Cisco 3750 --- Mark TCP packets from port 80 with DSCP ef
Good afternoon,
I am trying to mark outgoing traffic from a web server with a value of DSCP ef.
When I do a traffic capture, all TCP packets have tos 0x0.
If I mark UDP packets or ICMP packets, I can see it in the traffic capture, but not for TCP traffic.
This is my config:
mls qos
ip access-list extended MARK-HTTP-ACL
 permit tcp host 10.10.10.10 eq www any
class-map match-any HTTP-CM
 match access-group name MARK-HTTP-ACL
policy-map PRIORITY-PM
 class HTTP-CM
  set dscp ef
interface GigabitEthernet1/0/11
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 mls qos trust dscp
 service-policy input PRIORITY-PM
Can anybody help me to understand why I cannot mark TCP packets?
Thank you
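An added check for the symptom in this post (example code, not from the thread): decode the TOS byte of captured packets and report whether TCP packets sourced from port www, the flow the ACL matches, carry DSCP EF. EF is DSCP 46, which appears as TOS 0xB8 when the ECN bits are zero. The packet bytes are constructed inline for the example; in practice they would be read from a pcap.

```python
"""Decode DSCP from raw IPv4 packets and audit whether the expected marking
is present.  Added example; the sample packets below are constructed by hand."""
import struct

DSCP_EF = 46            # Expedited Forwarding
TCP, UDP = 6, 17


def tos_for_dscp(dscp: int, ecn: int = 0) -> int:
    """TOS/DiffServ byte for a DSCP value: DSCP in the top 6 bits, ECN in the low 2."""
    return (dscp << 2) | (ecn & 0x3)


def dscp_name(dscp: int) -> str:
    """Standard name for a 6-bit DSCP value (EF, CSx, AFxy) or DSCPnn if unnamed."""
    if dscp == DSCP_EF:
        return "EF"
    cls, low = divmod(dscp, 8)
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    return f"DSCP{dscp}"


def parse_ipv4(pkt: bytes) -> dict:
    """Pull TOS/DSCP, protocol, addresses and (for TCP/UDP) ports from an IPv4 packet."""
    ver_ihl, tos = pkt[0], pkt[1]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    proto = pkt[9]
    info = {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "proto": proto,
        "tos": tos,
        "dscp": tos >> 2,
        "ecn": tos & 0x3,
    }
    if proto in (TCP, UDP):      # both carry src/dst ports in the first 4 L4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def audit_marking(packets, sport=80, expected=DSCP_EF):
    """Count TCP packets sourced from `sport` that do / do not carry `expected` DSCP.

    Returns (marked, unmarked).  Other traffic is ignored, mirroring the ACL
    'permit tcp host 10.10.10.10 eq www any' in the post, which matches on the
    server's source port only."""
    marked = unmarked = 0
    for pkt in packets:
        p = parse_ipv4(pkt)
        if p["proto"] != TCP or p.get("sport") != sport:
            continue
        if p["dscp"] == expected:
            marked += 1
        else:
            unmarked += 1
    return marked, unmarked


# --- constructed sample packets (not captured from the poster's network) ---

def _addr(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def _ipv4(src: str, dst: str, proto: int, tos: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left 0, which the parser does not verify)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload),
                      0, 0, 64, proto, 0, _addr(src), _addr(dst))
    return hdr + payload


def _tcp_from_www(seq: int) -> bytes:
    """Minimal TCP header: sport 80, dport 51514, PSH|ACK, no options."""
    return struct.pack("!HHIIBBHHH", 80, 51514, seq, 1, 5 << 4, 0x18, 65535, 0, 0)


SAMPLE_PACKETS = [
    # what the poster sees: HTTP reply from the server with TOS 0x00 (DSCP CS0)
    _ipv4("10.10.10.10", "192.0.2.50", TCP, 0x00, _tcp_from_www(1)),
    # what the policy should produce: same flow with TOS 0xB8 (DSCP EF)
    _ipv4("10.10.10.10", "192.0.2.50", TCP, tos_for_dscp(DSCP_EF), _tcp_from_www(1461)),
    # UDP from the same host marked EF, which the poster reports does show up
    _ipv4("10.10.10.10", "192.0.2.50", UDP, tos_for_dscp(DSCP_EF),
          struct.pack("!HHHH", 5060, 5060, 8, 0)),
]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        p = parse_ipv4(pkt)
        print(f"{p['src']}:{p.get('sport')} -> {p['dst']} proto={p['proto']} "
              f"tos=0x{p['tos']:02x} dscp={p['dscp']} ({dscp_name(p['dscp'])})")
    print("TCP/80 packets marked EF vs unmarked:", audit_marking(SAMPLE_PACKETS))
```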
Yes. You need to eliminate the things I've said to eliminate with the other side. Ensure your configs are matching exactly. They probably are, whatever, just make sure of it because it's easy. You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
The more info you can have just one person responsible for, the better. What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
If you're seeing them come in his interface and never come back out, you know where to look.
Set your caps to a single host to single host if need be, and generate traffic accordingly.
You need to narrow down where NOT to look so that you know where TO look. I would say then, and only then, do you get the ISP involved. Once you're sure the problem exists between his edge device and your edge device.
I do exactly this for a living on a daily basis...day after day after day. I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions. I always start the exact same way...from the very bottom.
Similar Messages
How can I mirror all ports on CISCO 3750 switches to one Gigabyte port?
Hi,
I have a requirement to mirror all the ports on my 7 CISCO 3750 switches, which are in 3 separate stacks, to one single Gigabyte Ethernet port.
Does anyone know how I can do that?
Thanks in advance.
Vlad, thanks a heap for your response.
I want to apply it to my situation. Please let me know if I get them right in the following:
Catalyst A
vlan 901
remote-span
monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on the CISCO 3725)
monitor session 1 destination remote vlan 901
Catalyst B
vlan 901
remote-span (If I don't need to monitor this switch, do I still need to put anything into this switch at all?)
Catalyst C
vlan 901
remote-span
monitor session 1 source interface fastethernet 1-48 (I want to monitor all ports on this switch as well)
monitor session 1 source remote vlan 901
monitor session 1 destination interface gigabitethernet 3 (There are 4 Gigabit Ethernet uplinks on the CISCO 3750; I want all the traffic to go to port 3. Is this the right way to do it?)
Thanks in advance.
WRT54GX2: TCP packets blocked (except SYN/SYN-ACK) to internet
I'm using a WRT54GX2 with the latest FW 1.01.22 and I've been running into internet connectivity problems with one of my laptops (Toshiba MX35-S149 using Atheros). From this laptop DNS/ping work to the internet (UDP/ICMP) but all of the TCP data packets from the internet are being blocked by the router (I think). All of the other PCs continue to work with no problem.
Rebooting the router (power cycle) causes things to work again for this laptop but after some time (15-20 minutes or so) the problem comes back once again. I've already spent about 3 hours with support on this but no luck.
I did a packet capture on the laptop and any HTTP request shows TCP SYN and SYN-ACK packets but no data packets. The laptop continues to do retransmissions. At this point I can still PING and DNS-resolve any of the names.
The HTTP to the router's page (192.168.1.1) continues to work without any problem (still using the wireless NIC). Hard-wiring the laptop to router works fine.
I asked the support if I can do a packet capture on the router itself but I was told "That is not possible".
I'll add the packet capture files later today.
Any help is appreciated as I don't think I'll get any help from the tech-support.
TIA,
Navras
Interesting - I have a similar problem; however, I am trying to block packets going out. So you say that it allows the TCP for a little while, then later it is blocked.
Why are you trying to pass TCP into the computer specifically?
Do you have a firewall on your laptop that you can check the logs of?
I have been with support for my issue, which is basically that the BLOCKED SERVICES options are all greyed out. I need to block udp/tcp packets from going out on exactly the same router, same firmware as yours. They just read scripts from their help desk manuals and do not really seem to understand problems that are NOT in the scripts. Too bad; I was hoping that after Cisco took over, Linksys would get better at customer support, not the other way.
I saw a post previously that states that the same router DOES NOT HAVE the blocked services as a function. The manual and screen seem to indicate otherwise.
Interesting...let us know what happens.
danee
We are transitioning from Exchange 2003 to Exchange 2010. We found Outlook online mode (non-cached mode) has many warnings "Outlook is trying to retrieve data from the Microsoft Exchange Server [CAS-ARray]", usually happening when users try to open the address book but sometimes even on normal operations like clicking the Send button. The problem does not affect OWA and is extremely rare when Outlook is running in cached mode. Checking the firewall logs, we notice a lot of "TCP Packet Out of State" drops.
We have a lot from the CAS/HT to DC/GC on TCP_3268 and LDAP. And the errors are "TCP packet out of state: First packet isn't SYN" with tcp_flags FIN-ACK, PUSH-ACK.
We also have a lot from CAS/HT to the Outlook Clients on the static RPC port (TCP_59933). And the errors are "TCP packet out of state: First packet isn't SYN" with tcp_flags FIN-ACK, PUSH-ACK and RST-ACK, ACK.
This happens even on Outlook 2010, which I thought has TCP Keep Alive implemented to keep the session active within 1 hour.
Can somebody tell me if these out-of-state are the cause of our problem? And how to fix it?
THANK 1,000,000
Hello AndyHWC,
I did some consulting with our CAS team and received the following feedback to your post:
It is difficult to determine what is causing resets without seeing the captures first hand; however, the concern is that you are seeing dropped packets on the firewall logs. Where is this firewall located?
The description "Check the firewall logs, we notice a lot of "TCP Packet Out of State" drops." and "We have a lot from the CAS/HT to DC/GC on TCP_3268 and LDAP." indicates to me that the firewall is between CAS and GC. This is not supported under any circumstances and would explain the issue they are seeing with clients trying to "retrieve data from the GC".
If there is not a firewall between the GC and CAS then a Microsoft support engineer would need to have concurrent Netmon captures from client, CAS and GC during the issue to analyze. If only one GC exists, consider adding another GC to handle the client requests and for fault tolerance.
Also verify that all NIC card drivers are updated to the latest driver version.
More information about firewalls with Exchange 2007/2010
http://msexchangeteam.com/archive/2009/10/21/452929.aspx
http://technet.microsoft.com/en-us/library/bb232184(EXCHG.80).aspx
You can install the Client Access server role on an Exchange 2007 computer that is running any other server roles except for the Edge Transport server role. You cannot install the Client Access server role on a computer that is installed in a cluster. Installation of a Client Access server in a perimeter network is not supported.
http://technet.microsoft.com/en-us/library/dd577077(EXCHG.80).aspx
“The Installation of a Client Access Server in a Perimeter Network Is Not Supported
Issue You may want to install an Exchange 2007 Client Access server in a perimeter network. However, this type of installation is not supported in Exchange 2007.
Cause The Exchange 2007 Client Access server role is not supported in any configuration in which a firewall is located between the Client Access server and a Mailbox server or a domain controller. This includes firewall devices, firewall programs, or any program or device that is designed to restrict traffic between two network locations.
For correct operation, Client Access servers require typical domain connectivity to domain controllers and global catalog servers. Because any devices or programs that restrict or reduce access to domain controllers or global catalog servers may affect the correct operation of the Client Access server, we do not support this type of configuration.
Resolution To resolve this issue, move the Client Access servers to the internal network. For more information about the ports that Exchange 2007 uses for various services, see Data Path Security Reference.”
Thanks,
Kevin Ca - MSFT
Hello,
I have a Spanning tree problem when I connect 2 links from a Switch DELL M6220 (there are blades for virtual machines too) to 2 links towards 2 CISCO 3750 switches connected as a stack (behaving like one switch for redundancy, with one management IP).
On the Dell the Spanning tree is rapid stp, and on the 3750 the Spanning tree mode is pvst; Cisco says that this is not important, it only takes longer to create the tree.
I don't know, but what do you think of these solutions I want to try on Sunday?:
Could Spanning tree need a native vlan to negotiate the BPDUs? switchport trunk native vlan 250
Is it better to put spanning-tree guard root on the ports of both 3750s to prevent the DELL from becoming root in Spanning Tree?
Is it better to put spanning-tree port-priority on the ports of the Dell switch?
Could you help me to control the root? Do you think another solution is better? Thanks!
CONFIG WITH PROBLEM
======================
3750: (the 2 ports are on 2 3750 switches connected with a stack cable; you can see this in a show run)
interface GigabitEthernet2/0/28
 description VIRTUAL SNMP2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 4,13,88,250
 switchport mode trunk
 switchport nonegotiate
 logging event trunk-status
 shutdown
interface GigabitEthernet1/0/43
 description VIRTUAL SNMP1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 4,13,88,250
 switchport mode trunk
 switchport nonegotiate
 shutdown
DELL M6220: (it's only one switch)
interface Gi3/0/19
 switchport mode trunk
 switchport trunk allowed vlan 4,13,88,250
exit
interface Gi4/0/19
 switchport mode trunk
 switchport trunk allowed vlan 4,13,88,250
exit
F.Y.I. for Catalyst heroes - here is the equivalent config for SG-300 - Vlan1 is required on the allowed list on the Catalyst side (3xxx/4xxx/6xxx)
In this example:
VLANS - Voice on 188, data on 57, management on 56.
conf t
hostname XXX-VOICE-SWXX
no passwords complexity enable
username xxxx priv 15 password XXXXX
enable password xxxxxx
ip ssh server
ip telnet server
crypto key generate rsa
macro auto disabled
voice vlan state auto-enabled !(otherwise one switch controls your voice vlan….)
vlan 56,57,188
voice vlan id 188
int vlan 56
ip address 10.230.56.12 255.255.255.0
int vlan1
no ip add dhcp
ip default-gateway 10.230.56.1
interface range GE1 - 2
switchport mode trunk
channel-group 1 mode auto
int range fa1 - 24
switchport mode trunk
switchport trunk allowed vlan add 188
switchport trunk native vlan 57
qos advanced
qos advanced ports-trusted
exit
int Po1
switchport trunk allowed vlan add 56,57,188
switchport trunk native vlan 1
do sh interfaces switchport po1
!CATYLYST SIDE
!Must Explicitly allow VLan1, this is not normal for catalysts - or spanning tree will not work ! Even though it’s the native vlan on both sides.
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,56,57,189
switchport mode trunk
Best way to connect 2 Cisco 3750 PoE 24-port Switches
Hello. I have 2 Cisco 3750 PoE 24-port switches in a small office environment. Right now I have a trunk configured off my ASA 5505 to switch 1, and then just an access port configured on a port (switch 1) and an access port configured on a port (switch 2) to connect them together. These switches also have 2 GB SFP ports but they are not being used in this configuration.
I was curious to know if anyone had any better recommended configurations for connecting these 2 switches together? I'm not sure if this particular model can be stacked?
What are the exact model numbers (should be written on a sticker)?
You will know if they can be stacked as you will see the 2x stack ports on the back of each switch :)
If they can then that is probably the way to go unless you want to keep them as separate switches for some reason.
If you want them separate, I would connect them via a Trunk link at least so you can have the same Vlans on both.
Thanks
Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops
Having a problem with communication between an ASA 5510 and a Cisco Catalyst 3750.
Here is the configuration of the Cisco switch port facing the ASA 5510:
interface FastEthernet2/0/6
 description Trunk to ASA 5510
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 131,500
 switchport mode trunk
 switchport nonegotiate
And here is the ASA 5510 port configuration:
interface Ethernet0/3
 speed 100
 no nameif
 no security-level
 no ip address
interface Ethernet0/3.500
 vlan 500
 nameif outside
 security-level 0
 ip address X.X.X.69 255.255.255.0
There is a default route on ASA to X.X.X.1.
When I try to ping X.X.X.1 from the ASA I get:
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Also in the output of show interface eth 0/3 on the ASA I can see that the L2 Decode drop counter increases.
I have also changed the ports on the Switch and ASA but the same error stays.
Any thoughts?
I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
Maybe you should adjust the "speed 100"? In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch. Alternatively, have both sides set
speed 100
duplex full
and see if things improve.
-- Jim Leinweber, WI State Lab of Hygiene
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players: (Note: the first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection when trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
 description COMPANY-B VPN
 set peer 4.5.6.228
 set transform-set COMPANY-B01
 set pfs group2
 match address 190
interface FastEthernet0/0
 ip address 1.2.3.8 255.255.255.0
 no ip redirects
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.
Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on the
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unencapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior.
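As an added troubleshooting aid (example code, not from the thread): parse two "show crypto session detail" snapshots like the ones above, diff the per-flow counters, and name the pattern the delta shows. The sample snapshots use the before/after values quoted in the post (dec'ed 376 drop 5 / enc'ed 401 drop 3, then dec'ed 376 drop 6 / enc'ed 402 drop 3); the classification labels are this example's own, not IOS terms.

```python
"""Diff per-flow counters between two 'show crypto session detail' snapshots.
Added example; the snapshot text below uses the values quoted in the post."""
import re

FLOW_RE = re.compile(r"IPSEC FLOW: (?P<flow>permit .+)")
IN_RE = re.compile(r"Inbound:\s+#pkts dec'ed (?P<dec>\d+) drop (?P<drop>\d+)")
OUT_RE = re.compile(r"Outbound:\s+#pkts enc'ed (?P<enc>\d+) drop (?P<drop>\d+)")

FLOW_A_TO_B = "permit ip host 1.2.3.161 4.5.7.0/255.255.255.0"


def parse_crypto_session(text: str) -> dict:
    """Return {flow: {'dec', 'in_drop', 'enc', 'out_drop'}} per IPSEC FLOW block."""
    flows, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLOW_RE.match(line)
        if m:
            current = m.group("flow")
            flows[current] = {}
            continue
        if current is None:
            continue
        m = IN_RE.match(line)
        if m:
            flows[current]["dec"] = int(m.group("dec"))
            flows[current]["in_drop"] = int(m.group("drop"))
            continue
        m = OUT_RE.match(line)
        if m:
            flows[current]["enc"] = int(m.group("enc"))
            flows[current]["out_drop"] = int(m.group("drop"))
    return flows


def diff_counters(before: dict, after: dict) -> dict:
    """Per-flow counter deltas for flows present in both snapshots."""
    return {
        flow: {k: after[flow][k] - b[k] for k in b if k in after[flow]}
        for flow, b in before.items() if flow in after
    }


def classify(delta: dict) -> str:
    """Label the pattern a delta shows (labels are this example's own)."""
    sent = delta.get("enc", 0) > 0
    got = delta.get("dec", 0) > 0
    in_drop = delta.get("in_drop", 0) > 0
    if sent and not got and in_drop:
        # the case in this thread: the peer replies, but each reply is dropped
        # after decryption (the 'failed SA identity check' messages)
        return "DROPPED_AFTER_DECRYPT"
    if sent and not got:
        return "NO_REPLY"
    if sent and got and not in_drop:
        return "BIDIRECTIONAL_OK"
    return "INCONCLUSIVE"


# before/after snapshots with the values quoted in the post
BEFORE = """
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
"""
AFTER = """
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
"""


def report(before_text: str, after_text: str) -> dict:
    """Map each flow to (delta, label) for the two snapshots."""
    deltas = diff_counters(parse_crypto_session(before_text),
                           parse_crypto_session(after_text))
    return {flow: (d, classify(d)) for flow, d in deltas.items()}


if __name__ == "__main__":
    for flow, (d, label) in report(BEFORE, AFTER).items():
        print(flow)
        print(f"  enc'ed +{d['enc']}  dec'ed +{d['dec']}  "
              f"in drop +{d['in_drop']}  out drop +{d['out_drop']}  -> {label}")
```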
Hello all,
we are incrementally receiving a lot of MARS events that come from Cisco IDS; all those events are "NULL TCP PACKET", and the destination is always the same, an SMTP IronPort machine through port 25, from different public IPs.
Does anybody have a similar scenario? What can we do?
Thanks
Hi,
The signature version 364 and the IPS version is 6.1 (1) E2.
It is supposed to be a single TCP packet with none of the SYN, ACK, FIN or RST flags.
It comes from different public IPs that come from different ISPs.
Regards
Izaskun
Cisco 300 - VLAN DHCP packets not passing
I am seeing a problem with our Cisco 300 switches. We use these switches as access switches, with a stacked 3750-G at the core, two 2960-S at the distribution layer, and about 10 300 Series switches at the access layer (10 port and 28 ports, all PoE).
We use Voice VLAN (VLAN 14) for our Mitel phones – there is a DHCP server on the Mitel system. Phones come up, get tagged VLAN 14 (LLDP), Traffic flows (including Broadcast for DHCP etc…). The system works, and has worked for months.
One day, suddenly, I find that all the Mitel phones on a particular access switch are not working. I look on the Mitel system and the lease on DHCP has expired, and the phone is stuck on renewing its DHCP IP address. I run port mirroring on the switch for VLAN 14 to see what is happening. The phones are stuck on DHCP discover, and I see the DHCP Discover broadcast packets on the switch but nothing else, no DHCP offer packets – hence the phone stuck at boot cycle.
I then do a port mirror from another access switch (that is currently working) – I can see the broadcast packets from the Mitel phones on the broken switch, but on this switch I can also see the DHCP offer packets from the Mitel system. I run two port mirrors simultaneously from the two switches (one working, one not) and I can see that the DHCP offer packets are not coming through to the broken switch. Panic ensues – I look at the distribution layer and there is no problem whatsoever.
For some strange reason, the Cisco 300 28 port has stopped passing DHCP broadcast packets on a particular VLAN, even though they are being sent. I power cycle the switch – and hey presto, DHCP offer packets are coming through, and the phones get an IP address and boot properly.
I wipe the sweat off my brow, note the issue down and carry on my daily duties.
Forward a couple of weeks later, and to today. I have another phone that is showing the same symptoms, luckily it is the only phone on this particular Cisco 300 28 port. The same issue is occurring as described above. I gather as much diagnostic information I can then reboot the switch – but still no joy. I then remember that this switch is not directly attached to the distribution layer and instead gets trunked to another Cisco 300 28 port. I give that a reboot and 5 minutes later, DHCP broadcast offers are passing and the phone boots.
I am listing this problem as not just a ‘one off’ now; it is recurring. It has happened to two of my 300 28 port switches.
All switches are running 1.1.2.0.
No link to uptime – first instance of the problem, the switch was up for 14 days; second instance (another switch), uptime of 39 days.
LLDP is working fine on the switches, as is Voice-VLAN (Port is tagged and broadcasts out DHCP Discover which is seen by other devices throughout network)
Nothing in the log file on the access switch
Nothing on the Dist/Core regarding STP – Spanning tree set up is fine throughout
Has anyone else experienced same? I’m hoping this is a bug that is getting fixed.
Many Thanks
Tim
Hello Tim
Brayton Hackworth had a similar post to yours, found here:
https://supportforums.cisco.com/message/3684179#3684179
Brayton is using the Mitel 5330 phones where the LLDP no longer fed VLAN information to the phone network. But, he reverted to use a DHCP server to provide the VLAN information.
Unfortunately, I (personally) cannot test any Mitel resources (since I don't have them) so my labs usually only consist of either 7900 series or SPA500/900 series phones.
The best thing I can really recommend to you is to make a package of data consisting of:
Topology which consists of:
Modem type
Router including IP
All devices including IP of switches
Servers / relevant workstations
# of attached devices and # of users on the LAN
Switch config file + show tech on a notepad
Syslog output from the switch
Working PCAP
PCAP showing failure
PCAP legend showing which IP addresses belong to which devices (unless the topology contains all IPs)
Where the PCAP is taken from and method
We can then create a service request for you and pass it for review.
-Tom
I have a Cisco 5505 (base license) and a Cisco 3750 (48 port). I want to be able to connect to the 3750 on different VLANs (for home lab), but I'm not able to ping the "outside" IP of the ASA. I can ping the different VLANs from the ASA once I created the routes from the ASA.
3750 config:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname SwitchA
no aaa new-model
switch 1 provision ws-c3750-48p
ip subnet-zero
ip routing
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet1/0/1
description Uplink to Cisco ASA 5505
switchport access vlan 100
switchport mode access
spanning-tree portfast
interface FastEthernet1/0/2
no switchport
no ip address
interface FastEthernet1/0/3
interface FastEthernet1/0/4
interface FastEthernet1/0/5
switchport access vlan 10
interface FastEthernet1/0/6
interface Vlan1
no ip address
interface Vlan2
ip address 10.10.0.1 255.255.255.0
interface Vlan3
ip address 10.10.1.254 255.255.255.0
interface Vlan10
no ip address
interface Vlan100
description SW-to-ASA
ip address 172.16.100.2 255.255.255.0
interface Vlan172
no ip address
interface Vlan182
no ip address
interface Vlan192
no ip address
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.1
ip http server
ip http secure-server
ASA Config:
interface Vlan1
shutdown
no nameif
no security-level
no ip address
interface Vlan10
nameif users
security-level 100
ip address 172.16.10.254 255.255.255.0
interface Vlan172
no nameif
security-level 100
ip address 172.16.100.1 255.255.255.0
interface Vlan192
nameif OUTSIDE
security-level 0
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 192
interface Ethernet0/1
description Trunk to Switch
switchport access vlan 172
Is this even doable?
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum. I set up my home DC and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet): I was no longer able to ping some devices. Then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
Everything seems fine internally, with the exception of intermittent network connectivity with a Citrix NetScaler VPX running on VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enabled the following:
Nat Exemption
Sysopt connection permit-vpn
ACLs
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!

Hi,
I believe the problem is with your no-NAT configuration. You need to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (inside LAN) to make this work:
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/inside IP address of the firewall from a LAN machine, with all routing in place properly. Thanks!!!
Regards
Karthik
ISCSI traffic running across Cisco 3750 Switches
My customer has a small shop with 2 servers running iSCSI to a SAN device. They are looking for a switch recommendation and I would like to use a pair of Cisco 3750s, to take advantage of the VSS technology for redundancy, L3 and some other core requirements, but I am concerned about performance.
I thought my other option is to use 3750Es but am concerned about the added costs.

The fabric and pps ratings for the 3750Gs don't support wire rate for more than 16 gig ports. (Max performance for 3750G models is 38.7 Mpps and 32 Gbps fabric; for the 3750-E it's 101.2 Mpps and 128 Gbps fabric [NB: pps is enough, slightly insufficient fabric bandwidth for 48 port models - the similar 4948 offers 102 Mpps, 136 Gbps].)
Another performance limitation of the 3750s (and to a lesser extent the 3750-Es) is stack ring bandwidth. As best I can tell, the 32 Gbps is really dual 8 Gbps duplex (dual 16 Gbps duplex for the -Es). An important distinction between the original StackWise technology and the later StackWise+: the former puts a copy of all traffic on the stack, the latter suppresses unnecessary unicast. The former also requires the sender to remove the traffic from the stack ring; with the latter the destination removes the traffic. (I.e. the "+" technology really is a plus.)
For really, really demanding performance, a stack ring isn't the same as a chassis fabric (e.g. 4500s), and within a single switch the lower-end switch models can't always provide wire rate for all their ports. However, the real question is whether you need this performance in a small shop even though iSCSI is being used.
In other words, it's rare to see all ports demanding full bandwidth, so a stack of 48 port 3750Gs might work just fine for your customer if the actual need doesn't require more than the device can supply.
In similar situations, I present the customer with such facts. Based on what the expected load is, device "A" might work fine, but it can't guarantee performance beyond a certain level. If the customer wants the capability for more performance, for growth or "just to be safe", that can be done too; here are your options (and the extra cost) for that.
BTW, if the SAN devices can support 10gig, then you'll need something better than the 3750G, since the model with a single 10gig port has been discontinued.
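To show where the reply's "16 gig ports" and "slightly insufficient fabric" remarks come from, here is an added worked example (not from the thread) that checks a port mix against the quoted forwarding-rate and fabric figures. It assumes 64-byte frames plus 20 bytes of preamble and gap as the worst case, and that the 48-port 3750-E and 4948 carry 48 GbE ports plus two 10 GbE uplinks.

```python
"""Wire-rate sanity check for the switch figures quoted in the reply above.

Added worked example, not from the thread. Capacity numbers are the ones the
reply quotes; the port mixes and the 64-byte worst case are assumptions.
"""
from dataclasses import dataclass

# A 64-byte minimum frame plus 20 bytes of preamble, SFD and inter-frame gap is
# the worst case for packets per second on an Ethernet link.
MIN_FRAME_BITS = (64 + 20) * 8
PPS_PER_GBPS = 1e9 / MIN_FRAME_BITS   # about 1.488 Mpps per gigabit


@dataclass(frozen=True)
class Switch:
    name: str
    mpps: float         # forwarding rate, million packets per second
    fabric_gbps: float  # fabric capacity; full duplex counts each port twice


def wire_rate_mpps(ports_gbps):
    """Packets/s needed to keep every listed port busy with 64-byte frames."""
    return sum(ports_gbps) * PPS_PER_GBPS / 1e6


def wire_rate_fabric_gbps(ports_gbps):
    """Fabric bandwidth needed with every port sending and receiving at line rate."""
    return 2 * sum(ports_gbps)


def shortfall(switch, ports_gbps):
    """(pps_ok, fabric_ok, fabric_gap_gbps) for driving this port mix at wire rate."""
    need_pps = wire_rate_mpps(ports_gbps)
    need_fab = wire_rate_fabric_gbps(ports_gbps)
    gap = max(0.0, need_fab - switch.fabric_gbps)
    return need_pps <= switch.mpps, need_fab <= switch.fabric_gbps, gap


def max_wire_rate_ge_ports(switch):
    """Most 1 GbE ports the box can drive at wire rate, limited by pps or fabric."""
    by_fabric = switch.fabric_gbps / 2
    by_pps = switch.mpps * 1e6 / PPS_PER_GBPS
    return int(min(by_fabric, by_pps))


# Figures quoted in the reply above.
C3750G = Switch("3750G", 38.7, 32)
C3750E = Switch("3750-E", 101.2, 128)
C4948 = Switch("4948-10GE", 102, 136)
# Assumed port mix for the 48-port models: 48 x 1 GbE plus two 10 GbE uplinks.
PORTS_48_PLUS_2X10G = [1] * 48 + [10] * 2

if __name__ == "__main__":
    print(f"{C3750G.name}: wire rate for at most {max_wire_rate_ge_ports(C3750G)} GbE ports")
    for sw in (C3750E, C4948):
        pps_ok, fab_ok, gap = shortfall(sw, PORTS_48_PLUS_2X10G)
        print(f"{sw.name}: pps ok={pps_ok}, fabric ok={fab_ok}, fabric short by {gap:g} Gbps")
```

With the quoted numbers the 3750G is fabric-bound at 16 GbE ports, the 3750-E meets the pps need for 48 GbE + 2 x 10 GbE but is 8 Gbps short on fabric, and the 4948 fits exactly.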
13017 Received TACACS+ packet from unknown Network Device or AAA Client
I am adding new routers to our corporate network for a new MPLS network. I am getting "13017 Received TACACS+ packet from unknown Network Device or AAA Client" errors for these new routers. They are added to ACS 5.4.0.30 correctly, just like all of our other devices. We have never had real routers on the network before, just switches and access points. Is there something special I need to set in ACS for these to work and authenticate correctly? I can currently only access them locally with the built-in login.
One of the new router configs:
Current configuration : 2370 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname T666
boot-start-marker
boot-end-marker
enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
voice-card 0
crypto pki trustpoint TP-self-signed-2699490457
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2699490457
revocation-check none
rsakeypair TP-self-signed-2699490457
username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
interface FastEthernet0/0
ip address 10.114.2.1 255.255.255.0
ip helper-address 10.30.101.4
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1/0
ip address X.X.X.X 255.255.255.252
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl ansi
no cdp enable
router bgp 65065
no synchronization
bgp log-neighbor-changes
network 10.114.2.0 mask 255.255.255.0
neighbor X.X.X.X remote-as 209
neighbor X.X.X.X default-originate
default-information originate
no auto-summary
ip forward-protocol nd
ip bgp-community new-format
ip http server
ip http authentication aaa
ip http secure-server
ip tacacs source-interface FastEthernet0/0
no logging trap
tacacs-server host 10.30.101.221 key 7 1429005B5C502225
tacacs-server host 10.30.101.222 key 7 1429005B5C502225
tacacs-server directed-request
control-plane
banner exec ^CC
C
Login OK
^C
banner motd ^CC
C
** UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED. USE OF
** THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
** RUAN Transport Corporation
** Network Services
** [email protected]
** 515.245.2512
^C
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
transport input all
line vty 5 15
exec-timeout 30 0
scheduler allocate 20000 1000
end
T666#

AAA Protocol > TACACS+ Authentication Details
Date :
September 19, 2014
Generated on September 19, 2014 10:21:27 AM CDT
Authentication Details
Status:
Failed
Failure Reason:
13017 Received TACACS+ packet from unknown Network Device or AAA Client
Logged At:
Sep 19, 2014 10:21 AM
ACS Time:
Sep 19, 2014 10:21 AM
ACS Instance:
acs01
Authentication Method:
Authentication Type:
Privilege Level:
User
Username:
Remote Address:
Network Device
Network Device:
Network Device IP Address:
10.114.2.1
Network Device Groups:
Access Policy
Access Service:
Identity Store:
Selected Shell Profile:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule :
Identity Policy Matched Rule:
Selected Identity Stores:
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:
Other
ACS Session ID:
Service:
AV Pairs:
Response Time:
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=359
Device Port=59840
Protocol=Tacacs
Authentication Result
Steps
Received TACACS+ packet from unknown Network Device or AAA Client
Additional Details
Diagnostics
ACS Configuration Changes
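The 13017 record above names the client address ACS did not recognise (10.114.2.1, the `ip tacacs source-interface` address in the router config). As an added example, not ACS's or the poster's code, this helper parses a record in the same "Key:" / value layout and checks that address against a device inventory; the inventory entries are constructed here and are an assumption.

```python
"""Reconcile an ACS 5.x "Authentication Details" record with a device inventory.

Added example, not from the thread. The record layout (a "Key:" line followed
by its value on the next line) matches the report pasted above; the inventory
of network devices is constructed and is an assumption.
"""
import ipaddress
import re

# Constructed excerpt of the ACS report, in the same layout as the one pasted above.
SAMPLE_RECORD = """\
Status:
Failed
Failure Reason:
13017 Received TACACS+ packet from unknown Network Device or AAA Client
Network Device:
Network Device IP Address:
10.114.2.1
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
Device Port=59840
Protocol=Tacacs
"""

KEY_RE = re.compile(r"^(.*?)\s*:$")   # a key line ends in ':' (ACS sometimes adds a space)


def parse_record(text):
    """Turn the alternating Key:/value layout into a dict; keys with no value map to ''."""
    fields, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            fields.setdefault(key, "")
        elif key is not None:                      # value line(s) for the current key
            fields[key] = (fields[key] + "\n" + line).strip("\n")
    return fields


def failure_code(fields):
    """Leading numeric code of the failure reason, e.g. '13017', or None."""
    m = re.match(r"(\d+)\s", fields.get("Failure Reason", ""))
    return m.group(1) if m else None


def device_is_known(device_ip, inventory):
    """True if the client address falls inside any inventory entry (host or subnet)."""
    ip = ipaddress.ip_address(device_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in inventory)


def triage(text, inventory):
    """Return (failure_code, device_ip, known) for one ACS record."""
    f = parse_record(text)
    ip = f.get("Network Device IP Address", "")
    return failure_code(f), ip, bool(ip) and device_is_known(ip, inventory)


# Constructed inventory: existing switch ranges only, then with the new router subnet.
INVENTORY_BEFORE = ["10.30.0.0/16", "10.40.1.0/24"]
INVENTORY_AFTER = INVENTORY_BEFORE + ["10.114.2.0/24"]

if __name__ == "__main__":
    for inv in (INVENTORY_BEFORE, INVENTORY_AFTER):
        print(triage(SAMPLE_RECORD, inv))
```

Run it against a batch of exported records to list every 13017 whose device address is outside the inventory; the Device Port attribute is the router's ephemeral source port, not the TACACS+ port.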
Double TNS datagrams in one TCP packet
I have the following problem:
During a database connection over an IPSec tunnel between a Fortigate and a Juniper firewall, the connection stalls.
This is exactly reproducible with one select or bulk insert statement. Neither OCI nor thin changes the behavior. Without the tunnel (e.g. LAN or ISDN connection) there is no problem and no duplicate TNS.
I have logged the TCP traffic with Wireshark on both sides and noticed that I have two TNS datagrams in one TCP packet.
I use different IPSec tunnels and have problems only with this one. Do you have a hint what's going on?
BTW: I changed the SDU and TDU sizes. This changes the point in time of the stall (double TNS).
Here is the Wireshark Log:
519 1128.135566 192.168.197.33 10.4.100.73 TNS Request, Data (6), Data
520 1128.135912 192.168.197.33 10.4.100.73 TNS Request, Data (6), Data
521 1128.179202 10.4.100.73 192.168.197.33 TCP [TCP Window Update] ncube-lm > 64542 [ACK] Seq=7203 Ack=2341 Win=65535 Len=0
522 1128.202975 10.4.100.73 192.168.197.33 TCP ncube-lm > 64542 [ACK] Seq=7203 Ack=3691 Win=64185 Len=0
523 1128.213284 10.4.100.73 192.168.197.33 TNS Response, Marker (12), Attention
524 1128.213516 10.4.100.73 192.168.197.33 TNS Response, Marker (12), Attention
525 1128.213557 192.168.197.33 10.4.100.73 TCP 64542 > ncube-lm [ACK] Seq=4265 Ack=7225 Win=64201 Len=0
526 1128.217649 192.168.197.33 10.4.100.73 TNS Request, Marker (12), Attention
527 1128.255460 10.4.100.73 192.168.197.33 TCP [TCP Dup ACK 524#1] ncube-lm > 64542 [ACK] Seq=7225 Ack=3691 Win=65535 Len=0
* 528 1128.501575 192.168.197.33 10.4.100.73 TNS [TCP Retransmission] Request, Marker (12), Attention
529 1128.588704 10.4.100.73 192.168.197.33 TCP ncube-lm > 64542 [ACK] Seq=7225 Ack=4276 Win=64950 Len=0
Here the connection stalls, but does not terminate. The data transmission is not finished.
The * packet has the following header information:
Frame 528: 639 bytes on wire (5112 bits), 639 bytes captured (5112 bits)
Ethernet II, Src: FujitsuT_92:f0:b5 (00:19:99:92:f0:b5), Dst: Fortinet_25:ea:de (00:09:0f:25:ea:de)
Internet Protocol, Src: 192.168.197.33 (192.168.197.33), Dst: 10.4.100.73 (10.4.100.73)
Transmission Control Protocol, Src Port: 64542 (64542), Dst Port: ncube-lm (1521), Seq: 3691, Ack: 7225, Len: 585
Transparent Network Substrate Protocol
Packet Length: 574
Packet Checksum: 0x0000
Packet Type: Data (6)
Reserved Byte: 00
Header Checksum: 0x0000
Data
Transparent Network Substrate Protocol
Packet Length: 11
Packet Checksum: 0x0000
Packet Type: Marker (12)
Reserved Byte: 00
Header Checksum: 0x0000
Attention
Marker Type: Data Marker - 1 Data Bytes (0x01)
Marker Data Byte: 0x00
Marker Data Byte: 0x02
Any idea?

Ben wrote:
Convert dbl to U64 then use Swap Words. Swap Words is polymorphic and will adapt to the data type you present to it.
Ben
Convert is a bad idea here. You want to typecast instead.
Rolf Kalbermatter
CIT Engineering Netherlands
a division of Test & Measurement Solutions