3845 router failing to look up routes from routing table correctly!

Hi all,
Got a really strange issue which I am wondering if someone can point me in the right direction for. Facts of the issue:
- Some customers, all with a specific ISP, cannot access a hosted service we host internally
- External user can reach service but never gets a response - hence focussing on reachability of their public IP
- Cisco 3845 router used, peers with service provider over BGP - receives full internet routing tables
- All affected customers receive dynamic IP addresses within the same /10 public IP range
I received an example IP address and when doing "show ip route x.x.x.x" for this IP, the router responds "Subnet not in table". When trying to traceroute to the IP, the router doesn't even go to the next hop. However, the subnet is definitely in the routing table with the correct next hop (and, for complete information, is also within the BGP updates). Before anyone asks the question :) - yes I have definitely verified that the hosts are within this subnet.
If I put a static /32 route in for this specific IP address, everything works fine - then fails again once it's taken out.
I literally cannot understand why the router is not correctly performing the lookup for the hosts within this subnet. I can understand a lot of potential reasons why the BGP received route wouldn't be placed in the routing table, but that is not the case here.
Some other factors (if applicable):
- Nothing showing in the logs
- Plenty memory available (despite the high number of routes)
- Plenty CPU resource available
- No default route is run
I am going to restart the router and really expect this to resolve the issue (would log a TAC but this one is a bit time precious) - but it is frankly doing my head in and I assume I am missing something!
Any help or guidance would be appreciated!

Similar Messages

  • RADIUS COA on software version 12.4 using 3845 router

    We are working to provide dynamic bandwidth control by using RADIUS COA to a 3845 router.
    When we issue the COA, the 3845 rejects the message with an invalid session id message.
    We are using the following instructions to craft the RADIUS COA message.
    http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html

    Hi Manuel,
    I have a PPPOE client running directly against the 3845, which terminates PPPOE. Authentication, authorization and accounting work against FreeRADIUS.
    Next step for us is to manage subscriber connections by sending COA to change service parameters.
    Our system sends RADIUS COA as in below.
    You can find the packet dumps, configuration and Cisco log below.
    Thank you for responding and looking forward to your next response.
    Igor
    *** Example with Shaping ***
    policy-map SHAPE-TEST
    class class-default
    shape average 48000
    Using: cisco-avpair = "ip:sub-qos-policy-out=SHAPE-TEST"
    ======================== Packet capture =================================
    No.     Time                          Source                Destination           Protocol Info
          1 2000-01-01 08:46:03.257911000 172.16.2.218          172.20.2.55           RADIUS   CoA-Request(43) (id=1, l=49)
    Frame 1: 91 bytes on wire (728 bits), 91 bytes captured (728 bits)
        Arrival Time: Jan  1, 2000 08:46:03.257911000 Eastern Standard Time
        Epoch Time: 946734363.257911000 seconds
        [Time delta from previous captured frame: 0.000000000 seconds]
        [Time delta from previous displayed frame: 0.000000000 seconds]
        [Time since reference or first frame: 0.000000000 seconds]
        Frame Number: 1
        Frame Length: 91 bytes (728 bits)
        Capture Length: 91 bytes (728 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:udp:radius]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: HewlettP_af:82:b5 (2c:27:d7:af:82:b5), Dst: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
        Destination: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 172.16.2.218 (172.16.2.218), Dst: 172.20.2.55 (172.20.2.55)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 77
        Identification: 0x5b26 (23334)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 128
        Protocol: UDP (17)
        Header checksum: 0x8244 [correct]
            [Good: True]
            [Bad: False]
        Source: 172.16.2.218 (172.16.2.218)
        Destination: 172.20.2.55 (172.20.2.55)
    User Datagram Protocol, Src Port: 57459 (57459), Dst Port: radius-dynauth (3799)
        Source port: 57459 (57459)
        Destination port: radius-dynauth (3799)
        Length: 57
        Checksum: 0x6ec3 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: CoA-Request (43)
        Packet identifier: 0x1 (1)
        Length: 49
        Authenticator: f8ce880960a402b9809f0c173c6c8530
        [The response to this request is in frame 2]
        Attribute Value Pairs
            AVP: l=10  t=Acct-Session-Id(44): 000000C3
                Acct-Session-Id: 000000C3
            AVP: l=19  t=Vendor-Specific(26) v=Cisco(9)
                VSA: l=13 t=Cisco-Policy-Down(38): POLICE-TEST
                    Cisco-Policy-Down: POLICE-TEST
    0000  00 1b 21 b3 18 58 2c 27 d7 af 82 b5 08 00 45 00   ..!..X,'......E.
    0010  00 4d 5b 26 00 00 80 11 82 44 ac 10 02 da ac 14   .M[&.....D......
    0020  02 37 e0 73 0e d7 00 39 6e c3 2b 01 00 31 f8 ce   .7.s...9n.+..1..
    0030  88 09 60 a4 02 b9 80 9f 0c 17 3c 6c 85 30 2c 0a   ..`.......
    0040  30 30 30 30 30 30 43 33 1a 13 00 00 00 09 26 0d   000000C3......&.
    0050  50 4f 4c 49 43 45 2d 54 45 53 54                  POLICE-TEST
    No.     Time                          Source                Destination           Protocol Info
          2 2000-01-01 08:46:03.259029000 172.20.2.55           172.16.2.218          RADIUS   CoA-NAK(45) (id=1, l=47)
    Frame 2: 89 bytes on wire (712 bits), 89 bytes captured (712 bits)
        Arrival Time: Jan  1, 2000 08:46:03.259029000 Eastern Standard Time
        Epoch Time: 946734363.259029000 seconds
        [Time delta from previous captured frame: 0.001118000 seconds]
        [Time delta from previous displayed frame: 0.001118000 seconds]
        [Time since reference or first frame: 0.001118000 seconds]
        Frame Number: 2
        Frame Length: 89 bytes (712 bits)
        Capture Length: 89 bytes (712 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:udp:radius]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: IntelCor_b3:18:58 (00:1b:21:b3:18:58), Dst: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
        Destination: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 172.20.2.55 (172.20.2.55), Dst: 172.16.2.218 (172.16.2.218)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 75
        Identification: 0xe66e (58990)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 254
        Protocol: UDP (17)
        Header checksum: 0x78fd [correct]
            [Good: True]
            [Bad: False]
        Source: 172.20.2.55 (172.20.2.55)
        Destination: 172.16.2.218 (172.16.2.218)
    User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 57459 (57459)
        Source port: radius-dynauth (3799)
        Destination port: 57459 (57459)
        Length: 55
        Checksum: 0xa044 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: CoA-NAK (45)
        Packet identifier: 0x1 (1)
        Length: 47
        Authenticator: 8edb97b90c05e6ed7c1ce06688723520
        [This is a response to a request in frame 1]
        [Time from request: 0.001118000 seconds]
        Attribute Value Pairs
            AVP: l=21  t=Reply-Message(18): No Matching Session
                Reply-Message: No Matching Session
            AVP: l=6  t=Error-Cause(101): Session-Context-Not-Found(503)
                Error-Cause: Session-Context-Not-Found (503)
    0000  2c 27 d7 af 82 b5 00 1b 21 b3 18 58 08 00 45 00   ,'......!..X..E.
    0010  00 4b e6 6e 00 00 fe 11 78 fd ac 14 02 37 ac 10   .K.n....x....7..
    0020  02 da 0e d7 e0 73 00 37 a0 44 2d 01 00 2f 8e db   .....s.7.D-../..
    0030  97 b9 0c 05 e6 ed 7c 1c e0 66 88 72 35 20 12 15   ......|..f.r5 ..
    0040  4e 6f 20 4d 61 74 63 68 69 6e 67 20 53 65 73 73   No Matching Sess
    0050  69 6f 6e 65 06 00 00 01 f7                        ione.....
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.21 10:00:43 =~=~=~=~=~=~=~=~=~=~=~=
    ABN-3845#
    ABN-3845#sho run
    Building configuration...
    Current configuration : 2831 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname ABN-3845
    boot-start-marker
    boot-end-marker
    enable password ipdradm
    aaa new-model
    aaa authentication ppp default local group radius
    aaa authentication ppp mounir group radius local
    aaa authorization network default local group radius
    aaa authorization network mounir group radius
    aaa accounting update periodic 1
    --More--        
    aaa accounting exec mounir start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting network mounir start-stop group radius
    aaa server radius dynamic-author
    client 172.16.2.183
    client 172.20.2.234
    client 172.20.2.204
    client 172.16.2.218
    server-key ipdradm
    port 3799
    auth-type session-key
    aaa session-id common
    dot11 syslog
    ip cef
    ip domain name a-bb.net
    ip name-server 172.16.0.25
    multilink bundle-name authenticated
    --More--        
    vpdn-group mounir
    ! Default L2TP VPDN group
    accept-dialin
      protocol pppoe
      virtual-template 11
    l2tp tunnel receive-window 1024
    voice-card 0
    no dspfarm
    --More--        
    archive
    log config
      hidekeys
    policy-map POLICE-TEST
    class class-default
        police 48000 9000 18000 conform-action transmit  exceed-action drop  violate-action drop
    bba-group pppoe global
    --More--        
    virtual-template 11
    interface Loopback0
    ip address 172.29.1.5 255.255.255.255
    interface GigabitEthernet0/0
    ip address 172.20.2.55 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    interface GigabitEthernet0/1
    ip address 10.30.1.1 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    pppoe enable group global
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 2
    interface Virtual-Template11
    --More--        
    ip unnumbered GigabitEthernet0/1
    ppp authentication pap mounir
    ppp authorization mounir
    ppp accounting mounir
    interface Virtual-Template15
    ip unnumbered Loopback0
    no peer default ip address
    ppp authentication pap mounir
    ppp authorization mounir
    ppp accounting mounir
    router ospf 1
    router-id 172.29.1.5
    log-adjacency-changes
    redistribute connected subnets
    network 172.20.2.0 0.0.0.255 area 0
    network 172.29.1.5 0.0.0.0 area 0
    ip forward-protocol nd
    no ip http server
    --More--        
    no ip http secure-server
    logging 172.20.2.150
    radius-server attribute 32 include-in-access-req
    radius-server attribute 32 include-in-accounting-req
    radius-server attribute 25 access-request include
    radius-server attribute nas-port format d
    radius-server host 172.20.2.204 auth-port 1812 acct-port 1813 key ipdradm
    radius-server key ipdradm
    radius-server vsa send cisco-nas-port
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    --More--        
    line con 0
    line aux 0
    line vty 0 4
    password ipdradm
    scheduler allocate 20000 1000
    end
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#debug aaa coa
    AAA CoA packet processing debugging is on
    ABN-3845#debug radius
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol debugging is on
    Radius elog debugging debugging is off
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off
    Radius elog debugging debugging is off
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    *Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA):Orig. component type = PPoE
    *Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA): Acct-session-id pre-pended with Nas Port = 0/0/1/1
    *Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
    *Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
    *Sep 21 13:59:05.380: RADIUS(000000BA): sending
    *Sep 21 13:59:05.380: RADIUS/ENCODE: Best Local IP-Address 172.20.2.55 for Radius-Server 172.20.2.204
    *Sep 21 13:59:05.380: RADIUS(000000BA): Send Accounting-Request to 172.20.2.204:1813 id 1646/40, len 322
    *Sep 21 13:59:05.380: RADIUS:  authenticator 65 F4 15 61 6F AD B1 76 - 45 35 D5 42 9A 3E 2F C7
    *Sep 21 13:59:05.380: RADIUS:  Acct-Session-Id     [44]  18  "0/0/1/1_000000C3"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  41
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=f8d1.11a7.167a"
    *Sep 21 13:59:05.380: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Sep 21 13:59:05.380: RADIUS:  Framed-IP-Address   [8]   6   10.30.1.2
    *Sep 21 13:59:05.380: RADIUS:  User-Name           [1]   9   "ipdradm"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  35
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-tx-speed=1000000000"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-rx-speed=1000000000"
    *Sep 21 13:59:05.380: RADIUS:  Acct-Session-Time   [46]  6   143522
    *Sep 21 13:59:05.380: RADIUS:  Acct-Input-Octets   [42]  6   6382156
    *Sep 21 13:59:05.380: RADIUS:  Acct-Output-Octets  [43]  6   2559911
    *Sep 21 13:59:05.380: RADIUS:  Acct-Input-Packets  [47]  6   224941
    *Sep 21 13:59:05.380: RADIUS:  Acct-Output-Packets [48]  6   161500
    *Sep 21 13:59:05.380: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Sep 21 13:59:05.380: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  15
    *Sep 21 13:59:05.380: RADIUS:   cisco-nas-port     [2]   9   "0/0/1/1"
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port            [5]   6   16777217
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port-Id         [87]  9   "0/0/1/1"
    *Sep 21 13:59:05.380: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Sep 21 13:59:05.380: RADIUS:  NAS-IP-Address      [4]   6   172.20.2.55
    *Sep 21 13:59:05.380: RADIUS:  Unsupported         [151] 10
    *Sep 21 13:59:05.380: RADIUS:   44 36 34 41 36 36 31 33                         [D64A6613]
    *Sep 21 13:59:05.380: RADIUS:  Nas-Identifier      [32]  19  "ABN-3845.a-bb.net"
    *Sep 21 13:59:05.380: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Sep 21 13:59:09.804: RADIUS: acct-timeout for 2DC0CAF4 now 5, acct-jitter -1, acct-delay-time (at 2DC0CC30) now 4
    ABN-3845#
    ABN-3845#
    *Sep 21 13:59:32.708: RADIUS: COA  received from id 1 172.16.2.218:50186, CoA Request, len 49
    *Sep 21 13:59:32.708: COA: 172.16.2.218 request queued
    *Sep 21 13:59:32.708:  ++++++ CoA Attribute List ++++++
    *Sep 21 13:59:32.708: 65F0A840 0 00000009 string-session-id(337) 8 000000C3
    *Sep 21 13:59:32.708: 670B2A10 0 00000009 sub-policy-Out(345) 11 POLICE-TEST
    *Sep 21 13:59:32.708:
    *Sep 21 13:59:32.708: COA: No matching entry found
    *Sep 21 13:59:32.708: COA: Added Reply Message: No Matching Session
    *Sep 21 13:59:32.708: COA: Added NACK Error Cause: Session Context Not Found
    *Sep 21 13:59:32.708: COA: Sending NAK from port 3799 to 172.16.2.218/50186
    *Sep 21 13:59:32.708: RADIUS:  18  21  4E6F204D61746368696E672053657373696F6E
    *Sep 21 13:59:32.708: RADIUS:  101 6   000001F7
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ABN-3845#
    ===================A
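
The capture and debug output in the post above can be checked mechanically. This Python sketch is an added example, not code from the post or from Cisco: it decodes the two RADIUS payloads copied from the hex dumps, compares the Acct-Session-Id in the CoA-Request with the value the router logged in its own Accounting-Request, and runs the RFC 5176 Request Authenticator check on a copy signed with a constructed secret. Function names and the secret are assumptions, and the page does not confirm that the session-id difference is what the router rejected.

```python
import hashlib
import hmac
import struct

# UDP payloads of frame 1 (CoA-Request) and frame 2 (CoA-NAK), copied from the
# hex dumps in the post above.
COA_REQUEST = bytes.fromhex(
    "2b010031" "f8ce880960a402b9809f0c173c6c8530"
    "2c0a" "3030303030304333"
    "1a13" "00000009" "260d" "504f4c4943452d54455354"
)
COA_NAK = bytes.fromhex(
    "2d01002f" "8edb97b90c05e6ed7c1ce06688723520"
    "1215" "4e6f204d61746368696e672053657373696f6e"
    "6506" "000001f7"
)
# Acct-Session-Id the router itself sent in its Accounting-Request (debug radius).
NAS_ACCT_SESSION_ID = "0/0/1/1_000000C3"

ACCT_SESSION_ID, REPLY_MESSAGE, VENDOR_SPECIFIC, ERROR_CAUSE = 44, 18, 26, 101
CISCO_VENDOR_ID = 9


def _tlvs(buf, what):
    """Yield (type, value) for a run of type/length/value triples."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError(f"truncated {what} header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad {what} length {alen}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def parse_radius(pkt):
    """Decode the header and top-level attributes of one RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field does not fit the datagram")
    return {"code": code, "id": ident, "authenticator": pkt[4:20],
            "attrs": list(_tlvs(pkt[20:length], "attribute"))}


def coa_summary(pkt):
    """Pull out the fields that matter for CoA session matching."""
    parsed = parse_radius(pkt)
    out = {"code": parsed["code"], "session_id": None, "reply": None,
           "error_cause": None, "cisco": {}}
    for atype, value in parsed["attrs"]:
        if atype == ACCT_SESSION_ID:
            out["session_id"] = value.decode("ascii", "replace")
        elif atype == REPLY_MESSAGE:
            out["reply"] = value.decode("ascii", "replace")
        elif atype == ERROR_CAUSE and len(value) == 4:
            out["error_cause"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
                for sub, sval in _tlvs(value[4:], "vendor sub-attribute"):
                    out["cisco"][sub] = sval.decode("ascii", "replace")
    return out


def session_id_relation(coa_id, nas_id):
    """Classify how the CoA session id relates to the NAS accounting id."""
    if coa_id == nas_id:
        return "exact"
    if nas_id.endswith("_" + coa_id):
        return "suffix"   # NAS value carries a prefix the CoA value lacks
    return "different"


def request_authenticator(pkt, secret):
    """RFC 5176 section 2.3: MD5(code+id+length + 16 zero octets + attrs + secret)."""
    length = struct.unpack("!H", pkt[2:4])[0]
    return hashlib.md5(pkt[:4] + bytes(16) + pkt[20:length] + secret).digest()


def authenticator_ok(pkt, secret):
    return hmac.compare_digest(pkt[4:20], request_authenticator(pkt, secret))


def sign_request(pkt, secret):
    """Return pkt with its Request Authenticator recomputed for `secret`."""
    return pkt[:4] + request_authenticator(pkt, secret) + pkt[20:]


if __name__ == "__main__":
    req, nak = coa_summary(COA_REQUEST), coa_summary(COA_NAK)
    print("CoA-Request:", req)
    print("CoA-NAK:    ", nak)
    print("session id relation:",
          session_id_relation(req["session_id"], NAS_ACCT_SESSION_ID))
    signed = sign_request(COA_REQUEST, b"constructed-secret")  # not the page's key
    print("authenticator valid:", authenticator_ok(signed, b"constructed-secret"))
```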

  • Cisco 3845 Router, SSH, Secure HTTP & CS-MARS

    Hello,
    I have a 3845 router (Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)) on which I have configured SSH access through vty. The problem is that SSH access fails when I try to connect to it using Putty. It also fails to connect using ip http secure-server both from a browser & through CS-MARS (IOS IPS). All user names exist and are working fine with telnet.
    Does IOS 12.3 have issues with SSH * secure http?
    I get this error in MARS:
    "Error in INIT GET. Check the username/password"

    Hi -
    I searched all open/closed TAC cases for you with that error message - I found 1 similar case.
    Here's the results of their case:
    "we managed to fix the issue it was ip http authentication enable command (change to accept local usernames/passwords)."
    Can you review this and see if you need to tell SSH and HTTPs to use the local database?
    Please let us know.
    thxs
    peter

  • Configuring QoS on Cisco 3845 router for Polycom Video Conferencing

    Dear All,
    We have implemented a Polycom Video Conferencing solution at our Head Office. Using this we communicate with other branch offices through WAN (2mbps, MPLS).
    The problem is that this WAN link is also used for data. When the traffic is high on the link, the voice and the video quality goes down drastically and we experience connection drops.
    At the moment we have configured our Polycom box to communicate at 512kbps speed and we would like to reserve it in our WAN link. In case, video conferencing is not happening we would like it to be utilised by other traffic.
    Can we configure QoS on our Cisco 3845 router to do this? I'm not a Cisco expert and have pressures from Management to correct this before the next conference.
    I have already googled a fair bit but couldn't find something for me.
    Could someone please tell me the exact commands that need to be given on our router to achieve this.
    I'll be very thankful for this help.
    Best Regards.

    Hi,
    You can use something like the following to guarantee 5122k of bandwidth to your video-conferencing bandwidth but to allow that bandwidth to be used by other traffic when it is not being used for video-conferencing:
    class-map VDOConf
    match ip dscp af41
    policy-map WANPolicy
    class VDOConf
    bandwidth 512
    interface
    service-policy output WANPolicy
    Note that the above assumes that your video conferencing traffic is being marked to AF41. If that is not the case, you can always match on the IP address of your polycom device using an ACL:
    class-map VDOConf
    match access-group 101
    access-list 101 permit ip .....
    Hope that helps - pls rate the post if it does.
    Paresh

  • Setting up SSH on a 3845 router?

    Greetings everyone!
    Just curious, how does one set up SSH on a cisco 3845 router? Specifically, how does one generate the RSA keys?
    It seems to be missing the "generate" subcommand for crypto. When I type crypto key the only sub-commands are lock and unlock. I'm unfamiliar with this and don't want to mess around too much since it's a production box.
    I'm running c3845-spservicesk9-mz.124-11.T2.bin so I should have the ability, yes? Any guidance would be appreciated. I really would prefer not to use telnet.

    You have a k9 image, so it should support crypto commands. Are you sure you were in configuration mode?
    Try again. Here is a link for setting up SSH in IOS.
    http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
    way to do it is open two telnet sessions to the router, in one session be in the enable mode and leave the session opened. On the other telnet session work with the SSH configuration implementation. When finished do not save the config , exit the session and open a new session using ssh to ensure you can connect and login to the router via ssh... if for any reason fails you still have the other telnet session opened to undo the ssh changes or correct them.
    also for making sure your telnet sessions do not time out while working with configs permit yourself more time by entering exec-time out 60 <-- one hour for your vty lines.
    line vty 0 4
    exec-timeout 60
    you can also do the complete ssh implementation via console port as well.
    Regards
    PLS rate any helpful posts if it helps

  • 3845 Router do not work with NME-X23ES-1GP Interface card

    Need help!
    I am trying to install interface card NME-X 23ES-1GP on a 3845 router. I installed this card in slot 4, but the router could not communicate with this card.
    IOS version in Router 12.3
    Here is results show diag command:
    Slot 4:
    Unknown (type 1187) Port adapter
    Port adapter is disabled deactivated
    Port adapter insertion time unknown
    EEPROM contents at hardware discovery:
    Hardware Revision : 1.0
    Top Assy. Part Number : 800-25011-01
    Board Revision : A0
    Deviation Number : 0-0
    Fab Version : 03
    PCB Serial Number : FOC090009VC
    RMA Test History : 00
    RMA Number : 0-0-0-0
    RMA History : 00
    Product (FRU) Number : NME-X-23ES-1G-P
    Version Identifier : V01
    Base MAC Address : 0013.8088.9f80
    MAC Address block size : 128
    EEPROM format version 4
    EEPROM contents (hex):
    Possibly IOS release too old?

    Thank you for the link. I read all the information at this link, but I can't solve the problem.
    Commands "show version" and "show flash:" show me the IOS image file version on the router (but not on interface modules). Here is the router's IOS image:
    c3845-advipservicesk9-mz.123-11.T5.bin
    I can't connect to and open a session on the interface module. The command service-module interface slot/port session doesn't work.
    What should I do next?
    Is it necessary to upgrade the software on the router?
    Here are the results of show version and show flash:
    BIG1#show flash:
    -#- --length-- -----date/time------ path
    1 29801400 Jun 28 2005 04:47:46 +00:00 c3845-advipservicesk9-mz.123-11.T5.bin
    2 1651 Jun 28 2005 04:55:18 +00:00 sdmconfig-38xx.cfg
    3 3085312 Jun 28 2005 04:55:40 +00:00 sdm.tar
    4 763392 Jun 28 2005 04:55:56 +00:00 es.tar
    5 820224 Jun 28 2005 04:56:10 +00:00 common.tar
    6 1038 Jun 28 2005 04:56:24 +00:00 home.shtml
    7 113152 Jun 28 2005 04:56:36 +00:00 home.tar
    8 749101 Jun 28 2005 04:56:52 +00:00 256MB.sdf
    9 1208320 Jun 28 2005 04:57:08 +00:00 ips.tar
    27451392 bytes available (36560896 bytes used)
    BIG1#show version
    Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Sat 02-Apr-05 15:14 by yiyan
    ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
    BIG1 uptime is 57 minutes
    System returned to ROM by reload at 07:11:45 UTC Tue Jul 12 2005
    System image file is "flash:c3845-advipservicesk9-mz.123-11.T5.bin"
    Cisco 3845 (revision 1.0) with 223232K/38912K bytes of memory.
    Processor board ID FCZ0927714C
    2 Gigabit Ethernet interfaces
    1 Virtual Private Network (VPN) Module
    4 Voice FXS interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    479K bytes of NVRAM.
    62720K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102

  • VPN connection created with CMAK fails to update routing table on Windows 8.1 with error 8000ffff

    When my clients connect their CMAK-created VPN, it fails to run the script to set their routing table with the following error:
    Custom script (to update your routing table) failed (8000ffff)
    My objective is to create a VPN connection with split tunneling - does not use the VPN connection as the client's default gateway.
    All my clients are on Windows 8.1 64-bit, and are logged in with Administrative privileges
    My VPN Clients are on 10.242.2.0/24, my internal network is on 10.172.16.0/24
    I want only traffic for 10.172.16.0 to go via the VPN. Everything else should go via the client's internet connection
    My Connection Manager Administration Kit profile, was created on Windows 2012 R2 CMAK with the following settings:
    "Make this connection the client's default gateway" is UNticked on the IPv4 tab.
    Define a routing table update is specified with a text file containing:
    +++ Start of txt file +++
    REMOVE_GATEWAY
    add 10.172.16.0 mask 255.255.255.0 default metric default if default
    +++ End of txt file +++
    The txt file is saved in DOS/Windows format (not Unicode or UTF-8 which I've read causes problems)
    I've tried everything in lower and upper case in the txt file after reading that the file might be case sensitive
    The following appears on the client with logging enabled:
    [cmdial32] 10:42:34
    03 Pre-Init Event       CallingProcess = C:\WINDOWS\system32\rasautou.exe
    [cmdial32] 10:42:40
    04 Pre-Connect Event    ConnectionType = 1
    [cmdial32] 10:42:40
    06 Pre-Tunnel Event     UserName = UserName Domain =  DUNSetting = VPN (L2TP x64 NoGW) Tunnel DeviceName =  TunnelAddress = vpn.mydomain.tld
    [cmdial32] 10:42:43
    07 Connect Event
    [cmdial32] 10:42:43
    09 Custom Action Exe    ActionType = Connect Actions Description = (none) ActionPath = CMDL32.EXE. The program was launched successfully.
    [cmdial32] 10:42:43
    08 Custom Action Dll    ActionType = Connect Actions Description = to update your routing table ActionPath = C:\Users\UserName\AppData\Roaming\Microsoft\Network\Connections\Cm\VPN64\CMROUTE.DLL ReturnValue = 0x8000ffff
    [cmdial32] 10:42:43
    21 On-Error Event       ErrorCode = -2147418113 ErrorSource = to update your routing table
    [cmdial32] 10:42:43
    13 Disconnect Event     CallingProcess = C:\WINDOWS\system32\cmdial32.dll
    Where can I find out what error codes 8000ffff or -2147418113 mean?

    That was it. Thanks, Steven
    "By default, the dial-up entry and the VPN entry have Make this connection the default gateway selected.
    Leave this default in place, and remove any gateways by using the REMOVE_GATEWAY command in the routing table update file itself."
    It seems counter-intuitive to leave "Make this connection the default gateway" selected, when I specifically don't want that behaviour, but leaving it selected and using REMOVE_GATEWAY works for me.

  • Cisco cme paging security 3845 router password for paging access voip

    Hi,
    We have a Cisco 3845 router running CME. Ephones and ephone-dns are configured, and there is an ephone-dn configured for paging. The system and paging work fine. We want to set a password for those who make announcements. There are currently more than 30 extensions but we only want to give paging access to three users. How can we do this?
    Thank you

    Sure. Using the same (or similar) example:
    Extensions: 2XXX
    Primary Phone: 2025552000
    We can address the need with the following:
    voice translation-rule 10
    rule 1 /^2...$/ /2025552000/
    voice translation-profile cme-to-itsp
    translate calling 10
    dial-p v 100 voip
    description Example Egress Dial Peer to ITSP
    destination-patt
    translation-profile out cme-to-itsp
    HTH.
    -Bill (http://ucguerrila.com)

  • 3845 Router redundant power supply question

    Is it possible to swap out a bad redundant power supply on a 3845 router without powering down the router?

    The FAQ at this URL indicates that they ARE in fact hot-swappable.  Please review it here, under "System Power (AC/DC)".

  • How to delete routing history from MAPL table ?

    Hi,
    I have one typical case: one routing entry is available in the MAPL table but not in tables PLPO & PLKO. Now the user wants to change the UOM in MM, and the routing history is restricting him from changing it.
    I tried to delete the history with Tac: CA98 with the correct selection criteria and key date, but it says no task list exists. I also used CA99, but that didn't work either and says the same thing as above. In CA02 & CA03 it also does not show the data.
    I created one more routing for the same material and then deleted it with CA98. It worked and the entries were deleted from all three tables.
    Can anybody suggest how to delete history from MAPL table ?
    Thanks & regards
    Edited by: VINAY TAILOR on Jan 22, 2008 8:00 AM

    The solution is: there is no T code available for removing the history only from the MAPL table. In fact, it's a very strange case and we are also not able to find out how it happened.
    When we asked the user to repeat the procedure, everything worked well and the problem did not repeat.
    The only solution could be developing a special program which can remove the history. This is just for your information, and thanks for putting in your effort & time.
    I am rewarding points to you all for the same.
    Vinay.

  • 3825 and 3845 router duplex issue?

    We are currently having a new 10Mbps "LANLink" service installed in our office. Our WAN provider terminates in our comms room on a Lucent MUX, which then connects via RJ45 Ethernet to our Cisco 3825 router.
    Our provider has asked us to set our router to 10Mb/full duplex. However, when we do, the Gigabit Ethernet interface on our 3825 goes down. If I set the interface to autonegotiate, it resolves to 10/half. Traffic will run at 10/half, but with muchos collisions.
    We have exactly that same problem at the other end of the line, on a 3845 router. The router interface will only come up when running half duplex.
    The engineer has been in and proved to me that the Lucent MUX is running 10/full. We have also switched out the ethernet cables a number of times.
    We have stabilised the line somewhat by running all Lucent and Cisco equipment at half duplex. But surely there's a fix for this?
    The interface config is shown below. Can anyone tell me what the 'negotiate auto' line means - despite 'speed 10' and 'duplex half' commands elsewhere?
    interface GigabitEthernet0/1
     description **Colt LANLink - London City Office**
     ip address 192.168.254.246 255.255.255.252
     duplex half
     speed 10
     media-type rj45
     negotiation auto
     service-policy output llq
    Thanks
    Richard

    Hi Ankur -
    Thanks for posting.
    That's why I was confused - the 'negotiation auto' was already in the config when the router arrived. I don't see why it's even necessary: surely it's either 'duplex half/full/auto' and 'speed 10/100/1000/auto'? Why do Cisco need to provide another command for 'negotiation'?

  • 3845 router and ios 15.1(4)m9

    Who can tell me if it is needed to purchase a license for IOS 15.1(4)M9 which is going to be installed on cisco 3845 router?

    Dear Customer,
    Unfortunately, your question was raised in the wrong support forum.
    Cisco ServiceGrid is part of Software Enabled Services. We provide Integration Services.
    However, you can raise your question in the right forum: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
    Our hardware professionals will be happy to provide you any answer you need.
    thanks
    Patrick

  • Issues with 3845 Router

    I have a 3845 Router that my company just purchased. (1) Once I log in, it says the SDM is installed on it, but I can't enable SSH on it. (2) When I configured it via the console, it did prompt for the enable password, but since I took it to a region, it does not prompt for the enable password again; it simply takes me to enable mode with the username password. I configured the enable password as ********, but it does not prompt for it. Can anyone help me with these two issues? Thanks in advance.

    RICK,
    Thank you very much for your prompt response to my request. Please find below the reports of the various "shows" that I performed.
    Cisco IOS Software, 3800 Software (C3845-IPBASE-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 06-Nov-06 05:34 by alnguyen
    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
    ROUTER uptime is 22 hours, 33 minutes
    System returned to ROM by reload at 01:06:07 UTC Wed Mar 17 1993
    System restarted at 01:06:57 UTC Wed Mar 17 1993
    System image file is "flash:c3845-ipbase-mz.124-3g.bin"
    Cisco 3845 (revision 1.0) with 222208K/39936K bytes of memory.
    Processor board ID FCZ110471QE
    2 Gigabit Ethernet interfaces
    4 Serial interfaces
    4 Channelized E1/PRI ports
    DRAM configuration is 64 bits wide with parity enabled.
    479K bytes of NVRAM.
    62720K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102
    #show crypto key mypubkey rsa ?
    % Unrecognized command
    #show crypto key mypubkey rsa
    ^
    % Invalid input detected at '^' marker.
    #sh line vty 0 15
    Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
    * 450 450 VTY - - - - 23 2 0 0/0 -
    451 451 VTY - - - - 23 0 0 0/0 -
    452 452 VTY - - - - 23 0 0 0/0 -
    453 453 VTY - - - - 23 0 0 0/0 -
    454 454 VTY - - - - 23 0 0 0/0 -
    455 455 VTY - - - - 23 0 0 0/0 -
    456 456 VTY - - - - 23 0 0 0/0 -
    457 457 VTY - - - - 23 0 0 0/0 -
    458 458 VTY - - - - 23 0 0 0/0 -
    459 459 VTY - - - - 23 0 0 0/0 -
    460 460 VTY - - - - 23 0 0 0/0 -
    461 461 VTY - - - - 23 0 0 0/0 -
    462 462 VTY - - - - 23 0 0 0/0 -
    463 463 VTY - - - - 23 0 0 0/0 -
    464 464 VTY - - - - 23 0 0 0/0 -
    465 465 VTY - - - - 23 0 0 0/0 -

  • Redundant access from MPLS VPN to global routing table

    Several of our customers have MPLS VPNs deployed over our infrastructure. Some of them require access to the Internet (the global routing table in our case).
    As I'm not aware of any method to dynamically import/export routes between VRF and global routing tables, at the moment there are static routes configured - one inside the VRF pointing to a global next hop, another one in the global routing table pointing to an interface inside the VRF.
    The task is to configure redundant access to the Internet. By redundancy I mean using several exit points (primary and backup), which are physically separate boxes.
    Here comes the tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if the specific prefix is reachable in the VRF or not. What I'd like to achieve is that a specific static route becomes valid only if the specific prefix is reachable inside the VRF. Yeah, sounds like dynamic routing :), I know
    OK, hope you got the idea. Any solutions/recommendations? Running all Internet routing inside a VRF isn't an option, at least for now :(

    Hi Andris,
    I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
    dot1q will be ok as well.
    This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
    Example:
    PE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description customer VPN access
     ip vrf forwarding customer
     ip address 10.1.1.1 255.255.255.252
    interface Serial0/0.2 point-to-point
     description customer Internet access
     ip address 192.168.1.1 255.255.255.252
    router rip
     address-family ipv4 vrf customer
      version 2
      network 10.0.0.0
      no auto-summary
      redistribute bgp 65000 metric 5
    router bgp 65000
     neighbor 192.168.1.2 remote-as 65001
     address-family ipv4 vrf customer
      redistribute rip
    CE config:
    interface Serial0/0
     encapsulation frame-relay
    interface Serial0/0.1 point-to-point
     description VPN access
     ip address 10.1.1.2 255.255.255.252
    interface Serial0/0.2 point-to-point
     description Internet access
     ip address 192.168.1.2 255.255.255.252
    router bgp 65001
     neighbor 192.168.1.1 remote-as 65000
    router rip
     version 2
     network 10.0.0.0
     no auto-summary
    Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply required BGP filters for internet access... ;-)
    The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
    Regards
    Martin

  • ISCSI boot with Intel NICs added to windows 2008 r2 routing table causes non iscsi traffic to attempt default routes on iscsi networks

    I have a server with Intel 82576 Gigabit Dual Port Nics.  I have configured them to use iSCSI boot the primary looks to 10.0.0.1/24 and the secondary looks to 10.0.1.1/24.  The target is configured correctly.  Everything boots as expected.
    I have added the MPIO feature and configured MPIO for the iscsi initiator as per: http://blogs.technet.com/b/migreene/archive/2009/08/29/3277914.aspx.
    My issue is that the iSCSI networks show up in the routing table like so:
    I did not configure a default route in the Intel setup utility:
    I tried to explicitly remove the 0.0.0.0 entry and leave blank, with no change.  As you can see with the above routing table traffic attempts to travel over these routes:
    C:\Users\Administrator>ping google.com
    Pinging google.com [209.85.145.99] with 32 bytes of data:
    Reply from 10.0.0.201: Destination host unreachable.
    Reply from 10.0.1.201: Destination host unreachable.
    Reply from 209.85.145.99: bytes=32 time=23ms TTL=51
    Reply from 209.85.145.99: bytes=32 time=22ms TTL=51
    Ping statistics for 209.85.145.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    A ping to the outside world first attempts on 10.0.0.x/24 network, then on 10.0.1.x/24 network and then finally on the network the traffic should go over.  I don't want my iSCSI traffic to ever show up with a default route.  How do I get rid of it?
    route delete 0.0.0.0 mask 0.0.0.0 "on-link" results in: The route deletion failed: The parameter is incorrect.
    route delete 0.0.0.0 mask 0.0.0.0 on-link results in: The route deletion failed: The parameter is incorrect.
    route delete 0.0.0.0 deletes all default routes, then I have to add back in the "valid default route" of 192.168.100.6.
    I would like to not have to do a route delete though.

    So I've sort of given up on fixing the gateway assignment in the route for iSCSI boot.  I configured a DHCP server to give out the information required by iSCSI boot and configured the network cards to use DHCP for their configuration.  I ensured that my DHCP server gave out no default gateway entry.  However, I still got the undesired routes in the routing table.  This makes me assume that there isn't a "fix" for it, only the workaround.
    Here is the script I run on each iSCSI Boot initiator (you would obviously change the ip number to suit your environment):
    @Echo off
    Rem fixes iscsi route problem as shown below:
    Rem IPv4 Route Table
    REM ===========================================================================
    REM Active Routes:
    REM Network Destination Netmask Gateway Interface Metric
    REM 0.0.0.0 0.0.0.0 On-link 10.0.0.200 10255
    REM 0.0.0.0 0.0.0.0 On-link 10.0.1.200 266
    REM 0.0.0.0 0.0.0.0 192.168.100.6 192.168.100.98 266
    REM The top 2 lines are on the iscsi interface and traffic tries to go out it
    REM We need to delete the routes, so we'll just delete all gateway routes and
    REM add back in the one we care about.
    route delete 0.0.0.0 >c:\iscsibootroutefix.log
    route -p add 0.0.0.0 mask 0.0.0.0 192.168.100.6 >>c:\iscsibootroutefix.log
    After running it I get:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.100.6 192.168.100.98 11
    10.0.0.0 255.255.255.0 On-link 10.0.0.200 10255
    10.0.0.1 255.255.255.255 On-link 10.0.0.200 10255
    10.0.0.200 255.255.255.255 On-link 10.0.0.200 10255
    Then I added a task in “task scheduler” of "administrative tools"  that ran as the user “system” “when the computer starts” that runs this script.
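To confirm after each boot that the workaround above held, the route table can be checked for default routes that do not use the intended gateway. The following is an added example, not part of the original posts; the two tables are constructed from the route listings quoted in the thread, and the function names are illustrative.

```python
import ipaddress

# Constructed from the route tables quoted in the post above.
BEFORE = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 On-link 10.0.0.200 10255
0.0.0.0 0.0.0.0 On-link 10.0.1.200 266
0.0.0.0 0.0.0.0 192.168.100.6 192.168.100.98 266
"""
AFTER = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.6 192.168.100.98 11
10.0.0.0 255.255.255.0 On-link 10.0.0.200 10255
10.0.0.1 255.255.255.255 On-link 10.0.0.200 10255
10.0.0.200 255.255.255.255 On-link 10.0.0.200 10255
"""


def parse_routes(text):
    """Parse the five-column rows of a 'route print' IPv4 table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headings and separators
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}")
            ipaddress.ip_address(iface)
            metric = int(metric)
        except ValueError:
            continue  # not a route row
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": metric})
    return routes


def audit_default_routes(text, expected_gateway):
    """Report default routes that use anything other than the expected gateway."""
    defaults = [r for r in parse_routes(text) if r["network"].prefixlen == 0]
    stray = [(r["interface"], r["gateway"], r["metric"])
             for r in defaults if r["gateway"] != expected_gateway]
    present = any(r["gateway"] == expected_gateway for r in defaults)
    return {"expected_present": present, "stray": stray}


if __name__ == "__main__":
    print(audit_default_routes(BEFORE, "192.168.100.6"))
    print(audit_default_routes(AFTER, "192.168.100.6"))
```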
