
Connecting to Google, tunnel up/line protocol down.

Any help would be appreciated.

I can ping the other end of the tunnel but the line protocol on my side is down.

Also, any debug hints would be helpful.

 

Current configuration : 13779 bytes
!
! Last configuration change at 22:23:49 UTC Fri Feb 12 2021 by jwilliams
! NVRAM config last updated at 19:17:58 UTC Fri Feb 12 2021 by cfraule
!
version 16.9
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec show-timezone
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname az05oescsec
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.09.05.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 64000 informational
enable secret 5 $1$EqGD$fX52L6HkdB12FQi9HDFE0.
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line enable
aaa accounting exec default
action-type start-stop
group tacacs+
!
!
!
!
!
!
!
aaa session-id common
no ip source-route
!
no ip bootp server
no ip domain lookup
ip domain name us.bull.com
!
!
!
login block-for 15 attempts 4 within 20
login on-failure log every 4
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
flow record FLW-RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport icmp ipv4 code
collect transport icmp ipv4 type
collect transport tcp flags
collect interface output
collect counter bytes
!
!
flow monitor FLW-MON
cache timeout active 120
cache entries 20000
record FLW-RECORD
!
!
!
!
crypto pki trustpoint TP-self-signed-3730741338
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3730741338
revocation-check none
rsakeypair TP-self-signed-3730741338
!
!
crypto pki certificate chain TP-self-signed-3730741338
certificate self-signed 01

!
license udi pid ISR4331/K9 sn FDO19460B8D
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
archive
log config
hidekeys
!
!
!
username
username
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 192
authentication pre-share
group 5
lifetime 67000
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
lifetime 36600
crypto isakmp key oesc2bull20160204 address 204.87.88.6
crypto isakmp key oescGOOGLE20210211 address 35.236.234.135
!
!
crypto ipsec transform-set TUN-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac
mode tunnel
crypto ipsec transform-set AES-128 esp-aes esp-sha-hmac
mode tunnel
!
!
!
!
crypto map RMTIPSEC 10 ipsec-isakmp
set peer 204.87.88.6
set security-association lifetime seconds 28800
set transform-set ESP-AES192-SHA
set pfs group2
match address GRE-TUN24
crypto map RMTIPSEC 11 ipsec-isakmp
set peer 35.236.234.135
set security-association lifetime seconds 28800
set transform-set AES-128
set pfs group2
match address GRE-TUN90
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.18.124.239 255.255.255.255
!
interface Tunnel24
description Tunnel to
bandwidth 1536
ip address 172.19.24.2 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source GigabitEthernet0/0/1
tunnel destination 204.87.88.6
ip virtual-reassembly
!
interface Tunnel90
description Tunnel to Google
bandwidth 1536
ip address 172.19.24.5 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source GigabitEthernet0/0/1
tunnel destination 35.236.234.135
ip virtual-reassembly
!
interface GigabitEthernet0/0/0
description LAN interface - VLAN 902
ip flow monitor FLW-MON unicast input
ip flow monitor FLW-MON unicast output
ip address
standby 1 ip 192.90.178.68
standby 1 priority 85
ip ospf cost 20
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
description Internet connection - 192.90.181.201/24
ip flow monitor FLW-MON unicast input
ip flow monitor FLW-MON unicast output
ip address 192.90.181.201 255.255.255.0
ip access-group ACL-FROM-G01 in
negotiation auto
crypto map RMTIPSEC
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description to az05oescpri
no ip address
no ip proxy-arp
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description to az05oescpri
switchport access vlan 168
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan168
description to az05oescpri
ip flow monitor FLW-MON unicast input
ip flow monitor FLW-MON unicast output
ip address 1
no ip proxy-arp
!
router ospf 100
router-id
log-adjacency-changes detail
redistribute connected metric-type 1 subnets route-map CONNECTED->OSPF
redistribute static metric-type 1 subnets route-map STATIC->OSPF
network area 100
network area 100
network area 100
!
no ip forward-protocol nd
ip telnet source-interface Tunnel24
no ip http server
no ip http secure-server
ip tftp source-interface Loopback0
ip route 0.0.0.0 0.0.0.0 192.90.181.254
ip route 3
ip route 1
ip route 1
ip route 1
ip route 1
ip route 1
ip route 1
ip route 2
ip tacacs source-interface Loopback0
!
ip ssh time-out 60
ip ssh source-interface Loopback0
ip ssh logging events
ip ssh version 2
!
!
ip prefix-list STATIC->OSPF seq 10 permit 192.5.20.0/24
ip prefix-list STATIC->OSPF seq 15 permit 192.5.32.0/24
ip prefix-list STATIC->OSPF seq 30 permit 192.90.0.0/16 le 32
!

deny any log
!
ip access-list extended ACL-FROM-G01

logging trap warnings
logging source-interface Loopback0
logging host 192.5.32.138
access-list 3 permit 192.5.20.0 0.0.0.255
access-list 3 permit 192.5.32.0 0.0.0.255
access-list 7 permit 192.5.20.0 0.0.0.255
access-list 7 permit 192.5.32.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
route-map STATIC->OSPF permit 10
match ip address prefix-list STATIC->OSPF
!
route-map CONNECTED->OSPF permit 10
match interface Loopback0 GigabitEthernet0/0/0
!
snmp-server engineID local 00000009020000500F0E0B61
snmp-server community ripcord RO 3
snmp-server community bullvox RW 7
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server packetsize 8192
snmp-server location 1-104 computer room, Phoenix AZ 85029
snmp-server contact AZ05 LAN/WAN Group
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps config
snmp-server host 192.5.32.152 version 2c ripcord
tacacs-server host 192.5.32.134
tacacs-server host 192.5.32.146
tacacs-server host 192.5.32.147
tacacs-server directed-request
tacacs-server key 7
!
!
!
!
control-plane
!
banner login ^CC

1 Reply

balaji.bandi
Hall of Fame
show crypto isakmp sa
show crypto ipsec sa

Post the above output to understand the issue. Also make sure your interesting IP ACL matches the other side.

Try to ping or contact the other side's IP address to see any change in the outcome.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
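
A local pre-check for the advice in the reply above, as an added example that is not part of the original thread or any Cisco tooling: before comparing the interesting-traffic ACL with the remote side, confirm that every crypto map entry refers to a pre-shared key, transform-set and ACL that exist in this router's own config. The sample config is constructed (documentation addresses, placeholder key) and reuses names from the posted config; `audit_crypto_maps` is a hypothetical helper and only handles per-address `crypto isakmp key` lines.

```python
import re

# Constructed sample modelled on the posted config; ACL GRE-TUN90 is absent on purpose.
SAMPLE = """\
crypto isakmp key EXAMPLE-PSK address 203.0.113.10
crypto ipsec transform-set AES-128 esp-aes esp-sha-hmac
 mode tunnel
crypto map RMTIPSEC 11 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set AES-128
 set pfs group2
 match address GRE-TUN90
crypto map RMTIPSEC 12 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set AES-256
 match address GRE-TUN91
ip access-list extended GRE-TUN91
 permit gre host 192.0.2.1 host 198.51.100.7
"""

def audit_crypto_maps(config):
    """Return {(map_name, seq): [problems]} for each crypto map entry."""
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    acls = set(re.findall(
        r"^(?:ip access-list (?:extended|standard)|access-list) (\S+)", config, re.M))
    report, entry = {}, None
    for line in config.splitlines():
        words = line.split()  # tolerate configs pasted without indentation
        head = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if head:
            entry = (head.group(1), int(head.group(2)))
            report[entry] = []
        elif entry is None or not words:
            continue
        elif words[0] not in ("set", "match", "description"):
            entry = None  # "!" or any other command ends the crypto map block
        elif len(words) < 3:
            continue  # redacted or truncated sub-command, nothing to check
        elif words[:2] == ["set", "peer"] and words[2] not in keys:
            report[entry].append(f"no isakmp key for peer {words[2]}")
        elif words[:2] == ["set", "transform-set"]:
            report[entry] += [f"transform-set {n} is not defined"
                              for n in words[2:] if n not in tsets]
        elif words[:2] == ["match", "address"] and words[2] not in acls:
            report[entry].append(f"ACL {words[2]} is not defined")
    return report

if __name__ == "__main__":
    for (name, seq), problems in audit_crypto_maps(SAMPLE).items():
        print(name, seq, problems or "ok")
```

An entry that reports a missing ACL here has no interesting traffic to compare with the other side, so fix local findings first and then check the output of `show crypto isakmp sa` and `show crypto ipsec sa`.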