ASR9K - 4.2.3 to 4.3.4 Upgrade - VRRP Issue
Hello all,
After upgrading 4.2.3 to 4.3.4, when checking the failing config, I found the following issue regarding VRRP:
RP/0/RSP0/CPU0:A9K-LAB02#sh configuration failed startup
Mon May 5 16:24:19.094 WEST
!!15:13:09 UTC Mon May 05 2014
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
router vrrp
interface TenGigE0/0/0/0.3701
address-family ipv4
vrrp 1
priority 200
!!% 'vrrp' detected the 'warning' condition 'Virtual MAC already in use on this port'
timer 1
!!% 'vrrp' detected the 'warning' condition 'Virtual MAC already in use on this port'
address 200.100.1.100
!!% 'vrrp' detected the 'warning' condition 'Virtual MAC already in use on this port'
End
According to bug CSCed75140, I expect this issue to be solved starting in 4.3.0...
Any idea?
Thx,
Pedro
Pedro,
There must be a misunderstanding: the bug you quote is to improve the error notification with this unsupported config; it doesn't make the config supported. Some details on this issue from the release notes of the bug:
Problem Symptom:
In a router running IOS-XR, configuring the same virtual router id (VRID) on
multiple sub-interfaces of the same physical interfaces is NOT supported
for HSRP/VRRP
Workaround:
Use different virtual router id for the different sub-interfaces of same
physical interface
Further Problem Description:
Example of unsupported config:
router vrrp
interface GigabitEthernet0/5/0/38.175
vrrp 1 ipv4 10.186.0.1
interface GigabitEthernet0/5/0/38.176
vrrp 1 ipv4 10.186.0.9
If you have two groups configured with the same virtual router id, this means
that they have the same virtual MAC address (as this is derived from the
virtual router ID). When VRRP is in Master state, it installs an entry for
its virtual MAC into the MAC filter for the interface over which it is
running. However, it is not possible to program the MAC filter per
sub-interface. Therefore if VRRP is running over a sub-interface it is the MAC
filter of the underlying physical interface which is actually programmed
(although VRRP has no way of being aware of this). If using the unsupported
configuration, you have two Master groups with the same virtual MAC address on
sub-interfaces of the same physical interface. In this case there will only be
one MAC address installed in the filter of the physical interface. When one of
these groups is removed by configuration or it transitions out of Master
state, it removes its virtual MAC address from the MAC filter of the
underlying physical interface meaning there is now no MAC address installed at
all and the VRRP feature for the remaining Master group will no longer
work. The root cause of the problem is that the MAC filter cannot be
programmed per sub-interface.
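A pre-upgrade check for the condition the release note describes, as an added example (not code from the thread or from Cisco): it parses a `router vrrp` stanza, derives each group's virtual MAC, reports VRIDs reused on sub-interfaces of one physical port, and models the shared per-port filter to show which Master is left without its MAC. The 0000.5e00.01xx / 02xx mapping comes from RFC 5798, not from the page; the function names and the TenGigE0/0/0/0.3702 entry are made up for illustration.

```python
import re
from collections import defaultdict

# Stanza assembled from the two configs quoted in the thread, plus one
# constructed sub-interface (TenGigE0/0/0/0.3702) that uses a distinct VRID.
SAMPLE_STANZA = """\
router vrrp
 interface GigabitEthernet0/5/0/38.175
  vrrp 1 ipv4 10.186.0.1
 !
 interface GigabitEthernet0/5/0/38.176
  vrrp 1 ipv4 10.186.0.9
 !
 interface TenGigE0/0/0/0.3701
  address-family ipv4
   vrrp 1
    priority 200
    address 200.100.1.100
 !
 interface TenGigE0/0/0/0.3702
  address-family ipv4
   vrrp 2
    address 192.0.2.1
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
AF_RE = re.compile(r"^address-family\s+(ipv4|ipv6)")
VRRP_RE = re.compile(r"^vrrp\s+(\d+)(?:\s+(ipv4|ipv6))?")


def virtual_mac(vrid, family="ipv4"):
    """Virtual MAC for a VRID per RFC 5798, in Cisco dotted notation."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID out of range: {vrid}")
    h = bytes([0x00, 0x00, 0x5E, 0x00, {"ipv4": 0x01, "ipv6": 0x02}[family], vrid]).hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def physical_port(subif):
    """GigabitEthernet0/5/0/38.175 -> GigabitEthernet0/5/0/38"""
    return subif.split(".", 1)[0]


def parse_vrrp_groups(stanza):
    """Return (interface, family, vrid) for every group in a 'router vrrp' stanza.

    Lines are stripped first, so flattened (unindented) pastes work too. Both the
    one-line form ('vrrp 1 ipv4 ...') and the address-family form are accepted.
    """
    groups, iface, family = [], None, "ipv4"
    for raw in stanza.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface, family = m.group(1), "ipv4"
        elif m := AF_RE.match(line):
            family = m.group(1)
        elif (m := VRRP_RE.match(line)) and iface:
            groups.append((iface, m.group(2) or family, int(m.group(1))))
    return groups


def find_conflicts(groups):
    """Map (physical port, virtual MAC) -> sub-interfaces that share it."""
    seen = defaultdict(list)
    for subif, family, vrid in groups:
        seen[(physical_port(subif), virtual_mac(vrid, family))].append(subif)
    return {key: subifs for key, subifs in seen.items() if len(subifs) > 1}


def stranded_masters(groups, leaving):
    """Model the per-physical-port MAC filter: every group is Master, then
    'leaving' drops out and removes its MAC. Returns the sub-interfaces that
    are still Master but whose virtual MAC is no longer in the filter."""
    filters = defaultdict(set)  # physical port -> installed virtual MACs
    for subif, family, vrid in groups:
        filters[physical_port(subif)].add(virtual_mac(vrid, family))
    for subif, family, vrid in groups:
        if subif == leaving:
            filters[physical_port(subif)].discard(virtual_mac(vrid, family))
    return [s for s, f, v in groups
            if s != leaving and virtual_mac(v, f) not in filters[physical_port(s)]]


if __name__ == "__main__":
    parsed = parse_vrrp_groups(SAMPLE_STANZA)
    for (port, mac), subifs in find_conflicts(parsed).items():
        print(f"{port}: virtual MAC {mac} shared by {', '.join(subifs)}")
    print("stranded:", stranded_masters(parsed, "GigabitEthernet0/5/0/38.175"))
```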
Similar Messages
-
Improving install experience in IOS XR (ASR9K/CRS)
This time it's a question to our customers:
If you insisted on keeping SMUs, SPs, Install rollback and the things you have gotten used to today, how would you change the install process to make it simpler, but still provide what we do now?
Or asked differently, what do you struggle with today when it comes to Installing/Upgrading Software and what would you like to see improved.
We want to hear your feedback. You can send a message too, please don't hold back..
Eddie.Mathieu, inline:
>For example we were running 4.3.4 on our ASR9K and faced few bugs. Most of them were fixed in SP3. While upgrading a router from 4.3.4 to SP3, we ran into a bug that completely crashed our router. We had to turboboot everything. We raised a ticket with TAC and they told us we had to install asr9k-px-4.3.4.CSCul58246.tar before upgrading to SP3. Unfortunately, this fix needs asr9k-px-4.3.4.CSCug75299.tar and asr9k-px-4.3.4.CSCui94441.tar. This means to upgrade a router from 4.3.4 to SP3, you actually need to reboot it 3 times!!! By optimizing as much as we can this process, this means a maintenance of ~50min which is a lot of downtime for our customers!
Mathieu, the SP Readme has been updated to include these prerequisites, so hopefully in the future it shouldn't be required. This process of pre-req SMUs for SP is not needed from 5.1.3 on.
>Why not releasing a 4.3.4-SP image each time your release a SP? At least providers could turboboot it already patched?
Turboboot is the last thing we want you guys to do, it's slow and painful, turboboot should rarely be used.
>Concerning turboboot, the transfer speed thru an integrated management port is catastrophic. We can't specify a large block size to speed up things so even if we have a TFTP directly connected to the port, transfers are way too slow. A good way would be to be able to transfer files with HTTP / FTP during a turboboot.
We don't have a TCP stack in ROMMON and we don't plan to support it. We will support things like ONIE and IPXE in the future.
>Then if transfers are done in a fast & efficient way, we could save time by directly sending an uncompressed image over the network instead of waiting for the router to decompress the archive.
I like the uncompressed image idea, we are exploring that.
Thanks for the feedback and we'll keep you posted.
Eddie. -
[ASR9K nvEdge]How to decide who will be primary DSC after cluster rebuild?
Hi
I have a question about ASR9K nvEdge cluster.
Normally, when the EOBC & IRL links are disconnected, the cluster will enter into "split node" status.
Each rack will think itself is primary DSC.
My question is: after the EOBC & IRL are reconnected (cluster rebuild), which one (rack0 or rack1) will be the primary DSC? And why?
Thanks,
Tom
Yes that's perfect, thanks for the details. This is the expected behavior. In fact this is how we will be achieving nv ssu, which is a new feature on the roadmap. What happens here is rack0 goes down and it sends out beacons while booting on eobc (your step 5), finds that there is a responding DSC (Rack1), gets the sw from rack 1 and reboots and joins the cluster as nonDSC.
Have you had a chance to review the nv edge deployment guide? It has these details.
Eddie.
[asr9k cluster upgrade procedure]
Dear CSC (and hopefully Xander):
What is the proper way of upgrading an asr9k cluster?
Do i have to break the cluster and upgrade both 9ks separately? then rebuild the cluster?
Or you just treat the cluster as one box and when you upgrade one of them, both are upgraded simultaneously?
(is there a document that describes this procedure for a cluster specifically?)
Thanks in advance!
c.
Hello Carlos,
you can proceed with the following Cisco's recommendations thanks to Lenin Pedu:
https://supportforums.cisco.com/docs/DOC-34114#13_Cluster_RackByRack_Upgrade_
HTH,
Michel. -
ASR9K Series devices inventory is not working.
Hi all. Inventory in CiscoWorks with new devices ASR9K Series is not working. CW version: LMS3.2.1. Device: ASR-9006 AC Chassis. Credentials correct. Can anyone help me?
Screenshot1: inventory request fail.
Screenshot2: RME knows Cisco ASR9006 Router.
Hello again and thx for advice,
I've tried the solution from Cisco for this bug (CSCte95623), by manipulating delay values in the cmdsvc.properties file and restarting the cfgmngmt process. I've changed delay values in very different manner (delay after connect, tunesleepmills, login, etc.). Unfortunately this solution didn't help. A CDA work for SSH fails all the time. Also I've manipulated ssh rate-limit and ssh session-limit values on the device. It's a pity that the opportunity to set only sshv1 on the device doesn't exist, so CW tries to connect only with sshv2 and there is no chance to check how it works with sshv1.
I'm becoming a bit desperate about that issue. Any ideas?!
There is some output from ssh debugs on device:
debug ssh server
RP/0/RSP1/CPU0:May 31 12:02:14.068 : SSHD_[1114]: Spawned new child process 5869901
RP/0/RSP1/CPU0:May 31 12:02:14.149 : SSHD_[65869]: Client sockfd 3
RP/0/RSP1/CPU0:May 31 12:02:14.151 : SSHD_[65869]: Setting IP_TOS value:192
RP/0/RSP1/CPU0:May 31 12:02:14.152 : SSHD_[65869]: After setting socket options, sndbuf33792, rcvbuf - 33792
RP/0/RSP1/CPU0:May 31 12:02:14.153 : SSHD_[65869]: Connection from ------------ port ---------
RP/0/RSP1/CPU0:May 31 12:02:14.158 : SSHD_[65869]: (addrem_ssh_info_tuple) user:()
RP/0/RSP1/CPU0:May 31 12:02:14.162 : SSHD_[65869]: Session id 0
RP/0/RSP1/CPU0:May 31 12:02:14.162 : SSHD_[65869]: Exchanging versions
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-6-INFO_GENERAL : Client ------ closes socket connection
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: In cleanup code, pid:5869901, sig rcvd:0, state:1
RP/0/RSP1/CPU0:May 31 12:02:14.166 : SSHD_[65869]: Cleanup sshd process 5869901, session id 0
RP/0/RSP1/CPU0:May 31 12:02:14.171 : SSHD_[65869]: Closing connection to --------
RP/0/RSP1/CPU0:May 31 12:02:14.171 : SSHD_[65869]: Sending Disconnect msg
RP/0/RSP1/CPU0:May 31 12:02:14.172 : SSHD_[65869]: sshd_shm_acquire_lock: SHM Lock is NULL
RP/0/RSP1/CPU0:May 31 12:02:14.172 : SSHD_[65869]: sshd_shm_unlock: SHM Lock is NULL
RP/0/RSP1/CPU0:May 31 12:02:14.184 : SSHD_[1114]: Signal 18 received in handler: pid 5869901
RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: ratelimit_msecs:1000.000000, ratelimit_count:1
RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: elapsed:145.976000, ratelimit_msecs:1000.000000, count:1
RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: %SECURITY-SSHD-6-INFO_GENERAL : Incoming SSH session rate limit exceeded
And CDA ssh work log from CW:
Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1571,Iam inside ssh ....
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1573,Initial time_out : 0
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1583,Computed time_out : 30
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1599,After computing time_out : 30
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshCmdSvc,1637,inside getSshCmdSvc with timeout : 30000
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshProtocols,1743,Inside getsshprotocols with time out : 30000
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshCmdSvc,1651,SSH2 is running
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,136,Got CmdSvc for SSH
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,141,Before Resetting the counters i.e before invoking counters for CredType :: SSH
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,151,After Resetting the counters i.e before invoking counters for CredType :: SSH
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,156,Getting Primary credentails to reset again to Primary only..
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,201,trying to connect for SSH
[ Thu May 31 12:10:18 MSD 2012 ],ERROR,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,272,Got CmdSvcException com.cisco.nm.lib.cmdsvc.CmdSvcException: java.net.SocketException: Connection reset
at com.cisco.nm.lib.cmdsvc.OpConnect.invoke(OpConnect.java:57)
at com.cisco.nm.lib.cmdsvc.SessionContext.invoke(SessionContext.java:299)
at com.cisco.nm.lib.cmdsvc.Engine.process(Engine.java:57)
at com.cisco.nm.lib.cmdsvc.LocalProxy.process(LocalProxy.java:22)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:190)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:166)
at com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler.verify(CmdSvc_CDACredTypeHandler.java:202)
at com.cisco.nm.xms.xdi.pkgs.LibCda.GenericCdaHandler.checkSanity(GenericCdaHandler.java:37)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.checkSanity(CdaJobEngine.java:1565)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.run(CdaJobEngine.java:1429)
at com.cisco.nm.rmeng.inventory.cda.job.CdaJobMonitor$ExecutorThread.run(CdaJobMonitor.java:244)
[ Thu May 31 12:10:18 MSD 2012 ],ERROR,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,308,exception occured at the time of closing cmdsvccom.cisco.nm.lib.cmdsvc.CmdSvcException: java.net.SocketException: Connection reset
at com.cisco.nm.lib.cmdsvc.OpConnect.invoke(OpConnect.java:57)
at com.cisco.nm.lib.cmdsvc.SessionContext.invoke(SessionContext.java:299)
at com.cisco.nm.lib.cmdsvc.Engine.process(Engine.java:57)
at com.cisco.nm.lib.cmdsvc.LocalProxy.process(LocalProxy.java:22)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:190)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:166)
at com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler.verify(CmdSvc_CDACredTypeHandler.java:202)
at com.cisco.nm.xms.xdi.pkgs.LibCda.GenericCdaHandler.checkSanity(GenericCdaHandler.java:37)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.checkSanity(CdaJobEngine.java:1565)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.run(CdaJobEngine.java:1429)
at com.cisco.nm.rmeng.inventory.cda.job.CdaJobMonitor$ExecutorThread.run(CdaJobMonitor.java:244)
[ Thu May 31 12:10:18 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,310,Some exception not handled....
[ Thu May 31 12:10:18 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,312,Not for enable test -
I am having a problem bringing up MPLS L2VPN between an ASR9K and a 7609 router. Below is my config. The interfaces are up, the VC is working, but I can't ping across.
ASR9K
interface GigabitEthernet0/2/0/6.609 l2transport
encapsulation dot1q 609
rewrite ingress tag pop 1 symmetric
mtu 1526
pw-class TST
encapsulation mpls
transport-mode vlan
xconnect group TST
p2p TST
interface GigabitEthernet0/6.609
neighbor 2.2.2.2 pw-id 609
pw-class TST
7609
interface gig 3/4.609
encapsulation dot1q 609
xconnect 1.1.1.1 609 encapsulation mpls
***OUTPUT FROM ASR9K********
RP/0/RSP0/CPU0#sh l2vpn xconnect pw-class TST detail
Group X,X, state is up; Interworking none
AC: GigabitEthernet0/6.609, state is up
Type VLAN; Num Ranges: 1
VLAN ranges: [905, 905]
MTU 1512; XC ID 0x1040003; interworking none
Statistics:
packets: received 735789487, sent 725878036
bytes: received 405747931393, sent 184926449749
drops: illegal VLAN 0, illegal length 0
PW: neighbor 2.2.2.2, PW ID 609, state is up ( established )
PW class ENS, XC ID 0xc0000003
Encapsulation MPLS, protocol LDP
Source address 1.1.1.1
PW type Ethernet VLAN, control word disabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
PW Status TLV in use
MPLS          Local                     Remote
Label         17442                     847
Group ID      0x80003c0                 0x0
Interface     GigabitEthernet0/6.609    uknown
MTU           1512                      1512
Control word  disabled                  disabled
PW type       Ethernet VLAN             Ethernet VLAN
VCCV CV type  0x2                       0x2
              (LSP ping verification)   (LSP ping verification)
VCCV CC type  0x6                       0x6
              (router alert label)      (router alert label)
              (TTL expiry)              (TTL expiry)
Incoming Status (PW Status TLV):
Status code: 0x0 (Up) in Notification message
Outgoing Status (PW Status TLV):
Status code: 0x0 (Up) in Notification message
MIB cpwVcIndex: 3221225475
Statistics:
packets: received 725878036, sent 735789487
bytes: received 184926449749, sent 405747931393
*******7609 OUTPUT*******
Local interface: Gi1/3.609 up, line protocol up, Eth VLAN 609 up
Destination address: 1.1.1.1, VC ID: 609, VC status: up
Output interface: Gi2/4, imposed label stack {0 151644}******************This is my problem no imposed label on 7609
Preferred path: not configured
Default path: active
Next hop: 10.198.64.21
Create time: 00:00:16, last status change time: 00:00:16
Signaling protocol: LDP, peer 1.1.1.1 up
Targeted Hello: 2.2.2.2(LDP Id) -> 1.1.1.1, LDP is UP
Status TLV support (local/remote) : enabled/supported
LDP route watch : enabled
Label/status state machine : established, LruRru
Last local dataplane status rcvd: No fault
Last local SSS circuit status rcvd: No fault
Last local SSS circuit status sent: No fault
Last local LDP TLV status sent: No fault
Last remote LDP TLV status rcvd: No fault
Last remote LDP ADJ status rcvd: No fault
MPLS VC labels: local 505, remote 151644
Group ID: local 0, remote 134218688
MTU: local 1508, remote 1508
Remote interface description: GigabitEthernet0_6_.609
Sequencing: receive disabled, send disabled
Control Word: Off (configured: autosense)
SSO Descriptor: 1.1.1.1/609, local label: 505
SSM segment/switch IDs: 57633/24673 (used), PWID: 28772
VC statistics:
transit packet totals: receive 3, send 0
transit byte totals: receive 216, send 0
transit packet drops: receive 0, seq error 0, send 0
Hello ogungbenro wale,
Would you be so kind to verify the output from 7600, since the config part does not correspond to VC you provided output for:
interface gig 3/4.609 <=
Local interface: Gi1/3.609 up, line protocol up, Eth VLAN 609 up <= -
ASR9K PPPoE ERROR - bad session data
For the second time in a month, all PPPoE sessions are disconnected and new ones aren't connected until the router is rebooted.
Messages
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: Bundle-Ether100.10: I dst ffff.ffff.ffff src bcee.7bed.90a0: len 46 0x11090000000c01010000010300040001000000000000000000000000000000000000000000000000000000000000
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADI-Recv]: Bundle-Ether100.10 peer-mac bcee.7bed.90a0
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADI-Recv]: vlan-id-outer 600
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADI-Recv]: Service-name:
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADI-Recv]: Host-uniq: 00010000
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: Bundle-Ether100.10: O dst bcee.7bed.90a0 src e4c7.227c.ea0b: len 31 0x11070000001901010000010300040001000001020009415352394b2d424e47
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADO-Sent]: Bundle-Ether100.10 peer-mac bcee.7bed.90a0
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADO-Sent]: vlan-id-outer 600
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: Bundle-Ether100.10: I dst ffff.ffff.ffff src 0860.6e24.0390: len 46 0x11090000000c01010000010300040001000000000000000000000000000000000000000000000000000000000000
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADI-Recv]: Bundle-Ether100.10 peer-mac 0860.6e24.0390
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADI-Recv]: vlan-id-outer 88
RP/0/RSP0/CPU0:Feb 12 20:17:00.396 : pppoe_ma[378]: [PADI-Recv]: Service-name:
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: Bundle-Ether100.10: O dst 5404.a68e.2160 src e4c7.227c.ea0b: len 31 0x11070000001901010000010300040001000001020009415352394b2d424e47
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: [PADO-Sent]: Bundle-Ether100.10 peer-mac 5404.a68e.2160
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: [PADO-Sent]: vlan-id-outer 210
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: Bundle-Ether100.10: I dst ffff.ffff.ffff src 5404.a6e6.81d4: len 46 0x11090000000c01010000010300040001000000000000000000000000000000000000000000000000000000000000
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: [PADI-Recv]: Bundle-Ether100.10 peer-mac 5404.a6e6.81d4
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: [PADI-Recv]: vlan-id-outer 32
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: [PADI-Recv]: Service-name:
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: [PADI-Recv]: Host-uniq: 00010000
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: Bundle-Ether100.10: O dst 5404.a6e6.81d4 src e4c7.227c.ea0b: len 31 0x11070000001901010000010300040001000001020009415352394b2d424e47
RP/0/RSP0/CPU0:Feb 12 20:17:00.410 : pppoe_ma[378]: [PADO-Sent]: Bundle-Ether100.10 peer-mac 5404.a6e6.81d4
RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: Bundle-Ether100.10: I dst ffff.ffff.ffff src 60a4.4c8c.8ddc: len 46 0x11090000000c01010000010300040001000000000000000000000000000000000000000000000000000000000000
RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: [PADI-Recv]: Bundle-Ether100.10 peer-mac 60a4.4c8c.8ddc
RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: [PADI-Recv]: vlan-id-outer 60
RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: [PADI-Recv]: Service-name:
RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: [PADI-Recv]: Host-uniq: 00010000
RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: [PADI-Recv]: ERROR - bad session data
RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: Bundle-Ether100.10: O dst 60a4.4c8c.8ddc src e4c7.227c.ea0b: len 31 0x11070000001901010000010300040001000001020009415352394b2d424e47
ASR9001
Cisco IOS XR Software, Version 5.1.1[Default]
Copyright (c) 2014 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 2.04(20140227:092320) [ASR9K ROMMON]
How to fight against it? It wasn't noticed before.
hi vladimir,
I checked the source code when this error is set. this is seen when a session stage packet is received that has no valid idb (aka subscriber interface) for the session ID that was found in the packet together with the vlan tags.
Now this is a PADI, so it is not a session packet to start with.
Next I see that the function that sets this error is only called on data packets when the opcode is 0x00; in your case the opcode is 0x09, which is a PADI.
what I am thinking that is happening here is that the punt software has provided incorrect pointers to the start of the packet due to a sw bug.
I would like to request if you can evaluate xr513 for this as I see some fixes in 512/513 relating to the punt handling sw that might be of benefit here.
regards
xander -
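The consistency check described in the reply above, as an added example (not code from the thread or from IOS XR): it decodes the PPPoE header and tags from the `pppoe_ma` debug lines and flags a session-data error raised against a discovery packet. The two frames are rebuilt from the hex in the post, with the PADI's trailing padding written out to its stated 46 bytes; code and tag numbers other than 0x09 and 0x00 come from RFC 2516, and all function names are made up for illustration.

```python
import re
import struct

# PPPoE code and tag numbers per RFC 2516 (the thread itself names only 0x09 and 0x00).
CODES = {0x00: "SESSION", 0x07: "PADO", 0x09: "PADI", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
        0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

# Frames rebuilt from the debug output in the post: header, tags, then padding.
PADI_HEX = "11090000000c" + "01010000" + "0103000400010000" + "00" * 28
PADO_HEX = "110700000019" + "01010000" + "0103000400010000" + "01020009415352394b2d424e47"

PREFIX = "RP/0/RSP0/CPU0:Feb 12 20:17:00.518 : pppoe_ma[378]: "
SAMPLE_LOG = "\n".join(PREFIX + rest for rest in [
    f"Bundle-Ether100.10: I dst ffff.ffff.ffff src 60a4.4c8c.8ddc: len 46 0x{PADI_HEX}",
    "[PADI-Recv]: Bundle-Ether100.10 peer-mac 60a4.4c8c.8ddc",
    "[PADI-Recv]: vlan-id-outer 60",
    "[PADI-Recv]: Host-uniq: 00010000",
    "[PADI-Recv]: ERROR - bad session data",
    f"Bundle-Ether100.10: O dst 60a4.4c8c.8ddc src e4c7.227c.ea0b: len 31 0x{PADO_HEX}",
])

FRAME_RE = re.compile(
    r"(?P<intf>\S+): (?P<dir>[IO]) dst (?P<dst>\S+) src (?P<src>\S+): "
    r"len (?P<len>\d+) 0x(?P<hex>[0-9a-fA-F]+)")
ERROR_RE = re.compile(r"\[(?P<stage>\w+)-Recv\]: ERROR - (?P<msg>.+)")


def decode_pppoe(hexstr):
    """Decode a PPPoE header (and discovery tags) from a hex string."""
    frame = bytes.fromhex(hexstr)
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    payload = frame[6:6 + length]          # anything past 'length' is Ethernet padding
    if len(payload) < length:
        raise ValueError("payload shorter than the length field")
    tags, off = [], 0
    if code != 0x00:                       # discovery stage: payload is a TLV list
        while off + 4 <= len(payload):
            tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
            value = payload[off + 4:off + 4 + tag_len]
            if len(value) < tag_len:
                raise ValueError("tag overruns payload")
            tags.append((TAGS.get(tag_type, f"0x{tag_type:04x}"), value))
            off += 4 + tag_len
    return {"version": ver_type >> 4, "type": ver_type & 0x0F, "code": code,
            "code_name": CODES.get(code, f"0x{code:02x}"),
            "session_id": session_id, "length": length, "tags": tags}


def triage(log):
    """Flag session-data errors logged right after a received discovery packet.

    Session lookups only make sense for code 0x00, so such an error following
    a PADI/PADR points at the packet handling path rather than the subscriber.
    """
    findings, last_rx = [], None
    for line in log.splitlines():
        if m := FRAME_RE.search(line):
            if m["dir"] == "I":
                last_rx = (m["src"], decode_pppoe(m["hex"]))
        elif (m := ERROR_RE.search(line)) and last_rx:
            src, pkt = last_rx
            if "session" in m["msg"] and pkt["code"] != 0x00:
                findings.append({"src": src, "code": pkt["code_name"],
                                 "session_id": pkt["session_id"], "error": m["msg"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```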
VPLS : VC UP but no data -- ASR9k & 7600 ES+
Dears
Would like your assistance please regarding below VPLS setup
VPLS is between ASR9k & 7600 ES+ card. VC is up but CEs are not able to ping each other
Lab Topology
CE <> Te0/1/0/3.55 ASR9K < -- mpls --> 7600 Gi4/2 <> CE
Any ideas ?
Note
ASR9k & 7600 are directly connected via same ES+ card
||||||||||||||||||||||||||||||||||||||||||||||||||
ASR9k
interface TenGigE0/1/0/3
cdp
interface TenGigE0/1/0/3.55 l2transport
encapsulation dot1q 55 exact
rewrite ingress tag pop 1 symmetric
l2vpn
pw-class PW-CLASS-TEST
encapsulation mpls
transport-mode ethernet
bridge group vpls-test
bridge-domain asr9k-7600
interface TenGigE0/1/0/3.55
vfi vlan-55
neighbor 6.6.6.6 pw-id 55
pw-class PW-CLASS-TEST
7600
ethernet evc test-vpls
interface GigabitEthernet4/2
no ip address
speed 1000
service instance 55 ethernet test-vpls
encapsulation dot1q 55
rewrite ingress tag pop 1 symmetric
bridge-domain 55
interface Vlan55
no ip address
xconnect vfi asr9k-7600
end
l2 vfi asr9k-7600 manual test-vpls
vpn id 55
neighbor 19.19.19.19 encapsulation mpls
||||||||||||
RP/0/RSP0/CPU0:XR1#sh l2vpn bridge-domain
Wed Oct 16 19:34:58.345 UTC
Legend: pp = Partially Programmed.
Bridge group: vpls-test, bridge-domain: asr9k-7600, id: 15, state: up, ShgId: 0, MSTi: 0
Aging: 300 s, MAC limit: 4000, Action: none, Notification: syslog
Filter MAC addresses: 0
ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
List of ACs:
Te0/1/0/3.55, state: up, Static MAC addresses: 0
List of Access PWs:
List of VFIs:
VFI vlan-55 (up)
Neighbor 6.6.6.6 pw-id 55, state: up, Static MAC addresses: 0
RP/0/RSP0/CPU0:XR1#
RP/0/RSP0/CPU0:XR1#sh l2vpn bridge-domain detail
Wed Oct 16 19:35:02.391 UTC
Legend: pp = Partially Programmed.
Bridge group: vpls-test, bridge-domain: asr9k-7600, id: 15, state: up, ShgId: 0, MSTi: 0
Coupled state: disabled
MAC learning: enabled
MAC withdraw: enabled
MAC withdraw for Access PW: enabled
MAC withdraw sent on bridge port down: disabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
MAC port down flush: enabled
MAC Secure: disabled, Logging: disabled
Split Horizon Group: none
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
DHCPv4 snooping: disabled
IGMP Snooping profile: none
Bridge MTU: 1500
MIB cvplsConfigIndex: 16
Filter MAC addresses:
Create time: 16/10/2013 18:40:04 (00:54:57 ago)
No status change since creation
ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
List of ACs:
AC: TenGigE0/1/0/3.55, state is up
Type VLAN; Num Ranges: 1
VLAN ranges: [55, 55]
MTU 1500; XC ID 0x44002e; interworking none
MAC learning: enabled
Flooding:
Broadcast & Multicast: enabled
Unknown unicast: enabled
MAC aging time: 300 s, Type: inactivity
MAC limit: 4000, Action: none, Notification: syslog
MAC limit reached: no
MAC port down flush: enabled
MAC Secure: disabled, Logging: disabled
Split Horizon Group: none
Dynamic ARP Inspection: disabled, Logging: disabled
IP Source Guard: disabled, Logging: disabled
DHCPv4 snooping: disabled
IGMP Snooping profile: none
Storm Control: disabled
Static MAC addresses:
Statistics:
packets: received 0, sent 2
bytes: received 0, sent 112
Storm control drop counters:
packets: broadcast 0, multicast 0, unknown unicast 0
bytes: broadcast 0, multicast 0, unknown unicast 0
Dynamic ARP inspection drop counters:
packets: 0, bytes: 0
IP source guard drop counters:
packets: 0, bytes: 0
List of Access PWs:
List of VFIs:
VFI vlan-55 (up)
PW: neighbor 6.6.6.6, PW ID 55, state is up ( established )
PW class PW-CLASS-TEST, XC ID 0xc000001d
Encapsulation MPLS, protocol LDP
Source address 19.19.19.19
PW type Ethernet, control word disabled, interworking none
PW backup disable delay 0 sec
Sequencing not set
PW Status TLV in use
MPLS          Local                     Remote
Label         16052                     63
Group ID      0xf                       0x0
Interface     vlan-55                   unknown
MTU           1500                      1500
Control word  disabled                  disabled
PW type       Ethernet                  Ethernet
VCCV CV type  0x2                       0x12
              (LSP ping verification)   (LSP ping verification)
VCCV CC type  0x6                       0x6
              (router alert label)      (router alert label)
              (TTL expiry)              (TTL expiry)
Incoming Status (PW Status TLV):
Status code: 0x0 (Up) in Notification message
MIB cpwVcIndex: 3221225501
Create time: 16/10/2013 18:51:28 (00:43:33 ago)
Last time status changed: 16/10/2013 18:52:43 (00:42:18 ago)
MAC withdraw message: send 0 receive 0
Static MAC addresses:
Statistics:
packets: received 0, sent 0
bytes: received 0, sent 0
DHCPv4 snooping: disabled
IGMP Snooping profile: none
VFI Statistics:
drops: illegal VLAN 0, illegal length 0
RP/0/RSP0/CPU0:XR1#
|||
NPE-3#show mpls l2 binding
Destination Address: 19.19.19.19,VC ID: 55
Local Label: 63
Cbit: 0, VC Type: Ethernet, GroupID: 0
MTU: 1500, Interface Desc: n/a
VCCV: CC Type: RA [2], TTL [3]
CV Type: LSPV [2], BFD/Raw [5]
Remote Label: 16052
Cbit: 0, VC Type: Ethernet, GroupID: 15
MTU: 1500, Interface Desc: vlan-55
VCCV: CC Type: RA [2], TTL [3]
CV Type: LSPV [2]
NPE-3#
NPE-3#show mpls l2 vc 55
Local intf Local circuit Dest address VC ID Status
VFI asr9k-7600 \
vfi 19.19.19.19 55 UP
NPE-3#
NPE-3#show mpls l2 vc 55 detail
Local interface: VFI asr9k-7600 vfi up
Interworking type is Ethernet
Destination address: 19.19.19.19, VC ID: 55, VC status: up
Output interface: none, imposed label stack {}
Preferred path: not configured
Default path: active
No adjacency
Create time: 00:53:12, last status change time: 00:40:59
Last label FSM state change time: 00:39:58
Last peer autosense occurred at: 00:40:59
Signaling protocol: LDP, peer 19.19.19.19:0 up
Targeted Hello: 6.6.6.6(LDP Id) -> 19.19.19.19, LDP is UP
Status TLV support (local/remote) : enabled/supported
LDP route watch : enabled
Label/status state machine : established, LruRru
Last local dataplane status rcvd: No fault
Last BFD dataplane status rcvd: Not sent
Last BFD peer monitor status rcvd: No fault
Last local AC circuit status rcvd: No fault
Last local AC circuit status sent: No fault
Last local PW i/f circ status rcvd: No fault
Last local LDP TLV status sent: No fault
Last remote LDP TLV status rcvd: No fault
Last remote LDP ADJ status rcvd: No fault
MPLS VC labels: local 63, remote 16052
Group ID: local 0, remote 15
MTU: local 1500, remote 1500
Remote interface description: vlan-55
Sequencing: receive disabled, send disabled
Control Word: Off (configured: autosense)
SSO Descriptor: 19.19.19.19/55, local label: 63
Dataplane:
SSM segment/switch IDs: 4200/110690 (used), PWID: 27
VC statistics:
transit packet totals: receive 0, send 0
transit byte totals: receive 0, send 0
transit packet drops: receive 0, seq error 0, send 0
NPE-3#
Many Thanks
Regards
Sherif Ismail
Hi Xander
First many thanks for your assistance
Have rechecked CEs config and they are straightforward. [trunk interface allowing all vlans]
However I have added CE3/PE3 to topology and results were somehow interesting
CE1(ME3800) -- PE1 (ASR9K) --- PE2 (7600) -- PE3 (7600) -- CE3 (ME3800)
                                |
                           CE2(ME3800)
Now both CE1/CE2 can ping CE3 but still no communication between CE1 & CE2
Don't know what could be the difference between CE2 & CE3. Only thing that comes to my mind is that with CE2, PE2 is directly connected to PE1. Don't know if this could be a problem or not as in this case MPLS label should be pop but still there is VC label
Another thing I removed "rewrite ingress tag pop 1 symmetric" from all PEs cause with this command CE3 (only) was receiving BPDU with different VLAN ! [don't know if this behavior is normal or not]
interface GigabitEthernet4/2
no ip address
speed 1000
service instance 55 ethernet
encapsulation dot1q 55
rewrite ingress tag pop 1 symmetric
bridge-domain 55
*Oct 24 21:57:14.158: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on GigabitEthernet0/23 VLAN55.
*Oct 24 21:57:14.158: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/23 on VLAN0055. Inconsistent local vlan.
*Oct 24 21:57:15.158: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan55, changed state to down
UPE-42#
Once I remove it
UPE-42# *Oct 24 21:59:23.638: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/23 on VLAN0055. Port consistency restored
Now what do you think ? :]
Many Thanks
Regards
Sherif Ismail -
Hello all,
I received a report from one of the ASR9Ks and when I checked the log and did a little research using this site (http://www.cisco.com/c/en/us/td/docs/ios_xr_sw/iosxr_r4-2/error/messages/em42sems/em42ip.html) and here is what I found out:
1- RP/0/RSP0/CPU0::Apr 30 12:46:17.450 : ntpd[240]: %IP-IP_NTP-5-SYNC_LOSS : Synchronization lost : 10.10.100.254 : System clock selection failed
Cisco's Error Explanation:
a. %IP-IP_NTP-5-SYNC_LOSS Synchronization lost : [chars] : [chars]
b. Explanation NTP lost synchronization due to one of the following reasons: 1. Server authentication failed 2. Access denied by remote server 3. Peer unreachable or clock selection failed 4. The association was removed 5. The clock was stepped and needs to be resynced 6. The ephemeral client association was timeout 7. ntp clear command
c. Recommended Action If SYNC_LOSS because 'The clock was stepped and needs to be resynced' keeps occurring constantly during time, try to exec ntp reset drift.
2- RP/0/RSP0/CPU0::Apr 30 12:46:17.450 : ntpd[240]: %IP-IP_NTP-5-HP_CONN_LOST : High priority NTP peer connection lost - Stratum 2->4.
Cisco's Error Explanation:
a. %IP-IP_NTP-5-HP_CONN_LOST High priority NTP peer connection lost - Stratum [dec]-[dec].
b. Explanation The ntp server lost the connection with a high-priority clock source. The Stratum tells the change of server stratum.
c. Recommended Action No action is required.
3- RP/0/RSP0/CPU0::Apr 30 13:03:14.121 : ntpd[240]: %IP-IP_NTP-5-HP_CONN_RECOVERED : High priority NTP peer connection recovered - Stratum 5->2.
Cisco's Error Explanation:
a. %IP-IP_NTP-5-LP_CONN_RECOVERED At least a low priority NTP peer connection was recovered - Stratum [dec]-[dec].
b. Explanation The ntp server recovered a connection with one of the configured clock source. The Stratum tells the change of server stratum.
c. Recommended Action No action is required.
I'm not sure if I understand the following statements. I'd really appreciate it if someone can clarify to me what these two statements mean.
High priority NTP peer connection lost - Stratum 2->4.
High priority NTP peer connection recovered - Stratum 5->2.
Thanks in advance.
Zeke
Thx for the quick reply. The 10.10.100.254 is an internal NTP peer. Here is the output of the NTP assoc from this ASR9K:
RP/0/RSP0/CPU0:vacrw01001001#sh ntp associations
Thu May 1 13:49:00.111 PDT
  address         ref clock       st  when  poll reach  delay  offset    disp
*~198.123.30.132  192.58.23.182    2  2898  1024   374   5.95   0.862  18.651
  10.10.100.252   10.10.100.253    4     9  1024   377   1.95  -1.382   0.697
  10.10.100.251   10.10.100.253    4    40  1024   377   2.08  -1.344   0.202
 ~207.26.97.57    .STEP.          16     -  1024     0   0.00   0.000   15937
 ~10.10.100.254   10.10.100.253    4   252  1024   377   3.45  -2.377  18.463
 ~10.10.100.250   10.10.100.253    4   389  1024   377   6.00  -2.489  18.186
 ~192.6.38.127    .STEP.          16     -  1024     0   0.00   0.000   15937
 ~10.10.100.249   198.123.30.132   3   965  1024   377   6.00  -1.942  19.083
* sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured
Much appreciated.
Best, ~sK -
Traffic Shaping ASR9k in output interface.
If we configure output traffic shaping on an ASR 9000 interface the Service Policy is not installed, however in cco we can find that traffic shaping is supported see the next link:
http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.2/qos/configuration/guide/b_qos_cg421asr_chapter_0100.html#ID407
My configuration is:
policy-map I4-TEST-OUT
class class-default
shape average 300000 bps
interface GigabitEthernet0/0/1/10
description <DESCRIPTION . CIRCUIT_ID>
bandwidth 300
service-policy input I4-TEST-IN
service-policy output I4-TEST-OUT
ipv4 address 1.1.1.1 255.255.255.252
ipv4 verify unicast source reachable-via rx
load-interval 30
ASR9k#show policy-map int g0/0/1/10
GigabitEthernet0/0/1/10 input: I4-TEST-IN
Class class-default
Classification statistics (packets/bytes) (rate - kbps)
Matched : 0/0 0
Transmitted : N/A
Total Dropped : 0/0 0
Policing statistics (packets/bytes) (rate - kbps)
Policed(conform) : 0/0 0
Policed(exceed) : 0/0 0
Policed(violate) : 0/0 0
Policed and dropped : 0/0
GigabitEthernet0/0/1/10 direction output: Service Policy not installed
RP/0/RSP1/CPU0:CE.HTCHP.RPE01#
as you can see we got a message "GigabitEthernet0/0/1/10 direction output: Service Policy not installed".
If I use a class instead of the class class-default the policy-map is correctly installed. If I use a child policy-map under the class class-default the policy is also installed.
Do you know if it is a restriction to use traffic shaping in an output interface and using the default class?
regards
thanks
I forgot to post the 15.x output; here it is.
R2#sh policy-map int f0/0
FastEthernet0/0
Service-policy output: SHAPE_10M
Class-map: class-default (match-any)
14 packets, 1056 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 14/1056
shape (average) cir 10000000, bc 40000, be 40000
target shape rate 10000000 -
ASR9K - Anything for load-balancing?
Does the ASR9K provide any load-balancing mechanism that is comparable to PfR/OER?
- HB
Hi Hosam,
as a matter of fact few guys and I have a proposal on the table for that, not precisely the same as pfr, but more a load
based loadbalancing dynamically adjusted.
this is longer term.
today I can offer you DMZ link bandwidth whereby you can statically apply a load distribution (ECMP) in an unequal path sharing (UCMP). google ucmp asr9000 for more details if you're interested in that.
regards
xander -
The packet rate MIB 1.3.6.1.4.1.9.2.2.1.1.7 for the 7600 does not seem to be supported by the ASR9K. Can anyone share the packet rate/s MIB for the ASR9K?
This is generally computed offline by the mgmt station based on the packet counters (from the IFMIB) and computed over time.
A great package that does this is MRTG you may like to mess around with.
alternatively you could possibly pull the XR interface rate out via XML.
regards
xander -
ASR9K BNG and user defined VSAs
Hello All,
I am currently deploying a Cisco ASR9K BNG solution and it needs to be integrated with Cisco ACS 3.3 equipment (yes, that old... going to migrate to a new product in the future). There are several specific attributes needed that are not in the base config of the ACS 3.3, but it seems that I can configure them manually:
In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors and VSAs that you define. Vendors you add must be IETF-compliant; therefore, all VSAs that you add must be sub-attributes of IETF RADIUS attribute number 26.
This is from the ACS 3.3 configuration manual.
I have never done these user-defined VSAs. Does anyone have experience with this? Will this work?
How can I identify the exact attributes necessary for my implementation to work?
Thanks!
David
Hi David,
yes that will work.
Radius is very "simple", it defines attributes in the following format:
attribute-number string representation encoding type.
the encoding type is important, because the value you provide on the string representation of the attribute
will get encoded in that manner.
For instance a string value of "105" is 3 bytes with chars "1", "0" and "5". the INT encoding of this will be a single byte with value "105", which is the ascii letter "i".
Now Attribute number "26" has string representation "vendor-specific". These attributes are encoded slightly different
attribute 26, vendor code, vendor length, vendor attribute, vendor value.
for Cisco the vendor code is 9, always.
The vendor attribute we have some options, for instance:
"1" is the cisco-avpair you may well know.
"2" is cisco-nas-port
250 is SSG command code for instance.
In general, all VSA's follow a string encoding.
So if you have the ability to define a new VENDOR specific attribute, they always start with 26, vendorcode and vendor attribute.
IF you like you add a, what we call IETF attribute, that is the first digit (some vendors "stole" some values there like ascend, who was the originator of radius pretty much), they had assigned for instance number 135 for ascend-primary-dns which is encoded as ip address (so 4 octets converted to a ulong value).
Does that clarify your Q at all? In short, yes VSA's are always usable in ANY radius that supports attribute 26.
regards
xander -
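The attribute 26 layout discussed in the reply above, as an added example that is not part of the original thread. It follows the field order of RFC 2865 section 5.26 (type, length, 4-octet vendor id, then vendor type, vendor length, value), uses the Cisco vendor code 9 and cisco-avpair type 1 named in the reply, and the AV pair text is a constructed placeholder.

```python
import struct

VENDOR_SPECIFIC = 26   # IETF attribute number for vendor-specific (RFC 2865, 5.26)
CISCO_VENDOR_ID = 9    # Cisco vendor code, as stated in the reply
CISCO_AVPAIR = 1       # vendor attribute 1 = cisco-avpair, as stated in the reply


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Build one attribute 26 carrying a single vendor sub-attribute."""
    vendor_len = 2 + len(value)      # vendor type + vendor length + value
    total_len = 2 + 4 + vendor_len   # type + length + 4-octet vendor id
    if total_len > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return (struct.pack("!BBI", VENDOR_SPECIFIC, total_len, vendor_id)
            + struct.pack("!BB", vendor_type, vendor_len) + value)


def decode_vsa(attr: bytes):
    """Parse attribute 26 into (vendor_id, [(vendor_type, value), ...]).

    Every length octet is checked against the bytes actually present, so a
    truncated or oversized sub-attribute is rejected instead of read past.
    """
    if len(attr) < 6:
        raise ValueError("too short for attribute 26 header")
    attr_type, attr_len, vendor_id = struct.unpack("!BBI", attr[:6])
    if attr_type != VENDOR_SPECIFIC:
        raise ValueError("not a vendor-specific attribute")
    if attr_len != len(attr):
        raise ValueError("attribute length does not match data")
    subs, pos = [], 6
    while pos < attr_len:
        if attr_len - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > attr_len:
            raise ValueError("sub-attribute length out of bounds")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


# Constructed sample value; the AV pair text is illustrative only.
SAMPLE = encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"example:key=value")
```

A RADIUS server or test harness that accepts user-defined VSAs should apply the same length checks before trusting any sub-attribute value.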
Hi.
There's a proprietary dhcp server that in certain cases, assigns yiaddr=127.0.0.1. The goal is to get rid of unwanted clients.
An asr9k configured as dhcp proxy sends a release for every ack for yiaddr=127.0.0.1, so client never gets this assignment and tries again and again multiplying traffic.
I know this dhcp server config doesn't make much sense, but I don't see any limitations about this on rfc2131 nor draft-ietf-dhc-proxyserver-opt-05.
Is there any way to work around this?
Thanks!
Diego
DHCP Proxy uses the VIP and not the management IP of the WLC. Is one of the WLC ports connected to your internal network and the other port connected to the FW? Again with DHCP Proxy enabled, traffic will flow to your internal DHCP server as long as you have all the dhcp server address configured on the interfaces and have ip helper-address setup on the L3 interfaces.
Here is a doc regarding DHCP Proxy:
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml#DHCP-Proxy -
hi vikas,
yeah that is the current existing limitation we have whereby the Prefix-Delegation with a local server is tied to all subscriber access interfaces.
If you need more granularity we can provide that by using radius and an offbox dhcp server if that is an option for you.
This way you have the ability also to load a dhcp class from radius to signal to the dhcp server this class so a more selective pool can be used.
Mixing local dhcp server with offbox is currently not available.
I would like to do this functionality, but it is not a quick fix unfortunately. So if that on a per access interface basis local DHCP pool is a requirement, I would need to redirect you to your account team and facilitate a discussion with our eng group to see what can be done when.
Today; (using) radius (for pool selection on an OFF-box server) is your best option.
cheers!
xander