ASA 5520 packets Flood TCP/ASA

I'm being flooded from random IP addresses on TCP/61137.
What can I do with my ASA 5520 security appliance?

You must use the shun command
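
As an added example (not part of the original thread): one way to decide which sources to shun is to count the connections to TCP/61137 that the ASA already denies in syslog message 106023, and emit a `shun` line only for sources above a threshold. The log lines are constructed, and the function names, the threshold and the exclusion list are assumptions.

```python
import ipaddress
import re
from collections import Counter

# ASA syslog 106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src [^:\s]+:(?P<src>[0-9.]+)/(?P<sport>\d+) "
    r"dst [^:\s]+:(?P<dst>[0-9.]+)/(?P<dport>\d+)"
)


def _constructed_log():
    """Build CONSTRUCTED sample lines (documentation-range IPs, made-up ACL name)."""
    template = (
        'Mar 10 10:00:{i:02d} fw %ASA-4-106023: Deny {proto} src {sif}:{src}/{sport} '
        'dst inside:192.0.2.10/{dport} by access-group "outside_in" [0x0, 0x0]'
    )
    rows = [
        # (source interface, source IP, protocol, destination port, repetitions)
        ("outside", "203.0.113.7", "tcp", 61137, 4),    # noisy source
        ("outside", "198.51.100.23", "tcp", 61137, 3),  # noisy source
        ("outside", "192.0.2.200", "tcp", 61137, 1),    # one-off, below threshold
        ("outside", "203.0.113.7", "tcp", 443, 1),      # other port, ignored
        ("dmz", "10.0.0.5", "tcp", 61137, 5),           # own host, must never be shunned
        ("outside", "203.0.113.99", "udp", 61137, 2),   # other protocol, ignored
    ]
    # One unrelated message to show that non-106023 lines are skipped.
    lines = ["Mar 10 09:59:59 fw %ASA-5-111008: User 'admin' executed the 'show shun' command."]
    i = 0
    for sif, src, proto, dport, reps in rows:
        for _ in range(reps):
            lines.append(template.format(i=i, proto=proto, sif=sif, src=src,
                                         sport=40000 + i, dport=dport))
            i += 1
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def count_sources(log_text, proto="tcp", dport=61137):
    """Count denied packets per source IP for one protocol/destination port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        if m["proto"].lower() != proto or int(m["dport"]) != dport:
            continue
        try:
            src = ipaddress.IPv4Address(m["src"])  # reject malformed addresses
        except ValueError:
            continue
        hits[str(src)] += 1
    return hits


def shun_commands(hits, min_hits=3, never_shun=()):
    """Return 'shun <ip>' lines for sources at or above min_hits.

    never_shun lists networks (own ranges, monitoring hosts) that are skipped
    so that an automated block cannot cut off legitimate infrastructure.
    """
    protected = [ipaddress.ip_network(n) for n in never_shun]
    commands = []
    for src, count in hits.most_common():
        if count < min_hits:
            continue
        if any(ipaddress.ip_address(src) in net for net in protected):
            continue
        commands.append(f"shun {src}")
    return commands


if __name__ == "__main__":
    hits = count_sources(SAMPLE_LOG)
    print(f"{len(hits)} distinct sources seen on tcp/61137")
    for cmd in shun_commands(hits, min_hits=3, never_shun=["10.0.0.0/8"]):
        print(cmd)
```

Shuns are dynamic and are not written to the configuration; `show shun` lists them and `no shun <ip>` removes one. If the sources really are random, most of them stay below the threshold and the output is short, which indicates that per-source blocking will not stop the flood.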

Similar Messages

  • Why is the AEBS bottlenecking my ReadyNAS devices leading to bad packets and TCP Retransmits?

    Bad Packets Unrecovered TCP Retransmits TCP Retransmits w ReadyNAS NV NV+ and Airport Extreme Base Station 5th Generation
    I got an Airport Extreme Base Station (AEBS), 5th generation this past November to bring my entire network up to gigE standards and extend my wireless range a bit. I have really liked the AEBS 5th Gen overall since I got it 3 months ago. It was easy to setup and update and things have been noticeably faster. I can also easily take my netbook, laptop, and iPad out to my shop some 80 feet away from my AEBS and still surf rather well wirelessly too. I couldn't do this even with my previous D-Link wireless-n setup.
    In December I picked up an old ReadyNAS NV+ to go along with my old ReadyNAS NV. When I finally started to set up the new network for my business in February, I noticed in the logs that I was getting a large number of bad packets, TCP retransmits, and unrecovered TCP retransmits. Previously, I had never had errors of any sort with any older network setups using Linksys, D-Link and Netgear routers during the last 6 years.
    Eventually cables, switches, and routers can go bad which results in the errors I have been getting so I went through the "Troubleshoot My Performance Problem/Check for Network Errors" section of the link below to try and figure out what was causing my problem.
    (http://www.readynas.com/?p=310#Troubleshoot)
    My Initial Setup:
    Airport Extreme Base Station (AEBS):
    - 1 incoming Cat5e from Motorola Surfboard 6120, 
    - 2 Cat5e connections to my wife's work network with her business computer and VOIP phone.
    - 1 Cat 5e interconnecting the AEBS to my wired network on the HP Procurve Switch.
    The AEBS manages addresses via DHCP on my wired network for all of my devices on the HP Procurve 14008G Switch:
    - 1 to NV
    - 1 NV+
    - 1 MacMini 2010
    - 1 MacMini 2005
    - 1 networked Epson R-3000 printer
    1. Simple things first. Since I have always made all my own Cat 5e cable I figured I'd better get some better(?) cabling straight away. I went and ordered new Cat 6 and Cat 6a cables to connect the NV, NV+, and my main Mac to the switch and connect the switch to the AEBS. The errors kept coming.
    2. Then I separately connected each NAS unit directly to my computer by setting up the static IP on my computer first. Once I reconnected each ReadyNAS with the computer directly they defaulted to a static IP.  Neither NAS had errors.
    (http://sphardy.com/web/readynas/how-to-direct-connect-to-your-readynas/)
    3. Errors were coming from either a bad Procurve 1400 switch or a bad AEBS. I hooked everything directly to my Airport Extreme and got lots of errors.
    4. I decided to check the switch also. I altered each ReadyNAS's default static IP to one of my choosing individually. Then I hooked both ReadyNAS units to my HP Procurve 1400 switch. I hooked the switch directly to my computer and got no errors from either NAS. I continue to get no errors the next day.
    5. When I first ran my tests I had Jumbo Frames turned Off. Currently, Jumbo Frames are On and there are still no errors and seems to be no slowness either.
    Conclusion:
    The Airport Extreme is the bottleneck causing the errors in my network.
    Perhaps there is something I can alter which will rid me of the errors, but this type of error makes the AE seem to be pretty shoddy. A newer state-of-the-art router should not be bottlenecking my rather archaic slow network devices. Apparently, the 4th Gen AEBS's couldn't do Jumbo Frames, but this current model is supposed to, but I see no setting for changing the MTU.
    Questions:
    What could be causing the bottleneck?
    Do I have a bad router?
    How could I analyze this problem?
    Has anyone else had similar issues and if so how were they resolved?
    Current Setup:
    All of my computers and NAS devices are hooked to my Procurve Switch each with its own Static IP.
    The switch is working flawlessly with no Errors.
    The network printer is now wireless and  connected via the AEBS.
    I am using wireless-n to connect to internet via the AEBS on my main machine.
    I am sharing the internet connection with the other Mac Mini on the switch and any other machine I plug into the switch (not ideal).
    Problem is:
    I am not a systems administrator and don't really want to tinker with setting up Static IP's for the machines I hook and unhook to the switch.
    I want the AEBS to manage addresses via DHCP so everything accessing my router will mindlessly be able to access all things on my network.
    Can the AEBS be made to not produce errors or do I just have a lemon.

    Hi Bob,
    That's the strange thing. When I had both GHz channels working on one SSID, once in a while my iMAC would pick the 5 GHz channel (44 seems the best for me). I always use channel 1 for 2.4 GHz because I get the fastest speeds with it.
    When the iMac would pick 5 GHz, the slowdown was very obvious. As I explained in my (long) first post, I immediately felt the difference. Now the $50K question - since the 5 GHz channel at that point was stronger than the 2.4 GHz one, why wasn't the speed faster? Why was it so slow compared to 2.4 GHz? That's what's rattling my brain. If the 5 GHz signal's strong enough to get picked by my iMac, then why isn't there a commensurate speed increase? There must be something else going on here besides signal strength. If the 5 GHz spec says that I must have full strength to get 5 GHz speeds, then that makes sense. But I think it doesn't, that's why I believe I have a configuration problem somewhere, or a faulty AEBS.
    I might add that my firmware's up-to-date in the AEBS and AX, and Airport Utility too.
    I think I'm heading to 4Runner's camp - even with high signal strength (and I would consider 3 of 4 bars high), the 5 GHz speeds aren't showing themselves.
    Here are some snaps of my AEBX's setup:
    I think my configuration's fine, although I've tried so many different options, I'm a little confused, but I know that changing the Multicast Rate doesn't have any noticeable effect on the speed. I also have "Use Wide Channels" checked, but as I said, the 5 GHz band is awfully slow for using both channels. I have set "N" only, so no "G" clients to slow it down.
    Mind boggling!

  • Send xML packet to TCP/IP socket in SOA 11g

    Hi,
    I have a requirement like this:
    I need to pass XML data to a TCP/IP socket in the form of packets in SOA 11g.
    How can we do this? Please advise me. A step-by-step procedure would help more.

    Hi,
    There is a JCA Adapter for Sockets available... Have a look at this doc...
    http://docs.oracle.com/cd/E23943_01/integration.1111/e10231/adptr_sock.htm#BABEBEJH
    Cheers,
    Vlad

  • UC320 Packet Flood

    Hi.
    I have just set up a UC320 for a client and it was working without trouble for the last few days up until last night. It is now taking out my entire network and causing a packet flood. When I disconnect the device from the network all comes back up OK and I can then reconnect the UC320 and all goes back to normal for a while until it happens again. I can't seem to see any pattern to it though.
    I have a few things that I can think of that might be causing it. First of all, the WAN port IP is on the same subnet as the LAN IP. This is because the router I am using doesn't support a separate WAN subnet. (Topology is Route Voice Only) I am only using the device for voice so I could always put these on separate subnets but my thinking up until now has been that I need to be able to access the config remotely from machines within that subnet.
    Both the WAN and the LAN ports on the device are connected to an SG300-10P and all handsets are powered via PoE. The SG300 is also connected back into the main network. I would have thought that if there was an issue with the UC320 flooding, the SG300 would shut that port down using Spanning Tree.
    I also figured that the WAN and LAN ports must be routed separately within the device, therefore not causing a loop. If this wasn't the case then I would have a constant loop, but the device has worked and does work in this configuration, just not all the time.
    As you can tell by now I'm pretty new at this and this is my first of hopefully many installs.
    Any advice would be greatly appreciated as i am struggling to get on top of this one.
    Thanks.

    Paul,
    The UC320 is not only a PBX, but it is also a router. So the WAN and the LAN ports have to be on different Subnets. The correct design for your case is defined in the Smart Design Document " Deploying UC320 in an Existing Network". If you do not have a router that meets the criteria, I would recommend eliminating the router and using the UC320 as the router.
    Documentation: https://supportforums.cisco.com/docs/DOC-14783
    If that is not possible then the only other option you have is to unplug the WAN interface on the UC320. This is going to cause the following side effects:
    * No voicemail to email
    * Time has to be set manually ( since NTP goes through WAN) or a local NTP server needs to be created.
    * No Cloud Services ( Auto upgrade, upload WAV file)

  • How to send packet using tcp socket ?

    Hi,
    I want to use a TCP socket to send data in an IPv6 environment, but why is the data transfer less than in an IPv4 environment?
    socket = new Socket("2001:0238:0600::2", 1234);
    Am I wrong?

    bobby92 wrote:
    > why the data transfer is less than ipv4 environment?
    What do you mean?
    > socket = new Socket("2001:0238:0600::2", 1234);am i wrong ?
    No idea, since I've no idea what you're asking.

  • ASA 5505 Site-to-Site VPN to remote dmz access

    I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.
    I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.
    Let's call:
    Site 1 LAN: 192.168.1.0
    Site 2 LAN: 192.168.2.0
    Site 2 DMZ: 172.16.2.0
    Traffic from Site 1 to Site 2 is perfect moving across the LANs. My workstation (192.168.1.10) can ping anything in Site 2's LAN (192.168.2.0/24).
    Recently, I added a UniFi WAP device to Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2's ASA. I called this object DMZ_WAP. IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8." Source interface DMZ to Any destination interface. This of course created 2 "Network Object" NAT rules.
    I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site to site vpn), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.
    Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo") everything turns up green checkmark, the packet is allowed. So why do I have no contact?
    I apologize, as I realize ASDM isn't what most of you probably use. But does anyone have any ideas? I've been researching this for about 4 hours now, perhaps I'm barking up the wrong tree.
    Thanks,
    Garrick

    Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site to site VPN. I can't let any other traffic through except this one IP. I currently have it NATd.
    ASA Version 8.4(1)
    no names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.21.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address -OMITTED- 255.255.255.248
    interface Vlan3
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address 172.16.21.1 255.255.255.0
    interface Ethernet0/0
    description Outside WAN1 port
    switchport access vlan 2
    interface Ethernet0/1
    description Inside LAN port
    interface Ethernet0/2
    description Inside LAN port
    interface Ethernet0/3
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/4
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/5
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/6
    description Outside DMZ port
    switchport access vlan 3
    interface Ethernet0/7
    description Outside DMZ port
    switchport access vlan 3
    boot system disk0:/asa841-k8.bin
    ftp mode passive
    clock timezone
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name -OMITTED-
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network net_SITE1_lan
    subnet 192.168.1.0 255.255.255.0
    object network net_SITE2_lan
    subnet 192.168.21.0 255.255.255.0
    object network net_SITE1_dmz
    subnet 172.16.1.0 255.255.255.0
    object network net_SITE2_dmz
    subnet 172.16.21.0 255.255.255.0
    object network SITE2_DMZ_WAP
    host 172.16.21.2
    object network 192.168.21.8
    host 192.168.21.8
    description FOR SITE2 WAP
    access-list inside_access_in extended permit ip object net_SITE2_lan any
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
    pager lines 24
    logging enable
    logging buffer-size 16384
    logging buffered notifications
    logging asdm notifications
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    flow-export destination inside 192.168.1.35 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 15
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-643.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SITE2_DMZ_WAP
    nat (dmz,any) static 192.168.21.8
    nat (inside,outside) after-auto source dynamic any interface
    nat (dmz,outside) after-auto source dynamic any interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication serial console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http server idle-timeout 60
    http 192.168.0.0 255.255.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    snmp-server host inside 192.168.1.35 community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
    crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
    crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
    crypto map CMAP_OUTSIDE 1 set reverse-route
    crypto map CMAP_OUTSIDE interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    ssh version 2
    console timeout 60
    management-access inside
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd dns 192.168.2.2 192.168.1.6 interface inside
    dhcpd lease 34000 interface inside
    dhcpd domain -DOMAIN OMITTED- interface inside
    dhcpd update dns both interface inside
    dhcpd address 172.16.21.100-172.16.21.200 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd lease 34000 interface dmz
    dhcpd enable dmz
    priority-queue outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server -NTP SERVERS OMITTED-
    ntp server -NTP SERVERS OMITTED-
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol ikev1
    username -OMITTED- password -OMITTED- encrypted privilege 15
    tunnel-group -IP OMITTED- type ipsec-l2l
    tunnel-group -IP OMITTED- general-attributes
    default-group-policy GroupPolicy1
    tunnel-group -IP OMITTED- ipsec-attributes
    ikev1 pre-shared-key *****
    isakmp keepalive threshold 10 retry 5
    class-map netflow-export-class
    match any
    class-map inspection_default
    match default-inspection-traffic
    class-map QoS_RDP
    match access-list QoS_RDP_Server_Branch
    class-map QoS_EA
    match port tcp eq 2000
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      policy-map global_policy
    class inspection_default
      inspect dns
      inspect ftp
      inspect http
      inspect icmp
      inspect icmp error
      inspect ils
      inspect ip-options
      inspect ipsec-pass-thru
      inspect pptp
      inspect rsh
      inspect rtsp
      inspect sip 
      inspect snmp
      inspect xdmcp
    class netflow-export-class
      flow-export event-type all destination 192.168.1.35
    class QoS_RDP
      priority
    class QoS_EA
      priority
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Logoff

  • WCCP does not work between WSA and ASA

    I have configured WCCPv2 between WSA S160 (6.3.1-025) and ASA5540 (8.2(1)109).
    Everything seems to be OK according to "show wccp *" on the ASA and the WCCP debugging messages (level 4) on the S160. Despite that, WCCP redirection does not work.
    If I use packet-capture I figure out that S160 receives GRE packets with TCP SYN from particular LAN host to WWW sites but S160 does not handle them and does not send anything back to ASA.
    It is an Exempt from authentication for this LAN host and in Forward proxy mode everything works well.
    I have attached an example of a packet-capture (S160.txt - renamed from .cap) and debugging messages from S160 & "show" from ASA.
    Does anybody have any idea what the problem is and how I can resolve it ?

    IronPort Support team helped me to find the trouble:
    If I wish to handle specific port's (80, 8080, etc.) traffic by the transparent proxy I need to configure this port like a listener for the FORWARD proxy
    ("Security Services" -> "Proxy Settings" -> "HTTP Ports to Proxy")
    The WSA guide doesn't clearly say about it.
    So the Discussion can be closed ...

  • TCP Listen only accepts 1 packet

    Hello,
    I am trying to create a RS232 to TCP/IP converter VI. I am trying to use this VI to allow my main VI to communicate with a microcontroller (using rs232) over a network and I do not have access to a hardware converter.  The VI works great for sending data from the microcontroller ( rs232 -->TCP) but I am having problems getting information to the microcontroller (TCP --> rs232). I have tried numerous server configurations using the TCP Listen and Create Socket. For some reason I can only seem to receive a packet when using TCP Listen and no while loop but then it only receives 1 packet and none after that. I have used other programs to verify that the main VI is correctly sending the packet to that port and have verified that the problem is in this VI. 
    The following image is the "working" version that only receives the first packet sent to it 
    The following two pictures are the other configurations I've tried but they receive no packets.  
    TCP Listen with while loop 
    TCP Wait on Listener
     If you can provide any help it will be much appreciated.
     Thank you,
                 meanmon13

    Those won't work because you aren't thinking dataflow. Dataflow means each piece will execute when all the inputs to it are available. Your first while loop runs forever. There is an input to the second while loop coming from the first while loop. Hence, it will never get to your second while loop, and that's why you aren't receiving anything.
    Put everything in one loop and use error wires to control the order
    Message Edited by for(imstuck) on 06-09-2010 11:26 AM
    CLA, LabVIEW Versions 2010-2013

  • Getting huge number of TCP retransmissions & TCP Dup ACK packets.

    Hi,
    I was working on an issue in which we were observing that the Citrix application page freezes intermittently for 5-10 secs and then works again without any disconnections.
    On troubleshooting I did not observe any abnormal latency or packet loss on the GRE tunnel from the source VLAN to the server destinations.
    The Citrix traffic flows via a GRE tunnel to a remote location, then flows via plain internet to an internet-facing Citrix server behind a firewall.
    On analyzing the traffic using Ethereal I observed a huge number of duplicate ACK packets and TCP retransmissions, hence I derived it has something to do with packet fragmentation. Hence I modified the TCP MSS size to 1400 from 1412.
    Hence I modified the GRE tunnel configs as below
    Router#sh run int tu 691
    interface Tunnel691
    description XXXX
    ip address X.X.X.41 255.255.255.252
    ip mtu 1500
    ip tcp adjust-mss 1400
    tunnel source Loopback69
    tunnel destination X.X.X.X
    end
    Still there is an intermittent issue. Can you please help me find out where exactly the issue can lie?

    We had a similar issue and issued the following commands and everything is working well.
    ip mtu 1476
    ip tcp adjust-mss 1436

  • Can a file be sent in TCP as a stream?

    I am trying to implement a simple file transfer operation using TCP/IP sockets. I have found information about sending streams, but not packets. Is it possible to send files as streams? or even better, how do i implement sending packets using TCP/IP?

    > I am trying to implement a simple file transfer operation using TCP/IP sockets. I have found information about sending streams, but not packets. Is it possible to send files as streams? or even better, how do i implement sending packets using TCP/IP?
    TCP/IP has a layered design so you don't have to worry about the detail. When you use a stream, the data written to it is (transparently to you) divided into packets, sent across the network and reassembled at the other end.
    Good eh?
    You need to read up on how to create a Socket and write data into its output stream.
    And for the other end of the connection how to have a ServerSocket listening for such connections and doing something with data when it is received.

  • ME 3400 PACKET LOSS

    e3400 packet loss
    I have a me3400 connected as follows:
    in port G1 / 0 fiber optic switch connects 7 WS-C2960-24TC-s.
    The switches are running vlans 2960 and serves to intervlan ME3400 routing.
    All of the GTW vlans are defined in the ME3400, in addition this does dhcp for network VLANs.
    In the port f0 / 1 is defined as non-me3400 swichport and create an interconnection network with a firewall that outputs the internet
    in ports f0 / 5 f0 / 6 is set up a vlan me3400 additional servers
    problem:
    When a machine in the VLANs, located on any 2960 switch, tries to access the servers connected to f0/5 and f0/6, there is packet loss and it is slow; the same is true if it tries to access the internet.
    Tests done from a PC on the VLANs:
    If it pings the servers or the firewall with size 100, there is no problem,
    but if you increase the size of the datagram to 500 or 1000, packets are lost.
    If you ping with a size of 1000 from a PC to the ME3400, there is no problem.
    From the ME3400, if you ping the router or the servers with size 100 there is no loss, but if it increases to 500 or more, packets are lost again. As a result of all of the above, both the internet and access to the servers are rather slow. It is worth mentioning that the VoIP telephony VLAN and service are not a problem.
    Assistant to the configuration of me3400
    sh ver
    Switch Ports Model SW Version SW Image
    * 1 26 ME-3400-24TS-A 12.2(55)SE ME340x-METROIPACCESSK9-M
    CPU utilization for five seconds: 9%/3%; one minute: 10%; five minutes: 9%
    SWICHT-MAIN#sh run
    Building configuration...
    Current configuration : 5733 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname SWICHT-MAIN
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$EBwk$LIAacdQj3VxvaNUUiBuzk1
    no aaa new-model
    system mtu routing 1500
    ip routing
    ip dhcp excluded-address 192.168.150.2 192.168.150.33
    ip dhcp pool wifi-alumnos
    network 192.168.152.0 255.255.255.0
    default-router 192.168.152.1
    dns-server 190.4.6.194
    ip dhcp pool telefonos
    network 192.168.151.0 255.255.255.128
    default-router 192.168.151.1
    ip dhcp pool wifi-administrativa
    network 192.168.153.0 255.255.255.128
    default-router 192.168.153.1
    dns-server 190.4.6.194
    ip dhcp pool AP+SIN-IP
    network 192.168.150.0 255.255.255.0
    default-router 192.168.150.1
    crypto pki trustpoint TP-self-signed-2032354048
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2032354048
    revocation-check none
    rsakeypair TP-self-signed-2032354048
    crypto pki certificate chain TP-self-signed-2032354048
    certificate self-signed 01
    quit
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 2-6
    ip tcp mss 1430
    class-map match-any ping-class
    match access-group 101
    policy-map ping-policy
    class ping-class
    police cir 1000000
    interface FastEthernet0/1
    description HACIA FORTINET
    port-type nni
    no switchport
    ip address 192.168.149.2 255.255.255.252
    ip accounting output-packets
    ip tcp adjust-mss 1430
    service-policy input ping-policy
    interface FastEthernet0/2
    switchport trunk allowed vlan 1-4
    switchport mode trunk
    service-policy input ping-policy
    interface FastEthernet0/3
    switchport access vlan 4
    switchport trunk allowed vlan 1-4
    service-policy input ping-policy
    interface FastEthernet0/4
    switchport access vlan 5
    switchport trunk allowed vlan 1-5
    service-policy input ping-policy
    interface FastEthernet0/5
    switchport access vlan 6
    service-policy input ping-policy
    interface FastEthernet0/6
    switchport access vlan 6
    service-policy input ping-policy
    interface FastEthernet0/7
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/8
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/9
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/10
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/11
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/12
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/13
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/14
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/15
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/16
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/17
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/18
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/19
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/20
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/21
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/22
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/23
    shutdown
    service-policy input ping-policy
    interface FastEthernet0/24
    shutdown
    service-policy input ping-policy
    interface GigabitEthernet0/1
    port-type nni
    switchport mode trunk
    interface GigabitEthernet0/2
    port-type nni
    switchport mode trunk
    interface Vlan1
    description LAN EQUIPOS SWITCH Y APS
    ip address 192.168.150.1 255.255.255.192
    interface Vlan2
    description RED TELEFONOS IP
    ip address 192.168.151.1 255.255.255.0
    interface Vlan3
    description RED WIFI ALUMNOS
    ip address 192.168.152.1 255.255.255.0
    interface Vlan4
    description RED WIFI ADMINISTRATIVA
    ip address 192.168.153.1 255.255.255.0
    interface Vlan5
    description RED LAN CABLEADA
    ip address 192.168.154.1 255.255.255.0
    interface Vlan6
    description LAN HOTELES Y PAGINA WWW
    ip address 192.168.155.1 255.255.255.248
    ip http server
    ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.149.1
    ip sla enable reaction-alerts
    access-list 101 permit ip any any
    line con 0
    line vty 0 4
    password
    login
    line vty 5 15
    login
    end

    Have you tried removing the service-policy from the interfaces or increasing the CIR?

  • NDIS 6.5 offload checksum test failure - HCK NDIS 6.5 not accepting packet checksum

    We are developing an NDIS 6.x miniport driver and are running NDIS Test 6.5, and are encountering failures in Offload Checksum when Rx checksum offload is enabled. The failures are as below, indicating that the notified packets are not accepted by the HCK test, even though it receives the packets. We have validated that the checksum is correct by recalculating it in the driver and also through Wireshark captures on the receiving and sending sides.
    We hereafter refer to the test adapter as Test10GCard and the support adapter as Support10GCard.
    To eliminate the issue, we have also swapped the roles of the Test10GCard and Support10GCard. In this case, the Test10GCard became the support adapter and the Support10GCard the "card under test". In this case, the test failed in send itself, as the packet notified by Test10GCard to the stack, even when checksum offload is disabled, was not accepted.
    We have looked at NET_BUFFER, NET_BUFFER_LIST, packet and checksums as well.
    Any suggestions? We have been stuck on this for a long time now.
    Thanks
    Deva
    10001
    StartTime: 02:48:48.497
    Checksum offload - Test Tcp receive checksum offload with Ipv4 ( Tcp checksum recv offload: On/Tcp Option: Off/Ipv4 Option: Off). Packet count: 30; Packet header size: 54; Packet total size 784
    CommunicationHelper::StartReceive
    - Name: TestDeviceSimpleCommHelper
    - Type: SimpleCommunicationHelper
    - Traffic Manager Type: NDT_SIMPLE_TRAFFIC_MGR
    - Receive Process Mech: NDT_PROCESS_RECEIVE_AT_PASSIVE
    - Configured NetBufferModuleStack:
    - [1] NDT_STRESS_PAYLOAD_MODULE
    - [2] NDT_TCP_OFFLOAD_MODULE
    - [3] NDT_IPV4_HEADER_MODULE
    - [4] NDT_ETHERNET_MEDIA_HEADER_MODULE
    - STATUS: NDIS_STATUS_SUCCESS
    CommunicationHelper::StartSend
    - Name: SuppDeviceSimpleCommHelper
    - Type: SimpleCommunicationHelper
    - Traffic Manager Type: NDT_SIMPLE_TRAFFIC_MGR
    - Send Mechanism: NDT_SEND_AT_PASSIVE
    - Send Complete Mech: NDT_VERIFY_SEND_COMPLETE_AT_PASSIVE
    - NDIS Send Flags: 0
    - Send Latency (ms): 0
    - Preallocated NBL Count: 1
    - Configured NetBufferModuleStack:
    - [1] NDT_STRESS_PAYLOAD_MODULE
    - [2] NDT_TCP_OFFLOAD_MODULE
    - [3] NDT_IPV4_HEADER_MODULE
    - [4] NDT_ETHERNET_MEDIA_HEADER_MODULE
    - STATUS: NDIS_STATUS_SUCCESS
    EndPoint::WaitForSendsToComplete
    - Name: SuppDeviceSimpleCommHelper_EndPoint
    - Timeout (ms): 300000
    EndPoint::StopReceive
    - Name: TestDeviceSimpleCommHelper_EndPoint
    - Timeout (ms): 5000
    EndPoint::GetSendResults
    - Name: SuppDeviceSimpleCommHelper_EndPoint
    EndPoint::GetReceiveResults
    - Name: TestDeviceSimpleCommHelper_EndPoint
    EndPoint::GetSendResults
    - Name: SuppDeviceSimpleCommHelper_EndPoint
    Test Tcp receive checksum offload with Ipv4
    - Tcp Checksum Offload Enabled: Yes
    - Tcp Option: No
    - Ip Option: No
    - StressPayload Test Conclusion: Passed
    - StressPayload Test Explanation: N/A
    - Tcp Send Packet Number: 30
    - Tcp Recv Packet Number: 30
    - Accepted Checksum Recv Offload Packet Number: 0
    - Tcp Offload Test Conclusion: Failed
    - Tcp Offload Test Explanation: Tcp Module expected to get 30 packets, but only accepted 0;The miniport is expected to report 30 packets with correct checksum, but only gets 0;
    50019 Test case failed. For detailed information, please see the above log table
    Possible failure reason             

    Hi Mudit,
    Thanks for your reply. I checked the NDIS6.5 Checkconnectivity and Checkconfig tests; these passed. I applied the same logic as above for the L3 checksum, and all variations passed. Only the TCP/UDP packets are not accepted by NDIS. I put Wireshark on both sides and the packets were the same, i.e. integrity is fine.
    Regards
    Mallesh
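
The posters above say they recalculated the TCP checksum to confirm the packets are intact. The following is an added example, not the posters' driver code, of that offline check for a raw IPv4/TCP packet taken from a capture. The function names and the sample packet are assumptions; the sample is constructed to match the logged sizes (54 bytes of headers including a 14-byte Ethernet header, 784 bytes in total).

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ~ones_complement_sum(pseudo + segment) & 0xFFFF

def verify_ipv4_tcp(packet: bytes) -> bool:
    """True if the TCP checksum of a raw IPv4 packet (Ethernet header removed) is valid."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or total_len > len(packet):
        raise ValueError("not a complete IPv4/TCP packet")
    # Use the IP total length, not the capture length, so link-layer
    # padding after the datagram is not summed.
    segment = packet[ihl:total_len]
    # With the transmitted checksum left in place the result must be 0.
    return tcp_checksum(packet[12:16], packet[16:20], segment) == 0

def build_sample(payload: bytes) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header + payload.
    The IPv4 header checksum is left at zero; only the TCP checksum is examined."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + src + dst
    return ip + tcp

if __name__ == "__main__":
    pkt = build_sample(bytes(i % 251 for i in range(730)))  # 770 bytes + 14 Ethernet = 784
    print("valid:", verify_ipv4_tcp(pkt))
```

A valid on-wire checksum confirms only that the bytes are intact; the failing log line is about what the miniport reports to the stack, which this check does not cover.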

  • Large files over TCP

    Hello!
    I am trying to send a large file (.avi) over TCP. What I am currently doing is using a FileInputStream to read the entire file at once in order to send it. The problem, as someone would expect, is an out-of-memory exception. Is there a better way to send this packet over TCP? I thought of splitting the file into segments, but I don't know how I can ensure that the receiver will get all the segments in the right order.
    Thanks
    Paul

    If memory is not an issue, simply allow your application launcher to allocate more memory (current default is 64MB max):
    java -Xmx128m myClass
    ...this will allow myClass to allocate up to 128MB during runtime. This will solve your problem but it is not the best way to
    You should follow your intuition about splitting the file into packets. Put a byte or two at the beginning of the packet as an "ID tag" to tell your client (receiver) which packet it is receiving. Your client can buffer the packets (in a Vector, or something similar) and then use the ID tag to figure out how to reassemble them. Make sure you strip out the ID tag before reassembly!
    Another advantage to splitting the file and using packet IDs is that of reliable transmission. Should your client receive a bad packet (are you using a checksum?) or drop its connection before the transmission is complete, it can simply request that the server re-send the appropriate packet by referencing its ID.
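
A sketch of the chunked transfer discussed in this thread, as an added example that is not from either poster and is written in Python rather than the thread's Java. TCP delivers bytes in order, so the sketch frames the stream instead of numbering chunks. The framing (8-byte length, file bytes, trailing SHA-256), the 64 KiB chunk size and the function names are assumptions.

```python
import hashlib
import os
import socket
import struct

CHUNK = 64 * 1024  # most file data held in memory at once (assumed value)

def send_file(sock: socket.socket, path: str) -> None:
    """Stream a file as: 8-byte big-endian length, file bytes, 32-byte SHA-256."""
    digest = hashlib.sha256()
    sock.sendall(struct.pack("!Q", os.path.getsize(path)))
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):       # never reads the whole file
            digest.update(chunk)
            sock.sendall(chunk)
    sock.sendall(digest.digest())

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; recv() may return fewer than requested."""
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-transfer")
        buf += part
    return bytes(buf)

def recv_file(sock: socket.socket, path: str, max_size: int = 1 << 32) -> int:
    """Receive one framed file into path; returns the number of bytes written."""
    (size,) = struct.unpack("!Q", recv_exact(sock, 8))
    if size > max_size:                     # do not trust the announced length
        raise ValueError("announced size exceeds limit")
    digest, remaining = hashlib.sha256(), size
    with open(path, "wb") as out:
        while remaining:
            chunk = sock.recv(min(CHUNK, remaining))
            if not chunk:
                raise ConnectionError("peer closed mid-transfer")
            digest.update(chunk)
            out.write(chunk)
            remaining -= len(chunk)
    # An unkeyed digest detects corruption or truncation, not deliberate tampering.
    if digest.digest() != recv_exact(sock, 32):
        os.remove(path)
        raise ValueError("digest mismatch")
    return size
```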

  • TCP bad checksum

    Hi
    Could someone inform me how a CSS 11500 handles a packet with an invalid TCP checksum? I have two load-balanced servers behind a CSS and I'm seeing an ACK with a bad checksum hitting the server VLAN interface of the CSS, which appears to send an RST 200 microseconds later to the server but not to the client. Is this normal behaviour?
    Thanks in advance

    Stephen,
    Don't look at the interval with just the last packet.
    The CSS will mark a flow idle if the interval between 2 consecutive packets is bigger than the idle timeout.
    At that time, no reset will be sent.
    But during the garbage collection process, the CSS may reclaim resources held by connections that were marked idle.
    Even if the connection was not idle anymore, the CSS will destroy it if it was marked idle anytime in the past.
    Moreover, for HTTP connections, the idle timeout is 8 sec and not 16.
    Finally, you can also check with 'show dos' to see if the CSS considers the connection as illegal - which would trigger a reset as well.
    Gilles.

  • Sending datagram packets over LAN

    I have made a client server application.
    When running both client and server in NetBeans on the same computer, the datagram packets get transferred and the transfer works properly.
    But when I shift the client application to another computer in the LAN, the datagram packets do not reach the server. What may be the problem? What can be the solution?

    Broadcast/multicast packets are often blocked by default by routers, i.e. you will see them if you are on the same router but nowhere else.
    This is to prevent such packets flooding the whole network. (Although there are better ways to deal with this, this is the simplest approach)
    You need to ensure that all the routers between your two systems allow forwarding of UDP packets.
