Dial-on-Demand Routing (DDR)

Setting Up IPsec on a DDR Link

Document ID: 9349



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Background Information
Configure
      Network Diagram
      Configurations
Verify
      On the Calling Side
      Before the Tunnel is Created
      After the Tunnel is Created
      Uninteresting Traffic
      Interesting Crypto Map
      Call disconnect
Troubleshoot
      Troubleshooting Commands

Introduction

This document provides a sample configuration to set up IPsec on a dial-on-demand routing (DDR) link.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS® Software Release 12.2(5) on the router called tutu.

  • Cisco IOS Software Release 12.1(10) on the router called posets.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Background Information

IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. A router can initiate a DDR session triggered by IPSec. When incoming traffic matches the crypto map, an IPSec tunnel is created, where the destination IP address is the remote IPSec peer.

Therefore, if you want only the encrypted traffic to trigger the call, define only the packets between the router and the IPSec peer as interesting traffic. For this, use the dialer-list command.

The crypto process should generate calls only when traffic matches the crypto map or when the key must be renewed. To check the lifetime of the key, use the show crypto ipsec sa command.

To configure IPSec on a Cisco router, see Configuring IPSec Network Security.

To configure DDR on a Cisco router, see Deciding and Preparing to Configure DDR.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses this network setup:

[Figure: network diagram (ipsec_9349.gif)]

Configurations

This document uses these configurations:

  • Calling Side: tutu

  • Called Side: posets

Calling Side

This configuration (tutu) is based on Cisco IOS Software Release 12.2(5).

tutu

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption  
!
hostname tutu
!
boot system flash c800-k8osy6-mw.122-5
enable password <password>
!
username posets password <password>
!
isdn switch-type basic-net3
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key <password> address 192.168.10.1
!
!
crypto ipsec transform-set isdn esp-des esp-sha-hmac 
!
crypto map enc local-address Dialer1
crypto map enc 10 ipsec-isakmp 
set peer 192.168.10.1
set transform-set isdn 
match address 101
!
!
!
!
interface Ethernet0
ip address 172.17.243.117 255.255.255.0
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable
ppp authentication chap
!
interface Dialer1
ip address negotiated
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name posets
dialer idle-timeout 30
dialer string 6122
dialer hold-queue 50
dialer-group 1
no peer default ip address
ppp authentication chap
crypto map enc 

!--- Enable the crypto on the interface.

!
ip classless
ip route 172.17.0.0 255.255.0.0 172.17.243.1
ip route 192.168.10.1 255.255.255.255 Dialer1
ip route 200.0.0.0 255.255.255.0 192.168.10.1
ip route 201.0.0.0 255.0.0.0 192.168.10.1
!
access-list 101 permit ip any 201.0.0.0 0.255.255.255                             

!--- Matching traffic for the crypto map.

access-list 102 permit ip any host 192.168.10.1 

!--- Interesting traffic for dialer 1.

dialer-list 1 protocol ip list 102
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0 4
login
!
no rcapi server
!
!
end
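
The two access lists in the tutu configuration can be evaluated offline to confirm that only tunnel traffic raises the call. The following Python is an added example, not Cisco code or part of the original document: it parses access lists 101 and 102 from this page and reports, for a packet routed out Dialer1, whether it is encrypted and whether it triggers dialing. The function names, the default local endpoint address (taken from the debug output on this page) and the loosened ACL 102 variant are assumptions made for illustration.

```python
import ipaddress
import re

# ACL lines and peer address copied from the tutu configuration on this page.
TUTU_ACLS = """
access-list 101 permit ip any 201.0.0.0 0.255.255.255
access-list 102 permit ip any host 192.168.10.1
"""
# Constructed variant: a dialer ACL that treats every IP packet as interesting.
LOOSE_ACLS = """
access-list 101 permit ip any 201.0.0.0 0.255.255.255
access-list 102 permit ip any any
"""
CRYPTO_ACL, DIALER_ACL, PEER = 101, 102, "192.168.10.1"


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(first), _to_int(tokens.pop(0))


def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [entries]}."""
    acls = {}
    for line in text.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) ip (.+)", line.strip())
        if m:
            tokens = m.group(3).split()
            src = _spec(tokens)
            dst = _spec(tokens)
            acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls


def _hit(addr, spec):
    base, wildcard = spec  # wildcard bits set to 1 are "don't care"
    return (_to_int(addr) | wildcard) == (base | wildcard)


def permits(acls, number, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, s, d in acls.get(number, []):
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False


def classify(acls, src, dst, local_endpoint="192.168.10.2"):
    """Return (encrypted, triggers_call) for a packet routed out Dialer1.

    local_endpoint is the negotiated Dialer1 address seen in the page's
    debug output; it is an assumption of this example.
    """
    encrypted = permits(acls, CRYPTO_ACL, src, dst)
    if encrypted:
        # The crypto map wraps the packet: the dialer sees endpoint -> peer.
        src, dst = local_endpoint, PEER
    return encrypted, permits(acls, DIALER_ACL, src, dst)


if __name__ == "__main__":
    strict, loose = parse_acls(TUTU_ACLS), parse_acls(LOOSE_ACLS)
    for dst in ("200.0.0.1", "201.10.0.1"):
        print(dst, "strict", classify(strict, "172.17.243.117", dst),
              "loose", classify(loose, "172.17.243.117", dst))
```

With the page's ACL 102, a cleartext packet to 200.0.0.1 does not dial; with the loosened variant it does, which is the behavior the dialer-list restriction is meant to prevent.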

Called Side

This configuration is based on Cisco IOS Software Release 12.1(10).

posets

hostname posets
!
enable password <password>
!
username tutu password <password>
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key <password> address 192.168.10.2 
!
!
crypto ipsec transform-set isdn esp-des esp-sha-hmac 
!
crypto map enc local-address BRI0
crypto map enc 10 ipsec-isakmp 
set peer 192.168.10.2
set transform-set isdn 
match address 101
!
!
!
!
interface Loopback0
ip address 200.0.0.1 255.255.255.255
crypto map enc
!
interface Loopback10
ip address 201.0.0.1 255.255.255.255
!
interface Ethernet0
ip address 10.200.16.9 255.255.255.0
no cdp enable
!
interface BRI0
ip address 192.168.10.1 255.255.255.0
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer idle-timeout 30
dialer-group 1
isdn switch-type basic-net3
peer default ip address pool crypto
no cdp enable
ppp authentication chap
crypto map enc
!
ip local pool crypto 192.168.10.2 192.168.10.10
ip classless
ip route 201.10.0.0 255.255.0.0 10.200.16.17
!
access-list 101 permit ip 201.0.0.0 0.255.255.255 any                             
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
password <password>
login
!
end

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • show crypto map—lists the interfaces that use crypto map encapsulation.

  • show crypto ipsec sa—displays the settings used by current security associations (SAs) in user EXEC or privileged EXEC mode.

  • ping IP Address—checks whether a computer is operating and whether network connections are intact. In this case, you can use the ping command to check how outgoing calls are triggered. You can check this in the Uninteresting Traffic and Interesting Crypto Map sections.

On the Calling Side

Here is the output on the calling side:

   tutu#show crypto map 
   Crypto Map: "enc" idb: Dialer1 local address: 0.0.0.0
   Crypto Map "enc" 10 ipsec-isakmp
   Peer = 192.168.10.1
   Extended IP access list 101
   access-list 101 permit ip any 201.0.0.0 0.255.255.255
   Current peer: 192.168.10.1
   Security association lifetime: 4608000 kilobytes/3600 seconds
   PFS (Y/N): N
   Transform sets={ isdn, }
   Interfaces using crypto map enc:
   Dialer1

Before the Tunnel is Created

Here is the output before the tunnel is created:

   tutu#show crypto ipsec sa
   interface: Dialer1
   Crypto map tag: enc, local addr. 192.168.10.2
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (201.0.0.0/255.0.0.0/0/0)
   current_peer: 192.168.10.1
   PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0
   local crypto endpt.: 192.168.10.2, remote crypto endpt.: 192.168.10.1
   path mtu 1500, media mtu 1500
   current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
   
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:

After the Tunnel is Created

Here is the output after the tunnel is created:

   tutu#show crypto ipsec sa
   interface: Dialer1
   Crypto map tag: enc, local addr. 192.168.10.2
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (201.0.0.0/255.0.0.0/0/0)
   current_peer: 192.168.10.1
   PERMIT, flags={origin_is_acl,}
   #pkts encaps: 14, #pkts encrypt: 14, #pkts digest 14
   #pkts decaps: 14, #pkts decrypt: 14, #pkts verify 14
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
   #send errors 1, #recv errors 0
   local crypto endpt.: 192.168.10.2, remote crypto endpt.: 192.168.10.1
   path mtu 1500, media mtu 1500
   current outbound spi: 20881139
   inbound esp sas:
   spi: 0x1FBC4B44(532433732)
   transform: esp-des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 2000, flow_id: 1, crypto map: enc
   sa timing: remaining key lifetime (k/sec): (4607997/963)
   IV size: 8 bytes
   replay detection support: Y
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
   spi: 0x20881139(545788217)
   transform: esp-des esp-sha-hmac ,
   in use settings ={Tunnel, }
   slot: 0, conn id: 2001, flow_id: 2, crypto map: enc
   sa timing: remaining key lifetime (k/sec): (4607997/963)
   IV size: 8 bytes
   replay detection support: Y
    outbound ah sas:
    outbound pcp sas:
   tutu#show crypto isakmp sa
   dst src state conn-id slot
   192.168.10.1 192.168.10.2 QM_IDLE 3 0

Uninteresting Traffic

Here, the output indicates that uninteresting traffic does not trigger outgoing calls:

   tutu#ping 200.0.0.1
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
   *Mar 1 20:29:02.205: Di1 DDR: ip (s=172.17.243.117, d=200.0.0.1), 100 bytes,
   outgoing uninteresting (list 102).

Interesting Crypto Map

This output shows that an interesting crypto map triggers outgoing calls:

   tutu#ping 201.10.0.1
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 201.10.0.1, timeout is 2 seconds:
   .!!!! 
   Success rate is 80 percent (4/5), round-trip min/avg/max = 84/98/136 ms
   tutu#

   *Mar 1 20:29:24.581: IPSEC(sa_request): ,
   (key eng. msg.) OUTBOUND local= 192.168.10.2, remote= 192.168.10.1, 
   local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
   remote_proxy= 201.0.0.0/255.0.0.0/0/0 (type=4),
   protocol= ESP, transform= esp-des esp-sha-hmac , 
   lifedur= 3600s and 4608000kb, 
   spi= 0x8C4512BA(2353337018), conn_id= 0, keysize= 0, flags= 0x400C
   *Mar 1 20:29:24.585: ISAKMP: received ke message (1/1)
   *Mar 1 20:29:24.589: ISAKMP (0:3): sitting IDLE. Starting QM immediately 
    (QM_IDLE)
   *Mar 1 20:29:24.589: ISAKMP (0:3): beginning Quick Mode exchange, M-ID of
   1459728062
   *Mar 1 20:29:24.593: CryptoEngine0: generate hmac context for conn id 3
   *Mar 1 20:29:24.601: ISAKMP (0:3): sending packet to 192.168.10.1 (I) QM_IDLE
   *Mar 1 20:29:24.601: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 200 bytes,
   outgoing interesting (list 102)
   *Mar 1 20:29:24.605: BR0 DDR: rotor dialout [priority]
   *Mar 1 20:29:24.605: BR0 DDR: Dialing cause ip (s=192.168.10.2, d=192.168.10.1)
   *Mar 1 20:29:24.609: BR0 DDR: Attempting to dial 6122
   *Mar 1 20:29:24.609: DDR: Packet queued
   *Mar 1 20:29:24.621: ISDN BR0: TX -> SETUP pd = 8 callref = 0x15
   *Mar 1 20:29:24.625: Bearer Capability i = 0x8890
   *Mar 1 20:29:24.629: Channel ID i = 0x83
   *Mar 1 20:29:24.633: Called Party Number i = 0x80, '6122', Plan:Unknown,
   Type:Unknown
   *Mar 1 20:29:24.705: ISDN BR0: RX <- CALL_PROC pd = 8 callref = 0x95
   *Mar 1 20:29:24.709: Channel ID i = 0x89
   *Mar 1 20:29:24.861: ISDN BR0: RX <- CONNECT pd = 8 callref = 0x95
   *Mar 1 20:29:24.873: %LINK-3-UPDOWN: Interface BRI0:1, changed state to up
   *Mar 1 20:29:24.877: BR0:1: interface must be fifo queue, force fifo
   *Mar 1 20:29:24.881: %DIALER-6-BIND: Interface BR0:1 bound to profile Di1
   *Mar 1 20:29:24.885: BR0:1 PPP: Treating connection as a callout
   *Mar 1 20:29:24.889: BR0:1 PPP: Phase is ESTABLISHING, Active Open 
    [0 sess,0 load]
   *Mar 1 20:29:24.889: BR0:1 LCP: O CONFREQ [Closed] id 19 len 15
   *Mar 1 20:29:24.893: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
   *Mar 1 20:29:24.893: BR0:1 LCP: MagicNumber 0x14E10FCF (0x050614E10FCF)
   *Mar 1 20:29:24.897: ISDN BR0: TX -> CONNECT_ACK pd = 8 callref = 0x15
   *Mar 1 20:29:24.905: BR0:1 LCP: I CONFREQ [REQsent] id 83 len 15
   *Mar 1 20:29:24.909: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
   *Mar 1 20:29:24.909: BR0:1 LCP: MagicNumber 0xEB3D74B6 (0x0506EB3D74B6)
   *Mar 1 20:29:24.913: BR0:1 LCP: O CONFACK [REQsent] id 83 len 15
   *Mar 1 20:29:24.913: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
   *Mar 1 20:29:24.917: BR0:1 LCP: MagicNumber 0xEB3D74B6 (0x0506EB3D74B6)
   *Mar 1 20:29:24.917: BR0:1 LCP: I CONFACK [ACKsent] id 19 len 15
   *Mar 1 20:29:24.917: BR0:1 LCP: AuthProto CHAP (0x0305C22305)
   *Mar 1 20:29:24.921: BR0:1 LCP: MagicNumber 0x14E10FCF (0x050614E10FCF)
   *Mar 1 20:29:24.921: BR0:1 LCP: State is Open
   *Mar 1 20:29:24.925: BR0:1 PPP: Phase is AUTHENTICATING, by both 
    [0 sess, 0 load]
   *Mar 1 20:29:24.925: BR0:1 CHAP: O CHALLENGE id 19 len 25 from "tutu"
   *Mar 1 20:29:24.945: BR0:1 CHAP: I CHALLENGE id 20 len 27 from "posets"
   *Mar 1 20:29:24.949: BR0:1 CHAP: O RESPONSE id 20 len 25 from "tutu"
   *Mar 1 20:29:24.969: BR0:1 CHAP: I SUCCESS id 20 len 4
   *Mar 1 20:29:24.977: BR0:1 CHAP: I RESPONSE id 19 len 27 from "posets"
   *Mar 1 20:29:24.981: BR0:1 CHAP: O SUCCESS id 19 len 4
   *Mar 1 20:29:24.985: BR0:1 PPP: Phase is UP [0 sess, 0 load]
   *Mar 1 20:29:24.989: BR0:1 CDPCP: O CONFREQ [Not negotiated] id 19 len 4
   *Mar 1 20:29:24.989: BR0:1 IPCP: O CONFREQ [Not negotiated] id 37 len 10
   *Mar 1 20:29:24.993: BR0:1 IPCP: Address 0.0.0.0 (0x030600000000)
   *Mar 1 20:29:24.997: BR0:1 IPCP: I CONFREQ [REQsent] id 63 len 10
   *Mar 1 20:29:24.997: BR0:1 IPCP: Address 192.168.10.1 (0x0306C0A80A01)
   *Mar 1 20:29:25.001: BR0:1 IPCP: O CONFACK [REQsent] id 63 len 10
   *Mar 1 20:29:25.001: BR0:1 IPCP: Address 192.168.10.1 (0x0306C0A80A01)
   *Mar 1 20:29:25.005: BR0:1 LCP: I PROTREJ [Open] id 84 len 10 protocol CDPCP
   (0x820701130004)
   *Mar 1 20:29:25.005: BR0:1 CDPCP: State is Closed
   *Mar 1 20:29:25.009: BR0:1 IPCP: I CONFNAK [ACKsent] id 37 len 10
   *Mar 1 20:29:25.009: BR0:1 IPCP: Address 192.168.10.2 (0x0306C0A80A02)
   *Mar 1 20:29:25.013: BR0:1 IPCP: O CONFREQ [ACKsent] id 38 len 10
   *Mar 1 20:29:25.013: BR0:1 IPCP: Address 192.168.10.2 (0x0306C0A80A02)
   *Mar 1 20:29:25.025: BR0:1 IPCP: I CONFACK [ACKsent] id 38 len 10
   *Mar 1 20:29:25.025: BR0:1 IPCP: Address 192.168.10.2 (0x0306C0A80A02)
   *Mar 1 20:29:25.029: BR0:1 IPCP: State is Open
   *Mar 1 20:29:25.029: Di1 IPCP: Install negotiated IP interface address
   192.168.10.2
   *Mar 1 20:29:25.037: BR0:1 DDR: dialer protocol up
   *Mar 1 20:29:25.037: BR0:1 DDR: Call connected, 1 packets unqueued, 1
   transmitted, 0 discarded
   *Mar 1 20:29:25.041: Di1 IPCP: Install route to 192.168.10.1
   *Mar 1 20:29:25.397: ISAKMP (0:3): received packet from 192.168.10.1
    (I) QM_IDLE
   *Mar 1 20:29:25.405: CryptoEngine0: generate hmac context for conn id 3
   *Mar 1 20:29:25.405: ISAKMP (0:3): processing HASH payload. message ID =
   1459728062
   *Mar 1 20:29:25.409: ISAKMP (0:3): processing SA payload.
     message ID = 1459728062
   *Mar 1 20:29:25.409: ISAKMP (0:3): Checking IPSec proposal 1
   *Mar 1 20:29:25.409: ISAKMP: transform 1, ESP_DES
   *Mar 1 20:29:25.409: ISAKMP: attributes in transform:
   *Mar 1 20:29:25.413: ISAKMP: encaps is 1
   *Mar 1 20:29:25.413: ISAKMP: SA life type in seconds
   *Mar 1 20:29:25.413: ISAKMP: SA life duration (basic) of 3600
   *Mar 1 20:29:25.413: ISAKMP: SA life type in kilobytes
   *Mar 1 20:29:25.413: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 
   *Mar 1 20:29:25.417: ISAKMP: authenticator is HMAC-SHA
   *Mar 1 20:29:25.417: validate proposal 0
   *Mar 1 20:29:25.421: ISAKMP (0:3): atts are acceptable.
   *Mar 1 20:29:25.421: IPSEC(validate_proposal_request): proposal part #1,
   (key eng. msg.) INBOUND local= 192.168.10.2, remote= 192.168.10.1, 
   local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
   remote_proxy= 201.0.0.0/255.0.0.0/0/0 (type=4),
   protocol= ESP, transform= esp-des esp-sha-hmac , 
   lifedur= 0s and 0kb, 
   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
   *Mar 1 20:29:25.429: validate proposal request 0
   *Mar 1 20:29:25.429: ISAKMP (0:3): processing NONCE payload.
     message ID = 1459728062
   *Mar 1 20:29:25.433: ISAKMP (0:3): processing ID payload.
     message ID = 1459728062
   *Mar 1 20:29:25.433: ISAKMP (0:3): processing ID payload.
     message ID = 1459728062
   *Mar 1 20:29:25.437: CryptoEngine0: generate hmac context for conn id 3
   *Mar 1 20:29:25.437: ipsec allocate flow 0
   *Mar 1 20:29:25.441: ipsec allocate flow 0
   *Mar 1 20:29:25.457: ISAKMP (0:3): Creating IPSec SAs
   *Mar 1 20:29:25.457: inbound SA from 192.168.10.1 to 192.168.10.2
   (proxy 201.0.0.0 to 0.0.0.0)
   *Mar 1 20:29:25.457: has spi 0x8C4512BA and conn_id 2000 and flags 4
   *Mar 1 20:29:25.457: lifetime of 3600 seconds
   *Mar 1 20:29:25.461: lifetime of 4608000 kilobytes
   *Mar 1 20:29:25.461: outbound SA from 192.168.10.2 to 192.168.10.1
   (proxy 0.0.0.0 to 201.0.0.0 )
   *Mar 1 20:29:25.461: has spi 129501442 and conn_id 2001 and flags C
   *Mar 1 20:29:25.465: lifetime of 3600 seconds
   *Mar 1 20:29:25.465: lifetime of 4608000 kilobytes
   *Mar 1 20:29:25.469: ISAKMP (0:3): sending packet to 192.168.10.1 (I) QM_IDLE
   *Mar 1 20:29:25.469: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 80 bytes,
   outgoing interesting (list 102)
   *Mar 1 20:29:25.473: ISAKMP (0:3): deleting node 1459728062 error
    FALSE reason" "
   *Mar 1 20:29:25.477: IPSEC(key_engine): got a queue event...
   *Mar 1 20:29:25.477: IPSEC(initialize_sas): ,
   (key eng. msg.) INBOUND local= 192.168.10.2, remote= 192.168.10.1, 
   local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
   remote_proxy= 201.0.0.0/255.0.0.0/0/0 (type=4),
   protocol= ESP, transform= esp-des esp-sha-hmac , 
   lifedur= 3600s and 4608000kb, 
   spi= 0x8C4512BA(2353337018), conn_id= 2000, keysize= 0, flags= 0x4
   *Mar 1 20:29:25.481: IPSEC(initialize_sas): ,
   (key eng. msg.) OUTBOUND local= 192.168.10.2, remote= 192.168.10.1, 
   local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), 
   remote_proxy= 201.0.0.0/255.0.0.0/0/0 (type=4),
   protocol= ESP, transform= esp-des esp-sha-hmac , 
   lifedur= 3600s and 4608000kb, 
   spi= 0x7B80902(129501442), conn_id= 2001, keysize= 0, flags= 0xC
   *Mar 1 20:29:25.489: IPSEC(create_sa): sa created,
   (sa) sa_dest= 192.168.10.2, sa_prot= 50, 
   sa_spi= 0x8C4512BA(2353337018), 
   sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2000
   *Mar 1 20:29:25.489: IPSEC(create_sa): sa created,
   (sa) sa_dest= 192.168.10.1, sa_prot= 50, 
   sa_spi= 0x7B80902(129501442), 
   sa_trans= esp-des esp-sha-hmac , sa_conn_id= 2001
   *Mar 1 20:29:25.985: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,
   changed state to up
   *Mar 1 20:29:26.585: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
   outgoing interesting (list 102)
   *Mar 1 20:29:26.673: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
   outgoing interesting (list 102)
   *Mar 1 20:29:26.757: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
   outgoing interesting (list 102)
   *Mar 1 20:29:27.929: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 152 bytes,
   outgoing interesting (list 102)
   *Mar 1 20:29:30.885: %ISDN-6-CONNECT: Interface BRI0:1 is now connected to 6122
   posets
   tutu#ping 200.0.0.1 
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 200.0.0.1, timeout is 2 seconds:
   !!!!!
   Success rate is 100 percent (5/5), round-trip min/avg/max = 36/38/40 ms
   tutu#
   *Mar 1 20:29:51.101: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes,
   outgoing uninteresting (list 102)
   *Mar 1 20:29:51.141: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes,
   outgoing uninteresting (list 102)
   *Mar 1 20:29:51.177: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes,
   outgoing uninteresting (list 102)
   *Mar 1 20:29:51.217: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes,
   outgoing uninteresting (list 102)
   *Mar 1 20:29:51.257: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes,
   outgoing uninteresting (list 102)
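
To check a capture of debug dialer packet output against the rule that only traffic to the IPsec peer may raise the call, the following Python rejoins wrapped debug lines and flags any interesting packet or dialing cause whose destination is not the peer. It is an added example, not part of the original document or Cisco tooling; the sample lines are copied from the output above, the violating line is constructed, and the function names are hypothetical.

```python
import re

# Lines copied from the debug output on this page (wrapped as printed there).
SAMPLE = """\
*Mar 1 20:29:02.205: Di1 DDR: ip (s=172.17.243.117, d=200.0.0.1), 100 bytes,
outgoing uninteresting (list 102).
*Mar 1 20:29:24.601: Di1 DDR: ip (s=192.168.10.2, d=192.168.10.1), 200 bytes,
outgoing interesting (list 102)
*Mar 1 20:29:24.605: BR0 DDR: Dialing cause ip (s=192.168.10.2, d=192.168.10.1)
*Mar 1 20:29:24.609: BR0 DDR: Attempting to dial 6122
*Mar 1 20:29:51.101: Di1 DDR: ip (s=192.168.10.2, d=200.0.0.1), 100 bytes,
outgoing uninteresting (list 102)
"""
# Constructed line: what a too-permissive dialer-list would log for cleartext.
BAD_SAMPLE = SAMPLE + """\
*Mar 1 20:31:00.000: Di1 DDR: ip (s=172.17.243.117, d=200.0.0.1), 100 bytes,
outgoing interesting (list 102)
"""

STAMP = re.compile(r"^\*\w{3} +\d+ [\d:.]+: ")
PACKET = re.compile(r"DDR: ip \(s=([\d.]+), d=([\d.]+)\), (\d+) bytes, "
                    r"outgoing (interesting|uninteresting)")
CAUSE = re.compile(r"DDR: Dialing cause ip \(s=([\d.]+), d=([\d.]+)\)")


def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def audit(text, peer):
    """Classify DDR packet entries; record any call trigger not aimed at peer."""
    report = {"interesting": [], "uninteresting": [],
              "causes": [], "violations": []}
    for entry in unwrap(text):
        m = PACKET.search(entry)
        if m:
            src, dst, size, verdict = m.groups()
            report[verdict].append((src, dst, int(size)))
            if verdict == "interesting" and dst != peer:
                report["violations"].append(entry)
            continue
        m = CAUSE.search(entry)
        if m:
            report["causes"].append(m.groups())
            if m.group(2) != peer:
                report["violations"].append(entry)
    return report


if __name__ == "__main__":
    for name, text in (("page output", SAMPLE), ("constructed", BAD_SAMPLE)):
        result = audit(text, "192.168.10.1")
        print(name, "violations:", len(result["violations"]))
```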

Call disconnect

This output indicates that the call is disconnected when the idle timeout expires.

   *Mar 1 20:30:15.473: ISAKMP (0:3): purging node 1459728062
   *Mar 1 20:30:16.493: BR0:1 DDR: idle timeout
   *Mar 1 20:30:16.493: BR0:1 DDR: disconnecting call
   *Mar 1 20:30:16.497: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 6122
   posets, call lasted 51 seconds
   *Mar 1 20:30:16.509: ISDN BR0: TX -> DISCONNECT pd = 8 callref = 0x15
   *Mar 1 20:30:16.513: Cause i = 0x8090 - Normal call clearing
   *Mar 1 20:30:16.549: ISDN BR0: RX <- RELEASE pd = 8 callref = 0x95
   *Mar 1 20:30:16.569: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
   *Mar 1 20:30:16.573: ISDN BR0: TX -> RELEASE_COMP pd = 8 callref = 0x15
   *Mar 1 20:30:16.625: BR0 DDR: has total 0 call(s), dial_out 0, dial_in 0
   *Mar 1 20:30:16.625: BR0:1 IPCP: State is Closed
   *Mar 1 20:30:16.629: BR0:1 PPP: Phase is TERMINATING [0 sess, 0 load]
   *Mar 1 20:30:16.629: BR0:1 LCP: State is Closed
   *Mar 1 20:30:16.629: BR0:1 PPP: Phase is DOWN [0 sess, 0 load]
   *Mar 1 20:30:16.629: BR0:1 DDR: disconnecting call
   *Mar 1 20:30:16.633: %DIALER-6-UNBIND: Interface BR0:1 unbound from profile Di1
   *Mar 1 20:30:16.641: Di1 IPCP: Remove route to 192.168.10.1
   *Mar 1 20:30:17.569: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1,
   changed state to down
   *Mar 1 20:30:19.585: IPSEC(encapsulate): encaps area too small, moving to new
   buffer:
   idbtype 0, encaps_size 84, header size 36, avail 84
   *Mar 1 20:30:19.665: Di1 DDR: cdp, 286 bytes, outgoing uninteresting (no list
   matched)

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before issuing debug commands, refer to Important Information on Debug Commands.

  • debug dialer packet—displays DDR debugging information about the packets received on a dialer interface.

  • debug isdn q931—shows call setup and tear down of the ISDN network connection (Layer 3).

  • debug ppp negotiation—displays information on PPP traffic and exchanges while PPP components are negotiated, including Link Control Protocol (LCP), Authentication, and Network Control Protocol (NCP). A successful PPP negotiation first opens the LCP state, then authenticates, and finally negotiates NCP.

  • debug crypto engine—displays debug messages about crypto engines, which perform encryption and decryption.

  • debug crypto ipsec—displays IPSec events.

  • debug crypto isakmp—displays messages about Internet Key Exchange (IKE) events.

Updated: Oct 13, 2008