BGP support in Cisco IOS 15.1(3) T2

Because of security concerns I must update the IOS in my 2800 and 3800 series routers. After checking the available options and the
Cisco IOS Software Checker application the version of choice would appear to be 15.1(3)T2. But I must be able to support BGP and 15.1(3)T2 is not listed in the Cisco Feature Navigator.
Generally one might assume that if a previous version and image supported a feature, the update would also. But I cannot take any chance that this is true or not true. I need to know for sure before implementation.
Before I bring a system crashing down, I need to know if this IOS version, and which images of this version, support BGP.
Any assistance gratefully accepted.
Manny

Of course it support BGP.
However, 15.0(1)Mx would be the safest choice.

Similar Messages

IPV6 Support in Cisco IOS

I am having a difficult time determining why on a 2811 running IOS c2800nm-advsecurityk9-mz.150-1.M2.bin, the router won't accept ipv6 commands. The feature set from what I can discern includes ipv6 support. However, I have received mixed views. Does advsecurity image support ipv6 or do I need adv ip services image?

The philosophical direction of Cisco is to have full IPv4 and IPv6 parity across feature sets. Any IPv4 feature should appear in the same license level of software for IPv6.
That said, some older software and platforms may have been missed.
See
https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition/blog/2011/09/21/ipv6-feature-packaging-in-cisco-routers-and-switches
See if the problem persists with the latest version. If so, I'd treat it as a bug and open a case.

Cisco IOS CA

Team,
I am using Cisco IOS XE Software, Version 03.15.00.S - Standard Support Release Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S, RELEASE SOFTWARE (fc3) to support my Cisco IOS CA.
In a nutshell, I am trying to support a FlexVPN - Win7 VPN client as per tac document id 115907
In this document, it states that OpenSSL CA is used but a Cisco IOS CA can also be used. When testing I am at a point where my certificates do not match the example:
The TAC document example:
X509v3 extensions:
X509v3 Key Usage: F0000000
Digital Signature
Non Repudiation
Key Encipherment
Data Encryption
My lab version:
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
Question - How do I get these alternate extensions using the Cisco IOS CA?
Chris

Hi Marcin,
You have the same as I - I got my lab working - I tripped up on the KeyUsage thinking that my VPN headend Cisco CSR needed these same extensions as my Win7 client did. When I adjusted my Win7 CSR to feature these extra extensions and re-enrolled, everything is working.
Thanks for your help,
Chris

Cisco IOS 12.2 (50) SE2 Netflow support

hi to everyboby,
I'm trying to understand if the IOS version "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(50)SE2, RELEASE SOFTWARE (fc2)" supports the netflow feature.
I'm trying to configure the cisco WS-C3750G-12S for sending netflow datagrams but I don't find the commands like "ip flow-export".
This cisco official document says that the commands for enabling netflow are not supported.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swuncli.html#wp1060525
Is It true or I'm missing something?
Thank you very much!
giorgio

No, Netflow is not support on the Cat2K and Cat3K switches. See http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html .

Cisco IOS Version to Support SIP Trunking on AS5400 Routers

Hi all,
Kindly help .Can anyone tell me which Cisco IOS Version Supports SIP Trunking on AS5400 Routers ?
Regards,
Cliff .

Hi,
Please look at:
http://www.cisco.com/en/US/products/hw/univgate/ps505/products_data_sheet09186a0080091e51.html
http://www.cisco.com/en/US/docs/routers/access/as5350/software/feature/guide/UPfeapu.html
HTH
Jorge Armijo
Please remember to rate helpful responses and identify helpful or correct answers.

Catalyst c3750g Cisco IOS 12.2 (25) SEE2 support SSH

I need some help configuring SSH on a 48 port Switch Cisco WS-C3750G-48TS that is running Cisco IOS 12.2(25) SEE2.
I have attempted to set it up, but I had no luck. If anyone can give me any assistance to this let me know.

Hi Mike
Based on your existing IOS level (iP Base/IP services/Adv IP services) you should upgrade your switch to one of the IOS versions given below, to have SSH:
c3750-ipbasek9-mz.12.2-52.SE - min flash 16, DRAM 128
c3750-ipservicesk9-mz.12.2-52.SE - min flash 16, DRAM 128
c3750-advipservicesk9-mz.12.2-46.SE - min flash 16, DRAM 128
Once you have your IOS upgraded, define hostname, domain name, crypto rsa key, and transport input commands on the switch to have it converted to SSH..
Hope this helps.. All the best
Raj

Link Local BGP peering between Cisco and Juniper (M-Series)

Hi,
has anybody successfully managed to get a working IPv6 session between a Cisco and a Juniper router using Link Local IPs?
I got it working between two cisco routers and two Juniper Routers but not with the two different vendors.
Configuration on the Juniper site:
   family inet6 {
       address FE80::1/64;
protocols {
      bgp {
          group customer_ipv6 {
              neighbor fe80::2 {
                  local-interface at-2/0/0.119;
                  peer-as 65300;
                  as-override;
Configuration on the Cisco site:
interface ATM0/0/0.1 point-to-point
bandwidth 2033
ip address 10.194.235.42 255.255.255.252
ip access-group AL-SECURITY-WAN out
ip mtu 1500
ipv6 address FE80::2 link-local
ipv6 enable
bfd interval 999 min_rx 999 multiplier 15
pvc 1/32
vbr-nrt 2244 2244 1
tx-ring-limit 3
encapsulation aal5snap
router bgp 65300
bgp router-id 10.213.58.185
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor FE80::1%ATM0/0/0.1 remote-as 65300
neighbor FE80::1%ATM0/0/0.1 version 4
neighbor FE80::2%GigabitEthernet0/1 remote-as 65300
neighbor FE80::2%GigabitEthernet0/1 version 4
address-family ipv4
exit-address-family
address-family ipv6
neighbor FE80::1%ATM0/0/0.1 activate
neighbor FE80::1%ATM0/0/0.1 advertisement-interval 5
neighbor FE80::1%ATM0/0/0.1 soft-reconfiguration inbound
neighbor FE80::1%ATM0/0/0.1 route-map NH6 out
neighbor FE80::2%GigabitEthernet0/1 activate
neighbor FE80::2%GigabitEthernet0/1 advertisement-interval 5
neighbor FE80::2%GigabitEthernet0/1 soft-reconfiguration inbound
neighbor FE80::2%GigabitEthernet0/1 route-map NH6 out
exit-address-family
CE_HOSTNAME# show ip bgp ipv6 uni su
BGP router identifier 10.213.58.185, local AS number 65300
BGP table version is 7, main routing table version 7
4 network entries using 656 bytes of memory
4 path entries using 320 bytes of memory
1/1 BGP path/bestpath attribute entries using 128 bytes of memory
2 BGP AS-PATH entries using 48 bytes of memory
2 BGP community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1200 total bytes of memory
BGP activity 34/12 prefixes, 38/12 paths, scan interval 60 secs
Neighbor        V           AS MsgRcvd MsgSent   TblVer InQ OutQ Up/Down State/PfxRcd
FE80::1%ATM0/0/0.1
                4        65300       0       0        1    0    0 never    Idle
FE80::2%GigabitEthernet0/1
                4        65300      15      16        7    0    0 00:10:59        4
CE_HOSTNAME#
The console monitoring states the following:
Nov 10 06:30:33.023 MET: %BGP-3-NOTIFICATION: sent to neighbor FE80::1%ATM0/0/0.1 active 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 06:30:33.023 MET: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from FE80::1%ATM0/0/0.1:
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00
Nov 10 06:30:33.023 MET: %BGP-3-NOTIFICATION: received from neighbor FE80::1%ATM0/0/0.1 active 2/5 (authentication failure) 0 bytes
de-ipc-ulmdon-ce-02#
Nov 10 06:30:33.023 MET: %BGP_SESSION-5-ADJCHANGE: neighbor FE80::1%ATM0/0/0.1 IPv6 Unicast topology base removed from session BGP Notification sent
The Cisco Router is running IOS 15.2, the Juniper Site JunOS 10.4
Any Ideas how I can get this to work?
Thanks in advance!

Marcin,
I updated the debugging log, the previous one was created using override-capability-neg on the neighbor (experimental).
>>0) Do you see similar scenario for working session? (Between two Cisco routers)
The working connection between two cisco routers doesn't show any output
>>1) What verion of IOS are you running? Something failrly recent I hope?
Show Version:
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(1)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Mon 19-Sep-11 16:24 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
CE_HOSTNAME uptime is 2 weeks, 5 days, 21 hours, 35 minutes
System returned to ROM by reload at 18:43:21 MET(S) Fri Oct 21 2011
System restarted at 18:44:50 MET(S) Fri Oct 21 2011
System image file is "flash:c1900-universalk9-mz.SPA.152-1.T1.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO1941/K9 (revision 1.0) with 446464K/77824K bytes of memory.
Processor board ID FCZ1504C0G8
1 DSL controller
2 Gigabit Ethernet interfaces
1 ATM interface
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
Device#   PID                   SN
*0        CISCO1941/K9          FCZ1504C0G8
Technology Package License Information for Module:'c1900'
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          datak9        Permanent      datak9
Configuration register is 0x2102
>>2) Can we have some more info from Juniper side (logs/debugs).
Sadly not. The Juniper Traceoptions don't show anything
All I can offer you at this point is the neighbor show command:
user@Juniper> show bgp neighbor fe80::2 instance vrf-test
Peer: fe80::2 AS 65300         Local: unspecified AS 20570
Type: External    State: Idle           Flags:
Last State: NoState       Last Event: NoEvent
Last Error: None
Export: [ pol-standard-bgp-export ] Import: [ pol-standard-bgp-import ]
Options:
Options:
Address families configured: inet6-unicast
Path-attributes dropped: 128
Holdtime: 90 Preference: 170
Number of flaps: 0
Trace options: all
Trace file: /var/log/bgp_ipv6_ll_20111110 size 131072 files 10
user@Juniper> show bgp summary instance vrf-test
Groups: 2 Peers: 2 Down peers: 1
Table          Tot Paths Act Paths Suppressed    History Damp State    Pending
vrf-2.inet.0          37         16          0          0          0          0
vrf-.inet6.0           0          0          0          0          0          0
vrf-24.mdt.0           0          0          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.194.235.42         65300       1149       1076       0       1     8:44:00 Establ
vrf-test.inet.0: 6/7/7/0
fe80::2               65300          0          0       0       0     9:38:32 Idle
>>3)
CE_HOSTNAME#
Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) Keep alive timer fired.
Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE requested (bgp_keepalive_timer_expired)
Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) service keepalive IO request.
Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE write request serviced in BGP_IO
CE_HOSTNAME#
Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) Keep alive timer fired.
Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE requested (bgp_keepalive_timer_expired)
Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) service keepalive IO request.
Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE write request serviced in BGP_IO
CE_HOSTNAME#
Nov 10 15:35:52.850 MET: BGP: 10.194.235.41 received KEEPALIVE, length (excl. header) 0
CE_HOSTNAME#
Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 active went from Idle to Active
Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 open active, local address FE80::2
Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Adding topology IPv6 Unicast:base
Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send OPEN
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active went from Active to OpenSent
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active sending OPEN, version 4, my as: 65300, holdtime 180 seconds, ID AD53AB9
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 1, length (excl. header) 10
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive OPEN
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN, version 4, holdtime 90 seconds
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN w/ OPTION parameter len: 0
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from OpenSent to Closing
Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: sent to neighbor FE80::1%ATM0/0/0.1 active 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send NOTIFICATION 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 15:35:54.702 MET: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from FE80::1%ATM0/0/0.1:
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 3, length (excl. header) 2
Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: received from neighbor FE80::1%ATM0/0/0.1 active 2/5 (authentication failure) 0 bytes
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive NOTIFICATION 2/5 (authentication failure) 0 bytes
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active bad state change from Closing to Closing
Nov 10 15:35:54.702 MET: -Traceback= 21B3370Cz 21B33C74z 21B34258z
Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl IPv6 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl VPNv4 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl VPNv6 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Multicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF delete stale NSF not active
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF no stale paths state is NSF not active
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active closing
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Session close and reset neighbor FE80::1%ATM0/0/0.1 topostate
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from Closing to Idle
Nov 10 15:35:54.702 MET: %BGP_SESSION-5-ADJCHANGE: neighbor FE80::1%ATM0/0/0.1 IPv6 Unicast topology base removed from session BGP Notification sent
CE_HOSTNAME#CE_HOSTNAME#
Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) Keep alive timer fired.
Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE requested (bgp_keepalive_timer_expired)
Nov 10 15:35:49.574 MET: BGP: ses global 10.194.235.41 (0x2970EDA4:1) service keepalive IO request.
Nov 10 15:35:49.574 MET: BGP: 10.194.235.41 KEEPALIVE write request serviced in BGP_IO
CE_HOSTNAME#
Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) Keep alive timer fired.
Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE requested (bgp_keepalive_timer_expired)
Nov 10 15:35:50.598 MET: BGP: ses global FE80::2%GigabitEthernet0/1 (0x316FBDDC:1) service keepalive IO request.
Nov 10 15:35:50.598 MET: BGP: FE80::2%GigabitEthernet0/1 KEEPALIVE write request serviced in BGP_IO
CE_HOSTNAME#
Nov 10 15:35:52.850 MET: BGP: 10.194.235.41 received KEEPALIVE, length (excl. header) 0
CE_HOSTNAME#
Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 active went from Idle to Active
Nov 10 15:35:54.694 MET: BGP: FE80::1%ATM0/0/0.1 open active, local address FE80::2
Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Adding topology IPv6 Unicast:base
Nov 10 15:35:54.698 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send OPEN
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active went from Active to OpenSent
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active sending OPEN, version 4, my as: 65300, holdtime 180 seconds, ID AD53AB9
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
Nov 10 15:35:54.698 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active KEEPALIVE write request serviced in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active service 2 read request in BGP_IO
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 1, length (excl. header) 10
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive OPEN
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN, version 4, holdtime 90 seconds
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv OPEN w/ OPTION parameter len: 0
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from OpenSent to Closing
Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: sent to neighbor FE80::1%ATM0/0/0.1 active 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Send NOTIFICATION 2/7 (unsupported/disjoint capability) 0 bytes
Nov 10 15:35:54.702 MET: %BGP-4-MSGDUMP: unsupported or mal-formatted message received from FE80::1%ATM0/0/0.1:
FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 001D 0104 505A 005A 52D2 C023 00
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active rcv message type 3, length (excl. header) 2
Nov 10 15:35:54.702 MET: %BGP-3-NOTIFICATION: received from neighbor FE80::1%ATM0/0/0.1 active 2/5 (authentication failure) 0 bytes
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Receive NOTIFICATION 2/5 (authentication failure) 0 bytes
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active bad state change from Closing to Closing
Nov 10 15:35:54.702 MET: -Traceback= 21B3370Cz 21B33C74z 21B34258z
Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl IPv6 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl VPNv4 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl VPNv6 Unicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: tbl IPv4 Multicast:base Service reset requests
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF delete stale NSF not active
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) NSF no stale paths state is NSF not active
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active closing
Nov 10 15:35:54.702 MET: BGP: ses global FE80::1%ATM0/0/0.1 (0x296337B4:0) act Session close and reset neighbor FE80::1%ATM0/0/0.1 topostate
Nov 10 15:35:54.702 MET: BGP: nbr_topo global FE80::1%ATM0/0/0.1 IPv6 Unicast:base (0x296337B4:0) Resetting ALL counters.
Nov 10 15:35:54.702 MET: BGP: FE80::1%ATM0/0/0.1 active went from Closing to Idle
Nov 10 15:35:54.702 MET: %BGP_SESSION-5-ADJCHANGE: neighbor FE80::1%ATM0/0/0.1 IPv6 Unicast topology base removed from session BGP Notification sent
CE_HOSTNAME#

ISE 1.1.3 en Cisco IOS SCEP

Hi,
I'm running Cisco ISE 1.1.3.124 and a Cisco IOS 2811 (c2800nm-spservicesk9-mz.150-1.M2.bin) which I configured the be a SCEP server.
PKI Authentication and enrollment of a Cisco switch with this SCEP server is running well but BYOD clients enrollment via EAP-TLS (1024/2048) giving me the following error on the Cisco IOS SCEP server:
SCEP#
.Mar 17 15:21:59.446: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
        Protocol = HTTP/1.1 Method = GET Query = operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgU
AMIAGCSqGSIb3DQEHAaCAJIAEggPoMIAGCSqGSIb3DQEHA6CAMIACAQAxggEvMIIBKwIBADATMA4xDDAKBgNVBAMTA2lzZQIBA
TANBgkqhkiG9w0BAQEFAASCAQAmbK6WZ5L6gw+uh7h4Qi53XL76QsBNcY8E6cMxWDp8hWbLvujNOylSvJLF
.Mar 17 15:21:59.446:
.Mar 17 15:21:59.454: CRYPTO_CS: received a SCEP request, 3652 bytes
.Mar 17 15:21:59.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_10
.Mar 17 15:21:59.482: CRYPTO_CS: scep msg type - 19
.Mar 17 15:21:59.482: CRYPTO_CS: trans id - 9871e81c65121310b77df8b341c7c887a5392da2
.Mar 17 15:21:59.486: CRYPTO_CS: failed to open env data
.Mar 17 15:21:59.486: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_10
.Mar 17 15:21:59.486: CRYPTO_CS: failed to read SCEP request
.Mar 17 15:21:59.502: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
SCEP#
I'm stuck now on the message: failed to open env data. So can anyone explain what the meaning is of this message or maybe know if IOS SCEP with ISE is supported ?
Thanks in advance.
greetz Michel
btw the tracelog of the switch enrollment with IOS SCEP is below:
SCEP#
.Mar 17 14:57:10.932: Sun, 17 Mar 2013 14:57:10 GMT 10.0.0.161 /cgi-bin/pkiclient.exe ok
        Protocol = HTTP/1.0 Method = GET Query = operation=PKIOperation&message=MIIGWgYJKoZIhvcNAQcCoIIGSzCCBkcCAQExCzAJBgUrDgMCGgUAMIIDAAYJKoZI
hvcNAQcBoIIC8QSCAu0wggLpBgkqhkiG9w0BBwOgggLaMIIC1gIBADGBujCBtwIB
ADAgMBsxGTAXBgNVBAMTEGNhLndlc3R3aWp6ZXIubmwCAQEwDQYJKoZIhvcNAQEB
BQAEgYAo/LNaINm+tcgzF8V8d7d5x
.Mar 17 14:57:10.932:
.Mar 17 14:57:10.936: CRYPTO_CS: received a SCEP request, 2210 bytes
.Mar 17 14:57:10.940: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1
.Mar 17 14:57:10.948: CRYPTO_CS: scep msg type - 19
.Mar 17 14:57:10.948: CRYPTO_CS: trans id - 59D142A6D0F525668626A435229BAAF1
.Mar 17 14:57:11.040: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1
.Mar 17 14:57:11.040: CRYPTO_CS: received an enrollment request
.Mar 17 14:57:11.040: CRYPTO_PKI: creating trustpoint clone ise1
.Mar 17 14:57:11.040: CRYPTO_CS: checking policy for enrollment request ID=1
.Mar 17 14:57:11.040: CRYPTO_CS: request has been authorized, transaction id=59D142A6D0F525668626A435229BAAF1
.Mar 17 14:57:11.040: CRYPTO_CS: locking the CS
.Mar 17 14:57:11.040: CRYPTO_CS: added CDP extension
.Mar 17 14:57:11.044: CRYPTO_CS: added key usage extension
.Mar 17 14:57:11.044: CRYPTO_CS: Validity: 13:57:11 UTC Mar 17 2013-13:57:11 UTC Oct 3 2013
.Mar 17 14:57:11.128: CRYPTO_CS: writing serial number 0x2.
.Mar 17 14:57:11.180: CRYPTO_CS: file opened: nvram:ise.ser
.Mar 17 14:57:11.180: CRYPTO_CS: Writing 32 bytes to ser file
.Mar 17 14:57:13.864: CRYPTO_CS: reqID=1 granted, fingerprint=2
.Mar 17 14:57:13.864: CRYPTO_CS: unlocking the CS
.Mar 17 14:57:13.864: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1
.Mar 17 14:57:13.984: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1
.Mar 17 14:57:13.988: CRYPTO_CS: Certificate generated and sent to requestor
.Mar 17 14:57:13.988: CRYPTO_CS: removing trustpoint clone ise1

Michel,
Officially supported it is not:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud86973
Some people mentioned varios degrees of "having it working".
In your case it's the envelope data which appears to be a problem for IOS.
M.

IPV6 BGP session between ASR (IOS-XR 5.1.2 SP4) to MX480 (JUNOS 11.4R6.6)

Hi,
We're in the process of changing route-reflectors and have run into an interoperability problem between Cisco IOS-XR and Junos 11.4R6.6 on the MX-480 that Juniper is currently in the process of looking at. V4 works like a charm and the sessions come up immediately. The same may be said for both V4/V6 on other MX series devices (i.e. the MX5).
Not wishing to go into too many details, I have two questions:
1. Has anyone else encountered this problem? And if so,
2. Have you identified a viable workaround without upgrading the MX480 to a newer version of Junos?
Doing a hard clear of the session other on the Juniper or Cisco side 10 to 15 times produces a connect most of the time, though it can take longer sometimes. Unhappily this is not viable option and upgrading from 11.4.R6.6 to 12.3R8.7 would require some very complicated planning.
Kind regards,
Andrew

I have similar problem. Did you manage to resolve the BGP-LU prefixes received over eBGP session? In my case as well all looks OK (eBGP LU session up, prefixes with labels exchanged, routing table looks OK), with the exception of CEF:
RP/0/0/CPU0:02-ASBR2#show cef 172.16.20.2/32 detail
Thu Jul 3 14:48:04.746 UTC
172.16.20.2/32, version 393, drop adjacency, internal 0x4004001 0x0 (ptr 0xacba7fa4) [1], 0x0 (0xacba2640), 0x10 (0xacc33754)
Updated Jul 3 14:14:07.206
Prefix Len 32, traffic index 0, precedence n/a, priority 4
gateway array (0xacb63e7c) reference count 18, flags 0xf2, source rib (6), 0 backups
[7 type 5 flags 0x210101 (0xacc38048) ext 0x0 (0x0)]
LW-LDI[type=5, refc=3, ptr=0xacba2640, sh-ldi=0xacc38048]
via 10.9.0.3, 0 dependencies, recursive, bgp-ext [flags 0x6020]
path-idx 0 NHID 0x0 [0xacb0ad08 0x0]
unresolved
local label 16016
labels imposed {16001}
Load distribution: 0 (refcount 7)
Hash OK Interface Address
0 Y Unknown drop

Cisco IOS SLB or CSM?

I am trying to inform myself if Cisco IOS supports Server Load Balancing (SLB) without the CSM. It appears this software has been integrated into a hardware module known as a Content Switching Module. (CSM)
Aside from cost and being a hardware module (faster) in a IOS based Catalyst 6500, Is there a functional advantage / disadvantage of using the Cisco CSM over Cisco IOS Server Load Balancing or vice versa. Any comments would be appreciated. Thanks.
Mark

IOS SLB shares the same software code base as Cisco IOS and has all the software features sets of Cisco IOS software. IOS SLB is recommended for customers desiring complete integration of SLB technology into traditional Cisco switches and routers.
The CSM is specifically designed to meet the demands of large Internet service providers (ISPs), Co-location facilities, Application service providers (ASPs), and Enterprise web server farms.
These links might help you gain a better understanding:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/iosslb8e.htm#xtocid32
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item09186a0080092384.shtml
http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/prodlit/ccsm_ds.htm

QinQ support on Cisco SUP7L-E?

Current release note for Cisco IOS XE Release 3.2.0XO says:
These sections list the limitations and restrictions for the current release of Cisco IOS software on the Catalyst 4500E series switch.
•802.1q tunneling and related features are not supported.
but in feature navigator there is 802.1q available
- IEEE 802.1Q Tunneling
- Selective QinQ
Sup 6E has support also:
Be aware that 802.1Q requires WS-C4948, WS-C4948-10GE, ME-4924-10GE, WS-C4928-10GE, WS-C4900M, WS-X4013+10GE, WS-X4516, WS-X4516-10GE, or WS-X45-SUP6-E; Layer 2 protocol tunneling is supported on all supervisor engines.

Hi Riccardo,
I checked the tables and for my unterstanding SUP7L-E and SUP7-E are SW feature parity…
Out of the release note:
Additionally, Supevisor Engine 7L-E running Cisco IOS 3.2.0XO has feature parity with Supervisor Engine 7-E running Cisco IOS XE 3.2.0SG.
The feature set for Supervisor Engine 7L-E matches that of Supervisor Engines 7-E
That means Q-in-Q should also work on SUP7L-E within next IOS release (March – May 2012) … or am i wrong?
Thanks
Manuel
Von: rsimoni
Gesendet: Dienstag, 10. Januar 2012 16:52
An: Linder Manuel (CASSARiUS AG)
Betreff: - Re: QinQ support on Cisco SUP7L-E?
Home
Re: QinQ support on Cisco SUP7L-E?
created by Riccardo Simoni in Other Service Provider Subjects - View the full discussion

Can IPV6 QOS support in Cisco 3750x switches

Hi
I have tried IPv6 qos using class map in Catalyst 3750 switches but the platform is not support.
Can anyone configured the IPV6 qos in Cisco 3750-X switches. Does it support?
Cisco 3750 config
policy-map up
class bwtest-up
police 2048000 128000 exceed-action drop
policy-map down
class bwtest-down
police 512000 128000 exceed-action drop
trust dscp
class-map match-all bwtest-up
match access-group name bwup
class-map match-all bwtest-down
match access-group name bwdown
ipv6 access-list bwup
permit ipv6 2402:xxxx:x:x::/64
ipv6 access-list bwdown
permit ipv6 any 2402:xxxx:x:x::/64
L3(config)#int g1/0/4
L3(config-if)#service-policy input up
QoS: class(bwtest-up) IPv6 class not supported on interface GigabitEthernet1/0/4 ( error)
Please help!

interface GigabitEthernet1/0/4
description ##Test LAN-IPV##
no switchport
bandwidth 2048
no ip address
load-interval 30
speed 100
duplex full
ipv6 address 2402:xxxx:x:x::1/64
ipv6 enable
ipv6 ospf 200 area 0
end
switch sw version
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Mon 03-Mar-14 22:45 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
Cherry uptime is 6 days, 7 hours, 23 minutes
System returned to ROM by power-on
System restarted at 07:04:50 IST Thu Mar 19 2015
System image file is "flash:/c3750-ipservicesk9-mz.122-55.SE9.bin"

Cisco IOS IPS in Cisco 2921/k9 router

Hi All,
I have a router of Cisco 2921 series (C2921/K9) basic box with IP BAse IOS image (SL-29-IPB-K9 IOS). I would like to enable IOS Level IPS feature on this Router now. Based on the Cisco Document i have found i need to purchase an additonal subscripton license to enale the IPS feature. My querry is-
Will it support on the Basic IP Base IOS or do i need to change the IOS?
If i need to purchase the Subscription Licesne, how can i get the part number and cost for the same?
Do i need to buy any addtional module for this like (NME-IPS-K9) ?
Thanks in advance for your quick support
regards
Sunny

Hi Sunny
1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
2. Correct, the modules and appliances run a different kind of software and are much more powerful
3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
I hope this helps, let us know.
regards
Herbert
jacob.samuel wrote:Dear Herbert,Thanks alot for the wonderful post. It clear most of my doubts. Still i kindly need to know few more points-1) Cant we enable IPS Feature on 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without signature subscription license (is it a must? it is for getting updates of signatures and for support only, right?)2) I came to know from a distributor pre-sales engineer that the Cisco IOS Level Intrusion Protection is not going to provide the full feature of IPS like NME module or IPS Applinace. Is that right?3) If i add NME-IPS-K9 Module to my 2921 Router, without enabling Sec License, can i enable IPS feature on the Router. Or is it a must that i need to buy Sec License (SL-29-SEC-K9)?Attaching the Datasheet of NME-IPS-K9 module (Page num 5 above Table 3) mentione as follows-Cisco IOS Software Feature Sets and ReleaseTable 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841,
2800 and 3800 series Integrated Services Routers Note that, IPS NME on the Cisco 2900 and 3900 Integrated
Services Routers does not require a Security Feature license.
In that case if i buy a module i can install it on the 2921K9 box directly and can enable the IPS feature right? I dont need any License and additonal signature subscription here to enable the IPS feature (if i dont need signature updates and support) right?
thanks alot for the support.
regards
Sunny

Are HTTPS probes supported in Cisco devices ?

Hello,
I am aware Cisco supports HTTP probe types. Are HTTPS (HTTP Secure) probes are supported in Cisco devices too ? If so from which IOS version ?
Your comments are very much appreciated.
Thanks.

Hi ,
As per my understanding there is No IOS code which support HTTPS opeartions , Only HTTP operations are supported as of now.
Thakns
Afroz

Cisco IOS SLB

Hello Guys,
I am wondering if cisco 3750 Series support Cisco IOS SLB for SMTP protocol, Can anyone help me in this?
Thanks in advance,
Jagdev

Hi Jagdev,
Cisco supports IOS SLB only on Cat 6k, 7x00
Siva

BGP support in Cisco IOS 15.1(3) T2

Similar Messages

Maybe you are looking for