Configurando a redundância de IPSec sobre ISDN usando relógio de discador
Contents
Introduction
Este documento fornece uma configuração de exemplo de como criptografar o tráfego da rede atrás do Roteador 1 para a rede atrás do Roteador 2 (os 0s de loopback são usados como redes neste exemplo). Se o enlace primário (Ethernet) entre o Roteador 1 e o Roteador 2 cair, o tráfego de Segurança IP (IPSec) continuará a fluir através do enlace secundário (ISDN). Existem várias formas de alcançar este objetivo; você pode usar dialer watch, interface de backup, circuito de demanda e estática flutuante. Esse exemplo de configuração demonstra o mecanismo do relógio do discador. Para obter informações sobre outros recursos, consulte Avaliando interfaces de backup, rotas estáticas flutuantes e relógio de discador para backup de DDR.
Prerequisites
Requirements
Não existem requisitos específicos para este documento.
Componentes Utilizados
As informações neste documento são baseadas nestas versões de software e hardware:
-
Cisco 2621 e 3640 Routers
-
Software Cisco IOS® versão 12.3(3)
As informações neste documento foram criadas a partir de dispositivos em um ambiente de laboratório específico. All of the devices used in this document started with a cleared (default) configuration. Se sua rede estiver ativa, certifique-se de que você entendeu o impacto potencial de qualquer comando antes de usá-lo.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Configurar
Nesta seção, você encontrará informações para configurar os recursos descritos neste documento.
Observação: para encontrar informações adicionais sobre os comandos usados neste documento, use a ferramenta Command Lookup Tool (somente clientes registrados).
Diagrama de Rede
Este documento usa a configuração de rede mostrada no diagrama aqui:
Configurações
Este documento utiliza as configurações mostradas aqui:
| Roteador 1 (2621) |
|---|
r1#show running-config Building configuration... Current configuration : 2244 bytes ! version 12.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r1 ! boot-start-marker boot-end-marker ! ! username r2 password 0 cisco !--- This is the username for remote router (Router 2) !--- and shared secret. Shared secret (used for Challenge Handshake !--- Authentication Protocol [CHAP]) must be the same on both sides. no aaa new-model ip subnet-zero ip tcp synwait-time 5 ! ! no ip domain lookup ! ip audit notify log ip audit po max-events 100 ip ssh break-string no ftp-server write-enable ! ! ! crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 222.222.222.222 ! ! crypto ipsec transform-set abc esp-des esp-md5-hmac ! crypto map cisco local-address Loopback1 crypto map cisco 10 ipsec-isakmp set peer 222.222.222.222 !--- Peer address, Loopback 1 of Router 2 set transform-set abc match address 101 !--- Networks to encrypt (Loopback 0 on both ends) ! isdn switch-type basic-ts013 ! ! ! ! ! ! ! ! ! no voice hpi capture buffer no voice hpi capture destination ! ! ! ! ! ! interface Loopback0 !--- Network to encrypt ip address 11.11.11.11 255.255.255.0 ! interface Loopback1 !--- Used for peer address for IPSec ip address 111.111.111.111 255.255.255.0 ! interface FastEthernet0/0 !--- Primary link ip address 10.1.1.1 255.255.255.0 no ip route-cache !--- Enable process switching no ip mroute-cache duplex auto speed auto crypto map cisco !--- Apply crypto map on primary interface ! interface BRI0/0 no ip address encapsulation ppp no ip route-cache no ip mroute-cache dialer pool-member 1 isdn switch-type basic-ts013 no cdp enable ! interface Dialer1 !--- Backup link ip address 20.1.1.1 255.255.255.0 encapsulation ppp no ip route-cache !--- Enable process switching ip ospf cost 9999 !--- Increase the cost so that when primary comes up again, !--- Open Shortest Path First (OSPF) routes are !--- preferred using the primary link (due to better cost). no ip mroute-cache dialer idle-timeout 180 dialer pool 1 dialer string 94134028 dialer watch-group 1 !--- Enable dialer watch on this backup interface. !--- Watch the route specified with the dialer watch-list 1 command. dialer-group 1 !--- Apply interesting traffic defined in dialer list 1. no peer neighbor-route ppp authentication chap crypto map cisco !--- Apply crypto map on backup interface. ! router ospf 1 !--- OSPF advertising Loopback 0, Loopback 1, !--- primary, and secondary links. log-adjacency-changes network 10.1.1.0 0.0.0.255 area 0 network 11.11.11.0 0.0.0.255 area 0 network 20.1.1.0 0.0.0.255 area 0 network 111.111.111.0 0.0.0.255 area 0 ! ip http server no ip http secure-server ip classless ! ! access-list 101 permit ip host 11.11.11.11 host 22.22.22.22 !--- Access control list (ACL) 101 is the !--- IPSec traffic used in match address. access-list 110 deny ip any any !--- ACL 110 is for the dialer list to mark !--- all IP traffic uninteresting. The dialer watch will !--- trigger the ISDN backup when the route is lost. dialer watch-list 1 ip 222.222.222.222 255.255.255.255 !--- This defines the route(s) to be watched. !--- This exact route (including subnet mask) !--- must exist in the routing table. !--- Use the dialer watch-group 1 command to apply this !--- list to the backup interface. dialer watch-list 1 delay route-check initial 10 dialer-list 1 protocol ip list 110 !--- Interesting traffic is defined by ACL 110. !--- This is applied to Dialer1 using dialer group 1. ! ! ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous escape-character 27 line aux 0 line vty 0 4 login ! end |
| Roteador 2 (3640) |
|---|
r2#show running-config Building configuration... Current configuration : 2311 bytes ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname r2 ! boot-start-marker boot-end-marker ! username r1 password 0 cisco !--- This is the username for remote router (Router 1) !--- and shared secret. Shared secret (used for CHAP) !--- must be the same on both sides. no aaa new-model ip subnet-zero ip tcp synwait-time 5 ! ! no ip domain lookup ! ip audit notify log ip audit po max-events 100 ip ssh break-string no ftp-server write-enable ! ! ! crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 111.111.111.111 ! ! crypto ipsec transform-set abc esp-des esp-md5-hmac ! ! crypto map cisco local-address Loopback1 crypto map cisco 10 ipsec-isakmp set peer 111.111.111.111 !--- Peer address, Loopback 1 of Router 1 set transform-set abc match address 101 !--- Networks to encrypt (Loopback 0 on both ends) ! isdn switch-type basic-ts013 ! ! ! ! ! ! ! ! ! no voice hpi capture buffer no voice hpi capture destination ! ! ! ! ! ! interface Loopback0 ip address 22.22.22.22 255.255.255.0 !--- Network to encrypt ! interface Loopback1 ip address 222.222.222.222 255.255.255.0 !--- Used for peer address for IPSec. ! interface BRI0/0 no ip address encapsulation ppp no ip route-cache no ip mroute-cache dialer pool-member 1 isdn switch-type basic-ts013 ! interface Ethernet0/0 !--- Primary link ip address 10.1.1.2 255.255.255.0 no ip route-cache !--- Enable process switching. no ip mroute-cache half-duplex crypto map cisco !--- Apply crypto map on primary interface. ! interface Dialer1 ip address 20.1.1.2 255.255.255.0 encapsulation ppp no ip route-cache ip ospf cost 9999 no ip mroute-cache dialer pool 1 dialer idle-timeout 600 dialer remote-name r1 !--- Dialer for the BRI interface of the remote router !--- without a dial string. dialer-group 1 !--- Apply interesting traffic defined in dialer list 1. ppp authentication chap crypto map cisco !--- Apply crypto map on backup interface. ! router ospf 1 log-adjacency-changes network 10.1.1.0 0.0.0.255 area 0 network 20.1.1.0 0.0.0.255 area 0 network 22.22.22.0 0.0.0.255 area 0 network 222.222.222.0 0.0.0.255 area 0 ! no ip http server no ip http secure-server ip classless ! ! access-list 101 permit ip host 22.22.22.22 host 11.11.11.11 access-list 110 deny ospf any any !--- Mark OSPF as uninteresting. !--- This will not allow OSPF hellos !--- to try to bring the link up. access-list 110 permit ip any any dialer-list 1 protocol ip list 110 !--- Interesting traffic is defined by ACL 110. !--- This is applied to Dialer1 using dialer group 1. ! line con 0 exec-timeout 0 0 logging synchronous escape-character 27 line aux 0 line vty 0 4 login ! end |
Verificar
Esta seção fornece informações que você pode usar para confirmar se sua configuração funciona corretamente.
Exemplo de saída do comando
A Output Interpreter Tool (somente clientes registrados) oferece suporte a determinados comandos show, o que permite exibir uma análise da saída do comando show.
-
Tabela de roteamento do roteador 1 (2621)—link primário ativo
r1#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set 222.222.222.0/32 is subnetted, 1 subnets O 222.222.222.222 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, Dialer1 22.0.0.0/32 is subnetted, 1 subnets O 22.22.22.22 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0 111.0.0.0/24 is subnetted, 1 subnets C 111.111.111.0 is directly connected, Loopback1 10.0.0.0/24 is subnetted, 1 subnets C 10.1.1.0 is directly connected, FastEthernet0/0 11.0.0.0/24 is subnetted, 1 subnets C 11.11.11.0 is directly connected, Loopback0 -
Tabela de roteamento do roteador 2 (3640)—link primário ativo
r2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set. C 222.222.222.0/24 is directly connected, Loopback1 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, Dialer1 22.0.0.0/24 is subnetted, 1 subnets C 22.22.22.0 is directly connected, Loopback0 111.0.0.0/32 is subnetted, 1 subnets O 111.111.111.111 [110/11] via 10.1.1.1, 00:06:22, Ethernet0/0 10.0.0.0/24 is subnetted, 1 subnets C 10.1.1.0 is directly connected, Ethernet0/0 11.0.0.0/32 is subnetted, 1 subnets O 11.11.11.11 [110/11] via 10.1.1.1, 00:06:23, Ethernet0/0 -
Vizinho OSPF do Roteador 1 (2621)—link primário ativo
r1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 222.222.222.222 1 FULL/DR 00:00:33 10.1.1.2 FastEthernet0/0
-
Vizinho OSPF do Roteador 2 (3640)—link primário ativo
r2#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 111.111.111.111 1 FULL/BDR 00:00:31 10.1.1.1 Ethernet0/0
-
Tabela de roteamento do roteador 1 (2621)—link primário inativo
r1#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set. 222.222.222.0/32 is subnetted, 1 subnets O 222.222.222.222 [110/10000] via 20.1.1.2, 00:00:09, Dialer1 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, BRI0/0 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, Dialer1 22.0.0.0/32 is subnetted, 1 subnets O 22.22.22.22 [110/10000] via 20.1.1.2, 00:00:09, Dialer1 111.0.0.0/24 is subnetted, 1 subnets C 111.111.111.0 is directly connected, Loopback1 10.0.0.0/24 is subnetted, 1 subnets O 10.1.1.0 [110/10009] via 20.1.1.2, 00:00:09, Dialer1 11.0.0.0/24 is subnetted, 1 subnets C 11.11.11.0 is directly connected, Loopback0 -
Tabela de roteamento do roteador 2 (3640)—link primário inativo
r2#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set. C 222.222.222.0/24 is directly connected, Loopback1 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, Dialer1 C 20.1.1.1/32 is directly connected, Dialer1 22.0.0.0/24 is subnetted, 1 subnets C 22.22.22.0 is directly connected, Loopback0 111.0.0.0/32 is subnetted, 1 subnets O 111.111.111.111 [110/10000] via 20.1.1.1, 00:00:07, Dialer1 10.0.0.0/24 is subnetted, 1 subnets C 10.1.1.0 is directly connected, Ethernet0/0 11.0.0.0/32 is subnetted, 1 subnets O 11.11.11.11 [110/10000] via 20.1.1.1, 00:00:08, Dialer1 -
Vizinho OSPF do Roteador 1 (2621)—enlace primário inativo
r1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 222.222.222.222 0 FULL/ - 00:00:32 20.1.1.2 Dialer1
-
Vizinho OSPF do Roteador 2 (3640)—link primário inativo
r2#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 111.111.111.111 0 FULL/ - 00:00:31 20.1.1.1 Dialer1
O debug dialer e várias saídas do comando show exibidas aqui mostram o link primário como falha, e o dialer watch reconhece a rota perdida. Em seguida, o roteador inicia o link de backup e o OSPF converge através do link secundário. Sempre que o timeout de ociosidade expira, o roteador verifica se o enlace principal está inativo. Se o enlace principal estiver ativo, o dialer watch desconectará o enlace de backup após o temporizador de desativação expirar e desligará a chamada, e o OSPF converge por meio do enlace principal como de costume.
Essas são as saídas dos comandos debug e show do Roteador 1 (2621), quando o enlace principal fica inativo e é ativado novamente.
r1#show debug
Dial on demand:
Dial on demand events debugging is on
r1#
03:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to down
!--- Primary link was brought down manually when you disable the switch ports.
03:00:21: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
from FULL to DOWN, Neighbor Down: Interface down or detached
!--- Primary link goes down. !--- OSPF loses neighbor adjacency.
r1#
!--- Dialer watch kicks in.
03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR: network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR: primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
03:00:21: DDR: Dialer Watch: watch-group = 1,
03:00:21: BR0/0 DDR: rotor dialout [best]
least recent failure is also most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best] also has most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best]
03:00:21: DDR: dialing secondary by dialer string 94134028 on Di1
03:00:21: BR0/0 DDR: Attempting to dial 94134028
03:00:21: DDR: Dialer Watch: watch-group = 1
r1#
03:00:21: DDR: network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR: primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1,
03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR: network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR: primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1,
03:00:21: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 82 changed to up
03:00:94489280514: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
03:00:94489280516: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:00:94489280512: BR0/0:1: interface must be fifo queue, force fifo
03:00:94489280512: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
r1#
03:00:22: BR0/0:1 DDR: Remote name for r2
03:00:22: BR0/0:1 DDR: dialer protocol up
03:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,
changed state to up
r1#
03:00:28: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 94134028 r2
!--- Backup link is now connected to Router 2.
r1#
03:00:31: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1
from LOADING to FULL, Loading Done
!--- OSPF converges over the backup link.
r1#
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
!--- Dial reason is the lost route.
Interface bound to profile Di1
Time until disconnect 154 secs
!--- Idle timeout is ticking.
Current call connected 00:00:25
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:00:27 successful Default
r1#show isdn active
-----------------------------------------------------------------------------
ISDN ACTIVE CALLS
-----------------------------------------------------------------------------
Call Calling Called Remote Seconds Seconds Seconds Charges
Type Number Number Name Used Left Idle Units/Currency
-----------------------------------------------------------------------------
Out ---N/A--- 94134028 r2 37 142 37 0
-----------------------------------------------------------------------------
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 47 secs
!--- Idle timeout is ticking.
Current call connected 00:02:12
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:02:14 successful Default
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 0 secs
!--- Idle timeout is ticking.
Current call connected 00:02:59
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:03:05 successful Default
r1#
03:03:22: BR0/0:1 DDR: idle timeout
!--- Idle timed out. !--- Dialer watch checks lost routes !--- again and reset the idle time since primary is not up yet.
03:03:22: DDR: Dialer Watch: watch-group = 1
03:03:22: DDR: network 222.222.222.222/255.255.255.255 UP,
03:03:22: DDR: primary DOWN
!--- Primary link is still down.
r1#
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 154 secs
!--- Idle timeout was reset by dialer watch.
Current call connected 00:03:25
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:03:28 successful Default
r1#
03:04:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
!--- Primary link was brought up manually when the switch ports are enabled.
r1#
r1#
03:05:50: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
from LOADING to FULL, Loading Done
r1#
r1#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
222.222.222.222 0 FULL/ - 00:00:02 20.1.1.2 Dialer1
!--- OSPF over secondary link is still up because !--- the call is not terminated yet, waiting for idle timeout.
222.222.222.222 1 FULL/DR 00:00:38 10.1.1.2 FastEthernet0/0
!--- OSPF is now starts to converge over primary link.
r1#
r1#show ip route 222.222.222.222
!--- The watched route is now learned through the primary link. !--- Check the cost.
Routing entry for 222.222.222.222/32
Known via "ospf 1", distance 110, metric 2, type intra area
Last update from 10.1.1.2 on FastEthernet0/0, 00:00:16 ago
Routing Descriptor Blocks:
* 10.1.1.2, from 222.222.222.222, 00:00:16 ago, via FastEthernet0/0
Route metric is 2, traffic share count is
r1#
03:06:22: BR0/0:1 DDR: idle timeout
!--- Idle timed out. !--- Dialer watch checks lost routes. Since primary is up, !--- it tears down the call.
03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR: network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR: primary UP
03:06:22: BR0/0:1 DDR: disconnecting call
03:06:22: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR: network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR: primary UP
03:06:22: %ISDN-6-DISCONNECT: Interface BRI0/0:1
disconnected from 94134028 r2,
call lasted 360 seconds
03:06:96677768412: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
03:06:94489281195: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
r1#
03:06:94489280544: %DIALER-6-UNBIND: Interface BR0/0:1
unbound from profile Di1
03:06:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,
changed state to down
r1#
03:06:37: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0,
TEI 82 changed to down
r1#
03:07:01: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1
from FULL to DOWN, Neighbor Down: Dead timer expired
!--- OSPF neighbor is down because the secondary link is down. !--- Dead timer has expired.
r1#
r1#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
222.222.222.222 1 FULL/DR 00:00:38 10.1.1.2 FastEthernet0/0
!--- OSPF neighbor is through the primary link only.
r1#u all
All possible debugging has been turned off
r1#
Troubleshoot
Esta seção fornece informações que podem ser usadas para o troubleshooting da sua configuração. Para obter informações sobre como solucionar problemas gerais com as Camadas 1, 2 e 3 do ISDN, consulte Using the show isdn status Command for BRI Troubleshooting.
Comandos para Troubleshooting
A Output Interpreter Tool (somente clientes registrados) oferece suporte a determinados comandos show, o que permite exibir uma análise da saída do comando show.
Observação: antes de emitir comandos debug, consulte Informações Importantes sobre Comandos Debug.
Esses comandos debug podem ser executados em ambos os pares IPSec.
-
debug crypto isakmp — Exibe erros durante a Fase 1.
-
debug crypto ipsec — Exibe erros durante a Fase 2.
-
debug crypto engine — Exibe informações a partir do cripto mecanismo.
Esses comandos show podem ser executados em ambos os pares de IPSec.
-
show crypto isakmp sa — Exibe todas as associações de segurança (SAs) atuais do Internet Key Exchange (IKE) em um peer.
-
show crypto ipsec sa — Exibe as configurações usadas pelas SAs [IPSec] atuais.
-
show crypto engine connections ative —Exibe as conexões atuais e as informações sobre pacotes criptografados e descriptografados.
Esses comandos clear podem ser usados para limpar SAs.
-
clear crypto isakmp — Limpa as associações de segurança da Fase um.
-
clear crypto sa — Limpa as associações de segurança da Fase dois.
Informações Relacionadas
- Página de suporte do IPSec
- Configurando e Troubleshooting de Backup DDR
- Avaliação das interfaces de backup, rotas estáticas flutuantes e Dialer Watch para fazer o backup de chamadas DDR
- Configuração do backup de discagem usando o Dialer Watch
- Usando o Comando show isdn status para Troubleshooting de BRI
- Suporte Técnico - Cisco Systems
Histórico de revisões
| Revisão | Data de publicação | Comentários |
|---|---|---|
1.0 |
14-Jan-2008 |
Versão inicial |
FeedbackContate a Cisco
- Abrir um caso de suporte
- (É necessário um Contrato de Serviço da Cisco)