Cisco Crypto map unassigned after reload

Status
Not open for further replies.

JeramelP

Technical User
May 7, 2012
3
DO
Hi All,

I have a Cisco 1841 running Advanced Security 12.4.25 IOS.

After assigning a crypto map to dialer1 and dialer2 and saving the config, when I reload or reboot the router the crypto map is then not attached to the dialer interfaces. I'm not sure if it's an IOS problem or not. Has anyone got any clues about this?

Thanks

Here is my config:

Lope_De_Vega#sh run
Building configuration...

Current configuration : 10334 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Lope_De_Vega
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-25.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$1M/I$6ilhgIVHSIZt4b3xGibzx/
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip flow-cache timeout active 1
ip domain name
ip name-server 10.0.0.2
ip name-server 196.3.81.5
ip name-server 200.88.127.22
login block-for 600 attempts 3 within 60
login delay 3
login quiet-mode access-class IT-MANAGEMENT
login on-failure trap
login on-success trap
!
!
crypto pki trustpoint TP-self-signed-788593534
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-788593534
revocation-check none
rsakeypair TP-self-signed-788593534
!
!
crypto pki certificate chain TP-self-signed-788593534
certificate self-signed 01

(omitted)

!
!
ip ssh logging events
ip ssh version 2
!
class-map match-any qosatm
match dscp ef
match ip rtp 16383 16383
match precedence 5
class-map match-any VoIP_QOS
match ip rtp 16383 16383
match precedence 5
match dscp ef
!
!
policy-map QOSPOLICY
class VoIP_QOS
priority 90
class class-default
fair-queue
policy-map PARENT
class class-default
shape peak percent 100
service-policy QOSPOLICY
policy-map qospolicy
class qosatm
priority 90
class class-default
fair-queue
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp key (key) address (address) no-xauth
!
crypto isakmp client configuration group (group)
key (group-key)
dns 10.0.0.2 196.3.81.5
domain
pool REMOTE-POOL
acl SPLIT-TUNNELING
max-users 10
netmask 255.255.255.192
!
!
crypto ipsec transform-set AES-128 esp-aes esp-sha-hmac
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC-AES-128
set transform-set AES-128
!
crypto ipsec profile IPSEC-AES-256
set transform-set AES-256
!
crypto ipsec profile IPSEC-PROFILE
set transform-set AES-256
!
!
crypto dynamic-map DYNMAP 1
set transform-set AES-128
reverse-route
!
!
crypto map REMOTE-MAP client authentication list userauthen
crypto map REMOTE-MAP isakmp authorization list groupauthor
crypto map REMOTE-MAP client configuration address respond
crypto map REMOTE-MAP 1 ipsec-isakmp dynamic DYNMAP
!
!
!
interface Tunnel0
bandwidth 800
ip address 192.168.255.253 255.255.255.252
ip nbar protocol-discovery
ip hold-time eigrp 1 16
ip route-cache flow
tunnel source Dialer2
tunnel destination 190.167.98.149
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC-AES-128
service-policy output PARENT
!
interface FastEthernet0/0
ip address 10.0.0.240 255.255.255.0
ip access-group PROXY-LIST in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map TWO-GATEWAYS
load-interval 60
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly
ip policy route-map TWO-GATEWAYS
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/33
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/33
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer1
bandwidth 2700
ip address negotiated
ip access-group FIREWALL in
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly max-reassemblies 64
encapsulation ppp
ip route-cache flow
load-interval 60
dialer pool 1
dialer-group 1
fair-queue 64 16 256
crypto map REMOTE-MAP
hold-queue 224 in
!
interface Dialer2
bandwidth 800
ip address negotiated
ip access-group FIREWALL in
ip nbar protocol-discovery
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
load-interval 60
dialer pool 2
fair-queue 64 16 256
no cdp enable
ppp authentication pap callin
ppp pap sent-username (username) password (password)
crypto map REMOTE-MAP
hold-queue 224 in
!
router eigrp 1
passive-interface default
no passive-interface Tunnel0
network 10.0.0.0 0.0.0.255
network 192.168.2.0 0.0.0.63
network 192.168.255.252 0.0.0.3
no auto-summary
!
ip local pool REMOTE-POOL 192.168.2.1 192.168.2.63
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.0.1.0 255.255.255.0 10.0.0.252 220
ip route 10.255.255.254 255.255.255.255 10.0.0.252 220
ip route 190.167.98.149 255.255.255.255 Dialer2
ip route 192.168.2.0 255.255.255.192 Null0
ip route 192.168.2.64 255.255.255.192 10.0.0.252 220
ip flow-export source FastEthernet0/0
ip flow-export version 9
ip flow-export destination 10.0.0.16 9996
!
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
ip nat inside source static tcp 10.0.0.6 20 interface Dialer1 20
ip nat inside source static tcp 10.0.0.6 21 interface Dialer1 21
!
ip access-list standard IT-MANAGEMENT
permit 10.0.0.2
permit 10.0.0.3
permit 10.0.0.96
deny any
ip access-list standard IT-VTY
permit 10.0.0.0 0.0.1.255
permit 192.168.2.0 0.0.0.255
permit 192.168.255.252 0.0.0.3
deny any
ip access-list standard SNMP
permit 10.0.0.16
permit 10.0.0.96
deny any
!
ip access-list extended NAT
deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip any any
ip access-list extended PROXY-LIST
permit ip 10.0.0.0 0.0.0.15 any
permit ip host 10.0.0.254 any
permit ip host 10.0.0.83 any
permit ip host 10.0.0.85 any
permit ip host 10.0.0.190 any
permit ip host 10.0.0.74 any
permit ip host 10.0.0.110 any
permit ip host 10.0.0.111 any
permit ip host 10.0.0.64 any
permit ip host 10.0.0.91 any
permit ip host 10.0.0.100 any
permit ip host 10.0.0.55 any
permit ip host 10.0.0.103 any
permit ip host 10.0.0.58 any
permit ip host 10.0.0.41 any
permit ip host 10.0.0.104 any
permit ip host 10.0.0.250 any
permit ip host 10.0.0.102 any
permit ip host 10.0.0.60 any
permit ip host 10.0.0.232 any
permit ip host 10.0.0.152 any
permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 192.168.255.252 0.0.0.3
deny ip any any
ip access-list extended SPLIT-TUNNELING
permit ip 10.0.0.0 0.0.1.255 192.168.2.0 0.0.0.63
ip access-list extended TWO-GATEWAYS
remark ACL for Route-Map to use Dialer1 for internet connectivity
deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 host 10.255.255.254
deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 192.168.255.252 0.0.0.3
permit ip any any
ip access-list extended prueba
!
logging 10.0.0.96
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.255.252 0.0.0.3
access-list 10 deny any
dialer-list 1 protocol ip permit
snmp-server community (community) RO SNMP
no cdp run
route-map TWO-GATEWAYS permit 10
match ip address TWO-GATEWAYS
set interface Dialer1
!
route-map TWO-GATEWAYS permit 20
!
!
!
control-plane
!
alias exec memory show processes memory | include Processor
alias exec cpu show processes cpu | include CPU
alias exec r show run
alias exec s show ip route
alias exec i show ip int brief
alias exec sessions show crypto session
alias exec traffic sh ip nbar protocol-discovery stats bit-rate top-n 10
!
line con 0
exec-timeout 0 0
password (password)
logging synchronous
line aux 0
line vty 0 4
session-timeout 15
access-class IT-VTY in
password (password)
logging synchronous
login local
!
scheduler allocate 20000 1000
ntp server 10.0.0.15
ntp server 10.0.0.15 source FastEthernet0/0
end
 
If it's after a reload...

The only thing I can think of off-hand is that the #copy run start or
#wr mem isn't completing.

After entering either command, make sure it says '[OK]' like below:


Router#wr mem
Building configuration...
[OK]
Router#
 
I always make sure to save the config each time I apply the crypto map to the Dialer interfaces. In fact, it shows the command "crypto map REMOTE-MAP" on each interface in the startup-config; however, each time the router reboots the command auto-magically disappears :S
 
Yup! It was an IOS bug. I just replaced the IOS with version 12.4(21) and problem solved. Thanks guys! I'll make sure to read before deploying from now on.
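
A check for the symptom described in this thread, as an added example that is not part of the original posts: it compares the saved configuration with the running configuration captured after a reload and reports interface commands, such as the `crypto map` binding, that were saved but are no longer applied. The function names and the two trimmed config excerpts are constructed for illustration, and the parser assumes `show startup-config` / `show running-config` text in which interface blocks end at `!`.

```python
import re

# Constructed excerpt modelled on the Dialer interfaces in the posted config.
STARTUP = """\
interface Dialer1
 ip address negotiated
 dialer pool 1
 crypto map REMOTE-MAP
!
interface Dialer2
 ip address negotiated
 dialer pool 2
 crypto map REMOTE-MAP
!
"""
# Constructed post-reload state: same config with the crypto map binding gone.
RUNNING = STARTUP.replace(" crypto map REMOTE-MAP\n", "")

def interface_blocks(config_text):
    """Return {interface name: [commands]}; a block ends at '!' or 'end'."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate configs whose indentation was lost
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif line in ("!", "end"):
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks

def dropped_after_reload(startup_text, running_text):
    """Commands saved under an interface but absent from it after reload."""
    saved, live = interface_blocks(startup_text), interface_blocks(running_text)
    dropped = {}
    for name, commands in saved.items():
        missing = [c for c in commands if c not in live.get(name, [])]
        if missing:
            dropped[name] = missing
    return dropped

def crypto_map_unbound(startup_text, running_text):
    """Interfaces whose saved 'crypto map' binding did not survive the reload."""
    dropped = dropped_after_reload(startup_text, running_text)
    return sorted(n for n, cmds in dropped.items()
                  if any(c.startswith("crypto map ") for c in cmds))
```

Run after every reload or IOS upgrade, a non-empty result from `crypto_map_unbound` means the VPN termination on those interfaces is no longer configured even though the saved config says it is.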
 