Recent content by Nutz

Nice. Turns out the SPAs are LR and the Nexus 5020 the ASR trunks to is all SR.

The 10GE SPA interface cards have two LEDs, one for status and the other for link. Both are illuminated, but there is no fiber connected to the cards and I cannot figure out if the whole ASR is bad, or just the cards. Also, the ASR's "boot" LED is constantly blinking, so I'm thinking *something*...

So, it turns out on our version IOS [12.2(33)SHX] VRF mode must be enabled to do VTIs. That's part of why the tunnel interface wasn't functioning. So now I've got the SPA enabled and associated with the VTI. I was able to pass one ping across it before the ISAKMP association reset for some...

Okay, I just put a router between them and it's the same thing. And yes I tried to ping. Also tried to ping sourcing the local loopback interface. What happens is the traffic is sent out the physical interface due to the default route. When I remove the default route traffic fails to pass...

Nope. Configured it verbatim per the document and it still didn't work. I don't know what's causing the tunnel interface to be stuck up/down. My gut tells me if I can get that frakker to come up my mission is accomplished.

Hmm... that should do it then. Looks like what I did the other day, only slightly modified. I'll give it a try in the morning. Hell, I may just mock this up in the lab at the house tonight if I get a chance.

The first one I already looked at and it's not utilizing tunnel interfaces. It's just a straight up old fashioned IPSec VPN in tunnel mode. I already did that last week. What I need is tunnel interfaces with Static VTIs. And we can't do GRE. Not allowed for what we're trying to accomplish...

Lets try this instead.. Can someone post a config based on the information I provided that would establish an IPSec tunnel using tunnel interfaces? From there I should be able to port it into what I need.

Something I was just told is that it wont work because the Fa1/0 interfaces on the two devices are in the same subnet. Any truth to this?

The crypto section looks good according to teh docs I have on hand if doing straight IPSec. However, when using the tunnel interfaces things go pear shaped. And Cisco's site is down at the moment so I'm SOL there for a while.

For the moment, yes. Just a tunnel using a tunnel interface. What parts are missing? I'm trying to remember the config off the top of my head and I've gone through VRF+SPA+Tunnel, VRF+Tunnel w/o SPA, SPA+Tunnel w/o VRF, and every permutation thereof so don't be surprised if I'm mixing config...

Here is what I remember of the config off the top of my head: 6509 access-list 110 permit ip 10.2.0.1 host 10.1.0.1 host access-list 110 permit ip 10.1.0.1 host 10.2.0.1 host access-list 110 permit icmp 10.2.0.1 host 10.1.0.1 host access-list 110 permit icmp 10.1.0.1 host 10.2.0.1 host...

I cannot get a VPN tunnel interface to come up on two Cisco devices. One is a 6509 using a SPA card and VRF mode, the other is a 3825 with nothing special going on. I'm trying to establish a Virtual Tunnel Interface on the 6509 utilizing VRF and the SPA, but I'm at my wits end on this one...

Gah! Fooking hell. When setting up a VPN, make sure the SPA module is turned off if you're not using it, otherwise it'll disable the IPSec features of the IOS. I just spent the better part of two weeks finding this out.

Does anyone have experience with VRF VPN implementations? I'm having some trouble at work getting failover to work, or even getting the VRF implemented properly and could use some help. I'm new to this service provider's network and had a task dumped in my lap. Nobody knows how to do VRF or...