Disable All VPN Tunnel Timeouts on Cisco 1841 - timeout

A customer of ours has a Cisco 1841 router that is connected to another network via an IPSec VPN tunnel. Everything is working well, but occasionally the VPN tunnel will drop and come back up at a later time (sometimes in a few minutes, sometimes in a few hours).
I have a feeling that the router is configured to drop the tunnel if there isn't any network traffic across it after so many minutes, and then re-establish the tunnel when traffic needs to go out across it.
What I'd like to do is have the router configured so that the tunnel stays up all the time. Documentation that I've seen makes mention of modifying group policies, but the router isn't configured for that, and I'd like to stay away from doing that if at all possible.
A scrubbed copy of their router configuration is below. Any help would be appreciated.
--
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CustomerName
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$gaBA$wXYb7px.gAAFR05JJ10510
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
!
!
ip domain name CustomerName.us
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
crypto pki trustpoint TP-self-signed-475674154
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-475674154
revocation-check none
rsakeypair TP-self-signed-475674154
!
!
crypto pki certificate chain TP-self-signed-475674154
certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34373536 37343135 34301E17 0D313330 38303132 30303834
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3437 35363734
  31353430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A971CD18 93797FFA EB6BE936 2F3E66C4 8E295883 6C674012 A880FA08 FAE3490A
  B362AB65 670E881C D2250574 720A6641 2A072F83 7A456DBC 0EDBBF4D FA675717
  E45AABF5 3B94F956 8D7D0EDE 57E4048B 0D616B9A 96E2F6A0 5AADC8FB 803A991C
  E0DA0B0B 7644D132 336C3DB3 7FD12D97 E9EF15EF AAC6CF12 4504AC41 C6D4BA1B
  02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  11041830 16821441 6C6C7368 6F72652E 616C6C73 686F7265 2E757330 1F060355
  1D230418 30168014 08293177 593054F5 0592E062 1CE0BB17 E3E71990 301D0603
  551D0E04 16041408 29317759 3054F505 92E0621C E0BB17E3 E7199030 0D06092A
  864886F7 0D010104 05000381 81008017 F56757B1 2D716F08 6748811E 2D86D83B
  92288F4B 215BADE9 78BEB571 4E2B5673 15B3DF04 DEE340F5 380B0CA1 E4BEB665
  FE80D4B2 27F302F9 CB7DEB45 5A3B5959 D46127A9 68783C20 B066BEEE 18705DCF
  D26068C7 1F5EA80C 2644ECE2 FB1894EF 6F13CA87 4CD13494 9ADE31AF 5B752C11
  375DEA79 14A3EBE0 F04FBD7E 96B1
  quit
username CustomerName privilege 15 secret 5 $1$FpRX$rOCJ52eTZllenQD5sSUvT1
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key fM579D2i92r3j9tydsanFntyeakB6KWvJDoR7n79yxsWXe8p5o3hhh5N23vktv4 address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set red esp-aes 256 esp-sha-hmac
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set red
set pfs group1
match address crypto10
!
!
!
!
interface FastEthernet0/0
description Connected to Cable Modem
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map OUTSIDE_MAP
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1/0
switchport access vlan 2
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Vlan2
description CustomerName LAN
ip address 10.10.20.1 255.255.255.0
ip helper-address 172.16.3.100
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 184.178.184.1
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static udp 10.10.20.2 5060 184.178.184.16 5060 extendable
ip nat inside source static tcp 10.10.20.2 5090 184.178.184.16 5090 extendable
ip nat inside source static udp 10.10.20.2 9000 184.178.184.16 9000 extendable
ip nat inside source static udp 10.10.20.2 9001 184.178.184.16 9001 extendable
ip nat inside source static udp 10.10.20.2 9002 184.178.184.16 9002 extendable
ip nat inside source static udp 10.10.20.2 9003 184.178.184.16 9003 extendable
ip nat inside source static udp 10.10.20.2 9004 184.178.184.16 9004 extendable
ip nat inside source static udp 10.10.20.2 9005 184.178.184.16 9005 extendable
!
ip access-list extended crypto10
permit ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
!
access-list 101 deny   ip 10.10.20.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet ssh
transport output all
line vty 5 15
privilege level 15
login local
transport input all
transport output all
!
scheduler allocate 20000 1000
end
--

I think you can find the answer to your question here:
http://www.cisco.com/en/US/products/hw/routers/ps368/module_installation_and_configuration_guides_chapter09186a00806c1d08.html#wp2551278
IPSec SA Idle Timer Global Configuration Example
The following example globally configures the IPSec SA idle timer to drop SAs for inactive peers after 600 seconds:
Router(config)# crypto ipsec security-association idle-time 600
IPSec SA Idle Timer per Crypto Map Configuration Example
The following example configures the IPSec SA idle timer for the crypto map named "test" to drop SAs for inactive peers after 600 seconds:
Router(config)# crypto map test 1 ipsec-isakmp
Router(config-crypto-map)# set security-association idle-time 600
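To see which of these timers a given running-config actually carries, and which are left at IOS defaults, here is a small audit script. It is an added example, not code from the question or from Cisco's documentation. It runs over a constructed excerpt modelled on the configuration above (peer address and pre-shared key replaced by placeholders) and over the two idle-timer forms quoted in the answer. The defaults it reports when a value is absent (86400 s for the ISAKMP SA, 3600 s for the IPsec SA) are the IOS documented defaults, and the `crypto isakmp keepalive` line it looks for is IOS dead peer detection; neither appears in the question's config, so the script reports them as not set.

```python
import re

# Constructed excerpt modelled on the question's running-config; the peer address
# and pre-shared key are placeholders (192.0.2.1 is a documentation address).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER address 192.0.2.1
!
crypto ipsec transform-set red esp-aes 256 esp-sha-hmac
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set red
 set pfs group1
 match address crypto10
!
interface FastEthernet0/0
 crypto map OUTSIDE_MAP
"""

# Constructed: the two idle-timer forms quoted from the Cisco documentation in the answer.
IDLE_TIMER_CONFIG = """\
crypto ipsec security-association idle-time 600
crypto map test 1 ipsec-isakmp
 set security-association idle-time 600
"""

IOS_DEFAULT_ISAKMP_LIFETIME = 86400   # seconds, used when the policy has no 'lifetime'
IOS_DEFAULT_IPSEC_SA_LIFETIME = 3600  # seconds, used when no SA lifetime is configured


def audit_vpn_timeouts(config_text):
    """Walk a running-config and collect every timer that can end an IPsec/ISAKMP SA."""
    found = {
        "isakmp_lifetime": None,      # 'lifetime N' inside 'crypto isakmp policy'
        "ipsec_sa_lifetime": None,    # 'crypto ipsec security-association lifetime seconds N'
        "global_idle_time": None,     # 'crypto ipsec security-association idle-time N'
        "crypto_map_idle_time": {},   # 'set security-association idle-time N' per map entry
        "dpd_keepalive": None,        # 'crypto isakmp keepalive ...' (dead peer detection)
    }
    section = None  # ("isakmp", policy) or ("map", "NAME SEQ") while inside that block
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            section = ("isakmp", m.group(1))
            continue
        m = re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            section = ("map", f"{m.group(1)} {m.group(2)}")
            continue
        if line.startswith("interface "):
            section = None
            continue
        m = re.fullmatch(r"crypto ipsec security-association lifetime seconds (\d+)", line)
        if m:
            found["ipsec_sa_lifetime"] = int(m.group(1))
            continue
        m = re.fullmatch(r"crypto ipsec security-association idle-time (\d+)", line)
        if m:
            found["global_idle_time"] = int(m.group(1))
            continue
        m = re.fullmatch(r"crypto isakmp keepalive (.+)", line)
        if m:
            found["dpd_keepalive"] = m.group(1)
            continue
        m = re.fullmatch(r"lifetime (\d+)", line)
        if m and section and section[0] == "isakmp":
            found["isakmp_lifetime"] = int(m.group(1))
            continue
        m = re.fullmatch(r"set security-association idle-time (\d+)", line)
        if m and section and section[0] == "map":
            found["crypto_map_idle_time"][section[1]] = int(m.group(1))
    return found


def report(found):
    """Turn the audit into findings; absent values are reported at the IOS defaults."""
    lines = []
    isakmp = found["isakmp_lifetime"]
    lines.append(f"ISAKMP SA lifetime: {IOS_DEFAULT_ISAKMP_LIFETIME if isakmp is None else isakmp} s"
                 + (" (IOS default, not set)" if isakmp is None else ""))
    ipsec = found["ipsec_sa_lifetime"]
    lines.append(f"IPsec SA lifetime: {IOS_DEFAULT_IPSEC_SA_LIFETIME if ipsec is None else ipsec} s"
                 + (" (IOS default, not set)" if ipsec is None else ""))
    if found["global_idle_time"] is None and not found["crypto_map_idle_time"]:
        lines.append("no SA idle timer configured: this router does not tear down idle SAs by idle-time")
    else:
        if found["global_idle_time"] is not None:
            lines.append(f"global SA idle timer: {found['global_idle_time']} s")
        for entry, secs in found["crypto_map_idle_time"].items():
            lines.append(f"crypto map {entry}: SA idle timer {secs} s")
    lines.append("DPD keepalive: " + (found["dpd_keepalive"] or "not configured"))
    return lines


if __name__ == "__main__":
    for line in report(audit_vpn_timeouts(SAMPLE_CONFIG)):
        print(line)
```

Run against the question's config the script finds only the 28800 s ISAKMP lifetime and no idle timer at all, which is worth knowing before adding or removing idle-time commands: the idle timer quoted in the answer is not what is currently ending this tunnel.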

Related

NAT traversal requires STUN or TURN

I'm a novice setting up a server for the first time to implement WebRTC.
The Linux host is CentOS 7, with KMS and Coturn set up.
However, there is one problem.
The client and server are not connected on the screen, so I checked the logs of KMS:
docker logs --follow kms
0:00:01.206579656 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:90:ServerMethods: Using above 80% of system limits will throw NOT_ENOUGH_RESOURCES exception
0:00:01.206607827 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:109:ServerMethods: System limits: unlimited threads, 32768 files
0:00:01.206902099 1 0x56191aac5010 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:00:01.207158442 1 0x56191aac5010 INFO KurentoServerMethods ServerMethods.cpp:144:ServerMethods: RPC Request Cache is ENABLED
0:00:01.207351433 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:187:initWebSocket: WebSocket server (ws://) listening on address '::', port 8888
0:00:01.207411744 1 0x56191aac5010 INFO KurentoWebSocketTransport WebSocketTransport.cpp:88:WebSocketTransport: Secure WebSocket server (wss://) not enabled
0:00:01.208078290 1 0x56191aac5010 INFO KurentoMediaServer main.cpp:259:main: Kurento Media Server started
0:02:29.095818552 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:164:generateDefaultCertificates: Unable to load the RSA certificate from file. Using the default certificate.
0:02:29.284074137 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:174:generateDefaultCertificates: Unable to load the ECDSA certificate from file. Using the default certificate.
0:02:29.290405426 1 0x7f5070017630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint0> Removing not supported codec 'AMR/8000'
0:02:29.515589312 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint0> Media 'video' has REMB
0:02:29.515721223 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> Creating REMB for session ID 0 (kmswebrtcendpoint0-sess0) and remote video SSRC 3653849939
0:02:29.515746113 1 0x7f5064039e00 INFO basertpendpoint kmsbasertpendpoint.c:1089:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint0> REMB: Set RTCP min interval to 500 ms
0:02:29.519063004 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:823:kms_webrtc_session_set_stun_server_info:<kmswebrtcsession0> STUN server not configured! NAT traversal requires STUN or TURN
0:02:29.519107324 1 0x7f5064007580 WARN kmswebrtcsession kmswebrtcsession.c:843:kms_webrtc_session_set_relay_info:<kmswebrtcsession0> TURN relay server not configured! NAT traversal requires STUN or TURN
0:02:29.522346434 1 0x7f50700054f0 INFO KurentoWorkerPool WorkerPool.cpp:67:WorkerPool: Worker thread pool size: 2
0:02:40.930306053 1 0x7f5050001630 INFO KurentoWebRtcEndpointImpl WebRtcEndpointImpl.cpp:110:remove_not_supported_codecs_from_array:<kmswebrtcendpoint1> Removing not supported codec 'AMR/8000'
0:02:40.951376487 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1132:kms_base_rtp_endpoint_start_transport_send:<kmswebrtcendpoint1> Media 'video' has REMB
0:02:40.951898082 1 0x7f5064018b30 INFO basertpendpoint kmsbasertpendpoint.c:1078:kms_base_rtp_endpoint_create_remb_manager:<kmswebrtcendpoint1> Creating REMB for session ID 0 (kmswebrtcendpoint1-sess0) and remote video SSRC 3442416509
"NAT traversal requires STUN or TURN."
I don't know how to solve this part.
This is because the STUN server results from Trickle ICE were also successful.
If you know what I need to do, I'd appreciate it if you could tell me all the actions.
And please let me know if there is anything else I need to fill out!
STUN and TURN
You don't have to have coturn if you are doing local testing. The warning is saying that if you want to go outside of your network (out of your router and to the web) you will need a STUN or TURN server.
Docker
Docker doesn't open the port 8888 by itself. You may need to open that port manually. To do this, add this -p 8888:8888 when creating your container.
Or if you are using the Desktop version you can enter it into Host port under the Optional settings when you first run it.

nodogsplash cannot detect wifi interface

I'm stuck and I need any help that can point me in the right direction (thanks in advance for any help provided). I want to create a WiFi access point with a Raspberry Pi 3B+ and an external WiFi dongle. Everything is set up and working great, except that nodogsplash can't detect the WiFi interface, so here is my configuration so you can check if there's any error in it.
Here is the /etc/config/wireless content:
config wifi-device 'wl0'
option type 'broadcom'
option disabled '0'
option channel 'auto'
config wifi-device 'wlan0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/soc/3f980000.usb/usb1/1-1/1-1.1/1-1.1.2/1-1.1.2:1.0'
option htmode 'HT20'
option legacy_rates '1'
option country 'TN'
config wifi-iface
option device 'wlan0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
option network 'lan'
The content of /etc/config/network:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda6:1455:0cd8::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option proto 'dhcp'
config 'interface' 'wifi'
option 'ifname' 'wlan0'
option 'proto' 'dhcp'
config 'interface' 'wifi_2'
option 'ifname' 'wl0'
option 'proto' 'dhcp'
And last, the configuration of nodogsplash under /etc/config/nodogsplash:
option enabled 1
option fwhook_enabled '1'
option gatewayinterface 'wifi'
option externalinterface 'br-lan'
option gatewayname 'OpenWrt Nodogsplash'
option maxclients '250'
option preauthidletimeout '30'
option authidletimeout '120'
option sessiontimeout '1200'
option checkinterval '600'
#TEST
option fasremoteip https://www.google.net/
option fas_secure_enabled '0'
#End TEST
list authenticated_users 'allow all'
list users_to_router 'allow tcp port 22'
list users_to_router 'allow tcp port 23'
list users_to_router 'allow tcp port 53'
list users_to_router 'allow udp port 53'
list users_to_router 'allow udp port 67'
list users_to_router 'allow tcp port 80'
list users_to_router 'allow tcp port 443'
So if I try the command service nodogsplash reload I get this error:
Interface wifi not detected.
Can not generate uci config. Will not start instance cfg015847.
Thanks again for any help.
Hey guys, thanks for the views. I found out that nodogsplash cannot detect an interface if it doesn't have an IP of its own, so as a DHCP client it will not detect the WiFi interface.
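The follow-up above names the condition nodogsplash checks: the gateway interface must carry an address of its own. The script below, an added example that is not part of the question or of the nodogsplash project, resolves `gatewayinterface` from a constructed copy of the question's /etc/config/nodogsplash against a constructed copy of its /etc/config/network and reports why the interface cannot be detected, then checks a corrected `wifi` section that has a static address (the 192.168.2.0/24 subnet is a placeholder). The `config nodogsplash` section header, which the question's excerpt omits, is assumed.

```python
import shlex

# Constructed excerpts modelled on the question's /etc/config/network; UCI accepts
# both quoted and unquoted keywords, which the parser below tolerates.
NETWORK_CONF = """\
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option proto 'dhcp'
config 'interface' 'wifi'
    option 'ifname' 'wlan0'
    option 'proto' 'dhcp'
config 'interface' 'wifi_2'
    option 'ifname' 'wl0'
    option 'proto' 'dhcp'
"""

# Constructed: the same 'wifi' section with an address of its own, the condition the
# question's follow-up identifies. 192.168.2.0/24 is a placeholder subnet.
FIXED_NETWORK_CONF = """\
config 'interface' 'wifi'
    option 'ifname' 'wlan0'
    option 'proto' 'static'
    option 'ipaddr' '192.168.2.1'
    option 'netmask' '255.255.255.0'
"""

# Constructed from the question's nodogsplash config; the section header is assumed.
NODOGSPLASH_CONF = """\
config nodogsplash
    option enabled 1
    option gatewayinterface 'wifi'
    option externalinterface 'br-lan'
    #TEST
    option fas_secure_enabled '0'
    list users_to_router 'allow tcp port 22'
    list users_to_router 'allow udp port 53'
"""


def parse_uci(text):
    """Minimal UCI reader: a list of (section_type, section_name, options) where
    'list' entries are collected into Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            name = tokens[2] if len(tokens) > 2 else None
            sections.append((tokens[1], name, {}))
        elif keyword == "option" and sections:
            sections[-1][2][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif keyword == "list" and sections:
            sections[-1][2].setdefault(tokens[1], []).append(tokens[2])
    return sections


def check_gateway_interface(network_conf, nodogsplash_conf):
    """Resolve gatewayinterface against /etc/config/network and say whether nodogsplash
    can bind to it: the interface must carry an address of its own."""
    nets = {name: opts for typ, name, opts in parse_uci(network_conf) if typ == "interface"}
    nds = next((opts for typ, _, opts in parse_uci(nodogsplash_conf) if typ == "nodogsplash"), {})
    gw = nds.get("gatewayinterface")
    if gw is None:
        return "no gatewayinterface set in /etc/config/nodogsplash"
    if gw not in nets:
        return f"gatewayinterface '{gw}' is not an interface section in /etc/config/network"
    opts = nets[gw]
    ifname = opts.get("ifname", "?")
    if opts.get("proto") == "static" and opts.get("ipaddr"):
        return f"ok: '{gw}' ({ifname}) has its own address {opts['ipaddr']}"
    if opts.get("proto") == "dhcp":
        return (f"'{gw}' ({ifname}) is a DHCP client: it has no address of its own until a "
                f"lease arrives, so nodogsplash reports 'Interface {gw} not detected'")
    return f"'{gw}' ({ifname}) has no static address; nodogsplash needs one on the gateway interface"


if __name__ == "__main__":
    print(check_gateway_interface(NETWORK_CONF, NODOGSPLASH_CONF))
    print(check_gateway_interface(FIXED_NETWORK_CONF, NODOGSPLASH_CONF))
```

The parser is deliberately small (no `config` sections without a name, no `uci` escaping rules beyond what `shlex` provides), but it is enough to run the same check against real /etc/config files copied off the device before restarting the service.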

Error while connecting to port 1883

I have a Rpi-A connected to internet via 3G surf-stick and Rpi-B connected to internet via a WiFi hotspot. Rpi-A has a public ip address and also ports 1883 and 8883 are open. Both raspberry Pi's are on different networks. I am attempting to send binary data using MQTT from Rpi-B to Rpi-A.
Update: I used the code below to test the MQTT connection, replacing XX.XX.XX.XX with the public IP of the Raspberry Pi. Still I end up getting this error:
error: [Errno 10060] A connection attempt failed because the connected
party did not properly respond after a period of time, or established
connection failed because connected host has failed to respond.
What might be the possible reason for this error? Is there anything missing in my code?
import paho.mqtt.client as mqtt
import time

def on_connect(client, userdata, flags, rc):
    # rc 0 means the broker accepted the connection
    print("Connected with result code " + str(rc))

client = mqtt.Client()
client.on_connect = on_connect
client.connect("xx.xx.xxx.x", 1883, 60)
client.loop_start()   # network loop runs in a background thread
while True:
    time.sleep(2)
    client.publish('Due_0.72/cmd/in', 'hello')
    print("publish..")
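The error quoted above is a TCP-level timeout: the connection attempt never gets an answer from the broker port, which is a different failure from the broker rejecting the MQTT CONNECT. The script below is an added example, not the question's code, that separates the two: a pre-flight TCP check on the broker port (with the timeout case reported in the same words as the error), a CONNACK decoder for the `rc` values paho hands to `on_connect` (from the MQTT 3.1.1 specification), and the question's publish loop with `on_disconnect` and the publish return code added. The topic and payload are the question's; the broker address is a parameter. `paho.mqtt.client` is imported lazily so the diagnostics run without it installed, and 192.0.2.1 in the usage below is a documentation address that never answers.

```python
import socket

# CONNACK return codes from the MQTT 3.1.1 specification, as paho passes them to on_connect(rc)
CONNACK_CODES = {
    0: "connection accepted",
    1: "refused: unacceptable protocol version",
    2: "refused: identifier rejected",
    3: "refused: server unavailable",
    4: "refused: bad user name or password",
    5: "refused: not authorized",
}


def describe_connack(rc):
    """Human-readable meaning of the rc value handed to on_connect."""
    return CONNACK_CODES.get(rc, f"unknown return code {rc}")


def tcp_reachable(host, port, timeout=5.0):
    """Pre-flight check: can a TCP handshake to the broker port complete at all?
    Returns (True, None) or (False, reason). A timeout here is the same symptom as the
    'did not properly respond after a period of time' error in the question."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, None
    except socket.timeout:
        return False, "timeout: no answer from the port (firewall, NAT/port-forward, or nothing listening)"
    except OSError as exc:
        return False, f"{exc.__class__.__name__}: {exc}"


def publish_forever(host, port=1883, topic="Due_0.72/cmd/in", payload="hello", interval=2.0):
    """The question's loop with the callbacks that say *why* a connection failed.
    paho is imported here so the diagnostics above work without it installed."""
    import time
    import paho.mqtt.client as mqtt

    ok, reason = tcp_reachable(host, port)
    if not ok:
        raise SystemExit(f"broker {host}:{port} unreachable: {reason}")

    def on_connect(client, userdata, flags, rc):
        print("CONNACK:", describe_connack(rc))

    def on_disconnect(client, userdata, rc):
        # rc != 0 means the link dropped unexpectedly; paho's loop thread will reconnect
        print("disconnected, rc =", rc)

    client = mqtt.Client()
    client.on_connect = on_connect
    client.on_disconnect = on_disconnect
    client.connect(host, port, keepalive=60)
    client.loop_start()
    try:
        while True:
            time.sleep(interval)
            info = client.publish(topic, payload)
            # info.rc: 0 is MQTT_ERR_SUCCESS, 4 is MQTT_ERR_NO_CONN (not connected yet / dropped)
            print("publish rc =", info.rc)
    finally:
        client.loop_stop()
        client.disconnect()


if __name__ == "__main__":
    # Documentation address: demonstrates the unreachable path without touching a real broker.
    print(tcp_reachable("192.0.2.1", 1883, timeout=1.0))
```

If `tcp_reachable` fails with a timeout, the cause is on the network path (port-forwarding on the 3G side, a firewall, or mosquitto bound only to localhost) and no change to the MQTT code will help; if it succeeds but `on_connect` reports a non-zero rc, the broker is reachable and the problem is authentication or broker configuration.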

DHCP Server Port-Based Address Allocation on Cisco switch 2960-x

I am trying to configure DHCP Server on a Cisco 2960-x Switch to achieve port-based address allocation. I would like the ip address assigned to any device connected to that port to be the same every time.
I have used the following guide to achieve this:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swdhcp82.html#wp1320905
The commands used are explained in detail here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book.pdf
I have also tried various iterations of the following command to find something that works:
address ip-address client-id string [ascii]
What I am not sure about is the string after client-id. Does it have to match your interface name? If not, how does the DHCP server know which interface to relate the assigned IP address to?
Here's my running-config:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname otg
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$43Kk$SyzqQc5biarBjD2TD9Hw0/
enable password otgswitch
!
no aaa new-model
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c2960x-24ts-l
no ip dhcp use vrf connected
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
!
ip dhcp pool mypool
network 192.168.200.0 255.255.255.0
reserved-only
address 192.168.200.20 client-id "GigabitEthernet1/0/2" ascii
address 192.168.200.25 client-id "GigaEth1/0/1" ascii
address 192.168.200.30 client-id "GE1/0/4" ascii
address 192.168.200.35 client-id 188b.4528.d482
address 192.168.200.45 client-id "188b.4528.d482" ascii
!
I then enabled DHCP debug messages and here is what I receive:
Jan 4 02:55:49.112: DHCPD: Reload workspace interface Vlan1 tableid 0.
Jan 4 02:55:49.112: DHCPD: tableid for 192.168.200.245 on Vlan1 is 0
Jan 4 02:55:49.112: DHCPD: client's VPN is .
Jan 4 02:55:49.112: DHCPD: using subscriber-id as client-id
Jan 4 02:55:49.112: DHCPD: using received relay info.
Jan 4 02:55:49.112: DHCPD: DHCPDISCOVER received from client 0047.6931.2f30.2f on interface Vlan1.
Jan 4 02:55:49.112: DHCPD: using received relay info.
Please advise on what I might be doing wrong. Would appreciate your help.
I was facing a problem due to loss of information in the DHCP binding table. In short, the subscriber ID automatically generated would not match my reservations. Here are some examples:
port#  interface  received SID (hex)    expected SID (hex)
2      Gi1/0/2    0047-6931-2f30-2f     0047-6931-2f30-2f32
13     Gi1/0/13   0047-6931-2f30-2f31   0047-6931-2f30-2f31-33
24     Gi1/0/24   0047-6931-2f30-2f32   0047-6931-2f30-2f32-34
I was hitting an IOS bug present in some 15.0 releases. I updated my IOS to 15.2 and the problem was solved!
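The table above makes the encoding visible: the expected SID is one 0x00 byte followed by the ASCII bytes of the short interface name (`G`=0x47, `i`=0x69, `1`=0x31, `/`=0x2f, ...), and every received SID is that value with its last byte missing. The script below is an added example, not the answer's code or Cisco's, that encodes a port name the same way, compares it with a SID copied from the debug output or the table, and classifies the difference as a match, a truncation (the bug above) or an unrelated mismatch. It also writes the reservation in the hex `client-id` form the question already uses for a MAC-based entry; that this form is matched byte-for-byte against the subscriber-id is assumed here, not stated on the page.

```python
import re

# Constructed from the table in the answer: (short interface name, SID seen in the debug)
OBSERVED_SIDS = [
    ("Gi1/0/2", "0047-6931-2f30-2f"),
    ("Gi1/0/13", "0047-6931-2f30-2f31"),
    ("Gi1/0/24", "0047-6931-2f30-2f32"),
]


def subscriber_id_bytes(interface_short_name):
    """Encode an interface name the way the answer's table shows
    'ip dhcp subscriber-id interface-name' does: 0x00, then the ASCII short name."""
    return b"\x00" + interface_short_name.encode("ascii")


def dotted_hex(data):
    """Render bytes in the IOS style seen in the debug output, e.g. 0047.6931.2f30.2f32."""
    hexstr = data.hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def parse_sid(sid_text):
    """Accept the dotted form from 'debug ip dhcp server' or the dashed form from the table."""
    return bytes.fromhex(re.sub(r"[.\-:]", "", sid_text))


def diagnose(received_sid, interface_short_name):
    """Compare the SID the server saw with the one a reservation for this port must carry."""
    expected = subscriber_id_bytes(interface_short_name)
    got = parse_sid(received_sid)
    if got == expected:
        return "match"
    if expected.startswith(got):
        missing = expected[len(got):].decode("ascii")
        return (f"truncated: received SID is missing {len(expected) - len(got)} "
                f"trailing byte(s) ({missing!r})")
    return "mismatch: received SID is not the encoding of this interface name"


def reservation_line(ip, interface_short_name):
    """'address ... client-id' in hex form, so the reservation carries exactly the encoded bytes
    (assumed here to be matched byte-for-byte; see the lead-in)."""
    return f"address {ip} client-id {dotted_hex(subscriber_id_bytes(interface_short_name))}"


def classify_observations(observed):
    """Run the comparison over every (interface, received SID) pair from the table."""
    return [(iface, dotted_hex(subscriber_id_bytes(iface)), diagnose(sid, iface))
            for iface, sid in observed]


if __name__ == "__main__":
    for iface, expected, verdict in classify_observations(OBSERVED_SIDS):
        print(f"{iface:10} expected {expected:24} {verdict}")
    # The question's first reservation used the long name; its encoding differs from what
    # the debug shows the switch generating from the short name.
    print(diagnose("0047.6931.2f30.2f32", "GigabitEthernet1/0/2"))
    print(reservation_line("192.168.200.20", "Gi1/0/2"))
```

The same comparison explains the debug line in the question, `DHCPDISCOVER received from client 0047.6931.2f30.2f`: it decodes to `\x00Gi1/0/` and is the port-2 SID short by its final `2`, so no reservation typed with the complete name could ever match until the IOS upgrade fixed the encoding.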

Ganglia:No nodes were viewed in ganglia web (centOS7)

I installed the ganglia server and client on the same machine, but no nodes can be viewed in the web UI when it is finished. Neither Google nor Baidu turned up a resolution for this problem. I need help.
So this is my gmetad.conf:
[root@tools etc]# egrep -v "^#|^$" gmetad.conf
data_source "trainor" localhost 127.0.0.1
setuid_username "apache"
rrd_rootdir "/var/lib/ganglia/rrds"
case_sensitive_hostnames 0
here is my gmond.conf:
[root@tools etc]# egrep -v "^#|^$" gmond.conf
globals {
user = apache
}
cluster{
name = "trainor"
owner = "apache"
latlong = "unspecified"
url = "unspecified"
}
udp_recv_channel {
port = 8649
}
tcp_accept_channel {
port = 8649
}
Do you have a udp_send_channel set? In my experience (3.1.7), gmond doesn't report a node's own stats over the TCP channel (xml reporting) unless it receives them over UDP (raw stats collection).
You can use "gstat" to connect to gmond to see what it's outputting, or netcat to the TCP port:
nc node1.domain.com 8649
I found these pages the most useful:
https://github.com/ganglia/monitor-core/wiki/Ganglia-Quick-Start
http://timstaley.co.uk/posts/ganglia-setup-explained/
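The `nc node1.domain.com 8649` check in the answer works because gmond dumps its current XML state to any client that connects to the tcp_accept_channel and then closes. The script below is an added example, not code from the answer or from the Ganglia project: it fetches that XML the way netcat does and summarizes it per cluster and host, so that "reachable but reports no HOST elements" (the symptom of a missing udp_send_channel described above) is distinguished from "not reachable at all". The two XML samples are constructed to resemble gmond 3.1.x output and are trimmed to the elements the check uses.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample of the XML gmond returns on its tcp_accept_channel, trimmed
# to the elements this check uses (one host, two metrics).
SAMPLE_GMOND_XML = """\
<GANGLIA_XML VERSION="3.1.7" SOURCE="gmond">
<CLUSTER NAME="trainor" LOCALTIME="1500000000" OWNER="apache" LATLONG="unspecified" URL="unspecified">
<HOST NAME="tools" IP="127.0.0.1" REPORTED="1500000000" TN="5" TMAX="20" DMAX="0" LOCATION="unspecified" GMOND_STARTED="1499999000">
<METRIC NAME="load_one" VAL="0.12" TYPE="float" UNITS=" " TN="5" TMAX="70" DMAX="0" SLOPE="both"/>
<METRIC NAME="mem_free" VAL="512000" TYPE="float" UNITS="KB" TN="5" TMAX="180" DMAX="0" SLOPE="both"/>
</HOST>
</CLUSTER>
</GANGLIA_XML>
"""

# Constructed: what a gmond with no udp_send_channel feeding it has to offer.
EMPTY_GMOND_XML = """\
<GANGLIA_XML VERSION="3.1.7" SOURCE="gmond">
<CLUSTER NAME="trainor" LOCALTIME="1500000000" OWNER="apache" LATLONG="unspecified" URL="unspecified">
</CLUSTER>
</GANGLIA_XML>
"""


def fetch_gmond_xml(host, port=8649, timeout=5.0):
    """Same exchange as 'nc host 8649': connect, read until gmond closes, return the bytes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def summarize(xml_doc):
    """Return {cluster_name: {host_name: metric_count}} from gmond XML (bytes or str)."""
    root = ET.fromstring(xml_doc)
    summary = {}
    for cluster in root.iter("CLUSTER"):
        hosts = {}
        for host in cluster.findall("HOST"):
            hosts[host.get("NAME")] = len(host.findall("METRIC"))
        summary[cluster.get("NAME")] = hosts
    return summary


def diagnose(xml_doc):
    """Turn the summary into the one-line verdict a first check needs."""
    summary = summarize(xml_doc)
    if not any(summary.values()):
        return ("no HOST elements: gmond answers on the TCP channel but has nothing to report; "
                "check that gmond.conf has a udp_send_channel and that udp_recv_channel matches it")
    return "ok: " + ", ".join(f"{name}: {len(hosts)} host(s)" for name, hosts in summary.items())


def check_node(host, port=8649):
    """End-to-end check against a live gmond; network errors are reported, not raised."""
    try:
        return diagnose(fetch_gmond_xml(host, port))
    except OSError as exc:
        return f"unreachable: {host}:{port} ({exc})"


if __name__ == "__main__":
    print(diagnose(SAMPLE_GMOND_XML))
    print(diagnose(EMPTY_GMOND_XML))
    # Against the machine from the question (gmond and gmetad on the same host):
    print(check_node("127.0.0.1"))
```

Because gmetad's `data_source "trainor" localhost 127.0.0.1` polls exactly this TCP channel, an empty CLUSTER here is also why the web front end shows no nodes: gmetad has nothing to write into the RRDs.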
