ASA causing OSPF adjacency cycles

Similar Messages

• Does debug ip OSPF adjacency will cause high CPU

  Hello All,
  We are finding a OSPF flapping issue on Cisco 3750x switches. To isolate the issue TAC has suggested "debug ip ospf adj"
  Does this command will cause high CPU utilization?
  There are 12 OSPF neighbours connected to that switch and we have the hello interval of 1 second.
  Any of your help would be appreciable.
  Regards,
  Thiyagu

  It may do... But unlikely. There is always a risk with debug commands that have large output. Especially that you have hello intervals set to 1 second. I would advise to do out of hours if necessary to mitigate risks of impacting production.
  What version of ios are you on and show the output of 'show proc cpu sorted'
  I have had a similar experience and multicast was the problem. It was high CPU and dropping ospf adjacencies. We downgraded to 12.2 55 SE 8
  It helped the problem for CPU utilisation but didn't fix it. Since then we are using 6509Es in VSS

• OSPF adjacency between loopbacks over Layer2 WAN

  Hi Experts,
  I am wondering if some can explain me below scenario please
  you have two routers in different DCs and they only have layer 2 connectivity, hence no the IP addresses assigned to their outside interface, they both have 1 loopback on each router and I want to form an adjacency between their loopbacks.
  Can anyone explain, how to achieve this, or redirect me to the relevant cisco documentation please.

  Hey,
  Just adding my bit to post. You may also explore ip unnumbered option, have a look:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/unnumber.html
  HTH.
  Regards,
  RS.

• Two tunnels, two different mtu values, no OSPF adjacency

  Hi all,
  Well this is an interesting one, i have a tunnel configured between two 2921 routers that used to work just fine, we had an management access issue on one of the routers and it had to be rebooted, all looked fine until one of OSPF adjacencies didn't come up, the one across the tunnel in question, ran a dubug and saw;
  Apr 10 2015 09:58:30.319 AEST: OSPF-100 ADJ   Tu100: Nbr 10.0.6.12 has larger interface MTU
  OK, so i check both ends of the tunnel, MTU different;
  bne-rt01#sh int tunn 100
  Tunnel100 is up, line protocol is up 
    Hardware is Tunnel
    Internet address is 10.0.3.62/30
    MTU 17874 bytes, BW 204800 Kbit/sec, DLY 50000 usec, 
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 10.255.255.1 (GigabitEthernet0/1/0), destination 10.255.255.5
     Tunnel Subblocks:
        src-track:
           Tunnel100 source tracking subblock associated with GigabitEthernet0/1/0
            Set of tunnels with source GigabitEthernet0/1/0, 2 members (includes iterators), on interface <OK>
    Tunnel protocol/transport GRE/IP
      Key disabled, sequencing disabled
      Checksumming of packets disabled
    Tunnel TTL 255, Fast tunneling enabled
    Tunnel transport MTU 1434 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Tunnel protection via IPSec (profile "PTQ-IPSEC-PROFILE-2")
    Last input 00:00:02, output never, output hang never
    Last clearing of "show interface" counters 27w0d
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 103048
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       2526404 packets input, 944901813 bytes, 0 no buffer
       Received 0 broadcasts (0 IP multicasts)
       0 runts, 0 giants, 0 throttles 
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       2701610 packets output, 706777352 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  brn-rt01#sh int tunn 100
  Tunnel100 is up, line protocol is up 
    Hardware is Tunnel
    Description: PIPE_Backup
    Internet address is 10.0.3.61/30
    MTU 17866 bytes, BW 204800 Kbit/sec, DLY 50000 usec, 
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 10.255.255.5 (GigabitEthernet0/1/0), destination 10.255.255.1
     Tunnel Subblocks:
        src-track:
           Tunnel100 source tracking subblock associated with GigabitEthernet0/1/0
            Set of tunnels with source GigabitEthernet0/1/0, 2 members (includes iterators), on interface <OK>
    Tunnel protocol/transport GRE/IP
      Key disabled, sequencing disabled
      Checksumming of packets disabled
    Tunnel TTL 255, Fast tunneling enabled
    Tunnel transport MTU 1426 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Tunnel protection via IPSec (profile "PTQ-IPSEC-PROFILE-2")
    Last input 00:00:00, output never, output hang never
    Last clearing of "show interface" counters 01:04:19
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 3000 bits/sec, 1 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       1723 packets input, 1069064 bytes, 0 no buffer
       Received 0 broadcasts (0 IP multicasts)
       0 runts, 0 giants, 0 throttles 
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       962 packets output, 91128 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  checked the IP MTU, different;
  bne-rt01#sh ip int tunn 100
  Tunnel100 is up, line protocol is up
    Internet address is 10.0.3.62/30
    Broadcast address is 255.255.255.255
    Address determined by setup command
    MTU is 1434 bytes
  brn-rt01#sh ip int tunn 100
  Tunnel100 is up, line protocol is up
    Internet address is 10.0.3.61/30
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1426 bytes
  Checked the source interfaces MTU, same;
  bne-rt01#sh int gi0/1/0
  GigabitEthernet0/1/0 is up, line protocol is up 
    Hardware is EHWIC-1GE-SFP-CU, address is 442b.03e5.8870 (bia 442b.03e5.8870)
    Description: OPTUS IPVPN WAN
    Internet address is 10.255.255.1/30
    MTU 1500 bytes, BW 204800 Kbit/sec, DLY 10 usec, 
  brn-rt01#sh int gi0/1/0
  GigabitEthernet0/1/0 is up, line protocol is up 
    Hardware is EHWIC-1GE-SFP-CU, address is 5057.a819.3620 (bia 5057.a819.3620)
    Description: OPTUS IPVPN WAN
    Internet address is 10.255.255.5/30
    MTU 1500 bytes, BW 204800 Kbit/sec, DLY 10 usec, 
  Checked IP MTU on source, same;
  bne-rt01#sh ip int gi0/1/0
  GigabitEthernet0/1/0 is up, line protocol is up
    Internet address is 10.255.255.1/30
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
  brn-rt01#sh ip int gi0/1/0
  GigabitEthernet0/1/0 is up, line protocol is up
    Internet address is 10.255.255.5/30
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
  below is the configuration of the physical source;
  bne-rt01#sh run int gi0/1/0
  Building configuration...
  Current configuration : 209 bytes
  interface GigabitEthernet0/1/0
   description OPTUS IPVPN WAN
   bandwidth 204800
   ip address 10.255.255.1 255.255.255.252
   ip traffic-export apply WAN-Traffic-capture size 1000000
   duplex auto
   speed auto
  end
  brn-rt01#sh run int gi0/1/0
  Building configuration...
  Current configuration : 209 bytes
  interface GigabitEthernet0/1/0
   description OPTUS IPVPN WAN
   bandwidth 204800
   ip address 10.255.255.5 255.255.255.252
   ip traffic-export apply WAN-Traffic-capture size 1000000
   duplex full
   speed 1000
  end
  below is the configuration of the tunnel interfaces;
  bne-rt01#sh run int tunn 100
  Building configuration...
  Current configuration : 245 bytes
  interface Tunnel100
   bandwidth 204800
   ip address 10.0.3.62 255.255.255.252
   ip flow ingress
   ip flow egress
   tunnel source GigabitEthernet0/1/0
   tunnel destination 10.255.255.5
   tunnel protection ipsec profile PTQ-IPSEC-PROFILE-2 shared
  end
  brn-rt01#sh run int tunn 100
  Building configuration...
  Current configuration : 270 bytes
  interface Tunnel100
   description PIPE_Backup
   bandwidth 204800
   ip address 10.0.3.61 255.255.255.252
   ip flow ingress
   ip flow egress
   tunnel source GigabitEthernet0/1/0
   tunnel destination 10.255.255.1
   tunnel protection ipsec profile PTQ-IPSEC-PROFILE-2 shared
  end
  To be honest i'm a bit lost as to the reason, any ideas guys?
  regards
  warren

  Hi Warren,
  According to this thread:
  https://supportforums.cisco.com/discussion/11305311/understanding-mtu-given-gre-tunnel
  the first displayed MTU of over 17000 bytes (let's call it simply tunnel MTU as opposed to the tunnel transport MTU) is computed from platform buffer sizes. I suspect that the memory-size iomem command may have something to do with this. Without this command, the router decides how much memory to set aside for packet buffers depending on the installed interfaces and network modules - and of course, based on the IOS version as well, as this automatic IOMEM sizing is performed by the IOS when booting, and different IOSes may do things differently. With this command configured, a fixed percentage of RAM can be reserved. Could something of this have changed between reboots - a different IOS version, perhaps, or adding/removal of this command, or change in installed network modules and interfaces?
  Nonetheless, the difference between the tunnel MTUs (8 bytes) seems to correspond to the difference between the tunnel transport MTUs and IP MTUs. Somehow, the change in the tunnel MTU could have affected the resulting tunnel transport MTU.
  Yet another question is whether the IPsec policy (transform set, key sizes, etc.) is identical to the IPsec policy before the reload. If my memory serves me, in IPsec, if two peers have identical but differently ordered ISAKMP and IPsec policies, the resulting IPsec operation depends on who first started the ISAKMP negotiation (the idea is: the initiator of the IPsec tunnel proposes all its ISAKMP, and afterwards, all its IPsec policies, and the target of the IPsec tunnel chooses the first one that matches one of its policies). If by any chance the configuration of ISAKMP policies, IPsec transform sets, etc. is not letter-identical on this router and the other endpoint, it is possible that the router now operates the IPsec differently than before the reload, which could affect the overall overhead, and thereby the tunnel transport MTU as well.
  In any case, with tunnels, it is my strong recommendation to configure a conservatively low MTU manually. With IPsec-protected GRE tunnels over IPv4, the recommended manual MTU is 1400 and so the TCP MSS should be clamped to 1360. The recommendation for MTU of 1400 is taken from this document:
  http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html#t16
  I would personally suggest configuring the MTU manually on all your tunnels to 1400. This will both provide for a reasonable reserve in case your own ISP uses some additional overhead to carry your packets, and at the same time, it will prevent your routers from automagically (and obscurely) changing your tunnel transport MTUs between restarts.
  Best regards,
  Peter

• FlexVPN and OSPF issue

  I have an issue with OSPF rountig on routers configured in hub and spoke topology.
  An issue is on a routes which OSPF do not advertise from hub to spokes.
  Subnets created on a hub router are not seen on spokes but new added subnet on spoke is seen in hub routing table.
  Adding ip ospf network brodcast command on a hub virtual-template interface causes OSPF adjacency to down.
  By the way, EIGRP works fine.
  Has anyone encountered this issue with OSPF.
  Please, look short config below;
  -----------------------HUB-------------------------------
  crypto ikev2 authorization policy default
  route set interface
  crypto ikev2 proposal ikev2_prop
  encryption aes-cbc-256
  integrity sha512
  group 16
  crypto ikev2 policy ikev2_policy
  proposal ikev2_prop
  crypto ikev2 keyring Flex_key
  peer Spokes
    address 192.168.50.197
    pre-shared-key local 12345
    pre-shared-key remote 12345
  peer RTB
    address 192.168.50.199
    pre-shared-key local 12345
    pre-shared-key remote 12345
  crypto ikev2 profile Flex_IKEv2
  match identity remote address 192.168.50.197 255.255.255.255
  match identity remote address 192.168.50.199 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local Flex_key
  virtual-template 1
  no crypto isakmp default policy
  crypto ipsec transform-set ipsec_trans esp-aes 256 esp-sha512-hmac
  mode tunnel
  crypto ipsec profile default
  set transform-set ipsec_trans
  set ikev2-profile Flex_IKEv2
  interface Loopback1
  ip address 172.16.10.1 255.255.255.0
  ip ospf 10 area 0
  interface Loopback10
  ip address 10.1.1.1 255.255.255.0
  ip ospf 10 area 0
  interface Loopback50
  ip address 50.1.1.1 255.255.255.0
  ip ospf 10 area 50
  interface Embedded-Service-Engine0/0
  no ip address
  interface GigabitEthernet0/1
  bandwidth 100000
  ip address 192.168.50.198 255.255.255.0
  duplex auto
  speed auto
  interface Virtual-Template1 type tunnel
  ip unnumbered Loopback1
  ip mtu 1400
  ip tcp adjust-mss 1360
  tunnel source GigabitEthernet0/1
  tunnel mode ipsec ipv4
  tunnel path-mtu-discovery
  tunnel protection ipsec profile default
  router ospf 10
  redistribute connected subnets
  network 10.1.1.0 0.0.0.255 area 0
  sh cryp ike sa
  IPv4 Crypto IKEv2  SA
  Tunnel-id Local                 Remote                fvrf/ivrf            Status
  1         192.168.50.198/500    192.168.50.197/500    none/none            READY
        Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK
        Life/Active Time: 86400/77565 sec
  Tunnel-id Local                 Remote                fvrf/ivrf            Status
  2         192.168.50.198/500    192.168.50.199/500    none/none            READY
        Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK
        Life/Active Time: 86400/77542 sec
  IPv6 Crypto IKEv2  SA
  sh ip rou
  S*    0.0.0.0/0 [1/0] via 192.168.50.1
        10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        10.1.1.0/24 is directly connected, Loopback10
  L        10.1.1.1/32 is directly connected, Loopback10
        50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        50.1.1.0/24 is directly connected, Loopback50
  L        50.1.1.1/32 is directly connected, Loopback50
        100.0.0.0/32 is subnetted, 1 subnets
  O IA     100.1.1.1 [110/2] via 172.16.10.254, 21:32:58, Virtual-Access1
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.10.0/24 is directly connected, Loopback1
  L        172.16.10.1/32 is directly connected, Loopback1
        192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.50.0/24 is directly connected, GigabitEthernet0/1
  L        192.168.50.198/32 is directly connected, GigabitEthernet0/1
        200.1.1.0/32 is subnetted, 1 subnets
  O IA     200.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Virtual-Access2
        201.1.1.0/32 is subnetted, 1 subnets
  O IA     201.1.1.1 [110/2] via 172.16.10.253, 21:32:38, Virtual-Access2
        220.1.1.0/32 is subnetted, 1 subnets
  O IA     220.1.1.1 [110/2] via 172.16.10.253, 00:06:11, Virtual-Access2
  ---------------------------SPOKE---------------------------------------------
  crypto ikev2 proposal ikev2_prop
  encryption aes-cbc-256
  integrity sha512
  group 16
  crypto ikev2 policy ikev2_policy
  proposal ikev2_prop
  crypto ikev2 keyring Flex_key
  peer Spokes
    address 192.168.50.198
    pre-shared-key local 12345
    pre-shared-key remote 12345
  crypto ikev2 profile Flex_IKEv2
  match identity remote address 192.168.50.198 255.255.255.0
  authentication remote pre-share
  authentication local pre-share
  keyring local Flex_key
  virtual-template 1
  no crypto isakmp default policy
  crypto ipsec transform-set ipsec_trans esp-aes 256 esp-sha512-hmac
  mode tunnel
  crypto ipsec profile default
  set transform-set ipsec_trans
  set ikev2-profile Flex_IKEv2
  interface Loopback200
  ip address 200.1.1.1 255.255.255.0
  ip ospf 10 area 200
  interface Loopback201
  ip address 201.1.1.1 255.255.255.0
  ip ospf 10 area 201
  interface Loopback220
  ip address 220.1.1.1 255.255.255.0
  ip ospf 10 area 220
  interface Tunnel1
  ip address 172.16.10.253 255.255.255.0
  ip mtu 1400
  ip tcp adjust-mss 1360
  tunnel source GigabitEthernet0/1
  tunnel mode ipsec ipv4
  tunnel destination 192.168.50.198
  tunnel path-mtu-discovery
  tunnel protection ipsec profile default shared
  interface GigabitEthernet0/1
  ip address 192.168.50.199 255.255.255.0
  duplex auto
  speed auto
  router ospf 10
  network 172.16.10.0 0.0.0.255 area 0
  sh cryp ike sa
  IPv4 Crypto IKEv2  SA
  Tunnel-id Local                 Remote                fvrf/ivrf            Status
  1         192.168.50.199/500    192.168.50.198/500    none/none            READY
        Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:16, Auth sign: PSK, Auth verify: PSK
        Life/Active Time: 86400/77852 sec
  IPv6 Crypto IKEv2  SA
  sh ip route
  S*    0.0.0.0/0 [1/0] via 192.168.50.1
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.10.0/24 is directly connected, Tunnel1
  L        172.16.10.253/32 is directly connected, Tunnel1
        192.168.50.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.50.0/24 is directly connected, GigabitEthernet0/1
  L        192.168.50.199/32 is directly connected, GigabitEthernet0/1
        200.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
  C        200.1.1.0/24 is directly connected, Loopback200
  L        200.1.1.1/32 is directly connected, Loopback200
        201.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
  C        201.1.1.0/24 is directly connected, Loopback201
  L        201.1.1.1/32 is directly connected, Loopback201
        220.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
  C        220.1.1.0/24 is directly connected, Loopback220
  L        220.1.1.1/32 is directly connected, Loopback220
  sh ip ospf database ro  172.16.10.1
              OSPF Router with ID (200.1.1.1) (Process ID 10)
                  Router Link States (Area 0)
    Adv Router is not-reachable in topology Base with MTID 0
    LS age: 336
    Options: (No TOS-capability, DC)
    LS Type: Router Links
    Link State ID: 172.16.10.1
    Advertising Router: 172.16.10.1
    LS Seq Number: 80000065
    Checksum: 0x4B6E
    Length: 60
    Area Border Router
    AS Boundary Router
    Number of Links: 3
      Link connected to: a Stub Network
       (Link ID) Network/subnet number: 10.1.1.1
       (Link Data) Network Mask: 255.255.255.255
        Number of MTID metrics: 0
         TOS 0 Metrics: 1
      Link connected to: another Router (point-to-point)
       (Link ID) Neighboring Router ID: 100.1.1.1
       (Link Data) Router Interface address: 0.0.0.18
        Number of MTID metrics: 0
         TOS 0 Metrics: 1
      Link connected to: another Router (point-to-point)
       (Link ID) Neighboring Router ID: 200.1.1.1
       (Link Data) Router Interface address: 0.0.0.17
        Number of MTID metrics: 0
         TOS 0 Metrics: 1

  I checked it out in the lab, at least the generic OSPF setup.
  A few comments - do not "redistribute connected" not all of them - you can introduce recursive routing (i.e. introduce tunnel endpoint through the tunnel).
  Spoke2#show ip ospf interface tu1Tunnel1 is up, line protocol is up   Internet Address 10.1.1.177/32, Area 0, Attached via Network Statement  Process ID 65001, Router ID 192.168.102.1, Network Type POINT_TO_POINT, Cost: 1000  Topology-MTID    Cost    Disabled    Shutdown      Topology Name        0           1000      no          no            Base  Transmit Delay is 1 sec, State POINT_TO_POINT  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5    oob-resync timeout 40    Hello due in 00:00:03  Supports Link-local Signaling (LLS)  Cisco NSF helper support enabled  IETF NSF helper support enabled  Index 1/1, flood queue length 0  Next 0x0(0)/0x0(0)  Last flood scan length is 1, maximum is 1  Last flood scan time is 0 msec, maximum is 0 msec  Neighbor Count is 1, Adjacent neighbor count is 1     Adjacent with neighbor 172.25.1.1  Suppress hello for 0 neighbor(s)Spoke2#show ip route ospf(...)Gateway of last resort is 172.16.2.1 to network 0.0.0.0      10.0.0.0/32 is subnetted, 3 subnetsO        10.1.1.176 [110/3000] via 10.1.1.1, 00:01:38, Tunnel1O IA  192.168.0.0/24 [110/1010] via 10.1.1.1, 00:01:21, Tunnel1Hub#sh run | s r orouter ospf 65001 network 10.1.1.0 0.0.0.255 area 0 network 192.168.0.0 0.0.0.255 area 10
  then I added
  route-map CONNECTED_TO_OSPF, permit, sequence 10  Match clauses:    interface Loopback999   Set clauses:  Policy routing matches: 0 packets, 0 bytesHub#sh run | s r orouter ospf 65001 redistribute connected subnets route-map CONNECTED_TO_OSPF network 10.1.1.0 0.0.0.255 area 0 network 192.168.0.0 0.0.0.255 area 10
  And checked on Spoke
  Spoke1#show ip route ospf(...)Gateway of last resort is 172.16.1.1 to network 0.0.0.0      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masksO        10.1.1.177/32 [110/3000] via 10.1.1.1, 00:05:06, Tunnel1O E2     10.255.255.0/24 [110/20] via 10.1.1.1, 00:00:04, Tunnel1O IA  192.168.0.0/24 [110/1010] via 10.1.1.1, 00:04:49, Tunnel1
  Final note "shared" is not needed on point to point interfaces.

• OSPF PTP with ASA

  Hello
  I am trying to bring up a L3 PTP between an ASA and a 6500 running IOS.   The ASA is in routed mode configured for OSPF.  On the ASA I configure the interface to the 6500 with an IP address and define the network type as point-to-point.   I add that network to the OSPF process configuration. Likewise on the 6500 I configure the interface as a L3 interface with IP and network type as point-to-point.   I add the same /30 network to that OSPF process.  I can ping across the /30 both ways but the adjacency is not forming.   The ASA debugs show the hello coming from the correct 6500 interface.   However the ASA can't find the 6500 interface.  The debug indicates "cannot locate nbr x.x.x.x (ip address of 6500 interface). 
  When I remove the "ospf network point-to-point nonbroadcast" command on the ASA the adjacency does form.    However, on the ASA side it's "2way/drother" and on the 6500 side "full".   The LSDB's look good.   But the 6500 is not injecting the routes advertised from the ASA into the routing table.  
  Thoughts?  I suspect I am missing a concept or simple command.   As far as I can tell this is a supported configuration on the ASA.    But have not been able to find any point-to-point configuration examples.
  Any information is much appreciated.
  Thanks
  Chuck

  On the ASA the "non-broadcast" option is required.  When I try to leave it off I get a "command incomplete" message.
  There are no other options available so I used "ospf network point-to-point non-broadcast" option.
  On the 6500 IOS switch I can simply put in "ip ospf network point-to-point" with no further options.  Here the "non-broadcast" option is not available even if I wanted it.  
  So with the ASA using "ospf network point-to-point nonbroadcast" and the 6500 IOS using "ip ospf network point-to-point" I can't get the adjacency up.   Both network types are listed as "POINT-TO-POINT" for each interface.
  Any further thougths anyone?   Is there a different command on the ASA that doesn't require the non-broadcast option?
  Chuck

• ASR 1002 OTV and OSPF routing adjacency

  I have two data centers using ASR 1002x configured for unicast OTV as the DCI.... and all is operational.
  A Nexus 9K is the core switch in DC1 and a 6500 is the core switch in DC2
  I now need to route non-otv vlans between data centers.
  Questions:
  1. is forming OSPF adjacency's between the 9K and 6500 supported over the OTV overlay?
  2. If not - what is a supported design?
  I cannot find anything out there.....
  Thanks in Advance

  Hi Blaz,
  In the debugs, I still see Framed-Compression attribute in the access-accept sent from radius:
  Mar 19 11:22:37.737: RADIUS:  Framed-Compression  [13]  6   None                      [0]
  Changing the compression from "Van-Jacobsen-TCP-IP" to 'None' is not enough. You need to remove the Framed-Compression attribute completely from the radius profile for the subscriber.
  Could you try that?
  Regards

• 6880 in VSS Mode and OSPF maximum paths

  Hi Folks,
  I have an issue observed in testing.  We have implemented a VSS solution on the 6880-X-LE.  We have two MEC L3 PO's upstream and thus two OSPF path's for our default route.  After creating an event in the lab to put the boxes in Active - Active (pulled VSL links off SW1) and then go through the process of restoring the VSS (put VSL links back in) I noticed my additional path did not restore.
  From the restoration perspective, it went as follows:
  Sw1 - Active SW2-standby - pull VSL links
  VSL PO goes down
  SW1 - Active SW2 - Active (sub second traffic impact)
  SW1 - enters recovery mode SW2 - Active
  VSL links back in  - VSL PO up
  SW1 - reboots and comes up standby SW2 - Active
  Routing table now only shows entry for PO200 and no routes can go out PO100.
  6880#sh ip route
  <cut>  
  0.0.0.0/0 [110/1000] via 192.168.0.253, 00:38:34, Port-channel200
        1.0.0.0/24 is subnetted, 2 subnets
  O        1.1.1.0 [110/151] via 10.86.50.253, 00:31:55, Port-channel200
  O        1.1.2.0 [110/151] via 10.86.50.253, 00:31:55, Port-channel200
        192.168.0.0/16 is variably subnetted, 59 subnets, 8 masks
  O        192.168.1.0/25 [110/150] via 1192.168.0.253, 00:31:55, Port-channel200
  O        192.168.1.128/25 [110/350] via 192.168.0.253, 00:31:55, Port-channel200
  O        192.168..3.0/25 [110/350] via 192.168.0.253, 00:31:55, Port-channel200
  6880#sh ip ospf ne
  Neighbor ID     Pri   State           Dead Time   Address         Interface
  192.168.0.253     0   FULL/  -        00:00:31    192..168.50.253    Port-channel200
  192.168.0.251     0   FULL/  -        00:00:32    192.168.50.251    Port-channel100
  Can anyone help? 
  Thanks,
  Rash

  Hi Reza,
  I can't post the configuration. However, I can tell you that I have a TAC case open with Cisco and they agree with me that this behavior requires further investigation.  So the "PO" in question disappears seems to match when I get the error related to the a port-member not being compatible:
  Jan 26 15:18:17 est: %EC-SW2_STBY-5-CANNOT_BUNDLE2: Te2/3/14 is not compatible with Te1/5/14 and will be suspended (speed of Te2/3/14 is 10G, Te1/5/14 is 1000M)
  So what happens is that in PO100 you'll see only one bundled port and the other is suspended.  This causes OSPF to withdraw the PO from the routing table (hypothesis but reproducible).  
  In our trial production launch, I performed the same test above redundancy force-switchover and you'll see both entries in the routing-table. Once the other modules come up and I get a suspended port-member that particular PO disappears from the routing table. 
  If you shut/no shut that PO, the PO returns as an available path in the routing table.  In production we are not using GLC-T (as in the lab) but are using GLC-SX-MM.  The bug that puts this member into a suspended state falls under the this bug id:
  CSCur17071
  What I missed initially is the fact, that the routing table removes that PO from being an available path even though it still has an active port-member.
  Cheers,
  Rash

• OSPF and VLANs

  Scope of Inquiry:
  I've supported heterogeneous networks for merely a decade, but never quite big enough to expose me to Enterprise routing/switching concepts in real-time. I've supported numerous Metro Ethernet hub and spoke topologies, as well as a few racks in a datacenter environment ... however, once again ... no real application of OSPF, EIGRP, etc. 
  I'm learning some of the fundamental concepts of OSPF, adjacency, LSA types, etc... but one thing that has me tripped up is whether or not/how VLANs would be leveraged in a real-world scenario, in an OSPF environment.
  Can anyone kindly give me a very clear and concise explanation/high-level explanation of the contextual application of VLANs in an OSPF network, including whether or not tags would exist in each area, etc. * Please do not pontificate --- that is to overstate a simple explanation with extraneous details that are outside the scope of a basic/real-world explanation. Hope that wasn't too terse, but I'm trying to gain a working knowledge of the protocol and its nuances quickly. 
  Thanks!
  -Data-

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  Hmm, don't know if I can briefly provide such a description.  Currently, I work in a large company (about 100,000 employees [with about 5,000 Enterprise switches and routers]) and my purview is about 10% of our Enterprise's switches and routers.  My sites range is size from just supporting a few hosts to thousands of hosts, equipment "sizes" range from Cisco 800 series ISRs, up to 6500s in VSS pairs.
  From a VLAN standpoint, VLANs generally provide subnets for hosts which also range is size from a /29 up to a /23.  VLAN/subnets are defined principally for like hosts and sized for the number of like hosts.  However, generally like host VLANs/subnets are split into multiple like VLANs/subnets once you get up to about a /24.
  A VLAN/subnet might only be hosted on one large chassis (4510 or 6509/6513) or it might be hosted on multiple L2 switches (2Ks/3Ks).  Generally (but not always) VLANs/subnets do not span multiple sites.
  At the moment, all sites with a region, generally one or more adjacent US States, are grouped into the same OSPF area.  I.e. such a region might have 50 to a couple of hundred OSPF "routers" in the same area.
  Originally area zero was used to tie the region areas together, but currently BGP is used with the WAN core (between regions).
  OSPF, per area, of course has all the subnets being hosted by VLANs and also all the (numbered) p2p links (per region/OSPF-area networks can run into a couple of hundred).
  LAN designs are generally just 1 or 2 layers, this because you can host so much on a large chassis or stack.  For example, at one of my larger sites, my user edge devices are 3 6509s with 96 port line cards.  As the users ports support both VoIP and data VLANs, a single data or VoIP VLAN spans two line cards (i.e. 192 ports).  So with 7 user line cards, the chassis hosts 4 data VLANs/subnets(/24) and 4 VoIP VLANs/subnets(/24).  As the 6509 has a L3 sup, the 8 chassis subnets are included in that device's OSPF router section and advertized to the rest of the OSPF area (via a dual gig, L3 Etherchannel, uplinked to a site core 6509 - the latter having two 10g SM off-site OSPF p2p fiber links).
  At a small (old technology) branch, I might have a "ring" of several 2K series switches.  For routing I'll have some 3K switch with an off-site gig link and a connection to one of the 2K switches.  I might also have a small ISR with a VPN tunnel, for off-site, with a connection to a different 2K switch.  There will be one to several VLANs/subnets defined on the 2K switches and 3K switch.  The ISR will indirectly have access to the VLANs via .q subinterfaces.  The 3K and ISR provide the subnet getways and include the VLAN/subnets into OSPF.  The also generally will run HSRP for the VLAN/subnet gateway IP.
  At a small (newer technology) branch, may have a L3 stack and an ISR.  One stack member has the high speed off-site gig link, the ISR connects to a different stack member.  However, the ISR now has a L3 routed p2p link to the L3 stack; there's no HSRP.  Yet, VLANs/subnets are pretty much as the above (paragraph).
  Hopefully the above gives you a view into some real world, large scale, with VLANs and OSPF.
  If you have additional questions, feel free to ask.

• IMac keeps cycling on and off

  My iMac mysteriously starts up by itself and then shuts down by itself. I didn't touch it for 2 weeks and after I went to use it, it now just keeps cycling up and down. The only way to stop it is to keep it unplugged. Any insights? Thanks.

  Hello and Welcome to Apple Discussions. 
  Here are some things to try:
  Check your Energy Saver settings (the iMac can be set to startup and shutdown here)  Apple Menu > System Preferences... > Energy Saver pane.
  Check the logs; Go to Macintosh HD > Applications > Utilities > Console. In here (assuming you can get it to stay on long enough to look) you can inspect the various system logs to see what may be causing the power cycling. Each system event is recorded against the time it occurred so you can do some detective work.
  Did you leave the iMac unplugged for those two weeks?
  Does the iMac take longer than normal to boot up at this time?
  Do you get a report saying "Your computer did not shut down properly"?
  cheers
  mrtotes

• VLANs in OSPF network?

  Scope of Inquiry:
  I've supported heterogeneous networks for merely a decade, but never quite big enough to expose me to Enterprise routing/switching concepts in real-time. I've supported numerous Metro Ethernet hub and spoke topologies, as well as a few racks in a datacenter environment ... however, once again ... no real application of OSPF, EIGRP, etc. 
  I'm learning some of the fundamental concepts of OSPF, adjacency, LSA types, etc... but one thing that has me tripped up is whether or not/how VLANs would be leveraged in a real-world scenario, in an OSPF environment.
  Can anyone kindly give me a very clear and concise explanation/high-level explanation of the contextual application of VLANs in an OSPF network, including whether or not tags would exist in each area, etc. * Please do not pontificate --- that is to overstate a simple explanation with extraneous details that are outside the scope of a basic/real-world explanation. Hope that wasn't too terse, but I'm trying to gain a working knowledge of the protocol and its nuances quickly. 
  Thanks!
  -Data-

  Hi, I am afraid you chose the wrong forum. This one is mostly about contact centers. You might have to send your question to Routing&Switching section.
  G.

• Tunning ospf dr/bdr eletction time

  Hello. 
  I just want to know how to reduce ospf adjacency time. 
  When broadcast mode, it takes long time to elect DR/BDR when routers are in 2way state. 
  Is there any way to pass quickly this state?
  Thank you : )

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  If there are just two neighbors, you could set their OSPF mode to point-to-point.  Then they will establish adjacency much faster.

• Troubleshoot strange OSPF instability

  This one's got me stumped. some of our core L3 routers will just up lose their neighbors. I'm logging adjaceny changes and they just go to a DOWN state and then quickly (sometimes 2 seconds, sometimes a minutes) going through the neighbor stages (init, 2-way, etc)
  I've checked layer2 counters and spanning-tree and they look OK. It's happening on all 5 of our core campus routers (6500s with L3 engines).
  what is even stranger is sometimes the 6500s will lose their 7200 WAN router neighbor as well. There isn't really a pattern.
  Can this be processor? OSPF has too many DB entires for an area?
  Thanks in advanced. I was tempted to turn on SPF debugging.
  Logg messages from one ospf router. Notice going directly from FULL to INIT.
  May 25 18:17:35.588: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from [b]FULL to INIT, 1-Way[/b]
  May 25 18:18:29.877: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from INIT to 2WAY, 2-Way Received
  May 25 18:18:29.877: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from 2WAY to EXSTART, AdjOK?
  May 25 18:18:29.877: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from EXSTART to EXCHANGE, Negotiation Done
  May 25 18:18:29.897: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from EXCHANGE to LOADING, Exchange Done
  May 25 18:18:29.897: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from LOADING to FULL, Loading Done
  May 25 18:21:16.749: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from FULL to INIT, 1-Way
  May 25 18:21:19.937: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from INIT to 2WAY, 2-Way Received
  May 25 18:21:26.749: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from 2WAY to EXSTART, AdjOK?
  May 25 18:21:29.937: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from EXSTART to EXCHANGE, Negotiation Done
  May 25 18:21:29.965: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from EXCHANGE to LOADING, Exchange Done
  May 25 18:21:29.965: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.191.2 on Port-channel
  1.99 from LOADING to FULL, Loading Done

  Well its still happening. This time I've captured the problem with "debup ip ospf adjacency".
  What is concerning is some of these messages. Bad sequence number and neighbor going from full to exchstart. I still can't see any underlying layer1/2 problems.
  Jun 4 09:16:21.178: OSPF: Rcv DBD from 172.21.190.5 on Port-channel1.3 seq 0x16
  7A opt 0x2 flag 0x7 len 32 state FULL
  Jun 4 09:16:21.178: OSPF: Bad seq received from 172.21.190.5 on Port-channel1.3
  Jun 4 09:16:21.178: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.190.5 on Port-channel
  1.3 from FULL to EXSTART, SeqNumberMismatch
  Jun 4 09:16:21.178: OSPF: Send DBD to 172.21.190.5 on Port-channel1.3 seq 0x6ED
  opt 0x2 flag 0x7 len 32
  Jun 4 09:16:21.182: OSPF: Rcv DBD from 172.21.190.5 on Port-channel1.3 seq 0x6E
  D opt 0x2 flag 0x2 len 1472 state EXSTART
  Jun 4 09:16:21.182: OSPF: NBR Negotiation Done. We are the MASTER
  Jun 4 09:16:21.182: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.190.5 on Port-channel
  1.3 from EXSTART to EXCHANGE, Negotiation Done
  Jun 4 09:16:21.182: OSPF: Send DBD to 172.21.190.5 on Port-channel1.3 seq 0x6EE
  opt 0x2 flag 0x3 len 1472
  Jun 4 09:16:21.186: OSPF: Rcv DBD from 172.21.190.5 on Port-channel1.3 seq 0x6E
  E opt 0x2 flag 0x2 len 632 state EXCHANGE
  Jun 4 09:16:21.186: OSPF: Send DBD to 172.21.190.5 on Port-channel1.3 seq 0x6EF
  opt 0x2 flag 0x3 len 632
  Jun 4 09:16:21.186: OSPF: Rcv DBD from 172.21.190.5 on Port-channel1.3 seq 0x6E
  F opt 0x2 flag 0x0 len 32 state EXCHANGE
  Jun 4 09:16:21.186: OSPF: Send DBD to 172.21.190.5 on Port-channel1.3 seq 0x6F0
  opt 0x2 flag 0x1 len 32
  Jun 4 09:16:21.190: OSPF: Rcv DBD from 172.21.190.5 on Port-channel1.3 seq 0x6F
  0 opt 0x2 flag 0x0 len 32 state EXCHANGE
  Jun 4 09:16:21.190: OSPF: Exchange Done with 172.21.190.5 on Port-channel1.3
  Jun 4 09:16:21.190: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.190.5 on Port-channel
  1.3 from EXCHANGE to LOADING, Exchange Done
  Jun 4 09:16:21.190: OSPF: Synchronized with 172.21.190.5 on Port-channel1.3, st
  ate FULL
  Jun 4 09:16:21.190: %OSPF-5-ADJCHG: Process 1, Nbr 172.21.190.5 on Port-channel
  1.3 from LOADING to FULL, Loading Done

• %ROUTING-RIB-3-UPDATE_TIMEOUT

  Hi,
  We are having GSR-12010 router in our n/w.Problm is that everytime any ospf link is going down we ae geting the error message listed below:
  LC/0/2/CPU0:Jan 20 07:57:32 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Down
  RP/0/8/CPU0:Jan 20 07:57:32 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from FULL to DOWN, Neighbor Down: interface down or detached
  LC/0/2/CPU0:Jan 20 07:57:34 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA
  LC/0/2/CPU0:Jan 20 07:57:42 : ifmgr[164]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/2/3/0, changed state to Up
  LC/0/2/CPU0:Jan 20 07:57:42 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Up
  LC/0/2/CPU0:Jan 20 07:57:45 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA cleared
  RP/0/8/CPU0:Jan 20 07:57:52 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from LOADING to FULL, Loading Done
  RP/0/8/CPU0:Jan 20 08:27:32 : ipv4_rib[225]: %ROUTING-RIB-3-UPDATE_TIMEOUT : Client "ospf" updated the RIB without signaling update completion for Vrf: "default" Tbl: "default" Safi: "Unicast"
  LC/0/2/CPU0:Jan 20 08:56:40 : ifmgr[164]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/2/3/0, changed state to Down
  LC/0/2/CPU0:Jan 20 08:56:40 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Down
  RP/0/8/CPU0:Jan 20 08:56:40 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from FULL to DOWN, Neighbor Down: interface down or detached
  LC/0/2/CPU0:Jan 20 08:56:40 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA
  LC/0/2/CPU0:Jan 20 08:56:50 : ifmgr[164]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/2/3/0, changed state to Up
  LC/0/2/CPU0:Jan 20 08:56:50 : ifmgr[164]: %PKT_INFRA-LINEPROTO-5-UPDOWN : Line protocol on Interface POS0/2/3/0, changed state to Up
  LC/0/2/CPU0:Jan 20 08:56:52 : g_spa_3[158]: %L2-SONET_LOCAL-4-ALARM : SonetPath0/2/3/0: B3_TCA cleared
  RP/0/8/CPU0:Jan 20 08:57:00 : ospf[304]: %ROUTING-OSPF-5-ADJCHG : Process 200, Nbr 10.181.128.3 on POS0/2/3/0 in area 0 from LOADING to FULL, Loading Done
  RP/0/8/CPU0:Jan 20 09:26:40 : ipv4_rib[225]: %ROUTING-RIB-3-UPDATE_TIMEOUT : Client "ospf" updated the RIB without signaling update completion for Vrf: "default" Tbl: "default" Safi: "Unicast"
  Please help us to get route cause and solution to this error log.
  Rgds,
  Tejeshwar Saini

  Hello Tejeshwar,
  the OSPF adjacency comes up correctly?
  is the device able to forward and receive over the link?
  the message appears to just signal the OSPF process has modified the RIB table, because the OSPF neighbor came up, without providing a signal to another process and
  This may be without impact or with impact on your device
  if you see that there is an impact you should open a TAC service request.
  if there is no impact, you may be able to live with this message
  You are using IOS XR 3.6. TAC will probably suggest you an upgrade that can take the form or one or more SMU packages or a whole IOS XR upgrade.
  Hope to help
  Giuseppe

• DMZ layer design review

  Hello,
  I would appreciate if some can share their experience/problems with below design between Core-Firewall-DMZ-Aggregation setup.
  1. There is a Layer-3 connectivity between core and firewall segments with L3 point-to-point links running OSPF. The active firewall(FW-A) forms ospf neighborship with Core-A and similarly FW-B forms ospf neighborship with Core-B and Core-A / Core-B form ospf neighborship.
  2. Aggregation switch and Firewall are connected over L2 trunks and OSPF is running over SVIs (VLAN 13 / bcast segment), Aggregation switch-A is elected as DR and Aggregation switch-B is BDR, both firewalls have configured ospf priority to zero. FW-A(active) forms ospf adjacency with Aggregation-A and Aggregation-B, and each Aggregation switch forms ospf neighborship with the active firewall only.
  Is there any chance that the broadcast network b/w Aggregation switch and Firewall can cause any problem when any of the aggregation switch reloads.
  I have attached a rough sketch for better understanding.
  Regards,
  Akhtar

  Hello,
  I would appreciate if some can share their experience/problems with below design between Core-Firewall-DMZ-Aggregation setup.
  1. There is a Layer-3 connectivity between core and firewall segments with L3 point-to-point links running OSPF. The active firewall(FW-A) forms ospf neighborship with Core-A and similarly FW-B forms ospf neighborship with Core-B and Core-A / Core-B form ospf neighborship.
  2. Aggregation switch and Firewall are connected over L2 trunks and OSPF is running over SVIs (VLAN 13 / bcast segment), Aggregation switch-A is elected as DR and Aggregation switch-B is BDR, both firewalls have configured ospf priority to zero. FW-A(active) forms ospf adjacency with Aggregation-A and Aggregation-B, and each Aggregation switch forms ospf neighborship with the active firewall only.
  Is there any chance that the broadcast network b/w Aggregation switch and Firewall can cause any problem when any of the aggregation switch reloads.
  I have attached a rough sketch for better understanding.
  Regards,
  Akhtar