5505 stops passing traffic with 9.1.3

I have a 5505 setup in my home office.  It generally works well but I noticed when I upgraded it to 9.1.2.8 it would stop passing traffic after a few days.  I figured this was just the interim release blues and waited until 9.1.3 came out.  However, with 9.1.3 the problem is even worse.  I'm actually not exactly sure what's going on.  Here's what I've noticed:
I get a lot of DNS connections with the "h" flag (H.225 traffic) set.  This seems like it might have some relation to the problem:
UDP outside  216.218.130.2:53 inside  192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
I also get these in 9.1.2 (which works fine), but far fewer.  When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.
When traffic stops passing, the ASA itself can no longer get to the Internet.  I can't ping my Comcast router (actually in my office, L2 adjacent to ASA).  I also have some SLA probes going to the Internet which fail.  If I do a clear conn all, then everything starts working again for a while.  The BTF (dynamic-filter) feature seems to make it worse.  If I remove it (remove dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:
policy-map global_policy
class inspection_default
  inspect dns dns-ipm dynamic-filter-snoop
What's really strange, is even if I remove all service-policy commands, I still get connections with the "h" flag.  I don't believe that should be possible so perhaps a bug?
Ideas?

I have a 5505 setup in my home office.  It generally works well but I noticed when I upgraded it to 9.1.2.8 it would stop passing traffic after a few days.  I figured this was just the interim release blues and waited until 9.1.3 came out.  However, with 9.1.3 the problem is even worse.  I'm actually not exactly sure what's going on.  Here's what I've noticed:
I get a lot of DNS connections with the "h" flag (H.225 traffic) set.  This seems like it might have some relation to the problem:
UDP outside  216.218.130.2:53 inside  192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
I also get these in 9.1.2 (which works fine), but far fewer.  When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.
When traffic stops passing, the ASA itself can no longer get to the Internet.  I can't ping my Comcast router (actually in my office, L2 adjacent to ASA).  I also have some SLA probes going to the Internet which fail.  If I do a clear conn all, then everything starts working again for a while.  The BTF (dynamic-filter) feature seems to make it worse.  If I remove it (remove dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:
policy-map global_policy
class inspection_default
  inspect dns dns-ipm dynamic-filter-snoop
What's really strange, is even if I remove all service-policy commands, I still get connections with the "h" flag.  I don't believe that should be possible so perhaps a bug?
Ideas?

Similar Messages

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occures. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a simmilar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on 3750E switch running 12.2.(58)SE

  • Wifi stops passing traffic on original ipad and ipad 2 running ios 5.0.1

    I actually just started having this issue with my Original iPad and my iPad 2. From what I'm seeing is not a loss of signal but a loss of connectivity, they just stop passing traffic. When this is happening its sometimes to both iPads but not always. And both our iPhones do not experience the issue while the iPads are having the problem. (all devices running ios 5 and connected to the same AP). Wired devices also do not have any issues wile this is happening to the iPads.
    What I have tried so far:
    1. Changing Channels on the AP to a less congested channel (didn't help)
    2. Shutting wifi off on ipad, then turning back on, solves issue for a random amount of time, then it happens again
    3. Rebooting ipad, sometimes does not help at all until you turn off the radio on the ipad, then back on
    I was ready to get a new router/ap but after reading some other comments, this may be an issue with other people.

    I have exactly the same issue on my brand new iPad2 running iOS5.
    I have also changed the channel, tried different settings, etc. to no avail.
    It tends to happen when streaming video - Skype, YouTube. Also during movie downloads.
    My pc does not have this problem.
    We're you able to find a reliable solution?
    Thanks!

  • Fiber link fails to pass traffic.

    Hello,
    I am a Systems Engineer working with a Cisco Channel Partner.
    A client of ours has a fiber backbone between two buildings on their campus.
    The fiber terminates on a Catalyst 6509 (at the data centre) and a Catalyst 3750 at the other end. Users at the far-end connect to servers located at the data center over this fiber.
    This connection has been working fine for the past 2 years, until a recent problem came up.
    For two weeks now, the usual occurrence is for the fiber link to stop passing traffic while working until the 3750 is rebooted or the fiber connectors removed from the SFP port and replugged.
    Meanwhile, the interface and line protocol remain UP on both switches during this abnormal behaviour. There are also no log messages occurring. Everything look fine on both switches. They just wouldnt pass traffic. The problem occurs about twice each day.
    It's difficult diagnosing the problem now. I need help pls.
    Regards,
    Felix

    I would do a few things:
    1. Scope and clean the fiber
    2. Measure all TX and RX levels with a power meter
    3. Perhaps replace the SFPs

  • Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

    hello,
    i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
    FYI the asa's are different versions, one is 9.2 the other is 8.2
    Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
    Site A running config:
    Result of the command: "sh run"
    : Saved
    ASA Version 8.2(2)
    hostname csol-asa
    enable password WI19w3dXj6ANP8c6 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.1.0 san_antonio_inside
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 1.1.1.1 255.255.255.248
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server 24.93.41.125
     name-server 24.93.41.126
    object-group network NETWORK_OBJ_192.168.2.0_24
    access-list inside_access_out extended permit ip any any
    access-list outside_access_out extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in_1 extended permit icmp any interface outside
    access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
    access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
    access-list outside_access_in_1 extended permit udp any interface outside eq 8100
    access-list outside_access_in_1 extended permit udp any interface outside eq 1025
    access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
    access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
    access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
    access-list outside_access_in_1 extended permit tcp any interface outside eq www
    access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
    access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
    access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 2 interface
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
    static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
    static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
    static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
    static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
    static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
    static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
    access-group inside_access_out out interface inside
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 2.2.2.2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map1 1 match address outside_1_cryptomap_1
    crypto map outside_map1 1 set peer 2.2.2.2
    crypto map outside_map1 1 set transform-set ESP-3DES-SHA
    crypto map outside_map1 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.30-192.168.2.155 inside
    dhcpd dns 24.93.41.125 24.93.41.126 interface inside
    dhcpd domain corporatesolutionsfw.local interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy DfltGrpPolicy attributes
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *****
    prompt hostname context
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:021cf43a4211a99232849372c380dda2
    : end
    Site A sh crypto isakmp sa:
    Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 2.2.2.2
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Site A sh ipsec sa:
    Result of the command: "sh ipsec sa"
    interface: outside
        Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
          access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
          current_peer: 2.2.2.2
          #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
          #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C1074C40
          current inbound spi : B21273A9
        inbound esp sas:
          spi: 0xB21273A9 (2987553705)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1691648, crypto-map: outside_map1
             sa timing: remaining key lifetime (kB/sec): (3914989/27694)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xC1074C40 (3238480960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 1691648, crypto-map: outside_map1
             sa timing: remaining key lifetime (kB/sec): (3914999/27694)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    Site B running config:
    Result of the command: "sh run"
    : Saved
    : Serial Number: JMX184640WY
    : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    ASA Version 9.2(2)4
    hostname CSOLSAASA
    enable password WI19w3dXj6ANP8c6 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 2.2.2.2 255.255.255.248
    ftp mode passive
    object network NETWORK_OBJ_192.168.1.0_24
     subnet 192.168.1.0 255.255.255.0
    object network mcallen_network
     subnet 192.168.2.0 255.255.255.0
    access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
    access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-731-101.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto map outside_map3 1 match address outside_cryptomap
    crypto map outside_map3 1 set peer 1.1.1.1
    crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map3 interface outside
    crypto ca trustpool policy
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh stricthostkeycheck
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.200-192.168.1.250 inside
    dhcpd dns 24.93.41.125 24.93.41.126 interface inside
    dhcpd domain CSOLSA.LOCAL interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     anyconnect-essentials
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
    : end
    Site B sh crypto isakmp sa:
    Result of the command: "sh crypto isakmp sa"
    IKEv1 SAs:
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 1.1.1.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    There are no IKEv2 SAs
    Site B sh ipsec sa:
    Result of the command: "sh ipsec sa"
    interface: outside
        Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
          access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
          current_peer: 1.1.1.1
          #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
          #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: B21273A9
          current inbound spi : C1074C40
        inbound esp sas:
          spi: 0xC1074C40 (3238480960)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 28672, crypto-map: outside_map3
             sa timing: remaining key lifetime (kB/sec): (4373999/27456)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000003
        outbound esp sas:
          spi: 0xB21273A9 (2987553705)
             transform: esp-3des esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 28672, crypto-map: outside_map3
             sa timing: remaining key lifetime (kB/sec): (4373987/27456)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Hi Keegan,
    Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
    I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
    HTH
    "Please rate useful posts"

  • Stop DHCP traffic from passing across interfaces

    I'm having an issue with dhcp traffic passing across my cisco ASA 5510 interfaces.
    Example of setup
    Company 1 connected to interface 1 has its own dhcp server
    Company 2 connected to interface 2 has its own dhcp server.
    Some users are getting there ip address from the other companys dhcp server. The 2 companys should pass traffic to each other but not dhcp.
    Is there anyway to stop dhcp traffic from crossing interfaces
    Shane

    usually have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
    To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
    * Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
    * Incoming packets from any address to 255.255.255.255
    * Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
    where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients
    An example in an ASA would similar to the following.
    For blocking client:
    access-list TEST extended deny udp any any eq bootpc
    For blocking server:
    or access-list TEST extended deny udp any any eq bootps
    Hope that helps.

  • Cisco ASA 5520s in Cluster Outside interface stops sending traffic

    Hi,
    We are running a Pair of ASA 5520s in active/standby mode.  In the last couple days the active device will just stop communicating on the outside interface.  Because the rest of the interfaces are still up,  it will not fail over, so we have to fail it manually.  The secondary unit works and passes traffic correctly.  We then reboot the Primary. 
    Then after some undetermined time,  it happens again and we have to manually fail it the other way,  reboot the affected ASA and wait for it to happen again.
    We have a case with TAC but they have not been able to figure this one out.  Has anyone else seen this behavior?
    This is the version info:
    Cisco Adaptive Security Appliance Software Version 8.4(7)
    Device Manager Version 7.3(1)100
    Thanks

    Hi,
    There are various possibilities on the ASA device which might be causing this issue:-
    1) Block depletion
    2) Memory depletion
    Other things might be related to the external ISP as well.
    Can we collect some outputs from the ASA device at the time when the issue is seen on the ASA device.
    If you can share the output , i can have a look at it otherwise you can open a TAC case.
    Thanks and Regards,
    Vibhor Amrodia

  • Ethernet not able pass traffic after Mountain Lion upgrade.

    I used the ethernet on my display to download Mountain Lion. Ran the install, rebooted, now nothing. Wifi works fine from my connected MBP15. The display adapter shows connected, but doesn't get a DHCP IP. If I set one manually, it doesn't pass traffic. Any updates I've missed? What else could it be?

    Hi
    Thanks for your replies. It isn't a gmail account - it's a domain account hosted by Domainmonster. Also my iCloud email is now intermittent :(
    I've checked the SSL settings/authentication settings and everything is as it should be according to the email provider.  It's frustrating as it was working fine for exactly a week following the upgrade and then just stopped sending mail. Also, the intermittent nature of the problem on the iCloud account now suggests to me at least that this is a problem that isn't the users fault?
    I've downloaded thunderbird and all my accounts are working perfectly through that so for the time being at least I'm staying with the upgrade and hoping that a future apple update might address the issue. From the reading around I've done this seems to be a problem some people are having that tends to be intermittent in nature and resolved temporarily but not completely at the users end of things.
    I've given up for now thanks to the fact that Thunderbird is working and I can still access my accounts on my iPhone. Very frustrating though when things don't make sense :) I mean, if it was going to stop working I would expect it to have stopped when I upgraded - not functioned fine for a while afterwards and then just literally send a mail one minute and refuse to send the next five minutes later. Also with my new problem today of Mail and my .me account - randomly sending mail when it feels like it and stacking mails up in the outbox the next - just doesn't make sense to me :)
    If anyone does figure out what's going on I'd be grateful for any ideas/suggestions.  Seems weird that all the email accounts function fine through thunderbird but not Mail. So far anyway :)

  • L2L tunnel up, not passing traffic...all of a sudden

    I've had a tunnel in place on a 5505 to a remote network i don't control...so my troubleshooting there is limited.  But the tunnel has been in place for over a year without issue.  Suddenly it doesn't appear to be passing traffic.  But it is in at least one direction.  
    Remote network:192.168.191.0/24
    Local ASA side: 10.220.78.0/24
    I had a constant ping started from 192.168.191.10 > 10.220.78.23
    Which is a Windows server pinging a Windows workstation.
    When i debug icmp on the ASA i get:
    ICMP echo request from outside:192.168.191.10 to inside:10.220.78.23 ID=1 seq=2866 len=32
    ICMP echo reply from inside:10.220.78.23 to outside:192.168.191.10 ID=1 seq=2866 len=32
    Which confirms to me that the remote network is in fact traversing the tunnel and hitting the 10.220.78.23 device, which is in fact responding, and the reply is being sent out the ASA.
    The tunnel negotiates and comes up any time I reset it, by all accounts it looks correct.
    The problem is not limited to ICMP as I'm unable to net use or map drives, nor can 192.168.191.10 print to the printer at 10.220.78.20.
    But once i saw the icmp trace output I pretty much figured it has to be on the remote end...so....
    My question, can I absolutely infer from this that the issue resides on the remote end?

    Some additional info.  Aside from the ping they have running from the remote network, which is shown in the above icmp trace, if i run packet tracer from the local network to the remote, tunnel's up/traffic is allowed.  Not a big surprise since the tunnel does negotiate and stay up.
    I captured packets from the ASA and I can see the local 10.220.78.23 device sending the reply to 192.168.191.10.  Matching up with the icmp trace.
    I had them run a packet capture on their firewall and confirmed, the ICMP requests from 192.168.191.10 are being encapsulated and sent on the tunnel.  Again confirmed in my mind since i see the requests on the ASA.  But they don't ever see the response.
    There's no tcp adjust mss command on the ASA but there's this in the config:
    ASA# sh run all sys
    no sysopt connection timewait
    sysopt connection tcpmss 1380
    sysopt connection tcpmss minimum 0
    sysopt connection permit-vpn
    sysopt connection reclassify-vpn
    no sysopt connection preserve-vpn-flows
    no sysopt nodnsalias inbound
    no sysopt nodnsalias outbound
    no sysopt radius ignore-secret
    no sysopt noproxyarp inside
    no sysopt noproxyarp outside
    Any other ideas?

  • Vlan passing traffic between switches

    I have a client that has two WAP321s, two Catalyst 2960s, one SG500X-48, and a Watchguard Router/Firewall (Model is not important).
    I am trying to get the guest wireless network setup to pass traffic on VLAN2 to the router across the network. All regular traffic is on VLAN1. (yes I know it really should be on a different VLAN)
    Background:  I had originally had everything working till one of the unmanaged switches died. I move one of the Catalyst 2960s to replace the dead switch and then replaced the Catalyst 2960 with a SG500X-48.
    Network layout: One WAP321 is connected to one of the Catalyst 2960s, which is connected to the Firewall/Router. (All traffic is passed as expected on both VLANS)
    The second WAP321 is connected to the second Catalyst 2960, which connects to the SG500X-48, which connects to the first Catalyst 2960, and then to the Firewall/Router. The Default VLAN 1 works fine. VLAN2 does not.
    What I have tried to do is set the ports on the second Catalyst 2960 which is connected to the WAP321 and the SG500X-48 to Trunk. I also set the port on the first Cataylst 2960 that connects to the SG500X-48 to trunk. (Although it was not set and passing traffic before moving switches around.) When I do this all traffic between the first Catalyst 2960 and the SG500X-48 stops. The Catalyst 2960 reports a port error and then shuts down the port. Only way to recover is to clear the port setting and then reboot the switch.
    Does anyone have any ideas as to what is happening and what I am doing wrong?  

    Aniketalashe
    I was able to get the port on the Catalyst 2960 set to trunk finally, not sure what did the trick, although that does not seem to be my problem.
    Back to your question of the error report. I am unable to figure out how to get the log out of the 2960. I saw the error in the webGUI, when I moused over the port in question when the problem was happening.
    I am starting to think that maybe the switch is starting to go.

  • Having issues on ASA 5510 pass traffic between interfaces

    I am trying to pass traffic between two internal interfaces but am unable to.  Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    interface Ethernet0/2
    nameif ct-users
    security-level 100
    ip address 10.12.0.1 255.255.0.0
    same-security-traffic permit inter-interface
    access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
    access-list inside_access_in extended permit ip any any
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (ct-users) 0 access-list inside_nat0_outbound
    nat (ct-users) 1 0.0.0.0 0.0.0.0
    static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    access-group outside_access_in in interface outside
    access-group outside_access_ipv6_in in interface outside
    access-group inside_access_in in interface inside
    access-group inside_access_ipv6_in in interface inside
    access-group inside_access_in in interface ct-users
    access-group inside_access_ipv6_in in interface ct-users
    On both networks I am able to access the internet, just not traffic between each other.
    A packet-tracer reveals the following (it's hitting some weird rules on the way):
    cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab827020, priority=1, domain=permit, deny=false
    hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    NAT divert to egress interface ct-users
    Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0
    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any any
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad5bec88, priority=12, domain=permit, deny=false
    hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
    hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
    hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=192.168.5.0, mask=255.255.255.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 6
    Type: NAT-EXEMPT
    Subtype:
    Result: ALLOW
    Config:
    match ip inside any ct-users 10.12.0.0 255.255.0.0
    NAT exempt
    translate_hits = 2, untranslate_hits = 2
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
    hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
    Phase: 7
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
    match ip inside 192.168.5.0 255.255.255.0 ct-users any
    static translation to 192.168.5.0
    translate_hits = 1, untranslate_hits = 15
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xadf7a778, priority=5, domain=nat, deny=false
    hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
    src ip=192.168.5.0, mask=255.255.255.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 8
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
    match udp inside host 192.168.5.2 eq 1514 outside any
    static translation to 184.73.2.1/1514
    translate_hits = 0, untranslate_hits = 0
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0xab8e2928, priority=5, domain=host, deny=false
    hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=192.168.5.2, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 9
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
    hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
    Phase: 10
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
    match ip ct-users 10.12.0.0 255.255.0.0 inside any
    static translation to 10.12.0.0
    translate_hits = 0, untranslate_hits = 6
    Additional Information:
    Reverse Flow based lookup yields rule:
    in id=0xada0cd38, priority=5, domain=host, deny=false
    hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.12.0.0, mask=255.255.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 11
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
    hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 12
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 189385494, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: ct-users
    output-status: up
    output-line-status: up
    Action: allow

    how are you testing? if you are pinging between the subnets, make sure you have disabled windows firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).
    Are the NAT commands there because you were trying different things to get this working?  I suggest you use the command no nat-control instead.  Depending on the version of ASA you are running it may already be disabled by default.  In version 8.4 and later nat-control has been removed completely.
    Please remember to select a correct answer and rate helpful posts

  • LMS 4.0.1 software distribution 3 out of 7 fail to pass traffic after reload

    I've distributed (7) IOS C3560-ipbasek9-mz.150-1.SE2.bin upgrades on identical 3560G PS-S platform using LMS 4.0.1. All jobs come back successfully completed with the /MD5 hash matching exactly what Cisco has on their website. All devices have sufficient 32MB worth of Flash and verified enough was available prior to distribution.
    Issue: After reload 2 of these 3560G devices would not pass traffic. Also, neighboring devices could see these devices through "show cdp neighbors detail" but the management IP was not being displayed. After consoling into these devices via (console port) the management IP address was there but was unable to ping this address locally and neighboring devices were unable to be pinged as well. Performed the "sh run" command and verified the config was correct.
    ***Cisco's engineers suggestion was to load a lower IOS.***
    ***I've perused the caveats with this release and have not found any solutions.***
    I've already replaced the offending switches with new devices but don't want to keep upgrading with this many failures after reloading.

    Your devices with the NX-OS versions you indicate should be OK per the LMS 4.0.1 Supported Devices Table.
    Have you updated your LMS with the latest device packages? See the procedure here.

  • CCE 507 stops forwarding traffic to internet

    Our CE (which is our proxy server) constantly stops forwarding traffic to the internet. The engine does not freeze or lock up because I can telnet into it and reload and everything is fine then. This has starting happening in the last two weeks. The engine is integraded with Websense filtering. Could I be experiencing hardware issues? I did recently upgraded websense to the latest version and also upgraded the PIX 515 Firewall IOS to the latest. I am thinking maybe upgrade the IOS on the engine. Any guidance would be appreciated. Thanks in advance.

    Apparently the version of Websense that I was running was not making the CE very happy. I upgraded to a new version and ever since the problem has not arise. But I am having one issue with the CE. There is one website that generates errors when going through the CE proxy server. Although when bypassing the proxy server(CE), there are no errors generated. It is only when going through the proxy that the error is generated. The error does not reflect a Websense blocking page. So it only leads me to believe that the problem is on the CE. I would like to upgrade the IOS on the CE to the latest software in an effort to resolve this. If I upgrade, should I be aware of any problems with the configuration not working after the upgrade. The device is a CE 507 with software version 2.51. Any history on this type of problem? Any help would be appreciated. I have pasted the exact error generated from the site. Thanks again.
    Network Error
    The server yearbookavenue1.jostens.com returned an invalid response to your request for http://yearbookavenue1.jostens.com/cgi-bin/exe2004/year2004.exe?f_4194e967209

  • Can I capture USP traffic with NI-SPY

    11-14-07
    Can I capture USB traffic with NI-Spy? if so how?
    Thanks
    TeBlues

    Hi TeBlues,
    NI-Spy captures return a log of low-level driver calls being made to National Instruments drivers.  It does not track the serial data passed along the USB bus.  To capture the serial traffic on the USB bus, I would recommend Portmon (if you are using a Windows OS).  This program monitors all serial and parallel port activity on a system.
    Donovan

  • Prevent PPPoE encapsulation of traffic with specific destination

    My ISP requires a PPPoE tunnel to connect and the modem I use is in Transparent bridging mode. If I connect a dedicated interface and specify the network/IP and use NAT, I can connect to the modem management. However, this isn't my preferred setup as my previous cable ISP used DHCP and any routed traffic out the outside interface destined to 192.168.100.1 would be responded to by the cable modem. I'm assuming that since the traffic with PPPoE is encapsulated, the modem is forwarding everything right out to the link since I get an ISP router responding with traffic destined 192.168.0.1 no route to host.
    Is there a way to exclude 192.168.0.0/24 from being encapsulated by PPPoE while all other traffic isn't? If I have to have multiple vlans to do this properly that is fine, I'm just lost in finding a way to use one physical port on my ASA 5505. Setting trunking with with either the outside or modem vlan as native on the interface doesn't appear to allow the modem to connect unless outside is the native vlan
    Thanks for any help.

    Hi Bro
    Yes, in the old/former way of doing things, the PPPoE is being handled by the Modem, provided by your ISP. For this reason, your Cisco Firewall OUTSIDE interface is able to grab a dynamic private IP Address i.e. 192.168.0.XXX/24 from the Modem (acting as the DHCP server). With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet and also access the Modem’s management webpage.
    Now, the PPPoE is being handled by your Cisco Firewall directly. This means, your Cisco Firewall OUTSIDE interface will now grab a dynamic public IP Address from your ISP directly, via your Modem (acting as transparent/bridging device). With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet but cannot access the Modem’s management webpage anymore. This is because the LAN users will appear as public IP, while your Modem is still on private IP, no route. There’s no way to exclude 192.168.0.XXX/24 from being encapsulated by PPPoE.
    What I have in mind for you is, use another spare interface in your Cisco Firewall, and connect it directly to the Modem. This interface is strictly for the Modem’s management purposes. With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now access the Modem’s management webpage.
    Here’s a sample;
    interface Vlan3
    nameif outside
    security-level 0
    pppoe client vpdn group TEST
    ip address pppoe setroute
    interface Vlan2
    nameif mgmt
    security-level 10
    ip address 192.168.0.10 255.255.255.0
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.10 255.255.255.0
    interface Ethernet0/0
    description ### Link to Modem for Internet ###
    switchport access vlan 3
    interface Ethernet0/1
    description ### Link to Modem's Management Port for Management Purposes ###
    switchport access vlan 2
    interface Ethernet0/2
    description ### Link to L2 LAN Hub/Switch ###
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    mtu outside 1492
    mtu inside 1500
    global (outside) 1 interface
    global (mgmt) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    vpdn group TEST request dialout pppoe
    vpdn group TEST localname cisco
    vpdn group TEST ppp authentication pap
    vpdn username cisco password cisco123
    access-list inside extended permit ip any any
    access-list mgmt extended permit ip any any
    access-list outside extended permit ip any any
    access-group inside in interface inside
    access-group outside in interface outside
    access-group mgmt in interface mgmt

Maybe you are looking for

  • HP's support, even with a warranty, is USELESS: do not buy a printer from this company!

    I just purchased an Officeject Pro 8600 N911g with a 2 year warranty.  It works fine with my PC via wireless router.  It does not work with my laptop (windows 7).  I was able to print one thing but the next time and ever since, the printer is offline

  • PO History Data

    Hi Folks, I have a problem in selecting the PO hitstory data.For a PO there are two bewtp for 0010 and 0020 item.But I am getting only one BEWTP not both. Moreover at the time of filtering the internal table w.r.t to BEWTP it is not checking for itfi

  • Editing in Photoshop CS2 and Viewing in iPhoto

    I have iPhoto 6 and Photoshop CS2. I would like to do my RAW file edits in Photoshop CS2, but if that image is already in my iPhoto library and I make changes to the file in Photoshop, will iPhoto regenerate a new thumbnail for the changes when I ope

  • Parent/Child Master Data Type

    I recently created a new master data type in my model, which included one attribute with the 'parent' check box checked - to signify that it was to be used as the parent. Upon activating the master data type - the system auto generated several other

  • Multiple Creative sound devices in one system

    -Multiple Creative sound devices in one systemrHello community, I recently tried to get two X-Fi Titanium PCI-Express cards to work in one computer. One card worked well. As soon as i plugged in the second card and booted the system, i got a quite re