837 ADSL/VPN questions

Discussion in 'Cisco' started by Paul Lawrie, Feb 13, 2004.

  1. Paul Lawrie

    Paul Lawrie Guest

    Hi all,

    I have a couple of Cisco 837 ADSL routers running IOS 12.2.x. I have
    configured them both easily using the SDM (1.0.1 and then 1.1) to access our
    ADSL provider (using static IPs). The Internet access seems stable and the
    NAT works as expected.

    I ran the VPN wizard (the advanced wizard, not the simple one) to create a
    site-to-site VPN. The VPN status shows as established (I assume this
    indicates my shared key is fine), however I couldn't get any of my data to
    travel over it. A show ip route did not show any route to the remote
    network. Should this route be added once the virtual interface comes up? I
    did also enable RIPv2 on both ends but that didn't seem to help. I tried to
    add a static route but could not determine if each end of the tunnel had an
    IP address (or what it might be). I couldn't see how to add a static route
    out of the virtual interface either, the ip route command wouldn't let me
    specify a virtual-channel interface.

    I have a reasonable amount of routing and switching experience, but almost
    no ipsec/vpn experience. Have I gone fundamentally wrong somewhere? I have
    rebuilt the configs using the simple VPN wizard in the hope that some access
    list was stopping things before.

    Thanks for your (potential) help !

    - Paul.
     
    Paul Lawrie, Feb 13, 2004
    #1

  2. Paul Lawrie

    Paul Lawrie Guest

    Okay, I updated the SDM on both routers to 1.1 and rebuilt the
    configuration from scratch. This time I used the simple site-to-site wizard
    to build the initial config. Running-config looked sane enough to try so I
    did. The Tunnel came up fine but I had heaps of problems with various types
    of data. It is clear to me now that I probably have some kind of MTU
    problem. It certainly felt very much like an MTU issue with some operations
    working occasionally, some sites somewhat working, and some not at all.

    Looking at the bug toolkit it looks like the IOS we have (12.2.13-ZH2)
    exhibits a few MTU bugs. This is the latest available image for the 12.2
    release for the 837 IPSEC/3DES feature set.

    Can I set MTU size on the vpn? The last option is to set maximum MTU on end
    stations which of course I want to avoid.



    Ta,


    Paul.

    "Paul Lawrie" <> wrote in message
    news:u51Xb.150$...
    > Hi all,
    >
    > I have a couple of Cisco 837 ADSL routers running IOS 12.2.x. I have
    > configured them both easily using the SDM (1.0.1 and then 1.1) to access our
    > ADSL provider (using static IPs). The Internet access seems stable and the
    > NAT works as expected.
    >
    > I ran the VPN wizard (the advanced wizard, not the simple one) to create a
    > site-to-site VPN. The VPN status shows as established (I assume this
    > indicates my shared key is fine), however I couldn't get any of my data to
    > travel over it. A show ip route did not show any route to the remote
    > network. Should this route be added once the virtual interface comes up? I
    > did also enable RIPv2 on both ends but that didn't seem to help. I tried to
    > add a static route but could not determine if each end of the tunnel had an
    > IP address (or what it might be). I couldn't see how to add a static route
    > out of the virtual interface either, the ip route command wouldn't let me
    > specify a virtual-channel interface.
    >
    > I have a reasonable amount of routing and switching experience, but almost
    > no ipsec/vpn experience. Have I gone fundamentally wrong somewhere? I have
    > rebuilt the configs using the simple VPN wizard in the hope that some access
    > list was stopping things before.
    >
    > Thanks for your (potential) help !
    >
    > - Paul.
    >
    >
     
    Paul Lawrie, Feb 15, 2004
    #2

  3. AnyBody43

    AnyBody43 Guest

    "Paul Lawrie" <> wrote in message news:<LYDXb.860$>...
    > Okay, I updated the SDM on both routers to 1.1 and rebuilt the
    > configuration from scratch. This time I used the simple site-to-site wizard
    > to build the initial config. Running-config looked sane enough to try so I
    > did. The Tunnel came up fine but I had heaps of problems with various types
    > of data. It is clear to me now that I probably have some kind of MTU
    > problem. It certainly felt very much like an MTU issue with some operations
    > working occasionally, some sites somewhat working, and some not at all.
    >
    > Looking at the bug toolkit it looks like the IOS we have (12.2.13-ZH2)
    > exhibits a few MTU bugs. This is the latest available image for the 12.2
    > release for the 837 IPSEC/3DES feature set.
    >
    > Can I set MTU size on the vpn? The last option is to set maximum MTU on end
    > stations which of course I want to avoid.


    We use "ip tcp adjust-mss 1392" on the Ethernet and the Dialer
    interface. I suspect that it is only needed on one or the other
    however putting it on both is easier than working it out. I was
    in troubleshooting mode when I first did it and when it all burst
    into life I stopped. C'est la vie. The mss you need will depend on the
    IPSEC parameters that you have set. I think that we settled on 1392
    by experimentation.
     
    AnyBody43, Feb 16, 2004
    #3
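
The reply above notes that the right MSS depends on the IPsec parameters. As an added example (not from the thread), this computes the largest TCP MSS whose segments fit in one ESP tunnel-mode packet without fragmentation. The link MTUs (1500, and 1492 for PPPoE), the transforms, and the absence of NAT-T and of IP options are assumptions, since the thread does not state them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int  # cipher block size in bytes (padding boundary)
    iv: int     # per-packet IV in bytes
    icv: int    # truncated HMAC (integrity check value) in bytes

# HMAC-MD5-96 and HMAC-SHA1-96 both add a 12-byte ICV.
ESP_3DES_HMAC96 = EspTransform("esp-3des + hmac-96", block=8, iv=8, icv=12)
ESP_AES_HMAC96 = EspTransform("esp-aes + hmac-96", block=16, iv=16, icv=12)

OUTER_IP = 20        # new IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes, encrypted with payload
TCP_IP_HEADERS = 40  # inner IPv4 + TCP headers without options

def esp_packet_size(inner_len: int, t: EspTransform) -> int:
    """Size on the wire of an inner IP packet after ESP tunnel-mode wrapping."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // t.block) * t.block  # round up to the block size
    return OUTER_IP + ESP_HEADER + t.iv + padded + t.icv

def max_mss(link_mtu: int, t: EspTransform) -> int:
    """Largest MSS whose full-size segment still fits in link_mtu after ESP."""
    fixed = OUTER_IP + ESP_HEADER + t.iv + t.icv
    room = (link_mtu - fixed) // t.block * t.block  # whole cipher blocks only
    return room - ESP_TRAILER - TCP_IP_HEADERS

def mss_fits(mss: int, link_mtu: int, t: EspTransform) -> bool:
    """True if a full-size segment at this MSS avoids fragmentation."""
    return esp_packet_size(mss + TCP_IP_HEADERS, t) <= link_mtu

if __name__ == "__main__":
    for mtu in (1500, 1492):  # assumed: plain 1500-byte link, PPPoE link
        for t in (ESP_3DES_HMAC96, ESP_AES_HMAC96):
            print(f"MTU {mtu}, {t.name}: max MSS {max_mss(mtu, t)}")
    # The value quoted in the thread, checked against an assumed PPPoE link:
    print("1392 fits on 1492/3DES:", mss_fits(1392, 1492, ESP_3DES_HMAC96))
```

A value at or below the computed maximum is what would go in `ip tcp adjust-mss`; extra encapsulation not modelled here lowers the ceiling further.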