Lost packets in a ping from a Cisco to a Riverstone router, but not vice versa

Hi,
I need your help to explain the following behavior.
I have interconnected a Cisco router with a Riverstone router, and I see the following:
1. When I execute a ping from the Cisco router to the RS router, I see a path with lost packets, with a certain frequency.
2. When I execute the ping from the Cisco router to the CPE, through the Riverstone router, all the packets are successful.
I need some explanation of this!
Thanks
Jesus Ibar

Rick,
Searching the Internet and Riverstone, we found the following document: Ping rate-limiting feature added in 7..x and newer
Ref: http://rstone.riverstonenet.com/hoth%2Dpub/techbltn/tb0096%2D9.html
It explains this issue; we applied the workaround and the packet loss was solved:
Before:
PE_Mty#ping vrf SONUS-VOIP
Protocol [ip]:
Target IP address: 192.168.57.2
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.57.2, timeout is 2 seconds:
Success rate is 93 percent (932/1000), round-trip min/avg/max = 1/3/272 ms
PE_Mty#
After applying the workaround:
PE_Mty#ping vrf SONUS-VOIP
Protocol [ip]:
Target IP address: 192.168.57.2
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.57.2, timeout is 2 seconds:
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/1/4 ms
PE_Mty#
Thanks for all.
Jesus Ibar
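
The pattern in this thread (loss when pinging the router itself, none when pinging through it) can be checked mechanically from IOS ping summaries. The following is an added example, not part of the original posts: the first transcript is the "Before" output above, the second is constructed (the thread gives no transcript for the ping to the CPE, and 192.0.2.10 is a placeholder address), and the 1% tolerance is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IOS summary line, e.g.
# "Success rate is 93 percent (932/1000), round-trip min/avg/max = 1/3/272 ms"
# The round-trip part is absent when every probe is lost.
SUMMARY = re.compile(
    r"Success rate is \d+ percent \((\d+)/(\d+)\)"
    r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?"
)


@dataclass
class PingResult:
    received: int
    sent: int
    rtt_max_ms: Optional[int]

    @property
    def loss_pct(self) -> float:
        if self.sent == 0:
            return 0.0
        return 100.0 * (self.sent - self.received) / self.sent


def parse_ping(transcript: str) -> PingResult:
    """Extract sent/received counts from an IOS ping transcript."""
    m = SUMMARY.search(transcript)
    if m is None:
        raise ValueError("no IOS ping summary line found")
    rtt_max = int(m.group(5)) if m.group(5) else None
    return PingResult(received=int(m.group(1)), sent=int(m.group(2)),
                      rtt_max_ms=rtt_max)


def classify(to_device: PingResult, through_device: PingResult,
             tolerance_pct: float = 1.0) -> str:
    """Compare a ping addressed to a device with a ping forwarded through it.

    "data-plane":    transit traffic is lost, so the path itself is suspect.
    "control-plane": only traffic addressed to the device is lost, which is
                     what ICMP rate limiting on the device looks like.
    "healthy":       neither test shows loss above the tolerance.
    """
    if through_device.loss_pct > tolerance_pct:
        return "data-plane"
    if to_device.loss_pct > tolerance_pct:
        return "control-plane"
    return "healthy"


# From the thread: ping to the Riverstone router before the workaround.
TO_ROUTER = """\
Sending 1000, 100-byte ICMP Echos to 192.168.57.2, timeout is 2 seconds:
Success rate is 93 percent (932/1000), round-trip min/avg/max = 1/3/272 ms
"""

# Constructed sample: ping to a CPE behind the router (placeholder address).
THROUGH_ROUTER = """\
Sending 1000, 100-byte ICMP Echos to 192.0.2.10, timeout is 2 seconds:
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/5 ms
"""

if __name__ == "__main__":
    a, b = parse_ping(TO_ROUTER), parse_ping(THROUGH_ROUTER)
    print(f"to router: {a.loss_pct:.1f}% loss, through router: {b.loss_pct:.1f}% loss")
    print("verdict:", classify(a, b))
```

A "control-plane" verdict means the ping to the device measures how the device treats ICMP addressed to itself, not the health of the forwarding path, so alerting on it alone produces false positives.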

Similar Messages

  • I want to make sure: Send/Receive Errors and Lost Packets on Ping - HOW BAD?

    Greetings!
    Still relatively new to MBP and Mac OS - ramping up fast on account of having to troll Forums for info about MBP's not so reliable WiFi performance...
    *ANOTHER QUESTION:* I get a lot of Send and Receive errors - as monitored by Network Utility.app when on my wireless network. Actually 10-20 after just 1/2 hour of WiFi activity. Going through a Linksys WRT54GL router into a HughesNet satellite modem. AND, if I PING another device on my wireless network, I often get LOST PACKETS. All an indication that at least in my case - and I hear the same many Forums denizens complain about similar issues.
    *Now, as I download important stuff* through the wireless network - say, the current many updates/upgrades for Mac OS X and the MBP, do such occurrences render the downloads unreliable? I do not get any message of incomplete download or such as I install such wirelessly downloaded upgrades, but I am concerned about applying upgrades which would have been damaged by such transmission errors. OR, perhaps errors are flagged and "corrected" somehow??
    Meanwhile, I have recently started to download - especially upgrades - via a direct LAN connection between my MBP and the satellite modem. However, this seems to be a setback to me, especially since even the most mundane among my Win machines have no trouble communicating over the wireless network.
    I'll appreciate assistance!
    - Roger T

    I don't know about wireless, as I only have dial up. And I have an iBook and not a MBP. But I frequently lose internet connection part way through a software update, probably due to the local antiquated phone lines. About all that happens is that the download has to be done over completely. It never picks up where it left off, so I assume the partial download is just gone as if it had never been downloaded. I would guess the same would be true of wireless downloads.
    Good luck!

  • Packet loss when pinging from/to a cisco 3560e switch

    I see Packet loss when pinging from/to a cisco 3560e switch. CPU utilization is normal.
    Switches are running with IOS c3560e-universalk9-mz.122-35.SE5.bin.
    Packet loss is observed for all the devices irrespective of directly connected or remote devices.
    If I do self pinging, there is no packet loss.
    I don't see any errors on the interface.
    Can anyone please help me in resolving this issue?


  • Connectivity issues between Cisco 2901 and Cisco SG300-52

    Hello,
    I am having some serious connectivity issues between the hosts in my LAN.
    My LAN is based on a Cisco 2901 router and a Cisco SG300-52 port switch.
    The issue that has been happening is that connections between hosts on the LAN (remote desktop, extended ping, etc.) are very unstable; at some points I can see 35% lost packets on an extended ping. This happens at any time of the day and from any host.
    All hosts are on the same VLAN (default VLAN) and on the same subnet. Some hosts have fixed IP addresses (servers and network equipment) and others obtain their IP address through a DHCP reservation established on the router (reserved with the MAC address of every host).
    I can provide further details if needed, because this issue is very serious and I would really appreciate any insight or support.
    Many thanks in advance.
    Sair Amer
    EDIT:  After doing every test we could think of, we finally found the reason behind this problem.
    It turns out that the switch has problems handling communications between clients at different speeds, because most of the hosts connected were working at 100 Mbps but the servers were working at 1000 Mbps (and the communication between host and servers wasn't stable).
    After manually setting the speed on all ports to 100 Mbps the problems have stopped.
    Many thanks for your help on this issue.

    Building configuration...
    Current configuration : 4123 bytes
    ! Last configuration change at 12:06:16 PCTime Sat Jul 19 2014 by ccp
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Foninsa
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 $1$BDbJ$HN3VP8nmywrGB55RCxPd30
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local 
    aaa session-id common
    clock timezone PCTime -4 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
    no ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.151 192.168.1.255
    ip dhcp pool FONINSA
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1 
     dns-server 8.8.8.8 8.8.4.4 
    ip dhcp pool Laptop-Sporta-Wifi
     host 192.168.1.10 255.255.255.0
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-213585710
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-213585710
     revocation-check none
     rsakeypair TP-self-signed-213585710
    crypto pki certificate chain TP-self-signed-213585710
     certificate self-signed 01
      30820229 30820192
      quit
    license udi pid CISCO2901/K9 sn
    license boot module c2900 technology-package securityk9
    username ccp privilege 15 password
    redundancy
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 190.196.21.98 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    no ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.1.3 21 190.196.21.98 21 extendable
    ip nat inside source static tcp 192.168.1.3 80 190.196.21.98 80 extendable
    ip nat inside source static udp 192.168.1.8 1194 190.196.21.98 1194 extendable
    ip nat inside source static tcp 192.168.1.4 3389 190.196.21.98 3389 extendable
    ip nat inside source static tcp 192.168.1.9 3389 190.196.21.98 10000 extendable
    ip nat inside source static tcp 192.168.1.3 3389 190.196.21.98 20000 extendable
    ip route 0.0.0.0 0.0.0.0 190.196.21.97
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
     password $
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 5
     access-class 23 in
     privilege level 15
     password #
     transport input telnet ssh
    no scheduler allocate
    end

  • Can't ping behind Cisco router (site2site VPN)

    Dears;
    After configuring a site-to-site VPN between a Cisco router and a FortiGate firewall,
    site A: 10.0.0.0/24 behind the FortiGate
    site B: 10.10.10.0/24 behind the Cisco router
    the tunnel is up and I can ping 10.0.0.1 from site B and can ping 10.10.10.1 from site A, but I can't ping any IP inside 10.0.0.0/24 from site B or network 10.10.10.0/24 from site A.
    My Cisco router configuration is:
    Current configuration : 2947 bytes
    ! No configuration change since last restart
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    boot-start-marker
    boot-end-marker
    enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
    no aaa new-model
    memory-size iomem 10
    clock timezone cairo 2 0
    crypto pki token default removal timeout 0
    ip source-route
    ip dhcp excluded-address 192.168.16.1
    ip dhcp excluded-address 10.10.10.1 10.10.10.10
    ip dhcp pool GUEST
     network 192.168.16.0 255.255.255.0
     default-router 192.168.16.1
     dns-server 8.8.8.8 8.8.4.4
    ip dhcp pool LAN
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 8.8.8.8 8.8.4.4
    ip cef
    controller VDSL 0
    ip ssh version 2
    crypto isakmp policy 10
     encr aes
     hash sha256
     authentication pre-share
     group 5
    crypto isakmp key 6 *********** address 4.x.x.x no-xauth
    crypto ipsec transform-set myset esp-aes esp-sha256-hmac
    crypto map kon-map 10 ipsec-isakmp
     set peer 4.x.x.x
     set transform-set myset
     set pfs group5
     match address 105
    interface Ethernet0
     no ip address
     no fair-queue
    interface ATM0
     no ip address
     ip mtu 1452
     ip tcp adjust-mss 1452
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     ip flow ingress
     pvc 0/35
      encapsulation aal5snap
      pppoe-client dial-pool-number 1
    interface FastEthernet0
     switchport mode trunk
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     switchport access vlan 2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface Vlan2
     ip address 192.168.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     ppp authentication chap pap callin
     ppp chap hostname
     ppp chap password 0
     ppp pap sent-username
     crypto map kon-map
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 100 permit ip 192.168.16.0 0.0.0.255 any
    access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    banner motd ^C^C
    end
    When pinging from the Cisco router:
    konsuler#ping 10.0.0.27 source vlan1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    Success rate is 0 percent (0/5)
    help please

    Thank you Karsten,
    I can ping the interface of the router from the remote site but can't ping any device behind the router, and I can ping the firewall interface but can't ping any device behind the firewall.
    - The counters in # sh crypto ipsec sa increased only while pinging 10.0.0.1 or 10.10.10.1 from both sides.
    r#show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection     
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: Dialer1
    Uptime: 00:03:12
    Session status: UP-ACTIVE     
    Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.x.x.x
          Desc: (none)
      IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
              Capabilities:(none) connid:2001 lifetime:22:39:59
      IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
            Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407

  • Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

    We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
    We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

    Hi,
    So you have the N7k acting as L3 with servers connected to the 4510?
    Do you see the MAC associated with the failing ARP in the 4510? Is it happening with all or a few servers? Just to verify if it is a connectivity issue between the N7k and the 4510, you can configure an SVI on the 4510, assign an address from the same range (server/core range) and perform a ping.
    This will help narrow down if issue is between server to 4510 or 4510 to N7k.
    Thanks,
    Nagendra

  • Error Routing protocol - EIGRP between Cisco ASA with Switch 4506

    Dear Cisco Team,
    I have a problem when I configure EIGRP between a Cisco ASA 5510 and a core switch 4506. The error is below:
    *Nov  4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
    *Nov  4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
    *Nov  4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
    *Nov  4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
    *Nov  4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
    *Nov  4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
    The tech spec:
    ASA,  IOS : 8.0.2
    4506, License IP Base; OS: Unisal 15 M.2
    I checked between the ASA and a router and it is OK, but between the ASA and the 4506 there is an error.
    Can you help me?

    Hello,
    These logs mean that the hold time expired, so the hello packets are not being received; this usually means multicast packets are missed (224.0.0.10).
    I would recommend you try another cable because this usually is a physical or congestion issue.
    Can you try that and let us know the result? Also, if that does not help, can you send us the following outputs:
    -Show ip EIGRP neighbors
    -Debug EIGRP packet hello
    Regards,
    Julio
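
    When triaging adjacency flaps like the ones in this thread, it helps to group the %DUAL-5-NBRCHANGE events by neighbor and by the reason IOS logged, and to measure how long each adjacency stayed up. The following is an added example, not part of the original posts: the log lines are copied from the question above, the year 2000 is a placeholder because the timestamps carry no year, and the two-down threshold is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Log lines copied from the post above (IOS timestamps carry no year).
SAMPLE_LOG = """\
*Nov  4 05:08:09.898: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov  4 05:09:29.409: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov  4 05:09:29.499: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
*Nov  4 05:10:35.609: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.18 (GigabitEthernet2/42) is down: holding time expired
*Nov  4 05:10:49.009: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is down: retry limit exceeded
*Nov  4 05:10:53.230: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.20 (GigabitEthernet2/42) is up: new adjacency
"""

EVENT = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %DUAL-5-NBRCHANGE: "
    r"EIGRP-IPv4 \d+: Neighbor (?P<nbr>\S+) \((?P<intf>\S+)\) "
    r"is (?P<state>up|down): (?P<reason>.+?)\s*$"
)


def parse_events(log_text):
    """Yield (timestamp, neighbor, state, reason) for each NBRCHANGE line."""
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # not an EIGRP neighbor-change message
        # Placeholder year (assumption) so the timestamp parses unambiguously.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        yield ts, m["nbr"], m["state"], m["reason"]


def summarize(log_text):
    """Per neighbor: number of downs, reasons logged, seconds each adjacency lasted."""
    summary = defaultdict(lambda: {"downs": 0, "reasons": Counter(), "uptimes": []})
    last_up = {}
    for ts, nbr, state, reason in parse_events(log_text):
        entry = summary[nbr]
        if state == "up":
            last_up[nbr] = ts
            continue
        entry["downs"] += 1
        entry["reasons"][reason] += 1
        if nbr in last_up:  # only measurable if the "up" is in the capture
            uptime = (ts - last_up.pop(nbr)).total_seconds()
            entry["uptimes"].append(round(uptime, 3))
    return dict(summary)


def flapping(summary, min_downs=2):
    """Neighbors that went down at least min_downs times in the capture."""
    return sorted(n for n, e in summary.items() if e["downs"] >= min_downs)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for nbr, e in result.items():
        print(nbr, e["downs"], dict(e["reasons"]), e["uptimes"])
    print("flapping:", flapping(result))
```

    On these lines, 172.16.10.20 drops twice with "retry limit exceeded" after staying up about 79.5 seconds each time, while "holding time expired" appears once, for 172.16.10.18 on the same interface. IOS logs "retry limit exceeded" when a reliable EIGRP packet is not acknowledged within the retransmission limit.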

  • NI VBAI GigE Camera Lost Packets

    We are running VBAI on a fast PC through an Intel Pro/1000 card and a jumbo-frame GigE switch to a large number of Basler Ace GigE cameras.
    It is understandable that multiple cameras can not simultaneously transfer complete images to the PC at the full 1000 MHz data rate due to the limited bandwidth between the PC and switch.
    One way around this is to throttle the max data rate for each camera down so that the sum is not greater than 1000 MHz.
    However, this means that image transfers always take longer, even if only one camera happens to be in operation much of the time.
    Is this a fundamental limitation of GigE Vision, or are GigE Vision cameras clever enough to operate as fast as possible...via resends of the occasional lost packet??? 
         Nelson

    We have come up with a solution.
    The issue is that the cameras, switch, network card, and VisionBuilder cannot handle any instance where more than one camera is sending images to VisionBuilder where the total of the data rates for those cameras is ever in excess of the 1GB network card bandwidth.
    (It would be nice if someone made a network switch that has slightly more packet buffer memory...100MB?...so that the occasional collision does not result in garbage images while allowing most captures to operate at maximum speed.)
    Solution:
    (1) We added 3 additional 1Gb network ports to our vision PC.
    (2) In order to redistribute camera traffic to more than one network port, we assigned each network card, and the corresponding cameras, to a different subnet.
    (3) We lowered the data rate for the less time-critical cameras.
    Even after lowering the data rates for several cameras in NI-MAX down to 200 Mb/s such that lost packets should no longer be possible, we still saw them.
    After a detailed examination we found that the VisionBuilder image acquisition steps do not pay attention to the data rates that you assign in NI-MAX, and always default to the maximum 1000 Mb/s rate, hence the saturated data rates and lost packets.
    The solution to this problem turns out to be to explicitly set the desired data rate in each VisionBuilder Image Acquisition step, using the attributes tab.  While you are at it, you should also check that other critical parameters, such as the packet size, are also correct, and update them if not.
    After explicitly correcting the data rates in all image acquisition steps, we ran an image capture stress test that ran all the vision processes (several programs running simultaneously) about 10x faster than required, and observed no lost packets at all.
    Problem solved.
     

  • Lost Packets in certain customer VLANs Trunked over ME

    I work for a service provider that configures CPE networks for our customers. We have one customer for whom we are setting up a Disaster Recovery site over Metro Ethernet. The customer's servers need L2 connectivity to the data center for redundancy. The customer wants their VLANs on their 4510 mirrored on a 3750 at the DR site. A gigabit ME VLAN was set up through our ME network between the 2 sites. The 3750 and 4510 were staged at the customer site and tested before the 3750 was moved to the remote DR site and connected by ME.
    The 3750 and 4510 were directly connected on a dot1q trunk between the two switches. About 18 VLANs are trunked between the 2 switches, about 15 of which have L3 VLAN interfaces configured.
    The issue we are having is that packets are getting dropped on certain customer VLANs, but not others. All VLANs worked properly when the 3750 was directly connected to the 4510 at the datacenter.
    Our network engineers in charge of the ME noticed MAC-Flap errors on ME switches at the Data Center and the DR site. They see the MAC address of Interface Vlan 101 and Interface Vlan 318 of the 3750 switch on both the customer access port on both ME 3400 switches (uni) and the ME trunk ports (nni). No other VLANs are having issues with lost packets, or connectivity.
    On ME 3400 switch uni tunnel port is vlan 459. Native vlan is 540 on 3400 and is the switch mgt vlan.
    Has anyone run into this before?

    I think commonsense101 means the "Customer Agreement" and the following passage in particular.
    "Where and How Does Verizon Wireless Service Work?
    Wireless devices use radio transmissions, so unfortunately you can't get Service if your device isn't in range of a transmission signal. And please be aware that even within your Coverage Area, many things can affect the availability and quality of your Service, including network capacity, your device, terrain, buildings, foliage and weather."

  • EtherChannel between cisco devices need help

    Hello,
    At our company we use 2 asa 5525 firewalls in active/standby mode.
    Both of them are connected to a single cisco router.
    The goal is to have the cisco router to automatically send traffic to the active firewall (regardless which firewall is active at that point).
    To solve this would it be possible to create an EtherChannel with 2 ports on the cisco router and then have 1 link going to the active firewall and 1 link to the standby firewall.
    If the active firewall fails and the standby firewall takes over, will the standby firewall receive all the traffic that normally would go to the active firewall without any downtime?
    Will this work, or does another solution exist for this? It's important for us that the hosts on the network suffer little to no downtime at all.
    The topology can be found in the following image.

    Hello
    "You could possibly use bridging on the router which would allow you to have two interfaces on the same router in the same IP subnet and connect one interface to the active firewall and one to the standby. But I cannot say for sure this would work as I have never done it with ASAs"
    Please see below:
    ASA1
    ====
    .interface GigabitEthernet0
    nameif inside1
    security-level 100
    ip address 192.168.1.10 255.255.255.0
    ASA2
    ====
    .interface GigabitEthernet0
    nameif inside2
    security-level 100
    ip address 192.168.1.11 255.255.255.0
    router
    =====
    bridge irb
    bridge 100 protocol ieee
    bridge 100 route ip
    interface FastEthernet0/0
    Description Link to ASA1
    bridge-group 100
    interface FastEthernet0/1
    Description Link to ASA2
    bridge-group 100
    interface BVI100
    ip address 192.168.1.254 255.255.255.0
    R1#ping 192.168.1.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 12/34/72 ms
    R1#ping 192.168.1.11
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/38/88 ms
    asa1#  ping 192.168.1.11
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    asa1#ping 192.168.1.254
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/34/50 ms
    NOTE:
    You can also NOT apply an ip address to the BVI interface and you would still be able to ping between the FW'S
    res
    Paul

  • Connection issue between Cisco 515 Pix and Cisco 1841 router

    Hi,
    I am having a problem getting a Cisco Pix 515 communicating to a Cisco 1841. I am currently studying for CCNA so forgive me if it's obvious to the rest of you where the problem lies.
    The client currently has an ISDN service which is being moved over to a 2MB E1 connection.
    I have configured the 1841 router with G.703 WIC according to the information given to me by the ISP. I have configured the 1841 to have the same internal IP as the ISDN Cisco 800 series router, hoping for a simple swap over. The Pix 515 sits behind the ISDN at present and will be behind the 1841 when it is active.
    Once I unplug the 800 series ISDN router and plug the 1841 into the pix, I cannot get any response what so ever. I have tried changing the ethernet connection speeds between the pix and 1841 hoping it would be as simple as that without success. Can't get ping responses from either end but I can when the ISDN service is plugged in. Both ISDN and E1 link are supplied by the same ISP, Telstra Australia and the fixed IP's are able to move over to the E1 service.
    I have not touched the pix in any way. A separate company configured the router a couple of years ago.
    I have included the configurations of the existing ISDN, Pix and the 1841 for you to review. Any advice/solutions would be greatly appreciated.
    Thanks in Advance,

    Hi,
    The outside interface on your PIX is configured as 10BaseT which would be fine when using the original 800 series ISDN router.
    Now with your new 1841, the interface that the PIX connects to is Fast Ethernet, so you need to change your outside interface on the PIX to the same.
    If you want to use auto negotiation between the PIX and router then the command to do this on the PIX is
    interface ethernet0 auto
    I recommend using hard coded settings between the PIX and router and the command to do this on this PIX is
    interface ethernet0 100full
    You will also need to change your router as:
    interface FastEthernet0/0
    speed 100
    duplex full
    If you can't configure the PIX, as you mentioned an external company did it, then I guess you could change your Fast Ethernet interface to "speed 10", "duplex half".
    This won't create a bottleneck as you only have a 2 MB connection to your ISP.
    Everything else looks good, don't worry about asking questions on the forum, this is what it's for.
    HTH
    Paddy

  • VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

    Hi
    my scenario is as follows
    SERVER1 on lan (192.168.1.4)
    |
    |
    CISCO-887 (192.168.1.254)
    |
    |
    INTERNET
    |
    |
    VPN Cisco client on windows 7 machine
    My connection has a public IP address assigned by the ISP after PPP login.
    I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
    All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
    But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
    I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
    What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0 but without luck)
    Perhaps ACL problem?
    Building configuration...
    Current configuration : 4921 bytes
    ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname TestLab
    boot-start-marker
    boot-end-marker
    enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-3013130599
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3013130599
    revocation-check none
    rsakeypair TP-self-signed-3013130599
    crypto pki certificate chain TP-self-signed-3013130599
    certificate self-signed 01
    quit
    no ip domain lookup
    ip cef
    no ipv6 cef
    license udi pid CISCO887VA-K9 sn ***********
    username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
    username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
    controller VDSL 0
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group EXTERNALS
    key NetasTest
    dns 8.8.4.4
    pool VPN-Pool
    acl 120
    crypto isakmp profile ciscocp-ike-profile-1
    match identity group EXTERNALS
    client authentication list ciscocp_vpn_xauth_ml_2
    isakmp authorization list ciscocp_vpn_group_ml_2
    client configuration address respond
    virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA1
    set isakmp-profile ciscocp-ike-profile-1
    interface Ethernet0
    no ip address
    shutdown
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    hold-queue 224 in
    pvc 8/35
    pppoe-client dial-pool-number 1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface Virtual-Template1 type tunnel
    ip address 192.168.2.1 255.255.255.0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    interface Dialer0
    ip address negotiated
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname ****
    ppp chap password 0 *********
    ppp pap sent-username ****** password 0 *******
    no cdp enable
    ip local pool VPN-Pool 192.168.2.210 192.168.2.215
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 100 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 100 remark
    access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 100 remark
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 120 remark
    access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    line con 0
    exec-timeout 5 30
    password ******
    no modem enable
    line aux 0
    line vty 0 4
    password ******
    transport input all
    end
    Best Regards,

    I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from rv320 to 871 and vice versa. Ping still not working.
    router#sh crypto session detail 
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection     
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: Dialer0
    Uptime: 00:40:37
    Session status: UP-ACTIVE     
    Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 192.168.1.100
          Desc: (none)
      IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
              Capabilities:(none) connid:2001 lifetime:07:19:22
      IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
            Active SAs: 4, origin: dynamic crypto map
            Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
            Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
    I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
    Please help me to find where is the issue.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate.
    I don't have any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advise me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.
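
Both replies above paste `show crypto session detail`, once with the session UP-ACTIVE but inbound packets only dropped, once with the session DOWN and no IKE SA. As an added example (not code from either poster or from Cisco), this Python parser reads that output and names which layer to look at first; the sample text is constructed with documentation addresses, and the finding codes are this example's own names.

```python
import re

# Constructed sample, modelled on the two outputs quoted in the posts above;
# the addresses come from the documentation ranges, not from the page.
SAMPLE = """\
Crypto session current status
Interface: Dialer0
Session status: UP-ACTIVE
Peer: 198.51.100.20 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 192.0.2.10/500 remote 198.51.100.20/500 Active
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
        Active SAs: 4, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 203.0.113.5 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
"""

FIELD = re.compile(r"(Interface|Session status|Peer|IKE SA|IPSEC FLOW|Active SAs):\s*(.*)")
COUNTERS = re.compile(r"(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+)")

def parse_sessions(text):
    """Split the output into one dict per session, each with its IPsec flows."""
    sessions = []
    for line in map(str.strip, text.splitlines()):
        f, c = FIELD.match(line), COUNTERS.match(line)
        if f and f.group(1) == "Interface":          # a session block starts here
            sessions.append({"interface": f.group(2), "status": "UNKNOWN",
                             "peer": None, "ike_state": None, "flows": []})
        elif not sessions:
            continue                                  # banner and legend lines
        elif f and f.group(1) == "Session status":
            sessions[-1]["status"] = f.group(2)
        elif f and f.group(1) == "Peer":
            sessions[-1]["peer"] = f.group(2).split()[0]
        elif f and f.group(1) == "IKE SA":
            sessions[-1]["ike_state"] = f.group(2).split()[-1]
        elif f and f.group(1) == "IPSEC FLOW":
            sessions[-1]["flows"].append({"selector": f.group(2), "sas": 0})
        elif f and f.group(1) == "Active SAs" and sessions[-1]["flows"]:
            sessions[-1]["flows"][-1]["sas"] = int(f.group(2).split(",")[0])
        elif c and sessions[-1]["flows"]:
            way = "in" if c.group(1) == "Inbound" else "out"
            sessions[-1]["flows"][-1][way + "_ok"] = int(c.group(2))
            sessions[-1]["flows"][-1][way + "_drop"] = int(c.group(3))
    return sessions

def diagnose(session):
    """Return finding codes naming the layer to look at first."""
    if not session["status"].startswith("UP"):
        # Down with no IKE SA listed: no phase 1 SA exists, so IPsec
        # counters and NAT exemption are not yet what needs debugging.
        return ["NO_IKE_SA" if session["ike_state"] is None else "SESSION_DOWN"]
    findings = []
    for flow in session["flows"]:
        if flow.get("out_ok", 0) == 0:
            findings.append("NOTHING_ENCRYPTED")      # local traffic misses the flow
        if flow.get("in_ok", 0) == 0 and flow.get("in_drop", 0) > 0:
            findings.append("INBOUND_ALL_DROPPED")    # peer sends, router discards
        elif flow.get("in_ok", 0) == 0 and flow.get("out_ok", 0) > 0:
            findings.append("NO_RETURN_TRAFFIC")      # nothing comes back at all
    return findings
```

On the constructed sample, `diagnose` returns `INBOUND_ALL_DROPPED` for the Dialer0 session and `NO_IKE_SA` for the GigabitEthernet0/0 session, which is why an empty `show crypto isakmp sa` matters more there than the NAT rules.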

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    Hello
    I am investigating the difference of the IEEE802.1x Auth between Routers and Switches.
    Basically dot1x auth is available on Catalyst Switches. however if I want to check to
    PortBased Multi-Auth , MAC address Auth and any certification Auth with this feature,
    Is it possible to integrate into Cisco Router such as Cisco 891F ?
    In my opinion Cisco891F is also available to use basic IEEE802.1x but if it compares with Catalyst switches such as Cat3560X
    I think there might be any unsupported feature on Cisco 891F.
    I appreciate any information. thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many times in interviews I was asked for a comparison between Cisco routers and switches, and I was answerless because I don't have much knowledge about that. Can anyone provide me a comparison sheet of the same? How do the Cisco devices differ from each other, how much bandwidth does each router support, etc.
    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impression to this line of questioning are:
    1. The candidate they are looking for has in-depth knowledge of routers and switches. And I mean IN-DEPTH!;
    2. They are not looking for a candidate. They just want to stroke their ego. There are not a lot of people who can give you the "names and numbers" of routers and switches at a snap of a finger. And if you do happen to know the answer, then and there, then expect a tougher follow-up question.

  • No ping between host in the same subnet

    Hello,
    I have a question about the ASA and the ARP traffic in IOS 9.1.2 for ASA 5585-X and multicontext. I have discovered a curious behaviour about the ARP traffic in my CLUSTER of ASAs. When I try to send a ping between hosts in the same subnet, and these hosts have the interface of the ASA as their gateway (the ASA is their router), it doesn't work. If I mark the check to enable communications between hosts connected to the same interface, it continues not to work. The only way to get my aim (ping between hosts) is to implement an Access Rule allowing the IP traffic between my origin network and, as destination, the same network.
    I think that this is some feature of the ASA that filters the ARP Request, but I don't understand!!! Can you help me, please?
    Thanks.

    Hi,
    Your firewall should not see any traffic between the hosts on the same subnet.
    If it is seeing traffic between the hosts then its likely that Proxy ARP on the ASA is the problem. Proxy ARP is enabled on the ASA by default on all interfaces. This essentially means that when the host connecting to the other host on the same subnet sends an ARP request the ASA might reply to that ARP request instead of the actual destination host. This is why traffic might get forwarded to the ASA instead of the actual host.
    If you want to disable the Proxy ARP on some ASA interface then you can use
    sysopt noproxyarp <interface-name>
    Where you replace the <interface-name> with the actual name you have given to the interface on the ASA. This disables the Proxy ARP
    - Jouni
