ASR9k - ACL Counters
Hi All,
Apologies if this has already been asked but I want to know if there is a way to view access-list counters when it is used in a class-map and the policy-map is applied to an interface.
I tried the following command but I get "unrecognized location".
RP/0/RSP0/CPU0:R1# show access-lists ipv4 ACL-NETWORK-CONTROL-00001 hardware egress location 0/0/1
Tue Jul 1 01:24:20.077 UTC
Unrecognized location
RP/0/RSP0/CPU0:R1# show platform
Tue Jul 1 01:32:32.358 UTC
Node Type State Config State
0/RSP0/CPU0 ASR9001-RP(Active) IOS XR RUN PWR,NSHUT,MON
0/0/CPU0 ASR9001-LC IOS XR RUN PWR,NSHUT,MON
0/0/0 A9K-MPA-20X1GE OK PWR,NSHUT,MON
0/0/1 A9K-MPA-4X10GE OK PWR,NSHUT,MON
IOS-XR version 4.2.3 on ASR9001.
Regards,
Amit.
Hi Amit,
Since you are using the access-list in a service policy applied to an interface, are you not seeing matches when you do "show policy-map interface g0/0/1/x in/out"?
In order to see the "show access-list" output you have to apply the acl in/out to the interface.
Best Regards,
Bheem
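An added example for the thread above (not code from the original post or from Cisco): the two outputs the thread relies on, `show platform` and `show policy-map interface`, are parsed to answer the two practical questions. First, which strings are valid for the `location` argument: in the `show platform` output, the entries running IOS XR are the CPU nodes (0/RSP0/CPU0 and 0/0/CPU0), and `location` expects one of those node IDs rather than an MPA bay such as 0/0/1, which is what "Unrecognized location" is pointing at. Second, whether an ACL that is only referenced from a class-map is seeing traffic: the class's Matched counter in `show policy-map interface` is the counter that exists for it. Both sample outputs below are constructed; the policy-map and class-map names are hypothetical and the column layout of the policy-map statistics is approximate, so the regexes are deliberately loose.

```python
import re
from typing import Dict, List, Tuple

# Constructed `show platform` output modelled on the one in the thread.
SHOW_PLATFORM = """\
Node              Type                      State            Config State
-----------------------------------------------------------------------------
0/RSP0/CPU0       ASR9001-RP(Active)        IOS XR RUN       PWR,NSHUT,MON
0/0/CPU0          ASR9001-LC                IOS XR RUN       PWR,NSHUT,MON
0/0/0             A9K-MPA-20X1GE            OK               PWR,NSHUT,MON
0/0/1             A9K-MPA-4X10GE            OK               PWR,NSHUT,MON
"""

# Constructed `show policy-map interface ... input` output; policy and class
# names are hypothetical and the column layout is approximate.
SHOW_POLICY_MAP = """\
GigabitEthernet0/0/1/0 input: PM-NETWORK-CONTROL

Class CM-NETWORK-CONTROL
  Classification statistics          (packets/bytes)     (rate - kbps)
    Matched             :                1532/153200              12
    Transmitted         :                1532/153200              12
    Total Dropped       :                   0/0                    0
Class CM-UNUSED
  Classification statistics          (packets/bytes)     (rate - kbps)
    Matched             :                   0/0                    0
    Transmitted         :                   0/0                    0
    Total Dropped       :                   0/0                    0
Class class-default
  Classification statistics          (packets/bytes)     (rate - kbps)
    Matched             :               98211/9821100             330
    Transmitted         :               98211/9821100             330
    Total Dropped       :                   0/0                    0
"""

# A node ID is rack/slot/CPUn; MPA bays such as 0/0/1 are not nodes.
NODE_RE = re.compile(r"^(\d+/\S+/CPU\d+)\s", re.M)
CLASS_RE = re.compile(r"^Class (\S+)", re.M)
MATCHED_RE = re.compile(r"^\s*Matched\s*:\s*(\d+)/(\d+)", re.M)


def valid_locations(show_platform: str) -> List[str]:
    """Node IDs that can be given to `location` (the CPU nodes), in order."""
    return NODE_RE.findall(show_platform)


def class_matches(show_policy_map: str) -> Dict[str, Tuple[int, int]]:
    """Map each class-map name to its (matched packets, matched bytes)."""
    result: Dict[str, Tuple[int, int]] = {}
    # Split in front of every 'Class ' header so each chunk holds one class.
    for chunk in re.split(r"^(?=Class \S+)", show_policy_map, flags=re.M):
        header = CLASS_RE.match(chunk)
        stats = MATCHED_RE.search(chunk) if header else None
        if header and stats:
            result[header.group(1)] = (int(stats.group(1)), int(stats.group(2)))
    return result


def idle_classes(show_policy_map: str) -> List[str]:
    """Classes whose Matched counter is zero: the ACL behind the class saw no
    traffic, so either the traffic is absent or the ACE does not describe it."""
    return [name for name, (pkts, _) in class_matches(show_policy_map).items()
            if pkts == 0 and name != "class-default"]


if __name__ == "__main__":
    print("valid location arguments:", valid_locations(SHOW_PLATFORM))
    for name, (pkts, nbytes) in class_matches(SHOW_POLICY_MAP).items():
        print(f"{name:22} matched {pkts} packets / {nbytes} bytes")
    print("classes with no matches:", idle_classes(SHOW_POLICY_MAP))
```

Feed it the real outputs (for example via the device's SSH session) and compare the per-class Matched counters before and after sending known traffic; a class that stays at zero while `class-default` climbs means the ACE, not the policy attachment, is what needs fixing.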
Similar Messages
-
3550-12T ACL OUT counters not incrementing.
We have several acls applied against various vlans on the 3550-12T switch IOS version c3550-i5q3l2-mz.121-22.EA1a.bin. Noticed that if the ACL is applied IN on the interface that all hits are counted. It appears that only the denies are being counted on an ACL if it is applied OUT on the interface.
I am using the permit any any established command and would have expected to see massive counts on this line. When compared to the behavior on the 4507 ACL the established counter increments dramatically.
Without the hit counts it is hard to see what is being done and if an ACL entry is even required.
Any suggestions?
ACL counters will not increment if the traffic is switched in hardware. The ACL counter will only increment for software-switched traffic that matches ACL entries.
-
Hi!
I have FWSM running 4.1(6) with two security contexts.
The context test config is:
FWSM/test# sh run
: Saved
FWSM Version 4.1(6) <context>
hostname test
domain-name fwsm.spbstu.ru
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
interface Vlan556
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
interface Vlan557
nameif dmz
security-level 50
ip address 172.16.2.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list permit_any extended permit tcp any any
access-list permit_any extended permit udp any any
access-list permit_any extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list dmz_in extended permit udp any any
access-list dmz_in remark dmz_in
access-list dmz_in extended permit tcp any any
access-list dmz_out extended permit icmp any any
access-list dmz_out extended permit udp any any
access-list dmz_out extended permit tcp any any
access-list inside_in extended permit tcp any eq 3389 any
access-list inside_in extended permit tcp any any
access-list inside_in extended deny ip any any
access-list inside_out extended permit icmp any any
access-list inside_out extended permit udp any any
access-list inside_out extended permit tcp any any
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu dmz 1500
no asdm history enable
arp timeout 14400
nat-control
access-group permit_any in interface inside
access-group permit_any out interface inside
access-group permit_any in interface dmz
access-group permit_any out interface dmz
route dmz 0.0.0.0 0.0.0.0 172.16.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ZBZ8GNEdrJsjFvsR encrypted
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
no snmp-server location
no snmp-server contact
telnet timeout 60
ssh timeout 60
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns
inspect ftp
inspect netbios
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
service-policy global_policy global
Cryptochecksum:632fecb27da8e4b662d4197c60f1b22a
: end
Routing and vlan config is fine for sure.
but access is denied while ACL counters are 0
Does anybody have any ideas where I should look more carefully?
system context config is
FWSM# sh run
: Saved
FWSM Version 4.1(6) <system>
resource acl-partition 12
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan555
interface Vlan556
interface Vlan557
interface Vlan1216
passwd 2KFQnbNIdI.2KYOU encrypted
class default
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
limit-resource All 0
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
description default_context
member default
allocate-interface Vlan1216
allocate-interface Vlan555
allocate-acl-partition 0
config-url disk:/admin.cfg
context test
description test
member default
allocate-interface Vlan556
allocate-interface Vlan557
allocate-acl-partition 1
config-url disk:/CON_test.cfg
prompt hostname context
Cryptochecksum:ae682011fefdab9a0e4eeda02ca49c6e
: end
access-list permit_any extended permit tcp any any
access-list permit_any extended permit udp any any
access-list permit_any extended permit ip any any
access-list permit_any extended permit icmp any any
access-group permit_any in interface inside
access-group permit_any out interface inside
access-group permit_any in interface dmz
access-group permit_any out interface dmz
I don't understand why FWSM denies ICMP:
( I am pinging from Cat6509 SUP 172.16.2.254 ( which is on dmz interface ) the host on inside interface 192.168.100.250:
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-7-111009: User 'enable_15' executed cmd: show logging
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
Any ideas? -
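An added example for the FWSM thread above (not code from the original post): a parser for the syslog lines it quotes that separates access-list denies from other policy denies. A deny caused by an access-group is logged as %FWSM-4-106023 "Deny <proto> src ... dst ... by access-group <name>", and that is the path on which an ACE hit counter increments; %FWSM-3-106010 "Deny inbound <proto> src ... dst ..." is the generic "denied by your security policy" message and names no access-list, which is consistent with the poster seeing denies while every ACE counter stays at zero. The 106010 and 111009 lines in the sample are the ones from the thread; the 106023 line is constructed to show the other format.

```python
import re
from collections import Counter
from typing import Dict, Optional

# The 106010 and 111009 lines are from the thread; the 106023 line is
# constructed to show what an access-list deny looks like.
SAMPLE = """\
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-7-111009: User 'enable_15' executed cmd: show logging
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-4-106023: Deny tcp src dmz:172.16.2.10/51234 dst inside:192.168.100.250/445 by access-group "dmz_in" [0x0, 0x0]
"""

HDR_RE = re.compile(r"%(?P<dev>\w+)-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
DENY_RE = re.compile(
    r"Deny (?:inbound )?(?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
    r'(?: by access-group "?(?P<acl>[\w-]+)"?)?')


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a syslog line into its header fields and, for deny messages, the
    flow fields.  'reason' is 'acl' when an access-group is named (106023)
    and 'policy' otherwise (106010 and similar)."""
    h = HDR_RE.match(line.strip())
    if h is None:
        return None
    rec: Dict[str, Optional[str]] = {"id": h.group("id"), "severity": h.group("sev")}
    d = DENY_RE.match(h.group("msg"))
    if d is not None:
        rec.update(d.groupdict())
        rec["reason"] = "acl" if d.group("acl") else "policy"
    return rec


def deny_summary(text: str) -> Counter:
    """Count denies by (reason, acl, proto, src, dst)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "reason" in rec:
            counts[(rec["reason"], rec["acl"], rec["proto"], rec["sip"], rec["dip"])] += 1
    return counts


def acl_denies(text: str) -> int:
    """Number of denies that an ACE hit counter would have registered."""
    return sum(n for key, n in deny_summary(text).items() if key[0] == "acl")


if __name__ == "__main__":
    for key, n in deny_summary(SAMPLE).most_common():
        print(n, key)
    print("denies attributable to an access-list:", acl_denies(SAMPLE))
```

Run over `show logging` output, a zero from `acl_denies` together with non-zero policy denies tells you to stop staring at the ACEs and look at the rest of the policy for that flow instead.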
Hello,
I've created a reflexive ACL to allow IP SLA flows between two routers. Looking at the ACL counters, none of the outbound or inbound IP SLA permit statements are incrementing. Looking at the logs, I can see that my IP SLA return traffic is being blocked by the inbound ACL (I created a "deny ip any any log" at the end of my inbound ACL). Since the outbound reflexive statements aren't handling the outbound traffic (the counters aren't incrementing), the inbound reflexive ACL statements aren't being built. When I remove the ACLs, the IP SLA traffic flows normally.
Do ACLs apply to network traffic originated from the router? If not, how could I build a reflexive ACL to support IP SLA traffic?
Thanks,
Rob
Hello Robert,
Traffic generated by the router itself is not taken into consideration for reflexive ACL sessions.
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Hey guys,
I have a question regarding ISE Authorization Policy. In my test lab, I don't have any wired station, and what I have is a wireless laptop. I have configured it to allow only EAP-TLS authentication. Now, my problem is I keep getting "15039 Rejected per authorization profile."
Under the Policy > Authorization, I created a rule where I just want to allow on EAP-TLS either via machine or user identity, and the bottom is the default DenyAccess. When I tried to join the wireless network, I kept getting denied. I checked the ACL counters on the WLC side and it was not increasing.
I changed the default DenyAccess to PermitAccess, and I was able to join the wireless network no problem, and the ACL counters on the WLC side increased.
It seems like I am hitting the default Authorization Policy first which is on the bottom of the authorization policy.
I attached the failed and authenticated logs that I got from ISE.
Has anyone encountered this issue?
The version that I have is 1.1.1
Thanks
P.S.
I went back to check my authorization condition, and it is blank (see the 1st screenshot)
Hi,
it is obvious that you are not matching any condition.
rather than keeping the condition blank, fill it with a condition that always matches and see if that helps.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
ISE Internal error suddenly appear
I started to see this error message suddenly
[500] Internal Error
Please contact system administrator. If you are the System Administrator please consult the logs.
ISE deployment consists of two nodes one carrying Administration persona (primary) , and monitoring (secondary) and the other carrying Administration persona (secondary) , and monitoring (primary) persona, the setup was running smoothly without any issues. ISE version was 1.2; and after this issue appeared we did the required troubleshooting with no luck ; so we upgraded both units to 1.3 and still facing the same issue.
We noticed a strange behavior on the agent redirection ACL: when trying to reach basic services such as domain, DNS, ... (which are denied from redirection in the ACL) they appear to be redirected to ISE (the last permit ACE in the redirection ACL counters increases continuously), which shouldn't be the case in the posturing stage.
Has anyone faced this issue? What does this mean, or does anyone have any ideas? We would appreciate it if you shared them with us...
Wency, maybe you should start a new thread, this is not error 500 related.
That said, you seem to refer to Tacacs functionality. This protocol is not yet supported in ISE. (will be in 2.0; no, I don't know when this will be out).
One can manage CLI access to devices with Radius too, but rather than being able to check each command on ISE, the user gets a certain 'privilege' at login. How the device enforces that depends on the device. Parser views are a cool feature on IOS devices (routers), but several devices (switches and old routers) support only 15 privilege levels (and you can change the preset levels of commands). Yet other devices (WLC and Prime) use user Roles. Which Radius attributes are to be sent depends on the device. You'll have to look it up in the switch/router/etc. manual. Look for aaa and radius attributes.
On Ise, you just add the proper Radius attributes to the authz profile, like this.
To assign a level of 15 (enable mode) for example. -
IPSec VRF Aware (Crypto Map)
Hello!
I have some problem with configuring vrf aware Ipsec (Crypto Map).
Any traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
Configuration below:
ip vrf outside
rd 1:1
ip vrf inside
rd 2:2
track 10 ip sla 10 reachability
ip sla schedule 10 life forever start-time now
crypto keyring outside vrf outside
pre-shared-key address 10.10.10.100 key XXXXXX
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp profile AS_outside
vrf inside
keyring outside
match identity address 10.10.10.100 255.255.255.255 outside
isakmp authorization list default
crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
crypto map outside 10 ipsec-isakmp
set peer 10.10.10.100
set security-association idle-time 3600
set transform-set ESP-AES
set pfs group2
set isakmp-profile AS_outside
match address inside_access
ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
ip access-list extended inside_access
permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
ip sla 10
icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
vrf outside
interface GigabitEthernet0/0.806
ip vrf forwarding outside
ip address 10.10.10.101 255.255.255.0
crypto map outside
interface GigabitEthernet0/1.737
ip vrf forwarding inside
ip address 10.6.6.252 255.255.255.248
Hello Frank!
>> 1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
I tried it before. Nothing changes.
>> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
It is also checked. Netflow shows counters, ACL counters do not. Source IP is 10.6.6.254/29.
show command below:
ISR-vpn-1#show ip cef vrf inside exact-route 10.6.6.254 10.5.5.1
10.6.6.254 -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal
10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
sources: RIB
feature space:
NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
ifnums:
GigabitEthernet0/0.806(24): 10.10.10.100
path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete) -
SR520 Locks up with Domain traffic
Hello everyone, we are having an issue with a SR520 that I thought I'd run by everyone.
We have a SR520 setup with a site to site VPN to an ASA5505. The SR520 has 10 computers behind it and the ASA has 15 computers behind it, including the domain controller. Everything has been running smooth without issue, traffic passing in both directions, etc. However, we recently installed a Windows Domain controller (SBS 2008) at the main (asa) site and would like to start joining computers at the remote (sr520) site to the domain. What we found out is that the domain traffic locks up the SR520. So, if none of the computers are joined to the domain, it runs fine, traffic can flow in both directions. We join a computer to the domain & after a couple hours we can't access the main site from the remote site. We can access the remote site from the main site. Also, the computers at the remote site can't access the internet, although we can ping the outside interface of the SR (from a remote host), and even ssh to the SR through the VPN which runs across the internet service. We reboot the SR520 and everything works fine, for a couple of hours.
I reviewed the access-lists and the traffic seems to be qualifying for the correct lists. I even tried to clear the acl counters, but no luck.
My best theory, at this point, is that the domain traffic exceeds some limit and the SR gets confused and can't route the traffic anymore.
At any rate, I had a few questions in regards to this:
1. Any ideas?
2. Could this be a problem with the domain traffic exceeding some capacity on the SR520? If so, how would I measure that?
3. Does anyone have any experience with a scenario like this? Specifically, with running a SR520 at a remote site with domain-joined computers?
4. Are there any specific debug commands that we can use to troubleshoot this?
I can upload the configs also, but I wanted to get the discussion going. We are trying to get the smartnet cleared up, so I can open a case with the TAC, but until then I just have to do my best.
Thanks,
Ben
1) LAN port speed doesn't appear to have any effect
2) Forcing a connection type doesn't seem to have any effect. This is also rather impractical.
3) I don't have that option (though there is a TKIP/AES mixed option). Either way, I'd rather not have to resort to using a weaker encryption method.
4) No effect.
I did manage to find some information about the error message (older versions of firmware didn't even offer that clue).
http://www.dd-wrt.com/wiki/index.php/Advanced_wireless_settings#Beacon_Interval
I ended up increasing the beacon interval from 100ms to 500ms under Wireless > Advanced Settings.
The wifi analyzer app on android seems to keep dropping the SSID when the beacon interval is set that high, so I might have to adjust it to find a good balance.
However, while it was set to 500ms, none of the access points went down for two days.
[edit]: I reduced the beacon interval incrementally down to 300ms. It started locking up at 250ms. -
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!
Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conf t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, and within that, create/debug/modify/monitor each feature separately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins -
Hello,
I've configured ISE and WLC to use the guest portal with CWA but there is a problem with CoA -- it doesn't want to apply the Airespace ACL after auth at the guest portal.
1. At authC page i've configured a wireless MAB to continue if user not found and to use a Internal users as a identity store.
2. At authZ page i've configured a WEBAUTH as a default rule with the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
3. I've also configured this ACL at WLC to permit
permit dns and icmp any-any
permit any-to-ise-8443
permit ise-to-any
This part works fine because I am able to redirect to the guest portal and use my guest login & password to authorize myself. The guest account was previously generated through the sponsor portal and it's working too.
4. At authC page i've use a wireless dot1x to use Internal users
5. At authZ page i've use a "if internal users:Guest then GUEST permission" rule
6. GUEST rule looks like the following:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = GUEST_INTERNET_ONLY
7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted)
After guest portal auth I see a success message and I am able to ping the internet but I have no web access to it. It looks like CoA and the Airespace ACL aren't working and I keep using my ACL-WEBAUTH-REDIRECT access-list, and I see strange error messages in the WLC logs:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!
I have no idea what the issue could be...
Any ideas?
P.S. see attach for Live authentication log
Thank you guys for your responses, it's working now!
The first problem was there:
Changing IPv4 ACL 'none' (ACL ID 255) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5)
There are only 3 ACLs on my WLC so ACL ID 5 is kinda suspicious -- after a WLC reload it became ACL ID 1 but the problem was unresolved.
After that i changed my authZ matching rule to use another authZ profile:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = PERMIT_ALL_TRAFFIC
cisco-av-pair = Airespace:Airespace-ACL-Name
Then i created ACL PERMIT_ALL_TRAFFIC on my WLC with one ACE "permit any any". I also denied access to my private networks at ASA where guest vlan's gateway resides.
I think the problem was in WLC's GUEST_INTERNET_ONLY ACEs which denied traffic to my private networks.
Thanks for the help! -
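An added example for the CWA thread above (not code from the original post, from ISE or from the WLC): the RADIUS Vendor-Specific attributes (RFC 2865 section 5.26) that carry the two authorization profiles discussed, so the bytes the WLC should receive in the Access-Accept can be built and inspected by hand. The encoding is Type 26, Length, a 4-octet Vendor-Id, then vendor-type, vendor-length and the value. The vendor IDs and types are assumptions made here: Cisco as vendor 9 with cisco-avpair as vendor-type 1, and Airespace as vendor 14179 with Airespace-ACL-Name as vendor-type 6. No RADIUS library is used and no packet, authenticator or CoA exchange is modelled, only the attribute encoding; the ISE hostname is a placeholder.

```python
import struct
from typing import List, Tuple

VSA_TYPE = 26
CISCO, CISCO_AVPAIR = 9, 1              # assumed vendor id / vendor type
AIRESPACE, AIRESPACE_ACL_NAME = 14179, 6  # assumed vendor id / vendor type


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific AVP: Type(26) Length Vendor-Id(4) VType VLen Value."""
    if vendor_id >= 1 << 32 or not 0 < vendor_type < 256:
        raise ValueError("bad vendor id or vendor type")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(inner) > 255:  # Length is a single octet
        raise ValueError("value too long for a single AVP")
    return struct.pack("!BBI", VSA_TYPE, 6 + len(inner), vendor_id) + inner


def cisco_avpair(text: str) -> bytes:
    return encode_vsa(CISCO, CISCO_AVPAIR, text.encode())


def airespace_acl_name(name: str) -> bytes:
    return encode_vsa(AIRESPACE, AIRESPACE_ACL_NAME, name.encode())


def decode_vsas(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a run of AVPs and return (vendor_id, vendor_type, value) for each
    VSA, refusing truncated or inconsistent length fields rather than reading
    past them.  Non-VSA attributes are skipped."""
    out = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated AVP header")
        typ, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad AVP length")
        body = blob[pos + 2:pos + length]
        if typ == VSA_TYPE:
            if len(body) < 6:
                raise ValueError("truncated VSA")
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vlen != len(body) - 4:
                raise ValueError("vendor-length mismatch")
            out.append((vendor_id, vtype, body[6:]))
        pos += length
    return out


def webauth_profile(ise_host: str, port: int = 8443) -> bytes:
    """The redirect profile from step 2 of the post: two cisco-av-pairs."""
    return (cisco_avpair("url-redirect-acl=ACL-WEBAUTH-REDIRECT")
            + cisco_avpair("url-redirect=https://%s:%d/guestportal/gateway"
                           "?sessionId=SessionIdValue&action=cwa" % (ise_host, port)))


def guest_profile(acl: str = "GUEST_INTERNET_ONLY") -> bytes:
    """The post-login profile from step 6: Airespace-ACL-Name on the Access-Accept."""
    return airespace_acl_name(acl)


if __name__ == "__main__":
    for vid, vtype, value in decode_vsas(webauth_profile("ise.example.net") + guest_profile()):
        print(vid, vtype, value.decode())
```

When a WLC logs an empty ACL name as in the thread, decoding the attributes of the captured Access-Accept or CoA this way shows whether the name actually left the server or was dropped on the way.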
Help with EEM TCL / CLI scripting for re-direction/wccp counters
Being new with EEM scripting I wanted to see if I was on the right track and get some help to finish my idea.
Our problem I am trying to fix is our remote sites utilize pairs of Cat3650's for some routing and WCCP redirection. We are encountering ACL denial issues causing slow down and access issues. The fix for the issue we remove the WCCP service groups to break peering with our wan optimizers and re-insert the configuration thus re-establishing peering and restoring service.
My idea is to use a TCL script on a watchdog timer to parse the "sh ip wccp | inc denied (or unassign)" output for denial and unassignable error counters. If a counter is found I wanted to create a syslog message that would then kick off a simple EEM CLI script to remove the service groups, wait 10 seconds, then re-add the service groups. Please point me in the right direction if I am off track as I am not sure if I can use the EEM CLI for all this or, since I want to retrieve specific info from the sh ip wccp output, if I do need to utilize TCL. I am also unsure if the "total denied" ascii string pulled via the "sh ip wccp | inc denied" will cause issues when attempting to just pull the counter information.
sh ip wccp | inc Denied Red
Total Packets Denied Redirect: 0
Total Packets Denied Redirect: 0
Script thus far :
TCL
::cisco::eem::event_register_timer watchdog time 60
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Counter seen on the previous run; 0 on the first run
if [catch {context_retrieve "EEM_WCCP_ERROR_COUNTER" "count"} result] {
    set wccpcounter 0
} else {
    set wccpcounter $result
}
if [catch {cli_open} result] {
    error $result
} else {
    array set cli $result
}
if [catch {cli_exec $cli(fd) "show ip wccp | include Denied"} result] {
    error $result
} else {
    set cmd_output $result
}
# "Total Packets Denied Redirect: N" appears once per service group; sum them
set count 0
foreach {whole n} [regexp -all -inline {Denied Redirect:\s*([0-9]+)} $cmd_output] {
    incr count $n
}
set diff [expr {$count - $wccpcounter}]
if {$diff != 0} {
    action_syslog priority emergencies msg "WCCP counters showing incremental Denied packet counts"
}
if [catch {cli_close $cli(fd) $cli(tty_id)} result] {
    error $result
}
context_save EEM_WCCP_ERROR_COUNTER count
CLI
event manager applet WCCP_COUNTER_WATCH
event syslog priority emergencies pattern "WCCP counters showing incremental Denied packet counts"
action 001 cli command "enable"
action 002 cli command "config t"
action 003 cli command "no ip wccp 61"
action 004 cli command "no ip wccp 62"
action 005 wait 10
action 006 cli command "ip wccp 61"
action 007 cli command "ip wccp 62"
action 008 wait 15
action 009 cli command "clear ip wccp"
action 010 cli command "end"
Thanks for all the help
This won't work as EEM cannot intercept its own syslog messages. However, I'm not sure why you need this form of IPC anyway. Why not just make the Tcl script perform the needed CLI commands?
And, yes, you could use all applets here. But since you've written the hard stuff in Tcl already, it might be best just to add the missing calls to reconfigure WCCP to that script. -
ASR9K Series devices inventory is not working.
Hi all. Inventory in CiscoWorks with the new ASR9K Series devices is not working. CW version: LMS3.2.1. Device: ASR-9006 AC Chassis. Credentials correct. Can anyone help me?
Screenshot1: inventory request fail.
Screenshot2: RME knows Cisco ASR9006 Router.
Hello again and thx for advice,
I've tried the solution from Cisco for this bug (CSCte95623), by manipulating the delay values in the cmdsvc.properties file and restarting the cfgmngmt process. I've changed the delay values in very different ways (delay after connect, tunesleepmills, login, etc.). Unfortunately this solution didn't help. The CDA job for SSH fails all the time. I've also manipulated
the ssh rate-limit and ssh session-limit values on the device. It's a pity that there is no option to enable only SSHv1 on the device, so CW tries to connect only with SSHv2 and there is no chance to check how it works with SSHv1.
I'm becoming a bit desperate about that issue. Any ideas?!
There is some output from ssh debugs on device:
debug ssh server
RP/0/RSP1/CPU0:May 31 12:02:14.068 : SSHD_[1114]: Spawned new child process 5869901
RP/0/RSP1/CPU0:May 31 12:02:14.149 : SSHD_[65869]: Client sockfd 3
RP/0/RSP1/CPU0:May 31 12:02:14.151 : SSHD_[65869]: Setting IP_TOS value:192
RP/0/RSP1/CPU0:May 31 12:02:14.152 : SSHD_[65869]: After setting socket options, sndbuf33792, rcvbuf - 33792
RP/0/RSP1/CPU0:May 31 12:02:14.153 : SSHD_[65869]: Connection from ------------ port ---------
RP/0/RSP1/CPU0:May 31 12:02:14.158 : SSHD_[65869]: (addrem_ssh_info_tuple) user:()
RP/0/RSP1/CPU0:May 31 12:02:14.162 : SSHD_[65869]: Session id 0
RP/0/RSP1/CPU0:May 31 12:02:14.162 : SSHD_[65869]: Exchanging versions
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-6-INFO_GENERAL : Client ------ closes socket connection
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: In cleanup code, pid:5869901, sig rcvd:0, state:1
RP/0/RSP1/CPU0:May 31 12:02:14.166 : SSHD_[65869]: Cleanup sshd process 5869901, session id 0
RP/0/RSP1/CPU0:May 31 12:02:14.171 : SSHD_[65869]: Closing connection to --------
RP/0/RSP1/CPU0:May 31 12:02:14.171 : SSHD_[65869]: Sending Disconnect msg
RP/0/RSP1/CPU0:May 31 12:02:14.172 : SSHD_[65869]: sshd_shm_acquire_lock: SHM Lock is NULL
RP/0/RSP1/CPU0:May 31 12:02:14.172 : SSHD_[65869]: sshd_shm_unlock: SHM Lock is NULL
RP/0/RSP1/CPU0:May 31 12:02:14.184 : SSHD_[1114]: Signal 18 received in handler: pid 5869901
RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: ratelimit_msecs:1000.000000, ratelimit_count:1
RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: elapsed:145.976000, ratelimit_msecs:1000.000000, count:1
RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: %SECURITY-SSHD-6-INFO_GENERAL : Incoming SSH session rate limit exceeded
And CDA ssh work log from CW:
Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1571,Iam inside ssh ....
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1573,Initial time_out : 0
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1583,Computed time_out : 30
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1599,After computing time_out : 30
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshCmdSvc,1637,inside getSshCmdSvc with timeout : 30000
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshProtocols,1743,Inside getsshprotocols with time out : 30000
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshCmdSvc,1651,SSH2 is running
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,136,Got CmdSvc for SSH
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,141,Before Resetting the counters i.e before invoking counters for CredType :: SSH
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,151,After Resetting the counters i.e before invoking counters for CredType :: SSH
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,156,Getting Primary credentails to reset again to Primary only..
[ Thu May 31 12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,201,trying to connect for SSH
[ Thu May 31 12:10:18 MSD 2012 ],ERROR,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,272,Got CmdSvcException com.cisco.nm.lib.cmdsvc.CmdSvcException: java.net.SocketException: Connection reset
at com.cisco.nm.lib.cmdsvc.OpConnect.invoke(OpConnect.java:57)
at com.cisco.nm.lib.cmdsvc.SessionContext.invoke(SessionContext.java:299)
at com.cisco.nm.lib.cmdsvc.Engine.process(Engine.java:57)
at com.cisco.nm.lib.cmdsvc.LocalProxy.process(LocalProxy.java:22)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:190)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:166)
at com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler.verify(CmdSvc_CDACredTypeHandler.java:202)
at com.cisco.nm.xms.xdi.pkgs.LibCda.GenericCdaHandler.checkSanity(GenericCdaHandler.java:37)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.checkSanity(CdaJobEngine.java:1565)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.run(CdaJobEngine.java:1429)
at com.cisco.nm.rmeng.inventory.cda.job.CdaJobMonitor$ExecutorThread.run(CdaJobMonitor.java:244)
[ Thu May 31 12:10:18 MSD 2012 ],ERROR,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,308,exception occured at the time of closing cmdsvccom.cisco.nm.lib.cmdsvc.CmdSvcException: java.net.SocketException: Connection reset
at com.cisco.nm.lib.cmdsvc.OpConnect.invoke(OpConnect.java:57)
at com.cisco.nm.lib.cmdsvc.SessionContext.invoke(SessionContext.java:299)
at com.cisco.nm.lib.cmdsvc.Engine.process(Engine.java:57)
at com.cisco.nm.lib.cmdsvc.LocalProxy.process(LocalProxy.java:22)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:190)
at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:166)
at com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler.verify(CmdSvc_CDACredTypeHandler.java:202)
at com.cisco.nm.xms.xdi.pkgs.LibCda.GenericCdaHandler.checkSanity(GenericCdaHandler.java:37)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.checkSanity(CdaJobEngine.java:1565)
at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.run(CdaJobEngine.java:1429)
at com.cisco.nm.rmeng.inventory.cda.job.CdaJobMonitor$ExecutorThread.run(CdaJobMonitor.java:244)
[ Thu May 31 12:10:18 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,310,Some exception not handled....
[ Thu May 31 12:10:18 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,312,Not for enable test -
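An added example for the CiscoWorks/ASR9K thread above (not code from the original post, from CiscoWorks or from IOS XR): the device debug says the session died at "Failed in version exchange" and, for the following connection, "Incoming SSH session rate limit exceeded", while the CW side only reports "Connection reset". The version exchange is the first step of RFC 4253 (section 4.2): each side sends a line of the form "SSH-protoversion-softwareversion[ SP comments]" terminated by CR LF before anything else. The code below parses and checks such identification lines, performs a real exchange against a host so the server's banner can be read outside CiscoWorks, and pulls the error and rate-limit events out of `debug ssh server` output. The debug excerpt is taken from the thread; the banner strings, host and port are assumptions, and `probe_version_exchange` needs network access, so the test does not call it.

```python
import re
import socket
from typing import List, Optional, Tuple

# Constructed excerpt of the `debug ssh server` output quoted in the thread.
XR_DEBUG = """\
RP/0/RSP1/CPU0:May 31 12:02:14.162 : SSHD_[65869]: Exchanging versions
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-6-INFO_GENERAL : Client ------ closes socket connection
RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: %SECURITY-SSHD-6-INFO_GENERAL : Incoming SSH session rate limit exceeded
"""

# RFC 4253 4.2: SSH-protoversion-softwareversion [SP comments]
ID_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")
XR_RE = re.compile(r"SSHD_\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def parse_identification(line: bytes) -> Optional[Tuple[str, str, str]]:
    """Parse one identification line without its CR LF.  Returns
    (protoversion, softwareversion, comments), or None if malformed."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = ID_RE.match(text)
    if m is None:
        return None
    return m.group("proto"), m.group("soft"), m.group("comment") or ""


def compatible(server_proto: str, client_proto: str = "2.0") -> bool:
    """RFC 4253: a server announcing 1.99 accepts both 1.x and 2.0 clients;
    otherwise the major protocol versions must agree."""
    if server_proto == "1.99":
        return True
    return server_proto.split(".")[0] == client_proto.split(".")[0]


def sshd_failures(debug_text: str) -> List[Tuple[str, str]]:
    """(pid, message) for each error or rate-limit line in the debug output,
    so a failed exchange can be tied to the child process that served it."""
    hits = []
    for line in debug_text.splitlines():
        m = XR_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "ERR_GENERAL" in msg or "rate limit exceeded" in msg:
            hits.append((m.group("pid"), msg.split(" : ", 1)[-1]))
    return hits


def probe_version_exchange(host: str, port: int = 22,
                           client_id: bytes = b"SSH-2.0-probe_0.1",
                           timeout: float = 5.0) -> Optional[Tuple[str, str, str]]:
    """Do a real version exchange: send our identification, then read lines
    until the server's SSH- line (servers may send other lines first).  A
    client that connects and closes without sending its line is what the
    device logs as 'Failed in version exchange'.  Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_id + b"\r\n")
        with sock.makefile("rb") as reader:
            for raw in reader:
                line = raw.rstrip(b"\r\n")
                if line.startswith(b"SSH-"):
                    return parse_identification(line)
    return None


if __name__ == "__main__":
    print(sshd_failures(XR_DEBUG))
    banner = b"SSH-1.99-Cisco-1.25"   # assumed banner, not one captured from the device
    ident = parse_identification(banner)
    print(ident, "compatible with a 2.0 client:", compatible(ident[0]))
```

Running `probe_version_exchange` twice within the device's rate-limit window reproduces the second debug message; if the single probe already returns None or resets, the problem is in front of the SSH negotiation (transport, ACL or the rate limiter), not in the credentials CiscoWorks is testing.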
VPLS : VC UP but no data -- ASR9k & 7600 ES+
Dears
Would like your assistance please regarding below VPLS setup
VPLS is between ASR9k & 7600 ES+ card. VC is up but CEs are not able to ping each other
Lab Topology
CE <> Te0/1/0/3.55 ASR9K < -- mpls --> 7600 Gi4/2 <> CE
Any ideas ?
Note
ASR9k & 7600 are directly connected via same ES+ card
||||||||||||||||||||||||||||||||||||||||||||||||||
ASR9k
interface TenGigE0/1/0/3
 cdp
interface TenGigE0/1/0/3.55 l2transport
 encapsulation dot1q 55 exact
 rewrite ingress tag pop 1 symmetric
l2vpn
 pw-class PW-CLASS-TEST
  encapsulation mpls
   transport-mode ethernet
 bridge group vpls-test
  bridge-domain asr9k-7600
   interface TenGigE0/1/0/3.55
   vfi vlan-55
    neighbor 6.6.6.6 pw-id 55
     pw-class PW-CLASS-TEST
7600
ethernet evc test-vpls
interface GigabitEthernet4/2
 no ip address
 speed 1000
 service instance 55 ethernet test-vpls
  encapsulation dot1q 55
  rewrite ingress tag pop 1 symmetric
  bridge-domain 55
interface Vlan55
 no ip address
 xconnect vfi asr9k-7600
end
l2 vfi asr9k-7600 manual test-vpls
 vpn id 55
 neighbor 19.19.19.19 encapsulation mpls
||||||||||||
RP/0/RSP0/CPU0:XR1#sh l2vpn bridge-domain
Wed Oct 16 19:34:58.345 UTC
Legend: pp = Partially Programmed.
Bridge group: vpls-test, bridge-domain: asr9k-7600, id: 15, state: up, ShgId: 0, MSTi: 0
  Aging: 300 s, MAC limit: 4000, Action: none, Notification: syslog
  Filter MAC addresses: 0
  ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
  List of ACs:
    Te0/1/0/3.55, state: up, Static MAC addresses: 0
  List of Access PWs:
  List of VFIs:
    VFI vlan-55 (up)
      Neighbor 6.6.6.6 pw-id 55, state: up, Static MAC addresses: 0
RP/0/RSP0/CPU0:XR1#
RP/0/RSP0/CPU0:XR1#sh l2vpn bridge-domain detail
Wed Oct 16 19:35:02.391 UTC
Legend: pp = Partially Programmed.
Bridge group: vpls-test, bridge-domain: asr9k-7600, id: 15, state: up, ShgId: 0, MSTi: 0
  Coupled state: disabled
  MAC learning: enabled
  MAC withdraw: enabled
    MAC withdraw for Access PW: enabled
    MAC withdraw sent on bridge port down: disabled
  Flooding:
    Broadcast & Multicast: enabled
    Unknown unicast: enabled
  MAC aging time: 300 s, Type: inactivity
  MAC limit: 4000, Action: none, Notification: syslog
  MAC limit reached: no
  MAC port down flush: enabled
  MAC Secure: disabled, Logging: disabled
  Split Horizon Group: none
  Dynamic ARP Inspection: disabled, Logging: disabled
  IP Source Guard: disabled, Logging: disabled
  DHCPv4 snooping: disabled
  IGMP Snooping profile: none
  Bridge MTU: 1500
  MIB cvplsConfigIndex: 16
  Filter MAC addresses:
  Create time: 16/10/2013 18:40:04 (00:54:57 ago)
  No status change since creation
  ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
  List of ACs:
    AC: TenGigE0/1/0/3.55, state is up
      Type VLAN; Num Ranges: 1
      VLAN ranges: [55, 55]
      MTU 1500; XC ID 0x44002e; interworking none
      MAC learning: enabled
      Flooding:
        Broadcast & Multicast: enabled
        Unknown unicast: enabled
      MAC aging time: 300 s, Type: inactivity
      MAC limit: 4000, Action: none, Notification: syslog
      MAC limit reached: no
      MAC port down flush: enabled
      MAC Secure: disabled, Logging: disabled
      Split Horizon Group: none
      Dynamic ARP Inspection: disabled, Logging: disabled
      IP Source Guard: disabled, Logging: disabled
      DHCPv4 snooping: disabled
      IGMP Snooping profile: none
      Storm Control: disabled
      Static MAC addresses:
      Statistics:
        packets: received 0, sent 2
        bytes: received 0, sent 112
      Storm control drop counters:
        packets: broadcast 0, multicast 0, unknown unicast 0
        bytes: broadcast 0, multicast 0, unknown unicast 0
      Dynamic ARP inspection drop counters:
        packets: 0, bytes: 0
      IP source guard drop counters:
        packets: 0, bytes: 0
  List of Access PWs:
  List of VFIs:
    VFI vlan-55 (up)
      PW: neighbor 6.6.6.6, PW ID 55, state is up ( established )
        PW class PW-CLASS-TEST, XC ID 0xc000001d
        Encapsulation MPLS, protocol LDP
        Source address 19.19.19.19
        PW type Ethernet, control word disabled, interworking none
        PW backup disable delay 0 sec
        Sequencing not set
        PW Status TLV in use
          MPLS          Local                      Remote
          Label         16052                      63
          Group ID      0xf                        0x0
          Interface     vlan-55                    unknown
          MTU           1500                       1500
          Control word  disabled                   disabled
          PW type       Ethernet                   Ethernet
          VCCV CV type  0x2                        0x12
                        (LSP ping verification)    (LSP ping verification)
          VCCV CC type  0x6                        0x6
                        (router alert label)       (router alert label)
                        (TTL expiry)               (TTL expiry)
        Incoming Status (PW Status TLV):
          Status code: 0x0 (Up) in Notification message
        MIB cpwVcIndex: 3221225501
        Create time: 16/10/2013 18:51:28 (00:43:33 ago)
        Last time status changed: 16/10/2013 18:52:43 (00:42:18 ago)
        MAC withdraw message: send 0 receive 0
        Static MAC addresses:
        Statistics:
          packets: received 0, sent 0
          bytes: received 0, sent 0
      DHCPv4 snooping: disabled
      IGMP Snooping profile: none
      VFI Statistics:
        drops: illegal VLAN 0, illegal length 0
RP/0/RSP0/CPU0:XR1#
|||
NPE-3#show mpls l2 binding
  Destination Address: 19.19.19.19, VC ID: 55
    Local Label: 63
        Cbit: 0, VC Type: Ethernet, GroupID: 0
        MTU: 1500, Interface Desc: n/a
        VCCV: CC Type: RA [2], TTL [3]
              CV Type: LSPV [2], BFD/Raw [5]
    Remote Label: 16052
        Cbit: 0, VC Type: Ethernet, GroupID: 15
        MTU: 1500, Interface Desc: vlan-55
        VCCV: CC Type: RA [2], TTL [3]
              CV Type: LSPV [2]
NPE-3#
NPE-3#show mpls l2 vc 55
Local intf      Local circuit     Dest address     VC ID    Status
VFI asr9k-7600 \
                vfi               19.19.19.19      55       UP
NPE-3#
NPE-3#show mpls l2 vc 55 detail
Local interface: VFI asr9k-7600 vfi up
  Interworking type is Ethernet
  Destination address: 19.19.19.19, VC ID: 55, VC status: up
    Output interface: none, imposed label stack {}
    Preferred path: not configured
    Default path: active
    No adjacency
  Create time: 00:53:12, last status change time: 00:40:59
    Last label FSM state change time: 00:39:58
  Last peer autosense occurred at: 00:40:59
  Signaling protocol: LDP, peer 19.19.19.19:0 up
    Targeted Hello: 6.6.6.6(LDP Id) -> 19.19.19.19, LDP is UP
    Status TLV support (local/remote) : enabled/supported
      LDP route watch : enabled
      Label/status state machine : established, LruRru
      Last local dataplane status rcvd: No fault
      Last BFD dataplane status rcvd: Not sent
      Last BFD peer monitor status rcvd: No fault
      Last local AC circuit status rcvd: No fault
      Last local AC circuit status sent: No fault
      Last local PW i/f circ status rcvd: No fault
      Last local LDP TLV status sent: No fault
      Last remote LDP TLV status rcvd: No fault
      Last remote LDP ADJ status rcvd: No fault
    MPLS VC labels: local 63, remote 16052
    Group ID: local 0, remote 15
    MTU: local 1500, remote 1500
    Remote interface description: vlan-55
  Sequencing: receive disabled, send disabled
  Control Word: Off (configured: autosense)
  SSO Descriptor: 19.19.19.19/55, local label: 63
  Dataplane:
    SSM segment/switch IDs: 4200/110690 (used), PWID: 27
  VC statistics:
    transit packet totals: receive 0, send 0
    transit byte totals: receive 0, send 0
    transit packet drops: receive 0, seq error 0, send 0
NPE-3#
Many Thanks
Regards
Sherif Ismail
Hi Xander
First many thanks for your assistance
Have rechecked the CEs' config and they are straightforward. [trunk interface allowing all vlans]
However I have added CE3/PE3 to the topology and the results were somehow interesting
CE1(ME3800) -- PE1 (ASR9K) --- PE2 (7600) -- PE3 (7600) -- CE3 (ME3800)
                                |
                           CE2(ME3800)
Now both CE1/CE2 can ping CE3 but still no communication between CE1 & CE2
Don't know what could be the difference between CE2 & CE3. Only thing that comes to my mind is that with CE2, PE2 is directly connected to PE1. Don't know if this could be a problem or not, as in this case the MPLS label should be popped but there is still the VC label.
Another thing: I removed "rewrite ingress tag pop 1 symmetric" from all PEs because with this command CE3 (only) was receiving BPDUs with a different VLAN! [don't know if this behavior is normal or not]
interface GigabitEthernet4/2
 no ip address
 speed 1000
 service instance 55 ethernet
  encapsulation dot1q 55
  rewrite ingress tag pop 1 symmetric
  bridge-domain 55
*Oct 24 21:57:14.158: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on GigabitEthernet0/23 VLAN55.
*Oct 24 21:57:14.158: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/23 on VLAN0055. Inconsistent local vlan.
*Oct 24 21:57:15.158: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan55, changed state to down
UPE-42#
Once I removed it:
UPE-42# *Oct 24 21:59:23.638: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/23 on VLAN0055. Port consistency restored
Now what do you think? :]
Many Thanks
Regards
Sherif Ismail
-
Hi all,
I have configured an ACL to control traffic going in/out of an interface via TCP ports. However, after applying the ACL to the interface, I find that even though the ports are allowed, traffic is blocked by the ACL.
I suspected that it could be the initial TCP handshake (SYN, SYN-ACK, ACK etc.) that is not being allowed (due to the implicit deny). When I included that in the ACL, it worked. Is this a necessary step in an ACL that controls by TCP port?
The reason is, some of the ACLs configured with TCP port control have not been configured to allow SYN, ACK etc., but it works when some of these ACLs are applied to other interfaces.
Hi,
Thanks for the response. As far as the config of the ACL goes, it's quite straightforward with the thing I'm trying to achieve. 1.1.1.190 & 1.1.1.192 are mail servers. The objective is to control both .190 & .192. The config is as below:
interface Vlan2
 description For Mail
 ip address 1.1.1.129 255.255.255.0
 ip access-group 2002 in
end
C6500#sh access-li 2002
Extended IP access list 2002
    10 permit icmp any any (272 matches)
    20 permit tcp host 1.1.1.0 any syn (10467 matches)
    30 permit tcp host 1.1.1.0 any ack (781 matches)
    40 permit tcp host 1.1.1.190 eq smtp any
    50 permit tcp host 1.1.1.190 eq pop3 any
    60 permit tcp host 1.1.1.192 eq smtp any
    70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
    80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
Whereas some other applications that use custom ports, i.e. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs and the ACL worked well.
-
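To see which line of ACL 2002 a given packet hits, and why the "(N matches)" counters move the way they do, here is a small added evaluator (my example, not code from the thread or from any Cisco tool) that parses the ACEs exactly as posted above and applies first-match semantics with the implicit deny; the client and relay addresses 2.2.10.5/2.2.10.7 and the packets are constructed.

```python
# Added example, not code from the thread: a tiny evaluator for extended ACLs
# written like ACL 2002 above, showing which ACE each packet hits and how the
# "(N matches)" counters arise (host/any/wildcard, "eq <port>", syn/ack, implicit deny).
import ipaddress
PORTS = {"smtp": 25, "pop3": 110}

def _addr(t):
    """Pop 'host A' | 'any' | 'A WILDCARD' and an optional 'eq PORT' from t."""
    tok = t.pop(0)
    spec = ("0.0.0.0/0" if tok == "any" else t.pop(0) if tok == "host"
            else f"{tok}/{t.pop(0)}")  # ip_network reads a wildcard mask (use 'host' for /32)
    port = (PORTS.get(t[1]) or int(t[1])) if t[:1] == ["eq"] else None
    del t[:2 if port else 0]
    return ipaddress.ip_network(spec, strict=False), port

def parse_ace(line):
    """'40 permit tcp host 1.1.1.190 eq smtp any' -> ACE dict with a zero counter."""
    t = line.split()
    seq = int(t.pop(0)) if t[0].isdigit() else None
    action, proto = t.pop(0), t.pop(0)
    (src, sport), (dst, dport) = _addr(t), _addr(t)
    return dict(seq=seq, action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, flags={f.upper() for f in t}, matches=0)

def evaluate(acl, pkt):
    """First matching ACE wins and its counter increments; returns (action, seq)."""
    for a in acl:
        if (a["proto"] in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in a["src"]
                and ipaddress.ip_address(pkt["dst"]) in a["dst"]
                and a["sport"] in (None, pkt.get("sport"))
                and a["dport"] in (None, pkt.get("dport"))
                and a["flags"] <= pkt.get("flags", set())):
            a["matches"] += 1
            return a["action"], a["seq"]
    return "deny", None  # the implicit "deny ip any any" at the end

ACL_2002 = [parse_ace(l) for l in (
    "10 permit icmp any any", "20 permit tcp host 1.1.1.0 any syn",
    "30 permit tcp host 1.1.1.0 any ack", "40 permit tcp host 1.1.1.190 eq smtp any",
    "50 permit tcp host 1.1.1.190 eq pop3 any", "60 permit tcp host 1.1.1.192 eq smtp any",
    "70 permit tcp host 1.1.1.192 eq pop3 any", "80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255")]

# Constructed packets as seen inbound on Vlan2, i.e. sent by the mail server:
# its SYN-ACK answering a client, and a SYN it originates itself to relay mail.
SERVER_SYNACK = dict(proto="tcp", src="1.1.1.190", sport=25, dst="2.2.10.5",
                     dport=51000, flags={"SYN", "ACK"})
SERVER_RELAY_SYN = dict(proto="tcp", src="1.1.1.190", sport=51001, dst="2.2.10.7",
                        dport=25, flags={"SYN"})
```

On these packets the server's SYN-ACK is permitted by line 40 (source port smtp) and counts there, while a connection the server opens itself, with an ephemeral source port, falls through every line to the implicit deny.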
Hello,
I have an ACL applied on a WLAN on a 2125 controller. I cannot get the older Cisco IPSec (Version 5.0.05.0290) client to work through the ACL and through the WLAN onto its destination. When the Cisco IPSec client is on another unrestricted WLAN, it works. I have allowed TCP/UDP 500, 4500, TCP 10000 in both directions and it fails. I can see the deny counters incrementing but cannot figure out what is being blocked. Any ideas?
It doesn't mention VPN pass-through support on the unsupported list for the 2100.
Try WLAN > Security > Layer 3 > L3 security and select the VPN pass-through option, if available. If the option is N/A then the ACL should work for pass-through.
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
VPN pass-through is certainly not supported on the 2500 and 5500 based platforms; however, it can be achieved through an ACL.