ASR9k - ACL Counters

Similar Messages

• 3550-12T ACL OUT counters not incrementing.

  We have several acl’s applied against various vlans on the 3550-12T switch IOS version c3550-i5q3l2-mz.121-22.EA1a.bin. Noticed that if the ACL is applied IN on the interface that all hits are counted. It appears that only the denies are being counted on an ACL if it is applied OUT on the interface.
  I am using the permit any any established command and would have expected to see massive counts on this line. When compared to the behavior on the 4507 ACL the established counter increments dramatically.
  With out the hit counts it is hard to see what is being done and if an ACL entry is even required.
  Any suggestions?

  ACLs counters will not increment if the traffic is switched via hardware. The ACL counter will only be incrementing on software switched traffic, with matching ACL entries.

• FWSM strange acl behavior

  Hi!
  I have FWSM running 4.1(6) with two security contexts.
  The context test config is:
  FWSM/test# sh run
  : Saved
  FWSM Version 4.1(6) <context>
  hostname test
  domain-name fwsm.spbstu.ru
  enable password 8Ry2YjIyt7RRXU24 encrypted
  names
  dns-guard
  interface Vlan556
  nameif inside
  security-level 100
  ip address 192.168.100.254 255.255.255.0
  interface Vlan557
  nameif dmz
  security-level 50
  ip address 172.16.2.1 255.255.255.0
  passwd 2KFQnbNIdI.2KYOU encrypted
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  access-list permit_any extended permit tcp any any
  access-list permit_any extended permit udp any any
  access-list permit_any extended permit ip any any
  access-list dmz_in extended permit icmp any any
  access-list dmz_in extended permit udp any any
  access-list dmz_in remark dmz_in
  access-list dmz_in extended permit tcp any any
  access-list dmz_out extended permit icmp any any
  access-list dmz_out extended permit udp any any
  access-list dmz_out extended permit tcp any any
  access-list inside_in extended permit tcp any eq 3389 any
  access-list inside_in extended permit tcp any any
  access-list inside_in extended deny ip any any
  access-list inside_out extended permit icmp any any
  access-list inside_out extended permit udp any any
  access-list inside_out extended permit tcp any any
  pager lines 24
  logging enable
  logging console debugging
  logging buffered debugging
  logging asdm debugging
  mtu inside 1500
  mtu dmz 1500
  no asdm history enable
  arp timeout 14400
  nat-control
  access-group permit_any in interface inside
  access-group permit_any out interface inside
  access-group permit_any in interface dmz
  access-group permit_any out interface dmz
  route dmz 0.0.0.0 0.0.0.0 172.16.2.254 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
  timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
  timeout sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout pptp-gre 0:02:00
  timeout uauth 0:05:00 absolute
  username cisco password ZBZ8GNEdrJsjFvsR encrypted
  aaa authentication ssh console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication http console LOCAL
  http server enable
  no snmp-server location
  no snmp-server contact
  telnet timeout 60
  ssh timeout 60
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect dns
    inspect ftp
    inspect netbios
    inspect rsh
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    inspect http
  service-policy global_policy global
  Cryptochecksum:632fecb27da8e4b662d4197c60f1b22a
  : end
  Routing and vlan config is fine for sure.
  but access is denied while ACL counters are 0
  Does anybody have any ideas where I should look more carefully?
  system context config is
  FWSM# sh run
  : Saved
  FWSM Version 4.1(6) <system>
  resource acl-partition 12
  hostname FWSM
  enable password 8Ry2YjIyt7RRXU24 encrypted
  interface Vlan555
  interface Vlan556
  interface Vlan557
  interface Vlan1216
  passwd 2KFQnbNIdI.2KYOU encrypted
  class default
    limit-resource IPSec 5
    limit-resource Mac-addresses 65535
    limit-resource ASDM 5
    limit-resource SSH 5
    limit-resource Telnet 5
    limit-resource All 0
  ftp mode passive
  pager lines 24
  no failover
  no asdm history enable
  arp timeout 14400
  console timeout 0
  admin-context admin
  context admin
    description default_context
    member default
    allocate-interface Vlan1216
    allocate-interface Vlan555
    allocate-acl-partition 0
    config-url disk:/admin.cfg
  context test
    description test
    member default
    allocate-interface Vlan556
    allocate-interface Vlan557
    allocate-acl-partition 1
    config-url disk:/CON_test.cfg
  prompt hostname context
  Cryptochecksum:ae682011fefdab9a0e4eeda02ca49c6e
  : end

  access-list permit_any extended permit tcp any any
  access-list permit_any extended permit udp any any
  access-list permit_any extended permit ip any any
  access-list permit_any extended permit icmp any any
  access-group permit_any in interface inside
  access-group permit_any out interface inside
  access-group permit_any in interface dmz
  access-group permit_any out interface dmz
  I don't understand why FWSM denies ICMP:
  ( I am pinging from Cat6509 SUP 172.16.2.254 ( which is on dmz interface ) the host on inside interface 192.168.100.250:
  %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
  %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
  %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
  %FWSM-7-111009: User 'enable_15' executed cmd: show logging
  %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
  %FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
  Any ideas?

• Problem with reflexive ACLs

  Hello,
  I've created a reflexive ACL to allow IP SLA flows between two routers.  Looking at the ACL counters, none of the outbound or inbound IP SLA permit statements are incrementing.  Looking at the logs, I can see that my IP SLA return traffic is being blocked by the inbound ACL (I created a "deny ip any any log" at the end of my inbound ACL).  Since the outbound reflexive statements aren't handling the outbound traffic (the counters aren't incrementing), the inbound reflexive ACL statements aren't being built.  When I remove the ACLs, the IP SLA traffic flows normally.
  Do ACLs apply to network traffic originated from the router?  If not, how could I build a reflexive ACL to support IP SLA traffic?
  Thanks,
  Rob

  Hello Robert,
  Traffic generated from the routed itself is not taken into consideration for Reflexive ACLs sessions
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• ISE Authorization Policy

  Hey guys,
  I have a question regarding ISE Authorization Policy. In my test lab, I don't have any wired station, and what I have is a wireless lapotp. I have configured to allow only EAP-TLS authentication. Now, my problem is I keep getting "15039 Rejected per authorization profile."
  Under the Policy > Authorization, I created a rule where I just want to allow on EAP-TLS either via machine or user identity, and the bottom is the default DenyAccess. When I tried to join the wireless network, I kept getting denied. I checked the ACL counters on the WLC side and it was not increasing.
  I changed the default DenyAccess to PermitAccess, and I was able to join the wireless network no problem, and the ACL counters on the WLC side increased.
  It seems like I am hitting the default Authorization Policy first which is on the bottom of the authorization policy.
  I attached the failed and authenticated logs that I got from ISE.
  Has anyone have encoutered this issue?
  The version that I have is 1.1.1
  Thanks
  P.S.
  I went back to check my autorization condition, and it is blank (See the 1st screenshot)

  Hi,
  it is obvious that you are not matching any condition.
  rather than keeping the condition blank, fill it with a condition that is always match and try if that helps.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• ISE Internal error suddenly appear

  I started to see this error message suddenly 
  [500] Internal Error
  Please contact system administrator. If you are the System Administrator please consult the logs.
  ISE deployment consists of two nodes one carrying Administration persona (primary) , and monitoring (secondary) and the other carrying Administration persona (secondary) , and monitoring (primary) persona, the setup was running smoothly without any issues. ISE version was 1.2; and after this issue appeared we did the required troubleshooting with no luck ; so we upgraded  both units to 1.3 and still facing the same issue.
  We noticed a strange behavior on agent redirection ACL , when trying to reach basic services such as domain,DNS,.. (which are denied from redirection on the ACL) it appears to be redirected to ISE ( last permit ACE in redirection ACL counters increases contineously ) which shouldn't be the case in the posturing stage.
  Anyone did face this issue , and what does this mean or have any ideas appreciate to share with us...

  Wency, maybe you should start a new thread, this is not error 500 related.
  That said, you seem to refer to Tacacs functionality. This protocol is not yet supported in ISE. (will be in 2.0; no, I don't know when this will be out).
  One can manage CLI access to devices with Radius too, but rather than being able to check each command on ISE, the user gets a certain 'privilege' at login. How the devices enforces that depens on the device. Parser views are a cool feature on IOS devices (routers), but several devices (switches and old routers) support only 15 privilege levels (and you can change the preset levels of commands). Yet other devices (WLC and Prime) use user Roles. Which Radius attributes are to be send depends on the device. You'll have to look it up in the switch/router/etc. manual. Look for aaa and radius attributes.
  On Ise, you just add the proper Radius attributes to the authz profile, like this.
  To assign a level of 15 (enable mode) for example.

• IPSec VRF Aware (Crypto Map)

  Hello!
  I have some problem with configuring vrf aware Ipsec (Crypto Map).
  Any traffic (from subnet 10.6.6.248/29) do not pass trouth router, but if i run command "ping vrf inside 10.5.5.1 source gi 0/1.737" it working well.  
  Configuration below:
  ip vrf outside
   rd 1:1
  ip vrf inside
   rd 2:2
  track 10 ip sla 10 reachability
  ip sla schedule 10 life forever start-time now
  crypto keyring outside vrf outside 
    pre-shared-key address 10.10.10.100 key XXXXXX
  crypto isakmp policy 20
   encr aes 256
   authentication pre-share
   group 2
  crypto isakmp invalid-spi-recovery
  crypto isakmp keepalive 10 periodic
  crypto isakmp profile AS_outside
     vrf inside
     keyring outside
     match identity address 10.10.10.100 255.255.255.255 outside
     isakmp authorization list default
  crypto ipsec transform-set ESP-AESesp-aes 256 esp-sha-hmac 
   mode tunnel
  crypto ipsec df-bit clear
  crypto map outside 10 ipsec-isakmp 
   set peer 10.10.10.100
   set security-association idle-time 3600
   set transform-set ESP-AES 
   set pfs group2
   set isakmp-profile AS_outside
   match address inside_access
  ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
  ip access-list extended inside_access
   permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
  icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
   vrf outside
  interface GigabitEthernet0/0.806
  ip vrf forwarding outside
  ip address 10.10.10.101 255.255.255.0
  crypto-map outside
  interface GigabitEthernet0/1.737
  ip vrf forwarding inside
  ip address 10.6.6.252 255.255.255.248

  Hello Frank!
  >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
  I tried it before. Nothing changes.
  >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
  It is also checked. netflow present counters and ACL counters not present. Source ip is 10.6.6.254/29.
  show command below:
  ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
   10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
  ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
  10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
    sources: RIB 
    feature space:
     NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
    ifnums:
     GigabitEthernet0/0.806(24): 10.10.10.100
    path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
    nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

• SR520 Locks up with Domain traffic

  Hello everyone, we are having an issue with a SR520 that I though I'd run by everyone.
  We have a SR520 setup with a site to site VPN to an ASA5505. The SR520 has 10 computers behind it and the ASA has 15 computers behind it, including the domain controller. Everything has been running smooth without issue, traffic passing in both directions, etc. However, we recently installed a Windows Domain controller (SBS 2008) at the main (asa) site and would like to start joining computers at the remote (sr520) site to the domain. What we found out is that the domain traffic locks up the SR520. So, if none of the computers are joined to the domain, it runs fine, traffic can flow in both directions. We join a computer to the domain & after a couple hours we can't access the main site from the remote site. We can access the remote site from the main site. Also, the computers at the remote site can't access the internet, although we can ping the outside interface of the SR (from a remote host), and even ssh to the SR through the VPN which runs across the internet service. We reboot the SR520 and everything works fine, for a couple of hours.
  I reviewed the access-lists and the traffic seems to be qualifying for the correct lists. I even tried to clear the acl counters, but no luck.
  My best theory, at this point, is that the domain traffic exceeds some limit and the SR gets confused and can't route the traffic anymore.
  At any rate, I had a few questions in regards to this:
  1. Any ideas?
  2. Could this be a problem with the domain traffic exceeding some compacity on the SR520? If so, how would I measure that?
  3. Does anyone have any experience with a scenario like this? Specifically, with running a SR520 at a remote site with domain-joined computers?
  4. Are there any specific debug commands that we can use to troubleshoot this?
  I can upload the configs also, but I wanted to get the discussion going. We are trying to get the smartnet cleared up, so I can open a case with the TAC, but until then I just have to do my best.
  Thanks,
  Ben

  1) LAN port speed doesn't appear to have any effect
  2) Forcing a connection type doesn't seem to have any effect. This is also rather impractical.
  3) I don't have that option (though there is a TKIP/AES mixed option). Either way, I'd rather not have to resort to using a weaker encryption method.
  4) No effect.
  I did manage to find some information about the error message (older versions of firmware didn't even offer that clue).
  http://www.dd-wrt.com/wiki/index.php/Advanced_wireless_settings#Beacon_Interval
  I ended up increasing the beacon interval from 100ms to 500ms under Wireless > Advanced Settings.
  The wifi analyzer app on android seems to keep dropping the SSID when the beacon interval is set that high, so I might have to adjust it to find a good balance.
  However, while it was set to 500ms, none of the access points went down for two days.
  [edit]: I reduced the beacon interval incrementally down to 300ms. It started locking up at 250ms.

• ACE 4710: Possible to allow a user to clear counters but nothing else?

  Hello all,
  Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc.  We would also like to allow this user to clear the interface error counters as well, but nothing else.  Is this possible?
  Thanks!

  Hello Brandon-
  Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats.  You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
  i.e.
  ACE# conif t
  ACE(config)# role MyRole
  ACE(config-role)# rule 1 permit modify feature ?
    AAA             AAA related commands
    access-list     ACL related commands
    connection      TCP/UDP related commands
    fault-tolerant  Fault tolerance related commands
    inspect         Appln inspection related commands
    interface       Interface related commands
    loadbalance     Loadbalancing policy and class commands
    pki             PKI related commands
    probe           Health probe related commands
    rserver         Real server related commands
    serverfarm      Serverfarm related commands
    ssl             SSL related commands
    sticky          Sticky related commands
    vip             Virtual server related commands
  You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
  Domains allow you to create containers for objects.  You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
  Regards,
  Chris Higgins

• ISE Airespace ACL WLC problem

  Hello,
  i've configured ISE and WLC to use guestportal with CWA but there is a problem with CoA -- it doesn't want to apply airespace alc after auth at guestportal.
  1. At authC page i've configured a wireless MAB to continue if user not found and to use a Internal users as a identity store.
  2. At authZ page i've configured a WEBAUTH as a default rule with the following:
  Access Type = ACCESS_ACCEPT
  cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
  cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  3. I've also configured this ACL at WLC to permit
  permit dns and icmp any-any
  permit any-to-ise-8443
  permit ise-to-any
  This part works fine because i able to redirect to guestportal and use my guest login&pw to authorize myself. The guest account was previously generated through sponsor portal and it's working too.
  4. At authC page i've use a wireless dot1x to use Internal users
  5. At authZ page i've use a "if internal users:Guest then GUEST permission" rule
  6. GUEST rule looks like the following:
  Access Type = ACCESS_ACCEPT
  Airespace-ACL-Name = GUEST_INTERNET_ONLY
  7. This ACL is configured on the WLC permitting any except private networks (ISE is also permitted)
  After guest portal auth i see a success message and i able to ping internet but i have no web access to it. It looks like CoA and Airespace acl are don't working and i keep using my ACL-WEBAUTH-REDIRECT access-list and i see a strange error messages in the WLC logs:
  *apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name "".
  I swear my ACL name spelling is correct and both ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with their counters growing!
  I don't have a point what issue it could be...
  Any ideas?
  P.S. see attach for Live authentication log

  Thank you guys for your responses, it's working now!
  The first problem was there:
  Changing IPv4 ACL 'none' (ACL ID 255) ===> 'GUEST_INTERNET_ONLY' (ACL ID 5)
  There are only 3 ACLs on my WLC so ALC ID 5 is kinda suspicious -- after WLC reload it becames ACL ID 1 but the problem was unresolved.
  After that i changed my authZ matching rule to use another authZ profile:
  Access Type = ACCESS_ACCEPT
  Airespace-ACL-Name = PERMIT_ALL_TRAFFIC
  cisco-av-pair = Airespace:Airespace-ACL-Name
  Then i created ACL PERMIT_ALL_TRAFFIC on my WLC with one ACE "permit any any". I also denied access to my private networks at ASA where guest vlan's gateway resides.
  I think the problem was in WLC's GUEST_INTERNET_ONLY ACEs which denied traffic to my private networks.
  Thanks for the help!

• Help with EEM TCL / CLI scripting for re-direction/wccp counters

  Being new with EEM scripting I wanted to see if I was on the right track and get some help to finish my idea.
  Our problem I am trying to fix is our remote sites utilize pairs of Cat3650's for some routing and WCCP redirection.  We are encountering ACL denial issues causing slow down and access issues.  The fix for the issue we remove the WCCP service groups to break peering with our wan optimizers and re-insert the configuration thus re-establishing peering and restoring service.
  My idea is to use a TCL scipt on a watchdog timer to parse the "sh ip wccp | inc denied (or unassign)" output for denial and unassignable error counters.  If a counter is found I wanted to create a syslog message that would then kick off a simple EEM CLI script to remove the service groups, wait 10 seconds, then re-add the service groups.  Please point me in the right direction if I am off track as I am not sure if I can use the EEM CLI for all this or since I want to retreive specific info from the sh ip wccp output if I do need to utilize TCL.  I am also unsure if the "total denied" ascii string pulled via the "sh ip wccp | inc denied" will cause issues when attempting to just pull the counter information.
  sh ip wccp | inc Denied Red
          Total Packets Denied Redirect:       0
          Total Packets Denied Redirect:       0
  Script thus far :
  TCL
  if [catch {context_retrieve "EEM_WCCP_ERROR_COUNTER" "count"} result] {
  set wccpcounter 0
  } else {
  set wccpcounter $result
  } if [catch {cli_open} result] {
  error $result
  } else {
  array set cli $result
  } if [catch {cli_exec $cli(fd) "show ip wccp | incl Denied"} result] {
  error $result
  } else {
  set cmd_output $result
  set count ""
  catch [regexp {receive ([0-9]+),} $cmd_output} ignore count]
  set count
  set diff [expr $count - $wccpcounter]
  if {$diff != 0} {
  action_syslog priority emergencies msg "WCCP counters showing incremental Denied packet counts"
  if [catch {cli_close $cli(fd) $cli(tty_id)} result] {
  error $result
  context_save EEM_WCCP_ERROR_COUNTER count
  CLI
  event manager applet WCCP_COUNTER_WATCH
  event syslog priority emergencies pattern "WCCP counters showing incremental Denied packet counts"
  action 001 cli command "enable"
  action 002 cli command "config t"
  action 003 cli command "no ip wccp 61"
  action 004 cli command "no ip wccp 62"
  action 005 wait 10
  action 006 cli command "ip wccp 61"
  action 007 cli command "ip wccp 62"
  action 008 wait 15
  action 009 cli command "clear ip wccp"
  action 010 cli command "end"
  Thanks for all the help

  This won't work as EEM cannot intercept its own syslog messages.  However, I'm not sure why you need this form of IPC anyway.  Why not just make the Tcl script perform the needed CLI commands?
  And, yes, you could use all applets here.  But since you've written the hard stuff in Tcl already, it might be best just to add the missing calls to reconfigure WCCP to that script.

• ASR9K Series devices inventory is not working.

  Hi all.  Inventory in CiscoWorks with new devices ASR9K Series is not working. CW version: LMS3.2.1. Device: ASR-9006 AC Chassis. Credentials correct. Can any help me?
  Screenshot1: inventory request fail.
  Screenshot2: RME knows Cisco ASR9006 Router.

  Hello again and thx for advice,
  I've tried the solution from Cisco for this bug (CSCte95623 ), by manipulating delays values in cmdsvc.properties file and restarting cfgmngmt process. I've changed delay values in very different manner (delay after connect, tunesleepmills, login, e.t.c). Unfortunately this solution didn't help. A CDA work for  SSH fails all the time. Also i've manipulated
  ssh rate-limit and ssh session-limit values on device. It's a pity that opportunity to set on only sshv1 on device doesn't exist, so CW tries to connect only with sshv2 and there is no chance to check how it work with sshv1.
  I'm becoming a bit desperate about that issue. Any ideas?!
  There is some output from ssh debugs on device:
  debug ssh server
  RP/0/RSP1/CPU0:May 31 12:02:14.068 : SSHD_[1114]: Spawned new child process 5869901
  RP/0/RSP1/CPU0:May 31 12:02:14.149 : SSHD_[65869]: Client sockfd 3
  RP/0/RSP1/CPU0:May 31 12:02:14.151 : SSHD_[65869]: Setting IP_TOS value:192
  RP/0/RSP1/CPU0:May 31 12:02:14.152 : SSHD_[65869]: After setting socket options, sndbuf33792, rcvbuf - 33792
  RP/0/RSP1/CPU0:May 31 12:02:14.153 : SSHD_[65869]: Connection from ------------ port ---------
  RP/0/RSP1/CPU0:May 31 12:02:14.158 : SSHD_[65869]: (addrem_ssh_info_tuple) user:()
  RP/0/RSP1/CPU0:May 31 12:02:14.162 : SSHD_[65869]: Session id 0
  RP/0/RSP1/CPU0:May 31 12:02:14.162 : SSHD_[65869]: Exchanging versions
  RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-6-INFO_GENERAL : Client ------ closes socket connection
  RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
  RP/0/RSP1/CPU0:May 31 12:02:14.164 : SSHD_[65869]: In cleanup code, pid:5869901, sig rcvd:0, state:1
  RP/0/RSP1/CPU0:May 31 12:02:14.166 : SSHD_[65869]: Cleanup sshd process 5869901, session id 0
  RP/0/RSP1/CPU0:May 31 12:02:14.171 : SSHD_[65869]: Closing connection to --------
  RP/0/RSP1/CPU0:May 31 12:02:14.171 : SSHD_[65869]: Sending Disconnect msg
  RP/0/RSP1/CPU0:May 31 12:02:14.172 : SSHD_[65869]: sshd_shm_acquire_lock: SHM Lock is NULL
  RP/0/RSP1/CPU0:May 31 12:02:14.172 : SSHD_[65869]: sshd_shm_unlock: SHM Lock is NULL
  RP/0/RSP1/CPU0:May 31 12:02:14.184 : SSHD_[1114]: Signal 18 received in handler: pid 5869901
  RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: ratelimit_msecs:1000.000000, ratelimit_count:1
  RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: elapsed:145.976000, ratelimit_msecs:1000.000000, count:1
  RP/0/RSP1/CPU0:May 31 12:02:14.207 : SSHD_[1114]: %SECURITY-SSHD-6-INFO_GENERAL : Incoming SSH session rate limit exceeded
  And CDA ssh work log from CW:
  Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1571,Iam inside ssh ....
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1573,Initial time_out : 0
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1583,Computed time_out : 30
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getCmdSvc,1599,After computing time_out : 30
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshCmdSvc,1637,inside getSshCmdSvc with timeout : 30000
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshProtocols,1743,Inside getsshprotocols with time out : 30000
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.rmeng.util.rmedaa.RMEDeviceContext,getSshCmdSvc,1651,SSH2 is running
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,136,Got CmdSvc for SSH
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,141,Before Resetting the counters i.e before invoking counters for CredType :: SSH
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,151,After Resetting the counters i.e before invoking counters for CredType :: SSH
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,156,Getting Primary credentails to reset again to Primary only..
  [ Thu May 31  12:10:17 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,201,trying to connect for SSH
  [ Thu May 31  12:10:18 MSD 2012 ],ERROR,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,272,Got CmdSvcException com.cisco.nm.lib.cmdsvc.CmdSvcException: java.net.SocketException: Connection reset
      at com.cisco.nm.lib.cmdsvc.OpConnect.invoke(OpConnect.java:57)
      at com.cisco.nm.lib.cmdsvc.SessionContext.invoke(SessionContext.java:299)
      at com.cisco.nm.lib.cmdsvc.Engine.process(Engine.java:57)
      at com.cisco.nm.lib.cmdsvc.LocalProxy.process(LocalProxy.java:22)
      at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:190)
      at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:166)
      at com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler.verify(CmdSvc_CDACredTypeHandler.java:202)
      at com.cisco.nm.xms.xdi.pkgs.LibCda.GenericCdaHandler.checkSanity(GenericCdaHandler.java:37)
      at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.checkSanity(CdaJobEngine.java:1565)
      at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.run(CdaJobEngine.java:1429)
      at com.cisco.nm.rmeng.inventory.cda.job.CdaJobMonitor$ExecutorThread.run(CdaJobMonitor.java:244)
  [ Thu May 31  12:10:18 MSD 2012 ],ERROR,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,308,exception occured at the time of closing cmdsvccom.cisco.nm.lib.cmdsvc.CmdSvcException: java.net.SocketException: Connection reset
      at com.cisco.nm.lib.cmdsvc.OpConnect.invoke(OpConnect.java:57)
      at com.cisco.nm.lib.cmdsvc.SessionContext.invoke(SessionContext.java:299)
      at com.cisco.nm.lib.cmdsvc.Engine.process(Engine.java:57)
      at com.cisco.nm.lib.cmdsvc.LocalProxy.process(LocalProxy.java:22)
      at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:190)
      at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:166)
      at com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler.verify(CmdSvc_CDACredTypeHandler.java:202)
      at com.cisco.nm.xms.xdi.pkgs.LibCda.GenericCdaHandler.checkSanity(GenericCdaHandler.java:37)
      at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.checkSanity(CdaJobEngine.java:1565)
      at com.cisco.nm.rmeng.inventory.cda.job.DoCDAonDevice.run(CdaJobEngine.java:1429)
      at com.cisco.nm.rmeng.inventory.cda.job.CdaJobMonitor$ExecutorThread.run(CdaJobMonitor.java:244)
  [ Thu May 31  12:10:18 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,310,Some exception not handled....
  [ Thu May 31  12:10:18 MSD 2012 ],INFO ,[Thread-1],com.cisco.nm.xms.xdi.pkgs.LibCda.CmdSvc_CDACredTypeHandler,verify,312,Not for enable test

• VPLS : VC UP but no data -- ASR9k & 7600 ES+

  Dears
  Would like your assistance please regarding below VPLS setup
  VPLS is between ASR9k & 7600 ES+ card. VC is up but CEs are not able to ping each others
  Lab Topology
  CE <> Te0/1/0/3.55 ASR9K < -- mpls --> 7600 Gi4/2 <> CE
  Any ideas ?
  Note
  ASR9k & 7600 are directly connected via same ES+ card
  ||||||||||||||||||||||||||||||||||||||||||||||||||
  ASR9k
  interface TenGigE0/1/0/3
  cdp
  interface TenGigE0/1/0/3.55 l2transport
  encapsulation dot1q 55 exact
  rewrite ingress tag pop 1 symmetric
  l2vpn
  pw-class PW-CLASS-TEST
    encapsulation mpls
    transport-mode ethernet
  bridge group vpls-test
    bridge-domain asr9k-7600
    interface TenGigE0/1/0/3.55
    vfi vlan-55
      neighbor 6.6.6.6 pw-id 55
      pw-class PW-CLASS-TEST
  7600
  ethernet evc test-vpls
  interface GigabitEthernet4/2
  no ip address
  speed 1000
  service instance 55 ethernet test-vpls
    encapsulation dot1q 55
    rewrite ingress tag pop 1 symmetric
    bridge-domain 55
  interface Vlan55
  no ip address
  xconnect vfi asr9k-7600
  end
  l2 vfi asr9k-7600 manual test-vpls
  vpn id 55
  neighbor 19.19.19.19 encapsulation mpls
  ||||||||||||
  RP/0/RSP0/CPU0:XR1#sh l2vpn bridge-domain
  Wed Oct 16 19:34:58.345 UTC
  Legend: pp = Partially Programmed.
  Bridge group: vpls-test, bridge-domain: asr9k-7600, id: 15, state: up, ShgId: 0, MSTi: 0
    Aging: 300 s, MAC limit: 4000, Action: none, Notification: syslog
    Filter MAC addresses: 0
    ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
    List of ACs:
      Te0/1/0/3.55, state: up, Static MAC addresses: 0
    List of Access PWs:
    List of VFIs:
      VFI vlan-55 (up)
        Neighbor 6.6.6.6 pw-id 55, state: up, Static MAC addresses: 0
  RP/0/RSP0/CPU0:XR1#
  RP/0/RSP0/CPU0:XR1#sh l2vpn bridge-domain  detail
  Wed Oct 16 19:35:02.391 UTC
  Legend: pp = Partially Programmed.
  Bridge group: vpls-test, bridge-domain: asr9k-7600, id: 15, state: up, ShgId: 0, MSTi: 0
    Coupled state: disabled
    MAC learning: enabled
    MAC withdraw: enabled
      MAC withdraw for Access PW: enabled
      MAC withdraw sent on bridge port down: disabled
    Flooding:
      Broadcast & Multicast: enabled
      Unknown unicast: enabled
    MAC aging time: 300 s, Type: inactivity
    MAC limit: 4000, Action: none, Notification: syslog
    MAC limit reached: no
    MAC port down flush: enabled
    MAC Secure: disabled, Logging: disabled
    Split Horizon Group: none
    Dynamic ARP Inspection: disabled, Logging: disabled
    IP Source Guard: disabled, Logging: disabled
    DHCPv4 snooping: disabled
    IGMP Snooping profile: none
    Bridge MTU: 1500
    MIB cvplsConfigIndex: 16
    Filter MAC addresses:
    Create time: 16/10/2013 18:40:04 (00:54:57 ago)
    No status change since creation
    ACs: 1 (1 up), VFIs: 1, PWs: 1 (1 up), PBBs: 0 (0 up)
    List of ACs:
      AC: TenGigE0/1/0/3.55, state is up
        Type VLAN; Num Ranges: 1
        VLAN ranges: [55, 55]
        MTU 1500; XC ID 0x44002e; interworking none
        MAC learning: enabled
        Flooding:
          Broadcast & Multicast: enabled
          Unknown unicast: enabled
        MAC aging time: 300 s, Type: inactivity
        MAC limit: 4000, Action: none, Notification: syslog
        MAC limit reached: no
        MAC port down flush: enabled
        MAC Secure: disabled, Logging: disabled
        Split Horizon Group: none
        Dynamic ARP Inspection: disabled, Logging: disabled
        IP Source Guard: disabled, Logging: disabled
        DHCPv4 snooping: disabled
        IGMP Snooping profile: none
        Storm Control: disabled
        Static MAC addresses:
        Statistics:
          packets: received 0, sent 2
          bytes: received 0, sent 112
        Storm control drop counters:
          packets: broadcast 0, multicast 0, unknown unicast 0
          bytes: broadcast 0, multicast 0, unknown unicast 0
        Dynamic ARP inspection drop counters:
          packets: 0, bytes: 0
        IP source guard drop counters:
          packets: 0, bytes: 0
    List of Access PWs:
    List of VFIs:
      VFI vlan-55 (up)
        PW: neighbor 6.6.6.6, PW ID 55, state is up ( established )
          PW class PW-CLASS-TEST, XC ID 0xc000001d
          Encapsulation MPLS, protocol LDP
          Source address 19.19.19.19
          PW type Ethernet, control word disabled, interworking none
          PW backup disable delay 0 sec
          Sequencing not set
          PW Status TLV in use
            MPLS        Local                          Remote
            Label        16052                          63
            Group ID    0xf                            0x0
            Interface    vlan-55                        unknown
            MTU          1500                          1500
            Control word disabled                      disabled
            PW type      Ethernet                      Ethernet
            VCCV CV type 0x2                            0x12
                        (LSP ping verification)        (LSP ping verification)
            VCCV CC type 0x6                            0x6
                        (router alert label)          (router alert label)
                        (TTL expiry)                  (TTL expiry)
          Incoming Status (PW Status TLV):
            Status code: 0x0 (Up) in Notification message
          MIB cpwVcIndex: 3221225501
          Create time: 16/10/2013 18:51:28 (00:43:33 ago)
          Last time status changed: 16/10/2013 18:52:43 (00:42:18 ago)
          MAC withdraw message: send 0 receive 0
          Static MAC addresses:
          Statistics:
            packets: received 0, sent 0
            bytes: received 0, sent 0
        DHCPv4 snooping: disabled
        IGMP Snooping profile: none
        VFI Statistics:
          drops: illegal VLAN 0, illegal length 0
  RP/0/RSP0/CPU0:XR1#
  |||
  NPE-3#show mpls l2 binding
    Destination Address: 19.19.19.19,VC ID: 55
      Local Label:  63
          Cbit: 0,    VC Type: Ethernet,    GroupID: 0
          MTU: 1500,  Interface Desc: n/a
          VCCV: CC Type: RA [2], TTL [3]
                CV Type: LSPV [2], BFD/Raw [5]
      Remote Label: 16052
          Cbit: 0,    VC Type: Ethernet,    GroupID: 15
          MTU: 1500,  Interface Desc: vlan-55
          VCCV: CC Type: RA [2], TTL [3]
                CV Type: LSPV [2]
  NPE-3#
  NPE-3#show mpls l2 vc 55
  Local intf    Local circuit              Dest address    VC ID      Status
  VFI asr9k-7600  \
                vfi                        19.19.19.19    55        UP
  NPE-3#
  NPE-3#show mpls l2 vc 55 detail
  Local interface: VFI asr9k-7600 vfi up
    Interworking type is Ethernet
    Destination address: 19.19.19.19, VC ID: 55, VC status: up
      Output interface: none, imposed label stack {}
      Preferred path: not configured
      Default path: active
      No adjacency
    Create time: 00:53:12, last status change time: 00:40:59
      Last label FSM state change time: 00:39:58
      Last peer autosense occurred at: 00:40:59
    Signaling protocol: LDP, peer 19.19.19.19:0 up
      Targeted Hello: 6.6.6.6(LDP Id) -> 19.19.19.19, LDP is UP
      Status TLV support (local/remote)  : enabled/supported
        LDP route watch                  : enabled
        Label/status state machine        : established, LruRru
        Last local dataplane  status rcvd: No fault
        Last BFD dataplane    status rcvd: Not sent
        Last BFD peer monitor  status rcvd: No fault
        Last local AC  circuit status rcvd: No fault
        Last local AC  circuit status sent: No fault
        Last local PW i/f circ status rcvd: No fault
        Last local LDP TLV    status sent: No fault
        Last remote LDP TLV    status rcvd: No fault
        Last remote LDP ADJ    status rcvd: No fault
      MPLS VC labels: local 63, remote 16052
      Group ID: local 0, remote 15
      MTU: local 1500, remote 1500
      Remote interface description: vlan-55
    Sequencing: receive disabled, send disabled
    Control Word: Off (configured: autosense)
    SSO Descriptor: 19.19.19.19/55, local label: 63
    Dataplane:
      SSM segment/switch IDs: 4200/110690 (used), PWID: 27
    VC statistics:
      transit packet totals: receive 0, send 0
      transit byte totals:  receive 0, send 0
      transit packet drops:  receive 0, seq error 0, send 0
  NPE-3#
  Many Thanks
  Regards
  Sherif Ismail

  Hi Xander
  First many thanks for your assistance
  Have recheked CEs config and they are straight forward. [trunk interface allowing all vlans]
  However I have added CE3/PE3 to topolgoy and results were somehow interesting
  CE1(ME3800) -- PE1 (ASR9K)  --- PE2 (7600) -- PE3 (7600) -- CE3 (ME3800)
                                                                  |
                                                          CE2(ME3800)
  Now both CE1/CE2 can ping CE3 but still no communication between CE1 & CE2
  Dont know what could be the difference between CE2 & CE3. Only thing that comes to my mind is that with CE2, PE2 is directly connected to PE1. Dont know if this could be a problem or not as in this case MPLS label should be pop but still there is VC label
  Another thing I removed "rewrite ingress tag pop 1 symmetric" from all PEs cause with this command CE3 (only) was receiving BPDU with different VLAN !      [dont know if this behavior is normal or not]
  interface GigabitEthernet4/2
  no ip address
  speed 1000
  service instance 55 ethernet
    encapsulation dot1q 55
    rewrite ingress tag pop 1 symmetric
    bridge-domain 55
  *Oct 24 21:57:14.158: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on GigabitEthernet0/23 VLAN55.
  *Oct 24 21:57:14.158: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/23 on VLAN0055. Inconsistent local vlan.
  *Oct 24 21:57:15.158: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan55, changed state to down
  UPE-42#
  Once I remove it
  UPE-42# *Oct 24 21:59:23.638: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/23 on VLAN0055. Port consistency restored
  Now what do you think ?  :]
  Many Thanks
  Regards
  Sherif Ismail

• Extended ACL TCP port control

  Hi all,
  I have configured an acl to control traffic going in/out of an interface via tcp ports. However, after applying the acl to the interface, i find that eventhough ports are allowed, traffic is blocked by the acl.
  I suspected that it could be the initial tcp handshake (SYN, SYNACK, ACK etc) is not being allowed (due to the implicit deny). When i included that in the acl, it worked. Is this a necessary step in an acl that controls by tcp port?
  Reason is, some of the acl configured with tcp port control has not been configured to allow SYN, ACK etc but it works when some of these ACLs are applied to other interface.

  Hi,
  Thanks for the response. As far as the config of the ACL, it's quite straight forward with the thing i'm trying to achieve. 1.1.1.190 & 1.1.1.192 are Mail servers. The objective is to control both .190 & .192. The config is as below:
  interface Vlan2
  description For Mail
  ip address 1.1.1.129 255.255.255.0
  ip access-group 2002 in
  end
  C6500#sh access-li 2002
  Extended IP access list 2002
  10 permit icmp any any (272 matches)
  20 permit tcp host 1.1.1.0 any syn (10467 matches)
  30 permit tcp host 1.1.1.0 any ack (781 matches)
  40 permit tcp host 1.1.1.190 eq smtp any
  50 permit tcp host 1.1.1.190 eq pop3 any
  60 permit tcp host 1.1.1.192 eq smtp any
  70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
  80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
  When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
  Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well.

• ACL on WLAN

        Helllo,
  I have a ACL applied on a WLAN on a 2125 controller.  I cannot get the older Cisco IPSec (Version 5.0.05.0290) client to work through the ACL and through the WLAN onto it's destination.  When the Cisco IPSec client is on another unrestricted WLAN, it works.  I have allowed TCP/UDP 500, 4500, TCP 10000 both directions and it fails.  I can see the denys counters incrementing but cannot figure out what is being blocked.  Any ideas?              

  it doesn't mention VPN pass through support on unsupported list for 2100.
  Try, WLAN> security> Layer3> L3 security select vpn pass through option, if available. If the option NA then ACL should work for pass through.
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
  vpn pass through certainly not supported on 2500 and 5500 baed platform, however it can be achieved through ACL.