Cisco 871 - Lost Site-Site VPN Config

I have an ASA5505 in our main office that is talking to some 871 Routers in remote offices. I have a working config for a site-to-site VPN. Last night I got a call that it appeared that it was down. I checked it out and couldn't seem to get it to come back up from remote.

I came into the main office and rebooted the ASA, as I couldn't ping the external IP of the router in the remote office through our network but from my home machine it was responding fine. That didn't help.

So I made the 45 Min. drive to the remote office to check it out locally. I got my laptop hooked up and the config for the VPN was not showing up in ADM. It was "gone". I re-created it and it came back up.

Any ideas what could cause this? I have saved the config naturally, so it should stay through any power outage or reboot. Though one was not reported yesterday. I am baffled by this....



I assume you weren't able to remotely log into the router? That suggests the router had lost other parts of its config too.


It is unheard of for the router to spontaneously lose its config or part of it.

Most likely it was not saved by the last user or perhaps someone changed it again.

You can check the uptime and Last Reload Reason from sh ver. It may be too late now but you can also look at the most recent startup and running config change times with sh run.

! Last configuration change at 17:58:15 BST Fri Mar 13 2009 by xxx
! NVRAM config last updated at 17:58:16 BST Fri Mar 13 2009

NVRAM is the startup by the way.

If the router crashed then look at sh stacks and look for crashinfo files in the flash.

You can also enable syslog logging for a centralised, permanent record of logged events.

This adds all commands executed from the CLI to the logs. No idea if you can log from the GUI.

event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1

Sorry, I have no clue what it means - it does work, though.

sh log

Mar 13 20:53:21.918 BST: %HA_EM-6-LOG: CLIaccounting: show ip nat translations
Mar 13 21:00:41.696 BST: %HA_EM-6-LOG: CLIaccounting: show running-config
Mar 13 21:02:58.066 BST: %HA_EM-6-LOG: CLIaccounting: show logging
Mar 13 21:05:02.455 BST: %HA_EM-6-LOG: CLIaccounting: show version

There is another method of doing CLI logging that was documented in this list a few months back. You can also use TACACS for command logging.

Finally, as already alluded to, I think that it is a good idea to consider arranging remote management outside of the VPN. Use access-lists to protect the outside from undesired attention.

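The two checks suggested in the reply above, as an added example that is not part of the original thread: compare the `sh run` header timestamps to see whether the running config was changed after the last NVRAM save, and pull non-read-only commands out of the `CLIaccounting` syslog lines. The sample text is constructed, the crypto map name `VPNMAP` is hypothetical, and the list of read-only command prefixes is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: header format quoted in the post, but with a
# running-config change later than the NVRAM save (times are made up).
SAMPLE_HEADER = """\
! Last configuration change at 21:10:02 BST Fri Mar 13 2009 by xxx
! NVRAM config last updated at 17:58:16 BST Fri Mar 13 2009
"""

# Constructed sample in the %HA_EM-6-LOG format shown in the post.
SAMPLE_LOG = """\
Mar 13 20:53:21.918 BST: %HA_EM-6-LOG: CLIaccounting: show ip nat translations
Mar 13 21:09:40.101 BST: %HA_EM-6-LOG: CLIaccounting: configure terminal
Mar 13 21:10:01.877 BST: %HA_EM-6-LOG: CLIaccounting: no crypto map VPNMAP
Mar 13 21:12:30.455 BST: %HA_EM-6-LOG: CLIaccounting: show version
"""

# The timezone token is skipped: both header lines are assumed to use the same zone.
HEADER_RE = re.compile(
    r"^! (Last configuration change|NVRAM config last updated) at "
    r"(\d\d:\d\d:\d\d) \S+ (\w{3} \w{3} +\d+ \d{4})", re.M)
LOG_RE = re.compile(
    r"^(\w{3} +\d+ [\d:.]+) \S+: %HA_EM-6-LOG: CLIaccounting: (.*)$", re.M)
READ_ONLY = ("show ", "ping ", "traceroute ", "exit", "end")  # assumed prefixes

def header_times(show_run_text):
    """Return {'change': datetime, 'nvram': datetime} from the sh run header."""
    out = {}
    for label, clock, date in HEADER_RE.findall(show_run_text):
        key = "change" if label.startswith("Last") else "nvram"
        out[key] = datetime.strptime(f"{clock} {date}", "%H:%M:%S %a %b %d %Y")
    return out

def unsaved_changes(show_run_text):
    """True when the running config changed after the last NVRAM save."""
    t = header_times(show_run_text)
    return t["change"] > t["nvram"]

def non_show_commands(log_text):
    """Return (timestamp, command) for logged commands that are not read-only."""
    return [(ts, cmd) for ts, cmd in LOG_RE.findall(log_text)
            if not cmd.startswith(READ_ONLY)]

if __name__ == "__main__":
    print("unsaved changes:", unsaved_changes(SAMPLE_HEADER))
    for ts, cmd in non_show_commands(SAMPLE_LOG):
        print(ts, cmd)
```
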

Yes, I was not able to get into the router, as the connection to the remote office was down. I think I will have to rethink my strategy on how this is set up and managed. I am the only user to touch the routers, I am our IT department. hehe.

I will take a look at all these ideas and see what I can come up with. Thanks for the hints.

