BGP and crypto map

Discussion in 'Cisco' started by Dave Enenkel, Nov 10, 2003.

  1. Dave Enenkel

    Hi everybody,

    At the moment I have a strange behaviour with one of my routers. It's
    a 7120 (12.2.15 T7) where I'm running BGP and VPN stuff on. The problem
    I have at the moment is that every time I enable a crypto map on my
    serial interface my BGP session to my provider's router goes down.
    After I debugged a lot of stuff and did some testing I really think
    it's a bug, but maybe I missed something. Did someone have similar
    problems?

    Thanks in advance for responses

    Dave Enenkel, Nov 10, 2003

  2. CCIE8122

    Hi everybody,
    You gotta post a config, else there is really no way to help you.

    CCIE8122, Nov 11, 2003

  3. How do your ACLs look? As CCIE8122 mentioned, configs are required.
    Vidyaranya Maddi, Nov 13, 2003
  4. Are you using route-maps to match the next hop?

    Tijuana, Mexico
    Ariel Taranto, Nov 14, 2003
  5. Dave Enenkel

    I'm using route maps for the BGP config. For VPN i use static routes.
    Dave Enenkel, Nov 14, 2003
  6. Dave Enenkel

    Appended you will find an extract of my config.

    ip subnet-zero
    no ip source-route
    no ip domain lookup
    no ip cef
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key xxxxxxx address xx.xx.xx.xx no-xauth
    crypto ipsec transform-set Test-vpn esp-3des esp-sha-hmac
    crypto map Test-vpn 10 ipsec-isakmp
     set peer xx.xx.xx.xx
     ! must name the transform-set defined above (the extract had NS-Strong here)
     set transform-set Test-vpn
     match address 175

    interface Serial1/0
     bandwidth 1984
     ip address xx.xx.xx.xx
     ip access-group 110 in
     no ip route-cache
     no ip mroute-cache
     load-interval 60
     serial restart-delay 0
     no fair-queue
     no cdp enable
     crypto map Test-vpn
    router bgp xxxx
     no synchronization
     bgp router-id xx.xx.xx.xx
     bgp log-neighbor-changes
     network xx.xx.xx.xx
     neighbor <Provider-Router> remote-as xx
     neighbor <Provider-Router> send-community
     neighbor <Provider-Router> soft-reconfiguration inbound
     neighbor <Provider-Router> route-map IN in
     neighbor <Provider-Router> route-map OUT out
     neighbor <my-other-redundant-router> remote-as xxxx
     neighbor <my-other-redundant-router> update-source Loopback0
     neighbor <my-other-redundant-router> next-hop-self
     neighbor <my-other-redundant-router> send-community
     no auto-summary
    ip classless
    ip route VPN-network serial 1/0
    no ip http server
    no ip http secure-server
    ip bgp-community new-format
    ip as-path access-list 1 permit ^$
    ip as-path access-list 2 permit ^xxx_
    ip prefix-list NO-SUBNET seq 5 permit ge 25
    access-list 110 permit icmp any any unreachable
    access-list 110 permit icmp any any source-quench
    access-list 110 permit icmp any any time-exceeded
    access-list 110 permit icmp any any parameter-problem
    access-list 110 permit icmp any any conversion-error
    access-list 110 permit icmp any xxxxxxx echo-reply
    access-list 110 deny icmp any any
    access-list 110 permit ip any any
    access-list 110 permit esp any any
    access-list 175 permit ip xxxx xxxxxx
    no cdp run
    route-map OUT permit 10
     match as-path 1
     set as-path prepend xxx xxx xxx
    route-map OUT deny 20
    route-map IN deny 5
     match ip address prefix-list NO-SUBNET
    route-map IN permit 10
     match as-path 2
     set local-preference 90
    Dave Enenkel, Nov 14, 2003
  7. Dave Enenkel

    Hi everybody,

    Cisco TAC helped us to find the problem. The IOS is a little bit
    sensitive regarding the VPN config. We had a dynamic crypto map entry
    in our config (as a template) with a link to an access list where the
    access list itself was not configured.
    After setting the access lists the problem vanished.

    Thanks for all the responses

    Dave Enenkel, Nov 19, 2003
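The root cause in post 7 (a dynamic crypto map entry whose match address points at an access list that was never configured) and the transform-set name mismatch visible in the config extract in post 6 are both dangling references between objects in one IOS config. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style running config and reports every access list, transform-set, crypto map or dynamic map that is referenced but never defined, so this class of mistake is caught before the crypto map is applied to a live interface. The sample config embedded in it is constructed for the example, loosely modelled on the extract (RFC 5737 addresses, ACL 180 and the dynamic map DYN-TEMPLATE are invented), and the regexes cover only the command forms shown here.

```python
"""Check a Cisco IOS configuration for dangling references between
crypto maps, dynamic maps, transform-sets and access lists.

Added example (not from the thread). It models the failure mode the thread
ends on: a crypto map entry whose 'match address' names an access list that
was never configured, plus a 'set transform-set' naming an undefined set.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config, loosely modelled on the extract in the thread.
# ACL 180 is referenced by the dynamic crypto map template but never defined,
# and the static entry names a transform-set (NS-Strong) that does not exist.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set Test-vpn esp-3des esp-sha-hmac
crypto dynamic-map DYN-TEMPLATE 10
 set transform-set Test-vpn
 match address 180
crypto map Test-vpn 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set NS-Strong
 match address 175
crypto map Test-vpn 65535 ipsec-isakmp dynamic DYN-TEMPLATE
interface Serial1/0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 110 in
 crypto map Test-vpn
access-list 110 permit ip any any
access-list 175 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""

# (kind, name, top-level block the reference sits in)
Reference = Tuple[str, str, str]


def _definitions(lines: List[str]) -> Dict[str, Set[str]]:
    """Collect the names of objects the config actually defines."""
    defined: Dict[str, Set[str]] = {
        "acl": set(), "transform-set": set(), "crypto-map": set(), "dynamic-map": set(),
    }
    for line in lines:
        if m := re.match(r"access-list (\S+) ", line):
            defined["acl"].add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            defined["acl"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            defined["transform-set"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ", line):
            defined["crypto-map"].add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            defined["dynamic-map"].add(m.group(1))
    return defined


def _references(lines: List[str]) -> List[Reference]:
    """Collect every place the config points at a named object, remembering
    the top-level block (interface, crypto map entry, ...) it belongs to."""
    refs: List[Reference] = []
    context = "(global)"
    for line in lines:
        if not line.startswith(" "):      # IOS indents sub-commands by one space
            context = line.strip()
        stripped = line.strip()
        if m := re.match(r"match address (\S+)$", stripped):
            refs.append(("acl", m.group(1), context))
        elif m := re.match(r"ip access-group (\S+) (?:in|out)$", stripped):
            refs.append(("acl", m.group(1), context))
        elif m := re.match(r"set transform-set (.+)$", stripped):
            for name in m.group(1).split():   # an entry may list several sets
                refs.append(("transform-set", name, context))
        elif m := re.match(r"crypto map (\S+)$", stripped):   # interface binding
            refs.append(("crypto-map", m.group(1), context))
        elif m := re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", stripped):
            refs.append(("dynamic-map", m.group(1), context))
    return refs


def find_dangling_references(config_text: str) -> List[Reference]:
    """Return references to access lists, transform-sets, crypto maps or
    dynamic maps that are never defined anywhere in the config."""
    lines = [ln.rstrip() for ln in config_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    defined = _definitions(lines)
    return [ref for ref in _references(lines) if ref[1] not in defined[ref[0]]]


if __name__ == "__main__":
    for kind, name, where in find_dangling_references(SAMPLE_CONFIG):
        print(f"{kind} '{name}' referenced in '{where}' is not defined")
```

Run against a saved `show running-config`, the script lists the two planted problems (ACL 180 from the dynamic map template and the NS-Strong transform-set) and nothing else; with both fixed it returns an empty list. It checks presence only, not whether an access list's entries make sense for the traffic it is meant to select.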