I have an ASA5505 in our main office that is talking to some 871
> > Routers in remote offices. I have a working config for a site to site
> > VPN. Last night I got a call that it appeared that it was down. I
> > checked it out and couldn't seem to get it to come back up from
> > remote.
>
> I assume you weren't able to remotely log into the router? That suggests the
> router had lost other parts of its config too.


It is unheard of for the router to spontaneously lose its config
or part of it.

Most likely it was not saved by the last user or perhaps someone
changed it again.

You can check the uptime and Last Reload Reason from sh ver.
It may be too late now but you can also look at the most recent
startup and running config change times with sh run.

! Last configuration change at 17:58:15 BST Fri Mar 13 2009 by xxx
! NVRAM config last updated at 17:58:16 BST Fri Mar 13 2009

NVRAM is the startup by the way.

If the router crashed then look at
sh stacks and look for crashinfo files in the flash.

You can also enable syslog logging for a centralised, permanent record
of logged events.

This adds all commands executed from the CLI to the logs.
No idea if you can log from the GUI.

event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1

Sorry, I have no clue what it means - it does though work.

sh log

Mar 13 20:53:21.918 BST: %HA_EM-6-LOG: CLIaccounting: show ip nat translations
Mar 13 21:00:41.696 BST: %HA_EM-6-LOG: CLIaccounting: show running-config
Mar 13 21:02:58.066 BST: %HA_EM-6-LOG: CLIaccounting: show logging
Mar 13 21:05:02.455 BST: %HA_EM-6-LOG: CLIaccounting: show version


There is another method of doing CLI logging that was documented
in this list a few months back. You can also use TACACS
for command logging.

Finally as already alluded to I think that it is a good idea to
consider arranging remote management outside of the VPN.
Use access-lists to protect the outside from undesired attention.


 
Reply With Quote
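
Added example (not part of the thread and not bod43's code): a short Python check that applies the two ideas in the post above, comparing the "Last configuration change" and "NVRAM config last updated" header lines from sh run, and scanning the CLIaccounting syslog lines for a config session that was never followed by a save. It assumes both header timestamps are in the same time zone and that the applet logs commands in expanded form ("configure terminal", "write memory"); the sample input is constructed.

```python
import re
from datetime import datetime

# Header comments from "show running-config" and applet syslog lines (formats as posted).
HDR = re.compile(r"^! (Last configuration change|NVRAM config last updated) at "
                 r"(\d\d:\d\d:\d\d) \S+ \w{3} (\w{3}) +(\d+) (\d{4})", re.M)
EEM = re.compile(r"^(\w{3} +\d+ [\d:.]+) \S+: %HA_EM-6-LOG: CLIaccounting: (.+)$")
SAVE_CMDS = ("write memory", "copy running-config startup-config")  # assumed expanded forms

def config_times(show_run):
    """Map 'changed' / 'saved' to datetimes; the zone name is ignored (same device)."""
    out = {}
    for kind, clock, mon, day, year in HDR.findall(show_run):
        ts = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        out["changed" if kind.startswith("Last") else "saved"] = ts
    return out

def running_config_unsaved(show_run):
    """True when the running config changed after the last NVRAM (startup) write."""
    t = config_times(show_run)
    if "changed" not in t:
        return False  # header records no change
    return "saved" not in t or t["changed"] > t["saved"]

def unsaved_config_sessions(log_lines):
    """Timestamps of 'configure terminal' entries that no later save command covers."""
    pending = []
    for line in log_lines:
        m = EEM.match(line.strip())
        if not m:
            continue
        stamp, cmd = m.groups()
        if cmd.startswith("configure terminal"):
            pending.append(stamp)
        elif cmd.startswith(SAVE_CMDS):
            pending.clear()  # a save covers every earlier session
    return pending

# Constructed sample input: the header reverses the post's times; log lines are invented.
UNSAVED_HEADER = """! Last configuration change at 18:30:00 BST Fri Mar 13 2009 by xxx
! NVRAM config last updated at 17:58:16 BST Fri Mar 13 2009"""
SAMPLE_LOG = [
    "Mar 13 21:10:05.000 BST: %HA_EM-6-LOG: CLIaccounting: configure terminal",
    "Mar 13 21:12:40.512 BST: %HA_EM-6-LOG: CLIaccounting: write memory",
    "Mar 13 21:40:02.100 BST: %HA_EM-6-LOG: CLIaccounting: configure terminal",
]

if __name__ == "__main__":
    print(running_config_unsaved(UNSAVED_HEADER), unsaved_config_sessions(SAMPLE_LOG))
```

Run against a saved copy of sh run and the collected syslog, a True result or a non-empty list means the next reload will boot without the latest changes.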
 
TimParker
      03-14-2009
Yes, I was not able to get into the router, as the connection to the
remote office was down. I think I will have to rethink my strategy on
how this is set up and managed. I am the only user to touch the
routers; I am our IT department. Hehe.

I will take a look at all these ideas and see what I can come up with.
Thanks for the hints.

Tim



 