5505 stops passing traffic with 9.1.3
I have a 5505 setup in my home office. It generally works well but I noticed when I upgraded it to 9.1.2.8 it would stop passing traffic after a few days. I figured this was just the interim release blues and waited until 9.1.3 came out. However, with 9.1.3 the problem is even worse. I'm actually not exactly sure what's going on. Here's what I've noticed:
I get a lot of DNS connections with the "h" flag (H.225 traffic) set. This seems like it might have some relation to the problem:
UDP outside 216.218.130.2:53 inside 192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
I also get these in 9.1.2 (which works fine), but far fewer. When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.
When traffic stops passing, the ASA itself can no longer get to the Internet. I can't ping my Comcast router (actually in my office, L2 adjacent to the ASA). I also have some SLA probes going to the Internet which fail. If I do a clear conn all, then everything starts working again for a while. The BTF (dynamic-filter) feature seems to make it worse. If I remove it (remove the dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:
policy-map global_policy
class inspection_default
inspect dns dns-ipm dynamic-filter-snoop
What's really strange is that even if I remove all service-policy commands, I still get connections with the "h" flag. I don't believe that should be possible, so perhaps a bug?
Ideas?
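An added illustration, not part of the original post: a small Python parser for show conn lines in the format quoted above that counts connections per flag and watches for a build-up of DNS connections carrying the "h" (H.225) flag, so the condition can be spotted from a monitoring script before the box stops forwarding. The sample lines are constructed (the first is the one from the post) and the alert threshold is a placeholder to tune per site.

```python
import re
from collections import Counter

# One IPv4 line of ASA "show conn" output (IPv6 conns print differently and are not handled here):
#   UDP outside 216.218.130.2:53 inside 192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
# The trailing "flags ..." field is optional; ASA prints "flags -" when a conn carries none.
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+"
    r"(?P<if_a>\S+)\s+(?P<addr_a>[^\s:]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<addr_b>[^\s:]+):(?P<port_b>\d+),\s+"
    r"idle\s+(?P<idle>\d+:\d{2}:\d{2}),\s+"
    r"bytes\s+(?P<bytes>\d+)"
    r"(?:,\s+flags\s+(?P<flags>\S+))?\s*$"
)

# Constructed sample: the first conn line is the one quoted in the post, the rest are made up
# to show a normal DNS conn, a TCP conn and the "N in use" header that show conn prints.
SAMPLE_SHOW_CONN = """\
4 in use, 40 most used
UDP outside 216.218.130.2:53 inside 192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
UDP outside 203.0.113.10:53 inside 192.168.234.146:50710, idle 0:00:03, bytes 210, flags h
UDP outside 203.0.113.10:53 inside 192.168.234.20:41022, idle 0:00:07, bytes 180, flags -
TCP outside 203.0.113.25:443 inside 192.168.234.20:52100, idle 0:00:41, bytes 98231, flags UIO
"""


def parse_conn(line):
    """Parse one conn line into a dict; return None for headers or anything else."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    for key in ("port_a", "port_b", "bytes"):
        conn[key] = int(conn[key])
    hours, minutes, seconds = (int(x) for x in conn["idle"].split(":"))
    conn["idle_seconds"] = hours * 3600 + minutes * 60 + seconds
    # "-" means no flags; otherwise every character is one flag (case matters: h = H.225, H = H.323).
    conn["flags"] = "" if conn["flags"] in (None, "-") else conn["flags"]
    return conn


def summarize(lines):
    """Aggregate conns by protocol and by individual flag, and count DNS conns that carry 'h'."""
    summary = {"total": 0, "unparsed": 0, "by_proto": Counter(), "by_flag": Counter(), "dns_with_h": 0}
    for line in lines:
        conn = parse_conn(line)
        if conn is None:
            if line.strip():
                summary["unparsed"] += 1
            continue
        summary["total"] += 1
        summary["by_proto"][conn["proto"]] += 1
        for flag in conn["flags"]:
            summary["by_flag"][flag] += 1
        is_dns = conn["proto"] == "UDP" and 53 in (conn["port_a"], conn["port_b"])
        if is_dns and "h" in conn["flags"]:
            summary["dns_with_h"] += 1
    return summary


def dns_h_flag_alert(summary, threshold):
    """True once the count of DNS conns flagged 'h' reaches the caller's threshold (site-specific)."""
    return summary["dns_with_h"] >= threshold


if __name__ == "__main__":
    s = summarize(SAMPLE_SHOW_CONN.splitlines())
    print(f"{s['total']} conns, {s['dns_with_h']} DNS conns with flag h, per-flag: {dict(s['by_flag'])}")
    if dns_h_flag_alert(s, threshold=2):
        print("alert: DNS conns flagged as H.225 are building up; consider 'clear conn' and a TAC case")
```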
Similar Messages
-
Switch port in dot1x multi-auth mode stops passing traffic
Dear All,
I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
interface GigabitEthernet2/34
switchport mode access
ip arp inspection limit rate 30
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 6
spanning-tree portfast
ip verify source vlan dhcp-snooping
end
It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
Did anyone experience a similar problem? Any advice?
Thanks.
Mirek
We have the same issue on a 3750E switch running 12.2.(58)SE
-
Wifi stops passing traffic on original ipad and ipad 2 running ios 5.0.1
I actually just started having this issue with my Original iPad and my iPad 2. From what I'm seeing, it's not a loss of signal but a loss of connectivity; they just stop passing traffic. When this is happening it's sometimes to both iPads but not always. And both our iPhones do not experience the issue while the iPads are having the problem. (All devices running iOS 5 and connected to the same AP.) Wired devices also do not have any issues while this is happening to the iPads.
What I have tried so far:
1. Changing Channels on the AP to a less congested channel (didn't help)
2. Shutting wifi off on ipad, then turning back on, solves issue for a random amount of time, then it happens again
3. Rebooting ipad, sometimes does not help at all until you turn off the radio on the ipad, then back on
I was ready to get a new router/ap but after reading some other comments, this may be an issue with other people.
I have exactly the same issue on my brand new iPad2 running iOS5.
I have also changed the channel, tried different settings, etc. to no avail.
It tends to happen when streaming video - Skype, YouTube. Also during movie downloads.
My pc does not have this problem.
Were you able to find a reliable solution?
Thanks! -
Fiber link fails to pass traffic.
Hello,
I am a Systems Engineer working with a Cisco Channel Partner.
A client of ours has a fiber backbone between two buildings on their campus.
The fiber terminates on a Catalyst 6509 (at the data centre) and a Catalyst 3750 at the other end. Users at the far-end connect to servers located at the data center over this fiber.
This connection has been working fine for the past 2 years, until a recent problem came up.
For two weeks now, the usual occurrence is for the fiber link to stop passing traffic while working until the 3750 is rebooted or the fiber connectors removed from the SFP port and replugged.
Meanwhile, the interface and line protocol remain UP on both switches during this abnormal behaviour. There are also no log messages occurring. Everything looks fine on both switches. They just wouldn't pass traffic. The problem occurs about twice each day.
It's difficult diagnosing the problem now. I need help please.
Regards,
Felix
I would do a few things:
1. Scope and clean the fiber
2. Measure all TX and RX levels with a power meter
3. Perhaps replace the SFPs -
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
Hello,
I am setting up a site to site VPN between two ASA 5505s. The tunnel is up but I cannot get it to pass traffic and I have run out of ideas at this point. I am on site as I am posting this question and only have about 4 hours left to figure this out, so any help ASAP is greatly appreciated. I'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the ASAs are different versions: one is 9.2, the other is 8.2.
Note: 1.1.1.1 = public IP for Site A; 2.2.2.2 = public IP for Site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi Keegan,
Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
I would suggest doing a 'clear xlate'. Sometimes if you set up the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
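An added illustration, not part of the thread: a Python helper that reads show ipsec sa output captured on both peers and reports which side is decrypting but not encrypting, which is the pattern in the counters posted above (Site A: 1 encaps / 239 decaps; Site B: 286 encaps / 1 decaps). The sample outputs are constructed and condensed from the post's counters, and the 10-packet "active" threshold is an assumption.

```python
import re

# Constructed samples, condensed from the counters quoted in the post above
# (only the fields this helper reads are kept; addresses follow the post's 1.1.1.1 / 2.2.2.2 convention).
SITE_A_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
      #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
      #send errors: 0, #recv errors: 0
"""
SITE_B_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map3, seq num: 1, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #send errors: 0, #recv errors: 0
"""

FIELD_PATTERNS = {
    "peer": r"current_peer: ([^\s,]+)",
    "local_ident": r"local ident \(addr/mask/prot/port\): \((\S+)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \((\S+)\)",
}
COUNTER_PATTERNS = {
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors: (\d+)",
    "recv_errors": r".*#recv errors: (\d+)",
}


def parse_ipsec_sa(text):
    """Return one record per crypto map entry in 'show ipsec sa' output (IPv4 L2L format assumed)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)", line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "peer": None, "local_ident": None, "remote_ident": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            records.append(cur)
            continue
        if cur is None:
            continue
        for key, pat in FIELD_PATTERNS.items():
            m = re.match(pat, line)
            if m:
                cur[key] = m.group(1)
        for key, pat in COUNTER_PATTERNS.items():
            m = re.match(pat, line)
            if m:
                cur[key] = int(m.group(1))
    return records


def direction(sa, active=10):
    """Classify an SA by the traffic it really carries; 'active' is the packet count treated as
    real traffic rather than a stray probe (10 is an assumption, tune it to the site)."""
    tx, rx = sa["encaps"] >= active, sa["decaps"] >= active
    if tx and rx:
        return "bidirectional"
    if rx:
        return "receive-only"
    if tx:
        return "send-only"
    return "idle"


def side_not_encrypting(sa_a, sa_b, active=10):
    """Given the same tunnel seen from peers A and B, name the side that decrypts but never encrypts."""
    if sa_a["peer"] != sa_b["local_addr"] or sa_b["peer"] != sa_a["local_addr"]:
        return "peer mismatch"
    da, db = direction(sa_a, active), direction(sa_b, active)
    if da == "receive-only" and db == "send-only":
        return "A"
    if da == "send-only" and db == "receive-only":
        return "B"
    if da == "bidirectional" and db == "bidirectional":
        return None
    return "inconsistent"


if __name__ == "__main__":
    a, b = parse_ipsec_sa(SITE_A_IPSEC_SA)[0], parse_ipsec_sa(SITE_B_IPSEC_SA)[0]
    print(f"Site A: {direction(a)} ({a['encaps']} encaps / {a['decaps']} decaps)")
    print(f"Site B: {direction(b)} ({b['encaps']} encaps / {b['decaps']} decaps)")
    print("side that receives but does not encrypt replies:", side_not_encrypting(a, b))
```

When the answer is "A", the next things to check on that side are its NAT exemption (clear xlate, as suggested above) and whether the return traffic even matches the crypto ACL.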
Stop DHCP traffic from passing across interfaces
I'm having an issue with dhcp traffic passing across my cisco ASA 5510 interfaces.
Example of setup
Company 1 connected to interface 1 has its own dhcp server
Company 2 connected to interface 2 has its own dhcp server.
Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other but not DHCP.
Is there any way to stop DHCP traffic from crossing interfaces?
Shane
Usually you have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
* Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
* Incoming packets from any address to 255.255.255.255
* Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients
An example in an ASA would be similar to the following.
For blocking client:
access-list TEST extended deny udp any any eq bootpc
For blocking server:
access-list TEST extended deny udp any any eq bootps
Hope that helps. -
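An added example, not part of the reply above: both deny lines placed ahead of the permit in an ACL bound inbound on each company's interface, so DHCP cannot cross between the two while other traffic still can. The interface nameifs (company1, company2) and ACL names are placeholders, and the trailing permit ip any any stands in for whatever the existing inter-company policy is.

```cisco
! Constructed example: "company1"/"company2" are placeholder nameif values and the ACL names are placeholders.
! The denies must sit above the permit, because the ASA stops at the first matching ACE.
access-list COMPANY1_IN extended deny udp any any eq bootps
access-list COMPANY1_IN extended deny udp any any eq bootpc
access-list COMPANY1_IN extended permit ip any any
access-group COMPANY1_IN in interface company1
!
access-list COMPANY2_IN extended deny udp any any eq bootps
access-list COMPANY2_IN extended deny udp any any eq bootpc
access-list COMPANY2_IN extended permit ip any any
access-group COMPANY2_IN in interface company2
!
! Confirm the deny ACEs are the ones accumulating hits once the other company's clients renew:
show access-list COMPANY1_IN
show access-list COMPANY2_IN
```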
Cisco ASA 5520s in Cluster Outside interface stops sending traffic
Hi,
We are running a Pair of ASA 5520s in active/standby mode. In the last couple days the active device will just stop communicating on the outside interface. Because the rest of the interfaces are still up, it will not fail over, so we have to fail it manually. The secondary unit works and passes traffic correctly. We then reboot the Primary.
Then after some undetermined time, it happens again and we have to manually fail it the other way, reboot the affected ASA and wait for it to happen again.
We have a case with TAC but they have not been able to figure this one out. Has anyone else seen this behavior?
This is the version info:
Cisco Adaptive Security Appliance Software Version 8.4(7)
Device Manager Version 7.3(1)100
Thanks
Hi,
There are various possibilities on the ASA device which might be causing this issue:-
1) Block depletion
2) Memory depletion
Other things might be related to the external ISP as well.
Can we collect some outputs from the ASA device at the time when the issue is seen on the ASA device?
If you can share the output, I can have a look at it; otherwise you can open a TAC case.
Thanks and Regards,
Vibhor Amrodia -
Ethernet not able pass traffic after Mountain Lion upgrade.
I used the ethernet on my display to download Mountain Lion. Ran the install, rebooted, now nothing. Wifi works fine from my connected MBP15. The display adapter shows connected, but doesn't get a DHCP IP. If I set one manually, it doesn't pass traffic. Any updates I've missed? What else could it be?
Hi
Thanks for your replies. It isn't a gmail account - it's a domain account hosted by Domainmonster. Also my iCloud email is now intermittent :(
I've checked the SSL settings/authentication settings and everything is as it should be according to the email provider. It's frustrating as it was working fine for exactly a week following the upgrade and then just stopped sending mail. Also, the intermittent nature of the problem on the iCloud account now suggests to me at least that this is a problem that isn't the user's fault?
I've downloaded Thunderbird and all my accounts are working perfectly through that, so for the time being at least I'm staying with the upgrade and hoping that a future Apple update might address the issue. From the reading around I've done this seems to be a problem some people are having that tends to be intermittent in nature and resolved temporarily but not completely at the user's end of things.
I've given up for now thanks to the fact that Thunderbird is working and I can still access my accounts on my iPhone. Very frustrating though when things don't make sense :) I mean, if it was going to stop working I would expect it to have stopped when I upgraded - not functioned fine for a while afterwards and then just literally send a mail one minute and refuse to send the next five minutes later. Also with my new problem today of Mail and my .me account - randomly sending mail when it feels like it and stacking mails up in the outbox the next - just doesn't make sense to me :)
If anyone does figure out what's going on I'd be grateful for any ideas/suggestions. Seems weird that all the email accounts function fine through thunderbird but not Mail. So far anyway :) -
L2L tunnel up, not passing traffic...all of a sudden
I've had a tunnel in place on a 5505 to a remote network I don't control, so my troubleshooting there is limited. But the tunnel has been in place for over a year without issue. Suddenly it doesn't appear to be passing traffic. But it is in at least one direction.
Remote network:192.168.191.0/24
Local ASA side: 10.220.78.0/24
I had a constant ping started from 192.168.191.10 > 10.220.78.23
Which is a Windows server pinging a Windows workstation.
When I debug icmp on the ASA I get:
ICMP echo request from outside:192.168.191.10 to inside:10.220.78.23 ID=1 seq=2866 len=32
ICMP echo reply from inside:10.220.78.23 to outside:192.168.191.10 ID=1 seq=2866 len=32
Which confirms to me that the remote network is in fact traversing the tunnel and hitting the 10.220.78.23 device, which is in fact responding, and the reply is being sent out the ASA.
The tunnel negotiates and comes up any time I reset it, by all accounts it looks correct.
The problem is not limited to ICMP as I'm unable to net use or map drives, nor can 192.168.191.10 print to the printer at 10.220.78.20.
But once I saw the icmp trace output I pretty much figured it has to be on the remote end...so....
My question, can I absolutely infer from this that the issue resides on the remote end?
Some additional info. Aside from the ping they have running from the remote network, which is shown in the above icmp trace, if I run packet tracer from the local network to the remote, the tunnel's up and traffic is allowed. Not a big surprise since the tunnel does negotiate and stay up.
I captured packets from the ASA and I can see the local 10.220.78.23 device sending the reply to 192.168.191.10. Matching up with the icmp trace.
I had them run a packet capture on their firewall and confirmed that the ICMP requests from 192.168.191.10 are being encapsulated and sent on the tunnel. Again confirmed in my mind since I see the requests on the ASA. But they don't ever see the response.
There's no tcp adjust mss command on the ASA but there's this in the config:
ASA# sh run all sys
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
Any other ideas?
Vlan passing traffic between switches
I have a client that has two WAP321s, two Catalyst 2960s, one SG500X-48, and a Watchguard Router/Firewall (Model is not important).
I am trying to get the guest wireless network setup to pass traffic on VLAN2 to the router across the network. All regular traffic is on VLAN1. (yes I know it really should be on a different VLAN)
Background: I originally had everything working until one of the unmanaged switches died. I moved one of the Catalyst 2960s to replace the dead switch and then replaced that Catalyst 2960 with a SG500X-48.
Network layout: One WAP321 is connected to one of the Catalyst 2960s, which is connected to the Firewall/Router. (All traffic is passed as expected on both VLANS)
The second WAP321 is connected to the second Catalyst 2960, which connects to the SG500X-48, which connects to the first Catalyst 2960, and then to the Firewall/Router. The Default VLAN 1 works fine. VLAN2 does not.
What I have tried to do is set the ports on the second Catalyst 2960 which are connected to the WAP321 and the SG500X-48 to trunk. I also set the port on the first Catalyst 2960 that connects to the SG500X-48 to trunk. (Although it was not set and was passing traffic before moving switches around.) When I do this all traffic between the first Catalyst 2960 and the SG500X-48 stops. The Catalyst 2960 reports a port error and then shuts down the port. The only way to recover is to clear the port setting and then reboot the switch.
Does anyone have any ideas as to what is happening and what I am doing wrong?
Aniketalashe
I was able to get the port on the Catalyst 2960 set to trunk finally, not sure what did the trick, although that does not seem to be my problem.
Back to your question of the error report. I am unable to figure out how to get the log out of the 2960. I saw the error in the webGUI, when I moused over the port in question when the problem was happening.
I am starting to think that maybe the switch is starting to go.
Having issues on ASA 5510 pass traffic between interfaces
I am trying to pass traffic between two internal interfaces but am unable to. Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/2
nameif ct-users
security-level 100
ip address 10.12.0.1 255.255.0.0
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ct-users) 0 access-list inside_nat0_outbound
nat (ct-users) 1 0.0.0.0 0.0.0.0
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group inside_access_in in interface ct-users
access-group inside_access_ipv6_in in interface ct-users
On both networks I am able to access the internet, just not traffic between each other.
A packet-tracer reveals the following (it's hitting some weird rules on the way):
cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab827020, priority=1, domain=permit, deny=false
hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
NAT divert to egress interface ct-users
Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad5bec88, priority=12, domain=permit, deny=false
hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside any ct-users 10.12.0.0 255.255.0.0
NAT exempt
translate_hits = 2, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
match ip inside 192.168.5.0 255.255.255.0 ct-users any
static translation to 192.168.5.0
translate_hits = 1, untranslate_hits = 15
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadf7a778, priority=5, domain=nat, deny=false
hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
match udp inside host 192.168.5.2 eq 1514 outside any
static translation to 184.73.2.1/1514
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8e2928, priority=5, domain=host, deny=false
hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.5.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xada0cd38, priority=5, domain=host, deny=false
hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.12.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 189385494, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ct-users
output-status: up
output-line-status: up
Action: allow
How are you testing? If you are pinging between the subnets, make sure you have disabled Windows Firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).
Are the NAT commands there because you were trying different things to get this working? I suggest you use the command no nat-control instead. Depending on the version of ASA you are running it may already be disabled by default. In version 8.4 and later nat-control has been removed completely.
Please remember to select a correct answer and rate helpful posts
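As an added example (not code from the thread), a small Python parser for ASA packet-tracer output like the trace above: it splits the trace into phases, reports the final action and the first DROP phase, and lists every static/nat statement the trace matched, which is how a stray rule such as the unrelated UDP port-forward in phase 8 surfaces for review. The sample trace is a constructed, condensed version of the output above.

```python
import re

# Constructed sample, condensed from the thread's packet-tracer output above.
SAMPLE = """\
cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
Additional Information:
NAT divert to egress interface ct-users
Phase: 3
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
Result:
input-interface: inside
output-interface: ct-users
Action: allow
"""

def parse_packet_tracer(text):
    """Return (phases, final): each phase is a dict with type/subtype/result/config/info."""
    phases, final, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "Result:":              # a bare 'Result:' opens the final summary block
            cur, section = None, "final"
        elif m := re.fullmatch(r"Phase:\s*(\d+)", line):
            cur = {"number": int(m[1]), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
            section = None
        elif section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif cur and line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif cur and section in ("config", "info"):
            cur[section].append(line)
    return phases, final

def verdict(text):
    """Final action and the first phase that returned DROP (None when allowed)."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    return final.get("Action", "unknown").lower(), drop

def nat_statements_hit(text):
    """static/nat statements the trace matched, in phase order; stray entries are what to audit."""
    phases, _ = parse_packet_tracer(text)
    return [c for p in phases if p["type"] in ("NAT", "UN-NAT", "NAT-EXEMPT")
            for c in p["config"] if c.startswith(("static ", "nat "))]
```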
LMS 4.0.1 software distribution 3 out of 7 fail to pass traffic after reload
I've distributed (7) IOS C3560-ipbasek9-mz.150-1.SE2.bin upgrades on identical 3560G PS-S platforms using LMS 4.0.1. All jobs come back successfully completed with the MD5 hash matching exactly what Cisco has on their website. All devices have sufficient 32MB worth of Flash and I verified enough was available prior to distribution.
Issue: After reload 2 of these 3560G devices would not pass traffic. Also, neighboring devices could see these devices through "show cdp neighbors detail" but the management IP was not being displayed. After consoling into these devices via the console port, the management IP address was there but I was unable to ping this address locally and neighboring devices were unable to be pinged as well. Performed the "sh run" command and verified the config was correct.
***Cisco's engineers suggestion was to load a lower IOS.***
***I've perused the caveats with this release and have not found any solutions.***
I've already replaced the offending switches with new devices but don't want to keep upgrading with this many failures after reloading.
Your devices with the NX-OS versions you indicate should be OK per the LMS 4.0.1 Supported Devices Table.
Have you updated your LMS with the latest device packages? See the procedure here.
CCE 507 stops forwarding traffic to internet
Our CE (which is our proxy server) constantly stops forwarding traffic to the internet. The engine does not freeze or lock up because I can telnet into it and reload, and everything is fine then. This started happening in the last two weeks. The engine is integrated with Websense filtering. Could I be experiencing hardware issues? I did recently upgrade Websense to the latest version and also upgraded the PIX 515 Firewall IOS to the latest. I am thinking maybe upgrade the IOS on the engine. Any guidance would be appreciated. Thanks in advance.
Apparently the version of Websense that I was running was not making the CE very happy. I upgraded to a new version and ever since the problem has not arisen. But I am having one issue with the CE. There is one website that generates errors when going through the CE proxy server. When bypassing the proxy server (CE), there are no errors generated. It is only when going through the proxy that the error is generated. The error does not reflect a Websense blocking page. So it only leads me to believe that the problem is on the CE. I would like to upgrade the IOS on the CE to the latest software in an effort to resolve this. If I upgrade, should I be aware of any problems with the configuration not working after the upgrade? The device is a CE 507 with software version 2.51. Any history on this type of problem? Any help would be appreciated. I have pasted the exact error generated from the site. Thanks again.
Network Error
The server yearbookavenue1.jostens.com returned an invalid response to your request for http://yearbookavenue1.jostens.com/cgi-bin/exe2004/year2004.exe?f_4194e967209
Can I capture USB traffic with NI-SPY
11-14-07
Can I capture USB traffic with NI-Spy? if so how?
Thanks
TeBlues
Hi TeBlues,
NI-Spy captures return a log of low-level driver calls being made to National Instruments drivers. It does not track the serial data passed along the USB bus. To capture the serial traffic on the USB bus, I would recommend Portmon (if you are using a Windows OS). This program monitors all serial and parallel port activity on a system.
Donovan
Prevent PPPoE encapsulation of traffic with specific destination
My ISP requires a PPPoE tunnel to connect and the modem I use is in Transparent bridging mode. If I connect a dedicated interface and specify the network/IP and use NAT, I can connect to the modem management. However, this isn't my preferred setup as my previous cable ISP used DHCP and any routed traffic out the outside interface destined to 192.168.100.1 would be responded to by the cable modem. I'm assuming that since the traffic with PPPoE is encapsulated, the modem is forwarding everything right out to the link since I get an ISP router responding with traffic destined 192.168.0.1 no route to host.
Is there a way to exclude 192.168.0.0/24 from being encapsulated by PPPoE while all other traffic is? If I have to have multiple VLANs to do this properly that is fine, I'm just lost in finding a way to use one physical port on my ASA 5505. Setting trunking with either the outside or modem VLAN as native on the interface doesn't appear to allow the modem to connect unless outside is the native VLAN.
Thanks for any help.
Hi Bro
Yes, in the old/former way of doing things, the PPPoE is being handled by the Modem, provided by your ISP. For this reason, your Cisco Firewall OUTSIDE interface is able to grab a dynamic private IP Address i.e. 192.168.0.XXX/24 from the Modem (acting as the DHCP server). With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet and also access the Modem’s management webpage.
Now, the PPPoE is being handled by your Cisco Firewall directly. This means, your Cisco Firewall OUTSIDE interface will now grab a dynamic public IP Address from your ISP directly, via your Modem (acting as transparent/bridging device). With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet but cannot access the Modem’s management webpage anymore. This is because the LAN users will appear as public IP, while your Modem is still on private IP, no route. There’s no way to exclude 192.168.0.XXX/24 from being encapsulated by PPPoE.
What I have in mind for you is, use another spare interface in your Cisco Firewall, and connect it directly to the Modem. This interface is strictly for the Modem’s management purposes. With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now access the Modem’s management webpage.
Here's a sample:
interface Vlan3
nameif outside
security-level 0
pppoe client vpdn group TEST
ip address pppoe setroute
interface Vlan2
nameif mgmt
security-level 10
ip address 192.168.0.10 255.255.255.0
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.10 255.255.255.0
interface Ethernet0/0
description ### Link to Modem for Internet ###
switchport access vlan 3
interface Ethernet0/1
description ### Link to Modem's Management Port for Management Purposes ###
switchport access vlan 2
interface Ethernet0/2
description ### Link to L2 LAN Hub/Switch ###
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
mtu outside 1492
mtu inside 1500
global (outside) 1 interface
global (mgmt) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
vpdn group TEST request dialout pppoe
vpdn group TEST localname cisco
vpdn group TEST ppp authentication pap
vpdn username cisco password cisco123
access-list inside extended permit ip any any
access-list mgmt extended permit ip any any
access-list outside extended permit ip any any
access-group inside in interface inside
access-group outside in interface outside
access-group mgmt in interface mgmt