ASR1002 EasyVPN termination on vrf (fvrf)

Hi,
I need to terminate EasyVPN on a VRF interface, because the Internet is on the VRF only.
On the Windows client it looks like a password error.
I haven't tried to terminate EasyVPN in a VRF before.
Can you help me?
With best regards,
Ugis

*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Dec 29 11:35:45.519: ISAKMP:(35007):deleting node -1674984011 error FALSE reason "Done with xauth request/reply exchange"
*Dec 29 11:35:45.519: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Dec 29 11:35:45.519: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*Dec 29 11:35:45.519: ISAKMP: set new node -1291909677 to CONF_XAUTH
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Dec 29 11:35:45.519: ISAKMP:(35007): initiating peer config to 4.3.2.1. ID = 3003057619
*Dec 29 11:35:45.519: ISAKMP:(35007): sending packet to 4.3.2.1 my_port 4500 peer_port 56966 (R) CONF_XAUTH
*Dec 29 11:35:45.519: ISAKMP:(35007):Sending an IKE IPv4 Packet.
*Dec 29 11:35:45.520: ISAKMP:(35007):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
*Dec 29 11:35:45.520: ISAKMP:(35007):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.528: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
*Dec 29 11:35:52.529: ISAKMP:(35007):processing transaction payload from 4.3.2.1. message ID = -1291909677
*Dec 29 11:35:52.529: ISAKMP: Config payload REPLY
*Dec 29 11:35:52.529: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
*Dec 29 11:35:52.529: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.529: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Dec 29 11:35:52.530: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.530: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 4.3.2.1
*Dec 29 11:35:52.532: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
*Dec 29 11:35:52.532: ISAKMP: set new node 1500321808 to CONF_XAUTH
*Dec 29 11:35:52.533: ISAKMP:(35007): processing HASH payload. message ID = 1500321808
*Dec 29 11:35:52.533: ISAKMP:received payload type 18
*Dec 29 11:35:52.533: ISAKMP:(35007):Processing delete with reason payload
*Dec 29 11:35:52.533: ISAKMP:(35007):delete doi = 0
*Dec 29 11:35:52.534: ISAKMP:(35007):delete protocol id = 1
*Dec 29 11:35:52.534: ISAKMP:(35007):delete spi_size = 16
*Dec 29 11:35:52.534: ISAKMP:(35007):delete num spis = 1
*Dec 29 11:35:52.534: ISAKMP:(35007):delete_reason = 2
*Dec 29 11:35:52.534: ISAKMP:(35007): processing DELETE_WITH_REASON payload, message ID = 1500321808, reason: DELETE_BY_USER_COMMAND
*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.3.2.1)
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting node 1500321808 error FALSE reason "Informational (in) state 1"
*Dec 29 11:35:52.534: IPSEC(key_engine): got a queue event with 1 KMI message(s)

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group ezvpngroup
 key xxxremote
 pool ezvpn
 netmask 255.255.255.192
crypto isakmp profile ezvpn
 ! tried with and without the next line
 vrf inet
 match identity group ezvpngroup
 client authentication list ez
 isakmp authorization list ez
 client configuration address respond
 virtual-template 3
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
 mode tunnel

Here is the log from the client:
Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
506    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100002
Begin connection process
507    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100004
Establish secure connection
508    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100024
Attempt connection with server "1.2.3.4"
509    21:50:03.835  12/29/12  Sev=Info/6     IKE/0x6300003B
Attempting to establish a connection with 1.2.3.4.
510    21:50:03.835  12/29/12  Sev=Info/4     IKE/0x63000001
Starting IKE Phase 1 Negotiation
511    21:50:03.835  12/29/12  Sev=Info/4     IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.3.4
512    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
513    21:50:03.884  12/29/12  Sev=Info/4     IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 1.2.3.4
514    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
Peer is a Cisco-Unity compliant peer
515    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
Peer supports DPD
516    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
Peer supports DWR Code and DWR Text
517    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
Peer supports XAUTH
518    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001
Peer supports NAT-T
519    21:50:03.900  12/29/12  Sev=Info/6     IKE/0x63000001
IOS Vendor ID Contruction successful
520    21:50:03.900  12/29/12  Sev=Info/4     IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.3.4
521    21:50:03.900  12/29/12  Sev=Info/6     IKE/0x63000055
Sent a keepalive on the IPSec SA
522    21:50:03.900  12/29/12  Sev=Info/4     IKE/0x63000083
IKE Port in use - Local Port =  0xD7B9, Remote Port = 0x1194
523    21:50:03.900  12/29/12  Sev=Info/5     IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This   end IS behind a NAT device
524    21:50:03.900  12/29/12  Sev=Info/4     CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
525    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
526    21:50:03.933  12/29/12  Sev=Info/4     IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.3.4
527    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
528    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
529    21:50:03.936  12/29/12  Sev=Info/5     IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
530    21:50:03.936  12/29/12  Sev=Info/4     IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
531    21:50:03.936  12/29/12  Sev=Info/4     CM/0x63100015
Launch xAuth application
532    21:50:04.032  12/29/12  Sev=Info/4     IPSEC/0x63700008
IPSec driver successfully started
533    21:50:04.032  12/29/12  Sev=Info/4     IPSEC/0x63700014
Deleted all keys
534    21:50:08.598  12/29/12  Sev=Info/4     CM/0x63100017
xAuth application returned
535    21:50:08.598  12/29/12  Sev=Info/4     IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.3.4
536    21:50:08.635  12/29/12  Sev=Info/5     IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
537    21:50:08.635  12/29/12  Sev=Info/4     IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
538    21:50:08.635  12/29/12  Sev=Info/4     CM/0x63100015
Launch xAuth application
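
Added example (not part of the original post and not Cisco tooling): a Python pass over the router-side debug output above that rebuilds the per-SA state transitions and flags the pattern this log shows, where the router goes from the AAA wait state back to IKE_XAUTH_REQ_SENT (requesting the username and password again) and the SA is then deleted while still in CONF_XAUTH. The sample lines are copied from the post; the function names and the wording of the finding are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: a subset of the router debug lines quoted in the post above.
SAMPLE = """\
*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Dec 29 11:35:45.519: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Dec 29 11:35:45.520: ISAKMP:(35007):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.529: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
*Dec 29 11:35:52.530: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.534: ISAKMP:(35007): processing DELETE_WITH_REASON payload, message ID = 1500321808, reason: DELETE_BY_USER_COMMAND
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.3.2.1)
"""

LINE = re.compile(r"^\*?\w{3}\s+\d+\s+(\d\d:\d\d:\d\d\.\d+):\s+(.*)$")
SA_ID = re.compile(r"ISAKMP:?\s*\((\d+)\)")          # "ISAKMP:(35007)" or "ISAKMP (35007)"
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
XAUTH = re.compile(r"ISAKMP/xauth: (request|reply) attribute (\w+)( unexpected)?")
PEER_DELETE = re.compile(r"DELETE_WITH_REASON payload.*reason: (\w+)")
SA_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)\s+\(peer ([\d.]+)\)')


def new_sa():
    return {"transitions": [], "reprompts": 0, "unexpected": [],
            "peer": None, "peer_reason": None,
            "deleted_in": None, "delete_reason": None}


def analyze(text):
    """Return {sa_id: summary} built from ISAKMP debug lines."""
    sas = defaultdict(new_sa)
    current = None  # SA id most recently named in the log
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        sid = SA_ID.search(msg)
        if sid:
            current = sid.group(1)

        xa = XAUTH.search(msg)
        if xa:
            # xauth lines carry no SA id; attribute them to the SA named
            # last (a heuristic), and skip them if none was seen yet.
            if xa.group(3) and current is not None:
                sas[current]["unexpected"].append(xa.group(2))
            continue
        if not sid:
            continue

        sa = sas[current]
        st = STATE.search(msg)
        if st:
            old, new = st.groups()
            sa["transitions"].append((stamp, old, new))
            # Back from the AAA step to "request sent": credentials asked again.
            if old == "IKE_XAUTH_AAA_CONT_LOGIN_AWAIT" and new == "IKE_XAUTH_REQ_SENT":
                sa["reprompts"] += 1
            continue
        pd = PEER_DELETE.search(msg)
        if pd:
            sa["peer_reason"] = pd.group(1)
            continue
        sd = SA_DELETE.search(msg)
        if sd:
            sa["delete_reason"], sa["deleted_in"], sa["peer"] = sd.groups()
    return dict(sas)


def findings(sas):
    """List (sa_id, peer, message) for SAs torn down during a repeated XAUTH."""
    out = []
    for sid, sa in sas.items():
        if sa["deleted_in"] == "CONF_XAUTH" and sa["reprompts"] > 0:
            out.append((sid, sa["peer"],
                        "credentials requested again %d time(s) after the AAA step; "
                        "SA deleted in CONF_XAUTH (%s)"
                        % (sa["reprompts"], sa["peer_reason"] or sa["delete_reason"])))
    return out


if __name__ == "__main__":
    for sid, peer, message in findings(analyze(SAMPLE)):
        print("SA %s peer %s: %s" % (sid, peer, message))
```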

Similar Messages

  • Import/Exporting iVRF routes in IPsec iVRF/FVRF environment

    Hi,
    I am currently terminating a number of IPsec VPNs into customers' 'inside' VRFs (iVRFs) with the 'classic' crypto-map applied in a separate Front-Door VRF (FVRF) on an ASR1k. I now want to export a VPN route from one iVRF into another VRF using MP-BGP. This works as expected in as far as the VPN prefix makes it into the BGP table, but not into the RIB - it would appear that this may be by design and a route with a next-hop in the FVRF (i.e. the VPN RRI route) cannot be exported from the VRF and imported into another VRF. Is there any workaround for this; the only one solution which looks like it might work is to import/export these routes using another VRF and back-to-back VASI interfaces, using ordinary BGP to leak routes. Another possible solution is also to use sVTIs instead of classic crypto (thus avoiding the RRI route), but this doesn't address the need to support classic crypto.
    Cheers,
    Matt

  • Route leaking from VRF to Global on same router with VLAN interface

    Hi all,
    I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
    interface FastEthernet4
     description ***Connection to WAN***
     ip vrf forwarding FVRF
     ip address 10.0.0.6 255.255.255.0
    interface Vlan100
     description ***LAN***
     ip address 192.168.227.1 255.255.255.0
    So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
    I thought I could use this config, but it is not possible:
    (config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
    % For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
    OR
    DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
    %Invalid next hop address (it's this router)
    Any ideas are really welcome.
    Best regards,
    Laurent

    Hi,
    I have tried the following solution:
    Add 10.0.0.0 /24 from VRF to Global:
    ip route 10.0.0.0 255.255.255.0 FastEthernet4
    Add 192.168.227.0 /24 from Global to VRF:
    router bgp 64512
     bgp log-neighbor-changes
     address-family ipv4
      no synchronization
      redistribute connected
      no auto-summary
     exit-address-family
    ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
    route-map Global permit 10
     match ip address prefix-list Global-VRF
    ip vrf FVRF
     rd 1:1
     import ipv4 unicast map Global
    So now the VRF table looks like this:
    #      sh ip route vrf FVRF
    C        10.0.0.0/24 is directly connected, FastEthernet4
    S        10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
    L        10.0.0.6/32 is directly connected, FastEthernet4
    B     192.168.227.0/24 is directly connected, 00:15:12, Vlan100
    The Global table looks like this:
    #sh ip route
    Gateway of last resort is 10.1.0.107 to network 0.0.0.0
    D*    0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
           10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
    S        10.0.0.0/24 is directly connected, FastEthernet4
    C        10.1.0.0/24 is directly connected, Tunnel1
    L        10.1.0.227/32 is directly connected, Tunnel1
    C        10.2.0.0/24 is directly connected, Tunnel2
    L        10.2.0.227/32 is directly connected, Tunnel2
    C        10.10.10.227/32 is directly connected, Loopback100
           192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.227.0/24 is directly connected, Vlan100
    L        192.168.227.1/32 is directly connected, Vlan100
    But when I try to ping, it still doesn't work:
    #ping vrf FVRF 192.168.227.1 source fastEthernet 4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.6
    Success rate is 0 percent (0/5)
    #ping 10.0.0.1 source vlan 100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.227.1
    Success rate is 0 percent (0/5)
    Any ideas?
    Regards,
    Laurent

  • VRF aware VPN

    Hi,
    I'm trying to set up different types of VRF-aware VPN and I have a problem with the one below:
    FVRF=VRF1 and IVRF=global, no VRF
    There are 2 routers with Loopback1 (global VRF) and gig0/0 (vrf FVRF). When I ping between the Loop1's I see the ISAKMP and IPsec SAs are up, but I don't receive an echo reply.
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1#sh cry
    r1#sh crypto ip
    r1#sh crypto ipsec sa
    interface: GigabitEthernet0/0
        Crypto map tag: MAPA, local addr 10.0.0.1
       protected vrf: FVRF
       local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (22.22.22.22/255.255.255.255/0/0)
       current_peer 10.0.0.2 port 500
         PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0xCF660D5A(3479571802)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x66992BE3(1721314275)
    r1# 
    I added static routes on r1 and r2 but apparently I missed something else:
    r1:
    ip route 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2
    r2:
    ip route 11.11.11.11 255.255.255.255 GigabitEthernet0/0 10.0.0.1
    Any suggestions?
    Hubert

    Hi,
    yes, I have the static route:
    r1#sh run | i route
    ip source-route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.2
    r1#sh ip ro
    r1#sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 10.0.0.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 10.0.0.2, GigabitEthernet0/0
          11.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        11.11.11.0/24 is directly connected, Loopback1
    L        11.11.11.11/32 is directly connected, Loopback1
    r1#sh ip route vr
    r1#sh ip route vrf FVRF
    Routing Table: FVRF
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is not set
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
    L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
    r1#
    The problem is I can't specify 'global' vrf in the route statement. When I tested a slightly different scenario, everything worked fine:
    a) Loop1 (vrf=IVRF) -- gig0/0 (global vrf) <-> gig0/0 (global vrf) -- Loop1 (vrf=IVRF)
      11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I just added:
    ip route vrf IVRF 22.22.22.22 255.255.255.255 GigabitEthernet0/0 10.0.0.2 global
    b) With 2 VRFs:
    Loop1 (vrf=IVRF) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (vrf=IVRF)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I added:
    ip route vrf FVRF 0.0.0.0 0.0.0.0 10.0.0.1
    ip route vrf IVRF 0.0.0.0 0.0.0.0 FastEthernet0/0 10.0.0.1
    So, the problem I have, is only when Loopback interfaces are in global VRF and physical interfaces vrf=FVRF:
    Loop1 (global vrf) -- gig0/0 (vrf=FVRF) <-> gig0/0 (vrf=FVRF) -- Loop1 (global vrf)
    11.11.11.11                 10.0.0.1                             10.0.0.2              22.22.22.22
    I wonder if Cisco supports such a scenario.

  • 7200's + 2960's - ASR1001's + ME3600's

    Hi,
    We are looking at replacing 7200's + 2960/3560s' at our POPs with 2 x ASR1001's and 2 x ME3600X's - We primarily provide L3VPN (VRF's) to our customers (All L3 done on the 7200's) - At some of our POP's we have IPTransit(Full tables)+Peering sessions on the 7200's (We also peer with some customers).
    We are planning on running MPLS on the ME3600's and terminating customer vrf's there (Rather than on the ASR's), the ASR's will have the IPTransit+Peering sessions (Plus connect to our other POPs via TE tunnels)
    We have a couple of POPs that do not (currently) have any IPTransit or Peering sessions - At these POP's could we simply use the ME3600's without the ASR's? Or is the TE functionality on the ASR's more feature rich than the ME's?  There is a potential for these POP's to provide Peering to customers, which I assume would be best served by the ASR's?
    I know this is a very broad question, but not being overly familiar with the ME3600 range, what "cant" they do compared to the ASR's (Assuming we are running the MetroIPAccess IOS on the ME's)
    Cheers.

    Do some reading and research... and you will find no drive even gets close to the ATA 100 spec... mine are 360 Raptors... they only break 55... 65 to 93 in RAID 0... but that also isn't full time... that's an average at the very best... the new 74 gig Raptor can push 65 by itself... 400.00 CDN... I've read that the average 7200 HD is running about 35... I have 2 PCs, the other has an older 7200 Maxtor on it... and the difference between these 2 for HD speed... isn't seen in 50% of the programs I'm running... and in the other 50% some are very good... and others are just good... but not breakneck speed, even though the manufacturers would say so... it's like video cards... some upgrades only gain you 5 to 10% in your games... and I bet you haven't noticed it... unless you look for that 1 extra pixel in the wall... in the back corner... in the dark... behind you...

  • Using LMS to extract VRF name as a variable from device config to deploy VRF name in additional configuration

    Using LMS is there a way to run a job which would extract the VRF name in part of the configuration and then use it as a variable to deploy additional configuration using the VRF name. We have a number of management VRF's and need to deploy a mass configuration change on a number of devices.
    aaa group server tacacs+ blah
    server x.x.x.x
    server x.x.x.x
    ip vrf forwarding test

    I am working for a service provider and I was given a task to configure more than 50000 devices (!). First I started with VBS and some scriptable terminal application, but it was too complicated to handle that much data. I then decided to develop my own application dedicated to device mass-configuration. As I understand your question, you may also find it useful : http://www.prettygoodterminal.com
    BR 

  • ASR1002 MLP Bundle Problems

    Hi folks,
    We got an ASR 1002 for use as an LNS and moved the VPDN settings from a 7204 to the ASR1002... It looks like the PPPoE interfaces (customers) work perfectly, but the MLP bundle can't establish :(
    Cisco Console Log:
    Feb 13 05:00:13 104.234.254.1 21010: Feb 13 10:00:12.732: %CPPOSLIB-3-ERROR_NOTIFY: SIP0: cpp_cp:  cpp_cp encountered an error -Traceback= 1#adfdffd320bd4b50a075756a85bafaca   errmsg:7FB80973B000+121D cpp_common_os:7FB80C74C000+D8D5 cpp_common_os:7FB80C74C000+D7D4 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C0
    Feb 13 05:00:13 104.234.254.1 21011: Feb 13 10:00:12.733: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: SIP0: fman_fp_image:  MLP bundle 174, link 170 download to CPP failed
    Radius Log (look as well):
    Fri Feb 13 04:59:41 2015 : Auth: Login OK: [[email protected]] (from client asr-lns1.xxxxx.com port 3445 cli BHVLPQ1004W lag-39:53)
    Fri Feb 13 04:59:41 2015 : Info: Existing IP: x.x.x.x   (did  cli BHVLPQ1004W lag-39:53 port 3445 user [email protected])
    Fri Feb 13 05:00:12 2015 : Auth: Login OK: [[email protected]] (from client asr-lns1.xxxxx.com port 3009 cli BHVLPQ1004W lag-39:53)
    Fri Feb 13 05:00:12 2015 : Info: Existing IP: x.x.x.x   (did  cli BHVLPQ1004W lag-39:53 port 3009 user [email protected])
    My Debug settings:
    2# sh debug
    PPPoE:
      PPPoE protocol events debugging is on
      PPPoE data packets debugging is on
      PPPoE control packets debugging is on
      PPPoE protocol errors debugging is on
    MLP:
      Multilink fragments debugging is on
      Multilink events debugging is on
      First bytes of multilink packet debugging is on
    VTEMPLATE:
      Virtual Template errors debugging is on
      Virtual Template subinterface debugging is on
    #sh log | in MLP
    :01:13.742: Vi109 MLP: Dropped link Vi110 from bundle [email protected]
    Feb 13 10:01:13.742: Vi109 MLP: Dropped last link, removing bundle [email protected]
    Feb 13 10:01:13.742: Vi109 MLP: Removing bundle '[email protected]'
    Feb 13 10:01:15.392: Vi111 MLP: Request add link to bundle
    Feb 13 10:01:15.392: Vi111 MLP: Adding link to bundle
    Feb 13 10:01:15.392: Vi111 MLP: Requested bundle vaccess creation
    Feb 13 10:01:15.392: Vi111 MLP: Determine clone source for SSS
    Feb 13 10:01:15.392: Vi111 MLP: Link is Virtual-Access, clone from Virtual-Template 1
    Feb 13 10:01:15.395: Vi111 MLP: Determine clone source for SSS
    Feb 13 10:01:15.395: Vi111 MLP: Link is Virtual-Access, clone from Virtual-Template 1
    Feb 13 10:01:15.396: Vi111 MLP: SSS connect, bundle interface Vi112
    Feb 13 10:01:15.396: Vi112 MLP: Changing bundle bandwidth from 100000 to 2000000
    Feb 13 10:01:15.396: Vi112 MLP: Interleaving disabled
    Feb 13 10:01:15.396: Vi112 MLP: Ready to finish adding link Vi111 to bundle
    Feb 13 10:01:15.396: Vi111 MLP: Computed frag size 7499992 exceeds MTU, changed to 1496
    Feb 13 10:01:15.396: Vi112 MLP: Update bundle bandwidth 2000000 set 2000000
    Feb 13 10:01:15.396: Vi111 MLP: Change transmit status from Init to Enabled, transmit links 1
    Feb 13 10:01:15.397: Vi112 MLP: Added first link Vi111 to bundle [email protected]
    Feb 13 10:01:15.397: Vi111 MLP: Updating bundle's PPP handle[0xCE000105] in SSS context
    Feb 13 10:01:15.398: Vi112 MLP: Received segment updated message for bundle
    Feb 13 10:01:15.402: %FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: SIP0: fman_fp_image:  MLP bundle 179, link 178 download to CPP failed
    Feb 13 10:01:17.694: Vi112: MLP: Bundle has 1/2 desired links, requesting another
    Feb 13 10:01:43.097: Vi111 MLP: Change transmit status from Enabled to Idle, transmit links 0
    Feb 13 10:01:43.097: Vi112 MLP: No previous member for idle link in '[email protected]'
    Feb 13 10:01:43.097: Vi112 MLP: Update bundle bandwidth 2000000 set 2000000
    Feb 13 10:01:45.102: Vi111 MLP: Request drop link from bundle Vi112
    Feb 13 10:01:45.103: Vi112 MLP: Removing link Vi111 from bundle [email protected]
    Feb 13 10:01:45.103: Vi111 MLP: Change transmit status from Idle to Init, transmit links 0
    Feb 13 10:01:45.103: Vi112 MLP: Bundle bandwidth 2000000 unchanged
    Feb 13 10:01:45.103: Vi112 MLP: Dropped link Vi111 from bundle [email protected]
    Feb 13 10:01:45.103: Vi112 MLP: Dropped last link, removing bundle [email protected]
    Feb 13 10:01:45.103: Vi112 MLP: Removing bundle '[email protected]'
    2# sh ppp multilink
    Virtual-Access126
      Bundle name: [email protected]
      Remote Username: [email protected]
      Remote Endpoint Discriminator: [3] 4c60.de51.dd67
      Local Endpoint Discriminator: [1] asr1002
      Bundle up for 00:00:25, total bandwidth 2000000, load 1/255
      Receive buffer limit 12192 bytes, frag timeout 1000 ms
      Bundle is Distributed
      Using relaxed lost fragment detection algorithm.
        0/0 fragments/bytes in reassembly list
        0 lost fragments, 0 reordered
        0/0 discarded fragments/bytes, 0 lost received
        0x0 received sequence, 0x0 sent sequence
      Platform Specific Multilink PPP info
        NOTE: internal keyword not applicable on this platform
        Interleaving: Enabled, Fragmentation: Enabled
      Member links: 1 (max 16, min 2)
        BHVLPQ1004W:Vi125  (x.x.x.x), since 00:00:25, 7500000 weight, 1496 frag size, unsequenced
    No inactive multilink interfaces
    Border-ASR1002#sh users | in xxxxx
      Vi129        [email protected] PPPoVPDN     never
      Vi130        [email protected] MLP Bundle   00:00:06
    NO IP ASSIGNED, and these sessions will be closed in 30-50 sec. Then it starts again in a cycle.
    interface Virtual-Template1
     ip unnumbered Loopback100
     no ip redirects
     no ip proxy-arp
     ip mtu 1460
     ip tcp adjust-mss 1420
     load-interval 60
     no peer default ip address
     keepalive 30
     ppp mru match
     ppp authentication pap chap xxx-netwrok.com
     ppp authorization xxx-netwrok.com
     ppp accounting xxx-netwrok.com
     ppp ipcp dns 8.8.8.8
     ppp multilink
     ppp multilink links minimum 2
     ppp multilink interleave
     ppp multilink endpoint string asr1002
    end
    interface Loopback100
     ip address x.x.x.x 255.255.255.255
    end
    #sh ppp  statistics
    Type PPP Statistic                              TOTAL      SINCE CLEARED
    4    Transition Packet Drop                      2          2
    5    Interrupt Transition Packet Drop            5          5
    14   PPP Handles Allocated                       16620      16620
    15   PPP Handles Freed                           13971      13971
    16   LCP Renegotiations                          17         17
    17   NCP Renegotiations                          3          3
    18   NCP Negotiations Failed                     348        348
    19   PPP Encapped Interfaces                     4583       4583
    24   LCP Timeout+                                2892       2892
    25   NCP Timeout+                                89257      89257
    26   LCP Timeout-                                793        793
    27   NCP Timeout-                                9542       9542
    28   Authentication Timeout                      1984       1984
    29   Configure-Ack Id mismatch                   9          9
    30   Configure-Nak/Reject Id mismatch            21         21
    Type PPP MIB Counters                           PEAK       CURRENT
    1    Links at LCP Stage                          13         2
    2    Links at Unauthenticated Name Stage         240        0
    3    Links at Authenticated Name Stage           4          0
    7    Links at Local Termination Stage            2650       2647
    8    MLP Links at LCP Stage                      1          0
    9    MLP Links at Unauthenticated Name Stage     1          0
    10   MLP Links at Authenticated Name Stage       1          0
    14   MLP Links at Local Termination Stage        3          0
    20   Successful LCP neogtiations                 14497      14497
    22   Entered Authentication Stage                14497      14497
    28   IPCP UP Sessions                            2650       2647
    48   CHAP authentication attempts                2          2
    49   CHAP authentication successes               1          1
    51   PAP authentication attempts                 14495      14495
    52   PAP authentication successes                7397       7397
    53   PAP authentication failures                 6141       6141
    95   Total Sessions                              2651       2647
    96   Non-MLP Sessions                            2650       2647
    97   MLP Sessions                                1          0
    98   Total Links                                 2654       2649
    99   Non-MLP Links                               2653       2649
    100  MLP Links                                   2          0
    Type PPP Disconnect Reason                      TOTAL      SINCE CLEARED
    11   Missed too many keepalives                  177        177
    12   PPP Renegotiating                           18         18
    15   LCP failed to negotiate                     1694       1694
    17   Received LCP TERMREQ from peer              1465       1465
    18   Received LCP TERMACK from peer while OPEN   2          2
    24   Removing MLP Bundle                         412        412
    27   MLP Kill Link                               4          4
    29   Lower Layer disconnected                    3187       3187
    37   Received disconnect from Session Manager    174        174
    54   User failed PAP authentication              6141       6141
    55   AAA Server did not respond                  695        695
    57   Authentication timeouts exceeded            2          2
    If I look at show interface for the two interfaces in the bundle, I see this:
    Border-ASR1002#sh int Vi24
    Virtual-Access24 is up, line protocol is up
      Hardware is Virtual Access interface
      Interface is unnumbered. Using address of Loopback100 (x.x.x.x)
      MTU 1442 bytes, BW 2000000 Kbit/sec, DLY 100000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation PPP, LCP Open, multilink Open
      REQsent: IPCP
      MLP Bundle vaccess, cloned from Virtual-Template1
      Vaccess status 0x44, loopback not set
      Keepalive set (30 sec)
      DTR is pulsed for 5 seconds on reset
    Border-ASR1002#sh int Vi28
    Virtual-Access28 is up, line protocol is up
      Hardware is Virtual Access interface
      MTU 1500 bytes, BW 2000000 Kbit/sec, DLY 100000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation PPP, LCP Open, multilink Open
      Link is a member of Multilink bundle Virtual-Access24
      PPPoVPDN vaccess, cloned from Virtual-Template1
      Vaccess status 0x44
      Protocol l2tp, tunnel id 64648, session id 34181, loopback not set
      Keepalive set (30 sec)
      DTR is pulsed for 5 seconds on reset
    Looks normal, but in 30-60 sec this crashed... and sure, we have more than one customer with MLP... I hope we have around 20-30... so there should be tons of MLP :)
    Sure, I lost a few hours looking for solutions but without luck. Nobody has an exact answer to this question.
    I took an absolutely working configuration from working NAS (7201 and 7204) and moved it to the ASR... that's what I have with MLP :((((
    Can someone try to help me investigate and figure this out....
    I found the same thread on ciscoforums where guys say "need to update IOS", but someone updated it and had the same issue, so I hope the issue is not in the IOS version.
    Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
    IOS XE Version: 03.09.01.S
    System image file is "bootflash:/asr1002x-universal.03.09.01.S.153-2.S1.SPA.bin"
    If you need anything else, like more debug or more info ... just ask me... I will wait here for your questions.
    Thanks a lot!
    /// Update
    A little more debug from bootflash:/tracelogs/cpp_cp_F0-0.log.7749.20150213111013
    02/13 11:09:07.734 [errmsg]: (ERR): %CPPOSLIB-3-ERROR_NOTIFY: cpp_cp encountered an error -Traceback= 1#adfdffd320bd4b50a075756a85bafaca   errmsg:7FB80973B000+121D cpp_common_os:7FB80C74C000+D8D5 cpp_common_os:7FB80C74C000+D7D4 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0
    02/13 11:09:07.735 [buginf]: (debug):
     -Traceback=1#adfdffd320bd4b50a075756a85bafaca   cpp_common_os:7FB80C74C000+11445 cpp_common_os:7FB80C74C000+D7D9 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0 cpp_common_os:7FB80C74C000+13B43 :400000+6061 c:7FB7FC394000+1E514 :400000+5CC9
    02/13 11:09:07.735 [cpp-mlppp]: (warn): [cpp_mlp_tx_link_create:3260] cpp_ifm_tx_chan_create_on_if failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
    02/13 11:09:07.735 [cpp-mlppp]: (warn): [cpp_mlp_svr_bundle_add_link_cmn:5035] cpp_mlp_tx_link_create failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
    02/13 11:09:41.978 [cpp-ifm]: (ERR): cpp_ifm_tx_chan_create_on_if.806: failed to find channel for parent if_h 100-'CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory
    02/13 11:09:41.980 [errmsg]: (ERR): %CPPOSLIB-3-ERROR_NOTIFY: cpp_cp encountered an error -Traceback= 1#adfdffd320bd4b50a075756a85bafaca   errmsg:7FB80973B000+121D cpp_common_os:7FB80C74C000+D8D5 cpp_common_os:7FB80C74C000+D7D4 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0
    02/13 11:09:41.981 [buginf]: (debug):
     -Traceback=1#adfdffd320bd4b50a075756a85bafaca   cpp_common_os:7FB80C74C000+11445 cpp_common_os:7FB80C74C000+D7D9 cpp_common_os:7FB80C74C000+19A3E cpp_ifm:7FB81F747000+A158 cpp_mlppp_svr_lib:7FB815BBB000+C2F1 cpp_mlppp_svr_lib:7FB815BBB000+1CCA8 cpp_mlppp_svr_smc_lib:7FB815DF9000+2D28 cpp_common_os:7FB80C74C000+11E6E cpp_common_os:7FB80C74C000+118AA cpp_common_os:7FB80C74C000+116EB evlib:7FB80B72C000+B8E7 evlib:7FB80B72C000+E1B0 cpp_common_os:7FB80C74C000+13B43 :400000+6061 c:7FB7FC394000+1E514 :400000+5CC9
    02/13 11:09:41.981 [cpp-mlppp]: (warn): [cpp_mlp_tx_link_create:3260] cpp_ifm_tx_chan_create_on_if failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
    02/13 11:09:41.981 [cpp-mlppp]: (warn): [cpp_mlp_svr_bundle_add_link_cmn:5035] cpp_mlp_tx_link_create failed link=1563 (retval='CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory)
    02/13 11:10:13.049 [cpp-ifm]: (ERR): cpp_ifm_tx_chan_create_on_if.806: failed to find channel for parent if_h 100-'CPP Interface Database' detected the 'warning' condition 'IFDB detected error in API': No such file or directory

    Originally Posted by CRAIGDWILSON
    Look in your logs for any issues zmd-messages.log regarding accessing
    "AppData". If so, that could be a known issue they are looking at,
    though it is not really new but there are reports back to even 11.2.x
    The reports are more of a timing issue on boot, but perhaps it could
    relate to logon if that happened soon enough, though none of the reports
    are for logon events.
    On 6/25/2014 2:26 AM, thsundel wrote:
    >
    > Hi!
    > Anyone else have problems with bundles not installing/launching on
    > schedule with 11.3FRU1 agent? Also bundles set to launch at user login
    > doesn't work first time the user logs in after workstation is booted, if
    > they logout and in again then it will work?
    >
    > Thomas
    >
    >
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.
    Nope, nothing referring to appdata (the only thing it finds is appdatalrucache but that is probably not what you are asking for)...
    I've now tried assigning the bundle both to device and to user but still nothing happens; it works fine on our 11.2.x agent workstations.
    Thomas

  • Inter-VRF Route leakage

    Hi Guyz,
    I have 3 VRF's on VSS core.
    1) VRF A
    2) VRF B
    3) Global VRF.
    I have a firewall in L3 mode between these VRFs. Traffic between A & B has to cross the firewall.
    I can use BGP or EVN to leak routes between VRFs, but they leak only routes that are present in the routing table.
    Now I need to leak a specific route, e.g. 10.10.10.10/32, from VRF A to VRF B.
    10.10.10.0/24 is a directly connected interface on VRF A.
    I need to find a way to leak a /32 route between VRFs.
    Thanks

    Changing the autonomous system number may be necessary when 2 separate BGP networks are combined under a single autonomous system. This typically occurs when one ISP purchases another ISP. The neighbor local-as command is used initially to configure BGP peers to support 2 local autonomous system numbers to maintain peering between 2 separate BGP networks. This configuration allows the ISP to immediately make the transition without any impact on existing customer configurations.
    enable
    configure terminal
    router bgp as-number
    address-family {ipv4 | ipv6 | vpnv4| [multicast | unicast | vrf {vrf-name}]}

  • Vrf routes into global route table

    Dear All
    I am stuck with a design I am trying to come up with for our EDGE network and looking for ideas from the community.
    It is similar to what is described here:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86450
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86904
    In short we have a multi-context FWSM at 2 sites creating an EDGE network; each site operates independently. The sites are linked internally in a single routing domain using OSPF. Each of the outside networks is in a separate VRF, single-tier model.
    I need to find a way to:
    1) link the 2 sites (currently is done with a GRE tunnel between the site vrfs, looking at replacing this with mp-bgp and l3vpn encapsulation)
    2) redistribute routes from each of the vrf into the common global route table (running ospf)
    1 is working nicely with mp-BGP peer between the sites and routes distributed between, however I am stuck on how to achieve 2.
    The only way I can see is to change the global route table to a vrf, then use rt import/export. This is commonly described as shared services. When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
    Basically I want dynamic routing from the global route table to learn routes from each of the sites vrf. Then if a particular site's vrf is unavailable, it can pick up the other site's route.
    Am I missing something here? The document linked makes it sound incredibly easy yet I am struggling with how to implement it.
    Any advice is much appreciated

    Hello philip,
    It is really hard to help you, if you do not provide topology where you would like to implement these changes, so just some thoughts to your points:
    2) redistribute routes from each of the vrf into the common global route table (running ospf)
    You can use a PE - CE design. VRFs are terminated on the PE with all routes you need in the respective VRFs. On the PE, MP-BGP routes are redistributed into the respective VRF's OSPF process. The PE is connected with the CE via a separate physical interface for each VRF, or you can use one physical interface with a dedicated sub-interface for each VRF. The PE is peering with the CE using OSPF. All routes end up in the CE global routing table.
    Problems with this design ->
    - for each VRF you have to create separate OSPF process on PE and CE, also OSPF process ID has to be unique on PE for each VRF. Also OSPF process ID has to match to establish OSPF neighborship between PE-CE, so on CE you will have to redistribute OSPF routes from each process to your main OSPF process.
    other workarounds ->
    1) instead OSPF you will use as peering protocol BGP between PE-CE, but you still have to redistribute BGP routes to OSPF on CE
    2) you will use different PE to redistribute each VRF -> BGP routes will be redistributed from VRF into OSPF (same process ID as your main OSPF ID). Routes will be advertised via OSPF into CE global routing table.
    You will use one PE per VRF to redistribute routes into OSPF with the same process ID as your main process ID. Thanks to different PEs, you can have the same OSPF process ID; all these PEs will peer with the same CE via OSPF.
    I hope I made my thoughts understandable, because it's quite hard to explain.
    When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
    This should not be a problem. You can have same IP on all VRF and also global table, so peering can still be done. After BGP routes are exchanged you can leak prefixes from one vrf to another or into global table as you need.
    Best Regards
    Please rate all helpful posts and close solved questions

  • Multiple DMVPNs within separate VRF's using crypto keyring

    Hi All,
    I have deployed ASR's within a service provider environment acting as the DMVPN hubs for multiple customers networks contained within their own VRFs.
    In each case from the tunnel perspective the iVRF and fVRF are the same for a specific customer and crypto key rings are used to associate pre-shared-keys.
    When the box was first deployed a test network was built without using keyrings, but still using the VRF's as shown in the snippet. However I cannot get the configuration to work using keyrings, hence cannot add additional customers. It would appear that IKE phase 2 is not completing.
    An initial bug scrub has come up clear so I'm guessing I must be missing something.
    Current firmware: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.0(1)S)
    -- snippet of test configuration --
    crypto keyring CUST1 vrf CUST1
     pre-shared-key address 10.10.10.0 255.255.255.0 key **CRYPTOKEY_CUST1**
    crypto isakmp profile CUST1_PROFILE
     vrf CUST1
     keyring CUST1
     match identity address 0.0.0.0
    crypto ipsec transform-set CUST1 esp-aes 256 esp-sha-hmac
     mode transport
    interface Tunnel1
     bandwidth 1000
     ip vrf forwarding CUST1
     ip address 10.10.10.1 255.255.255.0
     no ip redirects
     ip nhrp authentication CUST1
     ip nhrp map multicast dynamic
     ip nhrp network-id 10101010
     ip nhrp holdtime 450
     ip nhrp registration no-unique
     no ip split-horizon
     delay 1000
     tunnel source GigabitEthernet0/0/0.1010
     tunnel mode gre multipoint
     tunnel key 1010
     tunnel vrf CUST1
     tunnel protection ipsec profile CUST1_PROFILE shared
    Any help would be great.
    Best regards
    Mick

    Config wise, you do not need "vrf CUST1" inside the profile, GRE will do handoff for you.
    Hard to say where the problem is without more debugs ;-)
    M.

  • Suspecting ESP 10 to fail in ASR1002

    The Cisco ASR1002 doesn't recognise the ESP 10 module. Log is attached. We need to decide whether the chassis is OK or whether it is also affected.
    We have conducted the following experiment: turned on the ASR1002 without the ESP module and assigned the address 192.168.0.2 to an interface.
    After that tried to ping 192.168.0.2 from outside, all pings have been lost.
    Does the ASR1002 have to respond on the interface without ESP module?
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Sat 08-Oct-11 01:16 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    % failed to initialize nvram
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
    4 Gigabit Ethernet interfaces
    32768K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    7798783K bytes of eUSB flash at bootflash:.
             --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]: no
    Press RETURN to get started!
    *Dec 12 16:40:24.348: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
    *Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
    *Dec 12 16:40:31.211: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
    *Dec 12 16:40:31.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
    *Dec 12 16:40:31.212: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
    *Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
    *Dec 12 16:40:31.212: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
    *Dec 12 16:40:31.350: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
    *Dec 12 16:40:31.440: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
    *Dec 12 16:40:31.715: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
    *Dec 12 16:40:33.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
    *Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
    *Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
    *Dec 12 16:40:33.430: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
    *Dec 12 16:40:23.540: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: xinetd Version 2.3.14 started with no options compiled in.
    *Dec 12 16:40:23.554: %IOSXE-5-PLATFORM: R0/0: xinetd[32286]: Started working: 1 available service
    *Dec 12 16:40:34.225: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
    *Dec 12 16:40:58.021: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
    *Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
    *Dec 12 16:40:58.022: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
    *Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
    *Dec 12 16:40:58.023: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
    *Dec 12 16:40:59.021: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
    *Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
    *Dec 12 16:40:59.022: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
    *Dec 12 16:40:59.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
    *Dec 12 16:41:02.525: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
    *Dec 12 16:41:02.527: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
    *Dec 12 16:41:02.531: %ASR1000_OIR-6-INSCARD: Card (fp) inserted in slot F0
    *Dec 12 16:41:02.532: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
    *Dec 12 16:41:02.532: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
    *Dec 12 16:41:02.536: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
    *Dec 12 16:41:02.743: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Sat 08-Oct-11 01:16 by mcpre
    *Dec 12 16:41:05.577: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
    Router>
    Router>en
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#in
    Router(config)#int
    Router(config)#interface lo
    Router(config)#interface loo
    Router(config)#interface loopback 0
    Router(config-if)#ip ad
    Router(config-if)#ip address 19
    *Dec 12 16:42:04.778: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up2.1
    Router(config-if)#ip address 192.168.0.1 255.255.255.0
    Router(config-if)#exit
    Router(config)#exit
    Router#sho
    Router#show run
    Router#show running-config int
    Router#show running-config interface 
    *Dec 12 16:42:18.204: %SYS-5-CONFIG_I: Configured from console by consolelo
    Router#show running-config interface lo0
    Router#show running-config interface loo
    Router#show running-config interface loopback 0
    Building configuration...
    Current configuration : 65 bytes
    interface Loopback0
     ip address 192.168.0.1 255.255.255.0
    end
    Router#ping 192.168.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Router#sho
    Router#show in
    Router#show in
    Router#show inte
    Router#show interfaces lo
    Router#show interfaces loo
    Router#show interfaces loopback 0
    Loopback0 is up, line protocol is up 
      Hardware is Loopback
      Internet address is 192.168.0.1/24
      MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec, 
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation LOOPBACK, loopback not set
      Keepalive set (10 sec)
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles 
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    Router# 
    Router#
    *Dec 12 16:43:06.922: %TRANSCEIVER-6-INSERTED: SIP0/0: transceiver module inserted in GigabitEthernet0/0/0
    Router#sho
    Router#show run
    Router#show running-config in
    Router#show running-config interface gi0/0/
    % Incomplete command.
    Router#show running-config interface gi0/0 
    % Incomplete command.
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#in
    Router(config)#int
    Router(config)#interface gi0/0
    % Incomplete command.
    Router(config)#interface gi0/0/0
    Router(config-if)#no shu
    Router(config-if)#no shutdown 
    Router(config-if)#ip ad
    Router(config-if)#ip address 192.1
    *Dec 12 16:43:44.764: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down68.2.
    *Dec 12 16:43:43.813: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to down1
    *Dec 12 16:43:47.440: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
    *Dec 12 16:43:46.437: %LINK-3-UPDOWN: SIP0/0: Interface GigabitEthernet0/0/0, changed state to up 
    *Dec 12 16:43:48.440: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up
    Router(config-if)#ip address 192.168.2.1 255.255.255.0
    Router(config-if)#exit
    Router(config)#exit
    Router#sho
    Router#show run
    Router#show running-config int
    Router#show running-config interface 
    *Dec 12 16:43:56.015: %SYS-5-CONFIG_I: Configured from console by consolegi
    Router#show running-config interface gigabitEthernet 0/0/0
    Building configuration...
    Current configuration : 94 bytes
    interface GigabitEthernet0/0/0
     ip address 192.168.2.1 255.255.255.0
     negotiation auto
    end
    Router#ping 192.168.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Router#sho
    Router#show in
    Router#show inte
    Router#show interfaces gi
    Router#show interfaces gigabitEthernet 0/0/0
    GigabitEthernet0/0/0 is up, line protocol is up 
      Hardware is 4XGE-BUILT-IN, address is 8843.e100.7300 (bia 8843.e100.7300)
      Internet address is 192.168.2.1/24
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, 
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not supported 
      Full Duplex, 1000Mbps, link type is auto, media type is LX
      output flow-control is off, input flow-control is off
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output 00:00:27, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         17 packets input, 2015 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles 
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 17 multicast, 0 pause input
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 4 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 pause output
         0 output buffer failures, 0 output buffers swapped out
    Router#sho
    Router#show pl
    Router#show platform 
    Chassis type: ASR1002             
    Slot      Type                State                 Insert time (ago) 
    0         ASR1002-SIP10       ok                    00:06:40      
     0/0      4XGE-BUILT-IN       ok                    00:03:56      
    R0        ASR1002-RP1         ok, active            00:06:40      
    F0                            unknown               00:06:40      
    P0        ASR1002-PWR-AC      ok                    00:05:28      
    P1        ASR1002-PWR-AC      ps, fail              00:05:28      
    Slot      CPLD Version        Firmware Version                        
    0         07120202            12.2(33r)XNC                        
    R0        08011017            12.2(33r)XNC                        
    F0        N/A                 N/A                                 
    Router#
    System Bootstrap, Version 12.2(33r)XNC, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2009 by cisco Systems, Inc.
    Current image running: Boot ROM0
    Last reset cause: PowerOn
    Last reset at: Fri Dec 12 16:48:51 UTC 2014
    ASR1002-RP1 platform with 4194303 Kbytes of main memory
    Warning: filesystem is not clean
    Located asr1000rp1-adventerprisek9.03.04.01.S.151-3.S1.bin 
    Image size 312873272 inode num 13, bks cnt 76386 blk size 8*512
    Boot image size = 312873272 (0x12a61138) bytes
    Missing or illegal ip address for variable DEFAULT_GATEWAY
    Using midplane macaddr
    Missing or illegal ip address for variable IP_ADDRESS
    Missing or illegal ip address for variable IP_SUBNET_MASK
    Package header rev 0 structure detected
    Calculating SHA-1 hash...done
    validate_package: SHA-1 hash:
            calculated 61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
            expected   61d80af0:032b96a1:6b3b2b5c:667f969a:ad8e4c9f
    Image validated
    %IOSXEBOOT-4-FILESYS_ERRORS_CORRECTED: (rp/0): bootflash contained errors which were auto-corrected.
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Sat 08-Oct-11 01:16 by mcpre
    % failed to initialize nvram
    cisco ASR1002 (2RU) processor with 1700171K/6147K bytes of memory.
    4 Gigabit Ethernet interfaces
    32768K bytes of non-volatile configuration memory.
    4194304K bytes of physical memory.
    7798783K bytes of eUSB flash at bootflash:.
             --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]: 
    % Please answer 'yes' or 'no'.
    Would you like to enter the initial configuration dialog? [yes/no]: 
    % Please answer 'yes' or 'no'.
    Would you like to enter the initial configuration dialog? [yes/no]: no
    Press RETURN to get started!
    *Dec 12 16:52:16.032: %ASR1000_RP_NV-3-NV_ACCESS_FAIL: Initial read of NVRAM contents failed
    *Dec 12 16:52:24.113: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
    *Dec 12 16:52:24.114: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
    *Dec 12 16:52:24.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
    *Dec 12 16:52:24.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up
    *Dec 12 16:52:24.11
    Router>5: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
    *Dec 12 16:52:24.115: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
    *Dec 12 16:52:24.361: %NETCLK-5-NETCLK_MODE_CHANGE: Network clock source not available. The network clock has changed to freerun
    *Dec 12 16:52:24.656: %ASR1000_MGMTVRF-6-CREATE_SUCCESS_INFO: Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
    *Dec 12 16:52:25.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
    *Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
    *Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
    *Dec 12 16:52:25.152: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
    *Dec 12 16:52:25.546: %DYNCMD-7-PKGINT_INSTALLED: The command package 'platform_trace' has been succesfully installed
    *Dec 12 16:52:28.680: %DYNCMD-7-CMDSET_LOADED: The Dynamic Command set has been loaded from the Shell Manager
    *Dec 12 16:52:15.830: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: xinetd Version 2.3.14 started with no options compiled in.
    *Dec 12 16:52:15.844: %IOSXE-5-PLATFORM: R0/0: xinetd[31943]: Started working: 1 available service
    *Dec 12 16:52:50.090: %LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
    *Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
    *Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/2, changed state to administratively down
    *Dec 12 16:52:50.091: %LINK-5-CHANGED: Interface GigabitEthernet0/0/3, changed state to administratively down
    *Dec 12 16:52:50.092: %LINK-5-CHANGED: Interface GigabitEthernet0, changed state to administratively down
    *Dec 12 16:52:51.090: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
    *Dec 12 16:52:51.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
    *Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/2, changed state to down
    *Dec 12 16:52:51.092: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/3, changed state to down
    *Dec 12 16:52:57.608: %ASR1000_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
    *Dec 12 16:52:57.609: %SPA_OIR-6-OFFLINECARD: SPA (4XGE-BUILT-IN) offline in subslot 0/0
    *Dec 12 16:52:57.613: %ASR1000_OIR-6-INSCARD: Card (cc) inserted in slot 0
    *Dec 12 16:52:57.613: %ASR1000_OIR-6-ONLINECARD: Card (cc) online in slot 0
    *Dec 12 16:52:57.615: %ASR1000_OIR-6-INSSPA: SPA inserted in subslot 0/0
    *Dec 12 16:52:57.819: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.1(3)S1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Sat 08-Oct-11 01:16 by mcpre
    *Dec 12 16:53:00.828: %SPA_OIR-6-ONLINECARD: SPA (4XGE-BUILT-IN) online in subslot 0/0
    Router>en
    Router#sho
    Router#show pla
    Router#show platform 
    Chassis type: ASR1002             
    Slot      Type                State                 Insert time (ago) 
    0         ASR1002-SIP10       ok                    00:02:40      
     0/0    

    Are you able to download and install other applications for your Mac?
    Try following along with this Apple doc -> Troubleshooting iTunes installation on Mac OS X

  • FlexVPN with F-VRF and multiple tunnels

    Hi There,
    I have a burning question and initially need to understand the possibility of the following scenario. Below is a diagram of a single point-to-point connection used for proof of concept. The Hub router acts as a local RADIUS and is to issue IP addresses for both the client tunnel interfaces.
    Two separate tunnels are required, one between Virtual-template 1 and tunnel 1 and one between Virtual-template 2 and tunnel 2, hence they are within a separate VRF on both routers.
    Basically I am wondering if this is possible, as getting this to work is a struggle. I am currently using PSK authentication, though also wondering if there would be issues using certificates, i.e. the hub would effectively receive two separate SAs with the same certificate.
    The flex client and hub have separate profiles, keyrings, etc. for each connection...
    Has anyone got this working before??
    Any help or suggestions/pitfalls would be appreciated.

    Hi Olpeleri,
    Many thx for the reply,
    I have tried using two interfaces on the Hub, though no joy so far..... I want to have the hub tunnel end points in different VRFs, hence I have tried with two virtual templates A and B and interfaces A and B in different VRFs to each other.
    i.e., looking at just one tunnel to start with,
    HUB
    interface Virtual-Template1 type tunnel
     ip vrf forwarding VRF_A
     ip unnumbered Loopback20
     tunnel source Ethernet0/0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-PROFILE
    end
    interface e0/0
     ip vrf forwarding VRF_A
     ip address 172.16.0.2 255.255.255.0
    Is this config correct? I have tried using a front door VRF for each interface also, though the tunnel fails to build when both interfaces are there.
    The profile looks like this, repeated for each interface with different names, virtual template, etc.:
    crypto ikev2 profile default
     match fvrf any
     match identity remote fqdn domain cisco.com
     identity local fqdn Hub1.cisco.com
     authentication remote pre-share
     authentication local pre-share
     keyring ALL
     pki trustpoint cisco
     dpd 10 2 periodic
     aaa authorization group psk AUTHOR_LIST AUTHOR_POL
     virtual-template 1
    Thanks,
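
A check for the VRF placement asked about in the post above, as an added example that is not part of the original thread: on IOS, `ip vrf forwarding` on a tunnel interface sets the inside VRF, while the VRF used to reach the tunnel endpoints is set by `tunnel vrf`, so a tunnel sourced from an interface inside a VRF needs a matching `tunnel vrf`. The sample is the posted hub snippet with interface names written out and running-config indentation restored (constructed); `parse_interfaces` and `check_fvrf` are hypothetical helper names.

```python
import re

# Constructed sample: the hub snippet from the post, with interface names
# written out and running-config indentation restored.
POSTED = """\
interface Virtual-Template1 type tunnel
 ip vrf forwarding VRF_A
 ip unnumbered Loopback20
 tunnel source Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface Ethernet0/0
 ip vrf forwarding VRF_A
 ip address 172.16.0.2 255.255.255.0
"""

PATTERNS = {
    "vrf": re.compile(r"(?:ip )?vrf forwarding (\S+)"),  # VRF the interface sits in
    "fvrf": re.compile(r"tunnel vrf (\S+)"),             # VRF used for tunnel transport
    "source": re.compile(r"tunnel source (\S+)"),
}

def parse_interfaces(config):
    """Map interface name -> {'vrf', 'fvrf', 'source'} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if not raw[:1].isspace():  # top-level line starts a new stanza
            m = re.match(r"interface (\S+)", raw)
            current = interfaces.setdefault(m.group(1), dict.fromkeys(PATTERNS)) if m else None
            continue
        if current is None:
            continue
        for key, pattern in PATTERNS.items():
            m = pattern.fullmatch(raw.strip())
            if m:
                current[key] = m.group(1)
    return interfaces

def check_fvrf(config):
    """Return (tunnel, source, source_vrf, tunnel_fvrf) where the two VRFs differ."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, intf in interfaces.items():
        src = interfaces.get(intf["source"])
        if src is not None and intf["fvrf"] != src["vrf"]:
            findings.append((name, intf["source"], src["vrf"], intf["fvrf"]))
    return findings

if __name__ == "__main__":
    for finding in check_fvrf(POSTED):
        print("fvrf mismatch:", finding)
```

Tunnel sources given as an IP address or as an interface not present in the text are skipped, so run it against the full running configuration rather than a fragment.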

  • Apply QOS to vrf traffic?(Ethernet SubInts)

    Hi,
    I'm trying to apply "GOLD" QOS to vrf traffic that is terminated on eth subints, but class-map is not allowing me to match on subinterfaces:
    class-map match-any GOLD
     match mpls experimental topmost 5
     match ip precedence 5
     match input-interface fastEthernet 0/0 (Subints not allowed)
    I also cannot match on access-group, as the traffic is within a vrf.
    Should I be creating a separate policy-map marking the traffic as GOLD, and then apply this as a "service-policy input" to each eth subint the vrf is associated with?

    Hi,
    when you apply the service-policy to an interface you do NOT need to specify the interface in the class-map! Example:
    class-map match-any VoIP
     match ip precedence 5
     match ip dscp ef
    policy-map Marking
     class VoIP
      set mpls experimental imposition 5
    interface FastEthernet0/0.100
     ip address ...
     encapsulation dot1q 100
     service-policy input Marking
    This will set MPLS exp bits on all traffic coming into F0/0.100 and being marked with either Prec 5 or DSCP EF.
    Sidenote: using an ACL in class VoIP will also only match traffic on the interface, where the policy is applied. So overlapping customer addresses are not an issue.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • ASR 1002 Router doing multiple VRFs

    I have an ASR 1002 router with three VRFs coming into it. The first 2 VRFs are just terminating on the ASR with L3 sub interfaces. So no big deal with them. The third one is a VRF that needs to terminate on a separate router. The ASR that needs to split out this 3rd VRF is not allowed to have an IP address for it. So it just needs to forward this off as L2 to a separate physical port, and it then terminates on a different router.
    So my question is what is the best way to accomplish this on the ASR? Could I set up a pseudowire, or is there an easier way to just split this off as a separate VLAN to the other physical interface?

    Hi
    You could try with bridging. Something like this
    interface bvi 1
     no ip address
    interface gig0
     bridge-group 1
    interface gig1
     bridge-group 1
    /Mikael

  • Flexvpn fvrf 3G or adsl

    Is it possible for an 819 router to have a 3G connection to a headend device using two vti ipsec interfaces in separate VRFs and the 3G connection within a fvrf?
    I understand this is possible though I am not sure if it will work with a 3G interface...?
    Thanks in advance for any response..

    Hi
    No, we had no response, so we have gone to neorouter and it works fine. Interestingly, it is only recent installations that are affected by this. Such a shame, as it was a great solution when it worked.
