3945 Router Issue between WAAS Module and IOS Firewall

I have a new 3945 router with a SM-SRE-900 module for WAAS. The 3945 also has IP inspection configured. When IP inspection and WCCP redirection are running at the same time, user connections to the data center were all lost. With just IP inspection or WCCP redirection, but not both, user connections were good.
I'm feeling the problem is that IP inspection is not WAAS aware. I tried "ip inspect waas enable", but the command was not available. The 3945 router, SM-SRE module, and the IOS code are all the newest versions. So I was wondering if anyone has seen similar issues and has experience of enabling WAAS through IP inspection on those new products.
Here is the configuration info:
3945 G2 ISR: IOS 15.1(1)T1;
SM-SRE-900: WAAS 4.2.3 build7;
3945 LAN interface: ip inspection in and ip wccp 61 redirect in
3945 WAN interface: ip wccp 62 redirect in
3945 SM 1/0 interface: internal connection to SM-SRE module
Between 3945 and SM-SRE module: WCCP GRE redirection and IP Forwarding return.
If you are aware of any 15.1(1)T1 bugs that may be related, please let me know too.
Thanks for any help.

Hi,
   This is in general for IOS / ISR. On CCO we have a very good document for ZBFW and WAAS integration, see below
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1118498
If you still need to run CBAC, then the recommended solution in my first post should work for you.
If the router is in the middle of a TCP optimization path, then depending upon the optimization product you need to configure the firewall feature like any other firewall. For Cisco WAAS we have "ip inspect WAAS enable".
Hope this has answered your question. Thanks.
Ahsan Khan

Similar Messages

  • Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

    We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
    We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

    Hi,
    So you have N7k acting as L3 with servers connected to 4510?.
    Do you see the MAC associated with the failing ARP in the 4510? Is it happening with all or a few servers? Just to verify if it is a connectivity issue between N7k and 4510, you can configure an SVI on the 4510 and assign an address from the same range (server/core range) and perform a ping.
    This will help narrow down if issue is between server to 4510 or 4510 to N7k.
    Thanks,
    Nagendra

  • Routing issue between Cisco device and Virtual machine

    Hi Guys,
    We have two local subnets in a virtualized environment. Subnet 1 has a VM operating as a firewall; we would like all traffic for subnet 2 to go via the VM on subnet 1, which will police traffic on subnet 2 and then reroute it.
    The infrastructure involved comprises,
    Internet Edge Switch -> ASA -> Core Switch -> IBM Flex chassis
    The Internet edge switch is directly connected between the ISP routers and the Cisco ASA firewall pair (A/S). The ASA is then connected to the Core switch. Connected from the core switch is an IBM Flex chassis, via a port channel (all vlans allowed)
    The local subnets in question are as follows:
    Vlan 101 (10.1.1.0/24)
    Vlan 102 (10.2.1.0/24)
    The VM in question has two NIC cards having IP address of both subnets.
    NIC 1:  10.1.1.1
    NIC 2: 10.2.1.1
    We would like packets destined for 10.2.1.1 to land on 10.1.1.1 IP address. At the moment traffic for each vlan routes from the outside to their respective local subnets successfully, what we are having difficulty with is directing traffic for subnet 2 via subnet 1 VM firewall.
    At the moment we have tried adding a static route on the core switch but it didn’t work
    ip route 10.2.0.0 255.255.255.0 10.1.1.1
    I will appreciate if you could share your knowledge and guide me how to achieve this goal.
    Thanks in advance :-)

    Hi,
    I think for this to work you need a transit vlan between the VMs and the core switch. So, if you have 2 vlans on the VM (101 and 102) you use the VM switch to route between the vlans, and in order to go outside the local vlans you would use the core switch. In this scenario you would not have an SVI (layer-3) interface on the core. The only thing that the core will have is the layer-2 vlans (101 and 102). You would then need a static route on the core switch to point to the transit vlan on the VM side.
    so, for example, if the transit vlan is vlan 110 and the ip is 192.168.1.0/24
    on the core you have static routes:
    ip route 10.1.1.0/24 192.168.1.2 (VM side)
    ip route 10.1.2.0/24 192.168.1.2 (VM side)
    You also need an SVI for vlan 110 with ip address 192.168.1.1/24 on the core.
    on the VM you need a default route to point to the core (192.168.1.1).
    Is this what you are trying to do?
    HTH

  • Interworking between WCCP and IOS firewall on ISR and ASR routers?

    I ran into a problem last year when running WAAS WCCP and IOS firewall IP inspection on the same 3945 router. They couldn't function at the same time. Cisco indicated that router IOS firewall and WCCP were compatible only when IOS zone-based policy configuration was used. Back then I was using IOS 15.1(1)T1 on the 3945 router and WAAS was version 4.2.3.
    I now have some sites with 2921, 3945, and ASR1002 routers that need to run both IOS firewall and WCCP for WAAS. Now with newer IOS releases, does the IOS firewall still have to be zone-based policy configuration? Because the classic IOS firewall is easier to configure for WAAS, just the "ip inspect waas enable" command, I'd prefer the easier configuration.
    What about ASR1002 router IOS firewall with WCCP? I have never implemented that before. I was trying to find some deployment examples or configuration guides from Cisco, but was not able to.
    Thanks for any help.
    Gary

    I'm assuming you placed service group 61 and 62 on the router LAN, WAN inbound directions. Did you apply inspection to LAN to WAN direction or WAN to LAN direction?
    Did you also use WCCP and IOS firewall on ASR routers?
    Thanks a lot

  • Score Issues between Captivate 4 and 5

    Hi Everyone,
    We are noticing an issue between Captivate 4 and 5 and we can't seem to figure out what is going on, this issue is with Captivate modules that have no quiz and the completion status is based only on a % of slide views.  We publish as SCORM with complete/incomplete and report percent.
    With these types of modules created in Captivate 4, the LMS would record a completion and a N/A score.  Now, for those created in Captivate 5, the LMS receives a 0% score and the completion.  Our end users are really confused as to why they see a 0%.  Any ideas on what may be causing this?  The LMS is Taleo Learn, formerly Learn.com's LearnCenter.
    Any assistance would be greatly appreciated.
    Thanks,
    Connor

    If you can't download any old versions by logging into your account then clearly these have been discontinued.  Your best bet is ask somebody to lend you their CD/DVD which you can copy for your safe keeping.
    Old products are always discontinued and that is why you should always buy them on a CD/DVD so that they can be installed whenever you have a new system or you have a system crash.
    Good luck.

  • Configure port channel between IO Module and FI

    Hi,
    I have the current setup
    UCS chassis (4 uplinks) --> FI --> (Port channel) --> N5K --> (port channel) --> VSS 6500
    I configured the port channel between the IO Module and the FI by changing the policy to "Port Channel" and setting the links to 4.
    FI has created a portchannel under "Internal" containing all the FI interfaces that are connected to the IO module.
    I have installed ESXi on a blade but I was unable to reach it; even the ESXi host was unable to ping the gateway.
    VLAN tagging is enabled from the ESX server.
    I have issued the command "show mac address-table | inc <mac address of the vnic assigned from the service profile>" on both the N5K and the 6500 and the mac is there.
    I have allowed all the vlans on the vNIC from the service profile.
    Am I missing anything?
    thanks

    Hello,
    Can you please check whether your ESXi vmkernel interface IP address is learned on the right VLAN on the FI / upstream switch or not.
    connect nxos
    show mac-address-table | inc 
    Padma

  • My 1st Generation time capsule won't connect to the internet thru a new motorola sb6121 - get continuously flashing yellow light. Using a router in between the modem and capsule yields good but slower connection to internet. Any thoughts?


    Thanks for your response
    Let me give the history - I started with an Apple Express being fed thru a D-Link EBTR 2310 cable router from an RCA DCM315 modem (pure). Comcast service all the way.
    Got the 1st generation TC in 2008 and merely replaced the Airport Express with the TC. Worked ok
    A year or two ago I did try removing the modem and feeding the TC directly from the modem. Resulted in the same condition I have now - Continuous flashing amber on the TC. So I put the router back in the chain.
    Some time later, at the recommendation of a Comcast rep, I replaced the router with (a Belkin F5D 5231) to see if speed and dropout problems would be improved. I thought it helped some at the time but now I am not so sure.
    Last week I decided to see if a new modem would help with download speeds. So I got another pure cable modem (Motorola SB 6121- high on the Comcast recommended list).
    Got up and running easily with Comcast help and with the modem connected directly to a computer.
    Next I put the TC in the link and again could not get past the TC continuing to flash amber. Although I did get connected to the internet with this configuration, I lost connection to both of my printers - one connected by USB and the other wirelessly to the TC. Again everything works fine when I put the Belkin router back in the system.
    However with the router in there, the modem shows the downstream connection to be 10/100 ethernet speed. (Modem light changes color for indicating speeds.)
    I have gone thru all of the combinations of powering down/ up, but all stays the same.
    I can live with what I have but something still doesn’t seem right.
    Thanks again

  • After mail was moved to iCloud on jan 1, my mail app emails received have 23 lines of "routing info" between the address and the message. How can I get rid of this info?

    After my mail was moved to iCloud, my mail app emails received have 23 lines of "routing data" between the address and the message. How can I get rid of this "data"?

    Found the answer at Mail > Preferences > Viewing > Show header detail. Changed it to Default.

  • Firewall between WAAS 7341s and Central Manager.

    Is there a white paper that describes having a firewall between a Central Manager and the WAAS devices it is managing? I need to know all the ports and protocols that need to be allowed through the firewall. - Thanks

    Hi Jeff,
    I am searching for a white paper for you, but you need the following ports bi-directionally open between the WAAS CM and WAAS devices for them to communicate with each other.
    1. TCP 8443
    2. TCP 443
    3. UDP 4050 - if you are using directed mode.
    4. TCP 22 and 23  - If you plan to use SSH / Telnet for management.
    Regards,
    PS: If this answers your question, please mark this as Answered.

  • Difference between ACE module and ACE appliance

    Hi All,
    Can someone help me understand the difference between the ACE module and the ACE appliance? I am observing that the ACE module provides more throughput compared to the ACE appliance. Is the only advantage we are getting the contexts ....
    Thanks in advance,
    Narayana Mallidi

    Hi Narayan,
    Apart from providing throughput, ACE module has more to offer ,
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_ACE_Resource_Limits
    The above link will provide a comparison of the ACE module and ACE appliance in terms of scalability. Apart from that, legacy modules won't support compression, but the ACE 30 module can support compression.
    The major advantage of the ACE 30 module is with respect to SSL throughput, SSL TPS, L4 & L7 CPS, & Concurrent Connections per second, apart from the increased contexts.
    ACE 4710 Data Sheet :
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html
    ACE20 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html
    ACE 30 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/data_sheet_c78_632383.html
    Regards
    Abijith

  • Diff between Function Module and subroutine

    sir,
      Explain the difference between Function Module and Subroutine.

    Hi Sandeep,
    Subroutines:
       Subroutines are procedures that you can define in any ABAP program and also call from any program. Subroutines are normally called internally, that is, they contain sections of code or algorithms that are used frequently locally. If you want a function to be reusable throughout the system, use a function module.
    Function Modules:
    Function modules are procedures that are defined in function groups (special ABAP programs with type F) and can be called from any ABAP program. Function groups act as containers for function modules that logically belong together. You create function groups and function modules in the ABAP Workbench using the Function Builder.
    Function modules allow you to encapsulate and reuse global functions in the R/3 System. They are stored in a central library.
    Unlike subroutines, you do not define function modules in the source code of your program. Instead, you use the Function Builder.
    Regards,
    Sunil

  • "permit tcp any any established" and IOS Firewall

    Guys, I need some clarification here. I have already asked a couple of TAC guys but they either did not know the answer right away or they wanted to send me to another team who might answer it...
    I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
    ip inspect name IOS_Firewall tcp
    ip inspect name IOS_Firewall udp
    ip inspect name IOS_Firewall icmp
    interface FastEthernet4
    ip address dhcp
    ip access-group 161 in
    ip nat outside
    ip inspect IOS_Firewall out
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map mymap
    access-list 161 permit udp any any eq ntp
    access-list 161 permit udp any any eq bootpc
    access-list 161 permit tcp any any established
    access-list 161 permit icmp any any
    access-list 161 permit esp any any
    access-list 161 permit gre any any
    access-list 161 permit udp any any eq isakmp
    access-list 161 permit udp any any eq non500-isakmp
    access-list 161 permit udp any eq non500-isakmp any
    access-list 161 permit udp any eq isakmp any
    access-list 161 permit udp any eq domain any
    access-list 161 permit tcp any any eq telnet
    access-list 161 permit tcp any any eq 1723
    access-list 161 permit tcp any any eq 4500
    access-list 161 permit tcp any any eq 5000
    access-list 161 permit tcp any any eq 5500
    access-list 161 deny   ip any any log
    My question is, is the statement "access-list 161 permit tcp any any established"  required since I already have the IOS Firewall feature turned on?
    Thank you

    No you do not need it with CBAC's TCP inspection enabled.
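    The reasoning behind this answer, as an added example that is not part of the original thread: a small Python model contrasting the stateless "established" ACL keyword (matches any TCP segment with ACK or RST set, with no memory of sessions) against CBAC-style inspection, which opens a return path only for sessions it saw leaving. Host names, addresses and the traffic sample are constructed, and NAT on the interface is ignored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed TCP segment header: 4-tuple plus the flags that matter here."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def established_acl_permits(pkt: Packet) -> bool:
    """IOS 'permit tcp any any established': match if ACK or RST is set. No state."""
    return pkt.ack or pkt.rst


class CbacInspector:
    """Minimal model of 'ip inspect ... tcp' applied outbound on the WAN
    interface: each outbound session is recorded, and inbound TCP is
    permitted only when it is the mirror image of a recorded session."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        # Inspection in the 'out' direction creates the session entry.
        self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_permits(self, pkt: Packet) -> bool:
        # Return traffic must match the reversed 4-tuple of a known session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def evaluate(outbound: list[Packet], inbound: list[Packet]) -> list[tuple[bool, bool]]:
    """For each inbound segment return (established_acl_verdict, cbac_verdict)."""
    cbac = CbacInspector()
    for p in outbound:
        cbac.outbound(p)
    return [(established_acl_permits(p), cbac.inbound_permits(p)) for p in inbound]


# Constructed sample: one web session leaving the LAN, then two inbound
# segments: the genuine reply, and an ACK-flagged segment with no session.
LAN_HOST = "192.168.1.20"
WEB_SERVER = "203.0.113.10"
OUTBOUND = [Packet(LAN_HOST, 51000, WEB_SERVER, 80, syn=True)]
INBOUND = [
    Packet(WEB_SERVER, 80, LAN_HOST, 51000, syn=True, ack=True),  # reply to our SYN
    Packet("198.51.100.7", 4444, LAN_HOST, 3389, ack=True),        # no matching session
]
RESULTS = evaluate(OUTBOUND, INBOUND)

if __name__ == "__main__":
    for pkt, (acl_ok, cbac_ok) in zip(INBOUND, RESULTS):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  established={acl_ok}  cbac={cbac_ok}")
```

    Both mechanisms admit the real reply, but only the ACL line also admits the unsolicited ACK-flagged segment, which is why the stateful inspection makes it redundant.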

  • Routing issue between two satellites sites and one central hub

    Hi,
    I have 3 AD sites with one Exchange 2010 hub, CAS, and mailbox server on each site.
    One of these sites (site A) is the central hub and the two other sites (B and C) are two satellites of site A.
    There is no connectivity between sites B and C, only connectivity between A and B, and A and C.
    When I send a mail from site B to site C, Exchange tries to deliver the mail directly to site C and doesn't pass through site A to deliver to site C; some mail stays in the queue in site B, and the queue is in retry.
    I flagged site A as a hub site.
    Site topology is correct and the cost too.
    Can someone help me?
    Thanks

    What are your AD costs between A, B and C?
    In Exchange 2010, each message recipient is always associated with only one Active Directory site, and there is only one least-cost routing path from the source Active Directory site to the destination Active Directory site. If the least-cost routing path to the primary site contains any hub sites, the message must be routed through the hub sites.

  • Routing Issue between router and Access Server

    Hi,
    We have a Lucent MAX TNT access server, running TAOS version 9.0.9. I have configured the default route so that all dialup user traffic is diverted towards the Cisco 2611 series router, but this only happens with the IP subnets configured on the MAX TNT and Cisco router Ethernet interfaces.
    We need a solution in which dial-up users on the MAX TNT with IPs from any network can be routed towards the Cisco router in order to reach the internet cloud across the router.

    Muhammad
    Your message states that you have configured the access server with a default route pointing to the 2611 router. But it does not say whether you have configured a route on the 2611 pointing to the access server for the address range used by the dial pool which the access server uses to assign addresses to dial up users. I suspect this is your problem. I believe that the 2611 needs a route to that address space and that the 2611 needs to advertise that address range if there are any other routers in your network.
    HTH
    Rick

  • Connectivity issues between Cisco 2901 and Cisco SG300-52

    Hello,
    I am having some serious connectivity issues between the hosts in my LAN.
    My LAN is based on a Cisco 2901 router and a Cisco SG300-52 port switch.
    The issue that has been happening is that connections between hosts on the LAN (remote desktop, extended ping, etc) is very unstable, at some point I can see a 35% lost packets on an extended ping. This happens at any time of the day and from any host.
    All hosts are on the same VLAN (default VLAN) and on the same subnet. Some hosts have fixed IP addresses (servers and network equipment) and others obtain their IP address through a DHCP reservation established on the router (reserved with the MAC address of every host).
    I can provide further details if needed, because this issue is very serious and I would really appreciate any insight or support.
    Many thanks in advance.
    Sair Amer
    EDIT:  After doing every test we could think of, we finally found the reason behind this problem.
    It turns out that the switch has problems handling communications between clients at different speeds, because most of the hosts connected were working at 100 Mbps but the servers were working at 1000 Mbps (and the communication between host and servers wasn't stable).
    After manually setting the speed on all ports to 100 Mbps the problems have stopped.
    Many thanks for your help on this issue.

    Building configuration...
    Current configuration : 4123 bytes
    ! Last configuration change at 12:06:16 PCTime Sat Jul 19 2014 by ccp
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Foninsa
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 $1$BDbJ$HN3VP8nmywrGB55RCxPd30
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local 
    aaa session-id common
    clock timezone PCTime -4 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
    no ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.151 192.168.1.255
    ip dhcp pool FONINSA
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1 
     dns-server 8.8.8.8 8.8.4.4 
    ip dhcp pool Laptop-Sporta-Wifi
     host 192.168.1.10 255.255.255.0
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-213585710
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-213585710
     revocation-check none
     rsakeypair TP-self-signed-213585710
    crypto pki certificate chain TP-self-signed-213585710
     certificate self-signed 01
      30820229 30820192
      quit
    license udi pid CISCO2901/K9 sn
    license boot module c2900 technology-package securityk9
    username ccp privilege 15 password
    redundancy
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 190.196.21.98 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    no ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 192.168.1.3 21 190.196.21.98 21 extendable
    ip nat inside source static tcp 192.168.1.3 80 190.196.21.98 80 extendable
    ip nat inside source static udp 192.168.1.8 1194 190.196.21.98 1194 extendable
    ip nat inside source static tcp 192.168.1.4 3389 190.196.21.98 3389 extendable
    ip nat inside source static tcp 192.168.1.9 3389 190.196.21.98 10000 extendable
    ip nat inside source static tcp 192.168.1.3 3389 190.196.21.98 20000 extendable
    ip route 0.0.0.0 0.0.0.0 190.196.21.97
    access-list 1 permit 192.168.1.0 0.0.0.255
    control-plane
    line con 0
     password $
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 5
     access-class 23 in
     privilege level 15
     password #
     transport input telnet ssh
    no scheduler allocate
    end
