Cisco 871 - Lost Site-Site VPN Config

Discussion in 'Cisco' started by TimParker, Mar 13, 2009.

  1. TimParker

    TimParker Guest

    I have an ASA5505 in our main office that is talking to some 871
    Routers in remote offices. I have a working config for a site to site
    vpn. Last night I got a call that it appeared that it was down. I
    checked it out and couldn't seem to get it to come back up from
    remote.

    I came into the main office and rebooted the ASA, as I couldn't ping
    the external IP of the router in the remote office through our network
    but from my home machine it was responding fine. That didn't help.

    So I made the 45 Min. drive to the remote office to check it out
    locally. I got my laptop hooked up and the config for the VPN was not
    showing up in ADM. It was "gone". I re-created it and it came back
    up.

    Any ideas what could cause this? I have saved the config naturally, so
    it should stay through any power outage or reboot. Though one was not
    reported yesterday. I am baffled by this....

    Thoughts?
     
    TimParker, Mar 13, 2009
    #1

  2. alexd

    alexd Guest

    TimParker wrote:

    > I have an ASA5505 in our main office that is talking to some 871
    > Routers in remote offices. I have a working config for a site to site
    > vpn. Last night I got a call that it appeared that it was down. I
    > checked it out and couldn't seem to get it to come back up from
    > remote.


    I assume you weren't able to remotely log into the router? That suggests the
    router had lost other parts of its config too.

    --
    <http://ale.cx/> (AIM:troffasky)
    19:16:29 up 98 days, 21:27, 3 users, load average: 0.09, 0.09, 0.02
    Sexy ladies, and nasty boys, all freaky freakin', to the robot noise
     
    alexd, Mar 13, 2009
    #2

  3. bod43

    bod43 Guest

    On 13 Mar, 19:19, alexd wrote:
    > TimParker wrote:
    > > I have an ASA5505 in our main office that is talking to some 871
    > > Routers in remote offices. I have a working config for a site to site
    > > vpn. Last night I got a call that it appeared that it was down. I
    > > checked it out and couldn't seem to get it to come back up from
    > > remote.
    >
    > I assume you weren't able to remotely log into the router? That suggests the
    > router had lost other parts of its config too.

    It is unheard of for the router to spontaneously lose its config
    or part of it.

    Most likely it was not saved by the last user or perhaps someone
    changed it again.

    You can check the uptime and Last Reload Reason from sh ver.
    It may be too late now but you can also look at the most recent
    startup and running config change times with sh run.

    ! Last configuration change at 17:58:15 BST Fri Mar 13 2009 by xxx
    ! NVRAM config last updated at 17:58:16 BST Fri Mar 13 2009

    NVRAM is the startup by the way.

    If the router crashed then look at
    sh stacks and look for crashinfo files in the flash.

    You can also enable syslog logging for a centralised, permanent record
    of logged events.

    This adds all commands executed from the CLI to the logs.
    No idea if you can log from the GUI.

    event manager applet CLIaccounting
     event cli pattern ".*" sync no skip no
     action 1.0 syslog priority informational msg "$_cli_msg"
     set 2.0 _exit_status 1

    Sorry, I have no clue what it means - it does work, though.

    sh log

    Mar 13 20:53:21.918 BST: %HA_EM-6-LOG: CLIaccounting: show ip nat translations
    Mar 13 21:00:41.696 BST: %HA_EM-6-LOG: CLIaccounting: show running-config
    Mar 13 21:02:58.066 BST: %HA_EM-6-LOG: CLIaccounting: show logging
    Mar 13 21:05:02.455 BST: %HA_EM-6-LOG: CLIaccounting: show version


    There is another method of doing CLI logging that was documented
    in this list a few months back. You can also use TACACS
    for command logging.

    Finally, as already alluded to, I think that it is a good idea to
    consider arranging remote management outside of the VPN.
    Use access-lists to protect the outside from undesired attention.
     
    bod43, Mar 13, 2009
    #3
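
The two checks suggested in post #3, as an added example that is not part of the original thread: compare the "Last configuration change" and "NVRAM config last updated" header lines, and list config-mode commands the CLIaccounting applet logged after the last save. The function names and sample log lines are constructed, and it is an assumption that the applet logs commands in full (unabbreviated) form.

```python
import re
from datetime import datetime

# "17:58:15 BST Fri Mar 13 2009": zone and weekday are skipped when parsing.
STAMP = re.compile(r"(\d\d:\d\d:\d\d) \S+ \w{3} (\w{3}) +(\d+) (\d{4})")
EEM = re.compile(r"%HA_EM-6-LOG: CLIaccounting: (.+)$")
SAVE = re.compile(r"^(write( memory)?|copy running-config startup-config)$")

def _stamp(line):
    return datetime.strptime(" ".join(STAMP.search(line).groups()), "%H:%M:%S %b %d %Y")

def running_config_saved(show_run_text):
    """True if NVRAM was written at or after the last change; None if a header is absent."""
    changed = saved = None
    for line in map(str.strip, show_run_text.splitlines()):
        if line.startswith("! Last configuration change at"):
            changed = _stamp(line)
        elif line.startswith("! NVRAM config last updated at"):
            saved = _stamp(line)
    return None if changed is None or saved is None else saved >= changed

def unsaved_commands(log_lines):
    """Config-mode commands logged by the applet since the last save command."""
    pending, in_config = [], False
    for line in log_lines:
        m = EEM.search(line.strip())
        if not m:
            continue
        cmd = m.group(1).strip()
        if SAVE.match(cmd):
            pending = []
        elif cmd.startswith("configure terminal"):
            in_config = True
        elif cmd == "end":  # simplification: only "end" leaves config mode
            in_config = False
        elif in_config:
            pending.append(cmd)
    return pending

# Header lines as quoted in the post, then a constructed variant changed after the save.
HEADER_SAVED = """! Last configuration change at 17:58:15 BST Fri Mar 13 2009 by xxx
! NVRAM config last updated at 17:58:16 BST Fri Mar 13 2009"""
HEADER_UNSAVED = HEADER_SAVED.replace("17:58:15", "18:20:00")
# Constructed log lines in the format shown in the post.
P = "Mar 13 21:{} BST: %HA_EM-6-LOG: CLIaccounting: {}"
SAMPLE_LOG = [P.format(t, c) for t, c in [
    ("05:02.455", "show version"), ("06:10.101", "configure terminal"),
    ("06:31.004", "interface FastEthernet4"), ("06:40.220", "description WAN uplink"),
    ("06:45.903", "end"), ("06:50.118", "write memory"),
    ("09:12.540", "configure terminal"), ("09:30.777", "logging host 192.0.2.10"),
    ("09:33.015", "end"), ("09:41.366", "show logging")]]
```

A result of False from running_config_saved, or a non-empty list from unsaved_commands, means a reload would discard those changes.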
  4. TimParker

    TimParker Guest

    Yes, I was not able to get into the router, as the connection to the
    remote office was down. I think I will have to rethink my strategy on
    how this is set up and managed. I am the only user to touch the
    routers, I am our IT department. hehe.

    I will take a look at all these ideas and see what I can come up with.
    Thanks for the hints.

    Tim

     
    TimParker, Mar 14, 2009
    #4