Cisco 831 no netflow export packets through IPSEC

Similar Messages

• Netflow export on Cisco 2821

  Hello,
  a question or more a problem with netflow exports on Cisco 2821's.
  I configured netflow export on a Cisco 2821 with IOS Version 12.4(24)T
  ip cef
  interface FastEthernet0/0/0
  description to XXX
  ip address XXX
  ip flow ingress
  ip flow egress
  duplex full
  speed 10
  ip flow-cache timeout active 1
  ip flow-export source GigabitEthernet0/0
  ip flow-export version 5
  ip flow-export destination XXX XXX
  The netflow collector shows "only ingoing traffic" on interface FastEthernet0/0/0 and
  "only outgoing traffic" on interface GigabitEthernet0/0.
  Same problem with an IOS Version 12.4(20)T1 on other Cisco 2821's.
  But same configuration on other Cisco 2821's with IOS Version 12.4(11)XJ4 work well.
  Any references/suggestions or explanations?

  #It's surprising to me that it's even possible to configure both directions on a single interface.
  #It's generally not a good idea to configure both directions among interfaces on a single router.
  --> It is possible. ;-) I need QoS (DSCP information) for ingoing traffic and
  --> and for outgoing traffic of this interface FastEthernet0/0/0.
  #How's g0/0 configured "ip flow" wise?
  --> There's no netfow configuration on this interface, only on Fa0/0/0.
  -->#sh ip flow interface
  --> FastEthernet0/0/0
  -->  ip flow ingress
  -->  ip flow egress
  #Maybe you're seeing "only outgoing traffic" on
  #interface GigabitEthernet0/0, because those are incoming traffic through fa0/0/0
  #(where IOS ignores the "ip flow egress" part) and flowing out through g0/0?
  --> You're right. The outgoing traffic at Gi0/0 is the ingoing traffic at Fa0/0/0.
  --> But I don't think thath the configuration is wrong and I think that the
  --> "ip flow egress" command on an single interface is not so special.
  --> I really looks like that the command "ip flow egress" on interface Fa0/0/0
  --> is being ignored. But why?
  --> May be I should start an other discussion with a link to this posting in the
  --> router forum.

• Make a Cisco SPA 303 ring by sending a packet through your network?

  Hey Guys,
  I was wondering, and I need to know for my business, is there any way at all for me to make my Cisco SPA 303 VOIP Phone to ring by sending a packet through my local network?
  I would like to just be able to click a button or send a command throught the command prompt and make it ring, but I don't know if there is any way for this to happen.
  Thank!

  Do you know perl?
  I had same issue and I wrote a simple perl script that works as wake up service.
  PERL is an interpreted language and so can be executed on Linux and  Windows operating systems. Linux can interpret perl natively while for  Windows you can download many free interpreters like Activeperl or  Strawberry perl. To run the script you must use a third party server.
  In my configuration the script runs on a linux server in background as a service and checks every minute the  directory called "alarm", reads files and uses the file name as called  number and checks the content to verify if is the time to call. At the moment the script uses SIP and handles 4 call responses: 404 user  not found, 486 busy, 487 not answer and 200 answer ok.  In every cases sends an email and deletes files. Only for the answer  case plays a nice music.
  Files have this particular format: file name is equal to calling  party number and file content is the alarm time in 24 hours format  with : as separator between hours and minutes.
  e.g.
  ext. 101 must be called at 8 am ---> write the file 101.txt with the content 08:00
  ext. 101 must be called at 8:30 am ---> write the file 101.txt with the content 08:30
  There is a limitation: if you activate the Authentication for SIP messages and there are more  then two simultaneous calls, the script sends some INVITEs without  authentication or with wrong checksum and so not all phones ring. This  problem is under investigation.
  Are you intresting?
  Regards.

• Cisco Prime- Netflow Export Issue

  Dear All,
  We are observing high bandwidth being utliized between ASR1004 and Cisco Prime 2.1 after enabling "ip netflow exporter". Is there any way to mitigate it..?

  Yes - use sampled Netflow which statistically samples the flows instead of trying to send every single one back to Prime Infrastructure.
  The IOS-XE configuration guide section on Netflow describes how to set it up.

• How to export Sampling info in Netflow V5 Export Packet

  HI,
  Can you please share with me commands to configure Random Sampled Netflow and then export it in V5 format. Where in V5 export packet sampling information gets exported ?
  Thanks a lot.
  Regards,
  Deepak

  So I've done a bit more research and experimenting.  I've found a good way to export environment variables using systemctl so that they are available to systemd spawned processes, but not to me as a user on the command line (or via cron).
  # http://comments.gmane.org/gmane.comp.sysutils.systemd.devel/8995
  [Unit]
  Description=Gnome Keyring Daemon
  Requires=dbus.socket
  [Service]
  Type=oneshot
  ExecStart=/bin/sh -c "for env in $( /usr/bin/gnome-keyring-daemon --start --components=gpg,pks11,secrets,ssh ); do /usr/bin/systemctl --user set-environment $env; done"
  ExecStop=/bin/sh -c "for env in GNOME_KEYRING_PID GNOME_KEYRING_CONTROL SSH_AUTH_SOCK GPG_AGENT_INFO; do /usr/bin/systemctl --no-block --user unset-environment $env; done"
  RemainAfterExit=yes
  [Install]
  WantedBy=mystuff.target
  After that, I can see the desired environmental variables in systemctl --user show-environment, but they don't show up in my shell when I printenv.
  Last edited by Morrad (2013-05-16 05:57:32)

• What is "Source ID" in Netflow V9 Packet Header

  Hi,
  My question is regarding the "Source ID" field that appears in Netflow V.9 packet header. Following Cisco link (http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.pdf) gives Source ID definition as -
  "The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device."
  I am using "Source ID" (combined with template id) to uniquely identify options templates exported by different routers. At our new lab setup where we have more than one routers configured to export Netflow, I observed that all the routers were exporting "Source ID" value as "0"(zero). It failed my assumption that I had formed based on definition from above Cisco doc.
  I assumed -
  SourceID    Template Id  Unique Key
  source1       256              source1-256
  source1       257              source1-257
  source2       256              source2-256
  source3       258              source3-258
  But, I observed
  SourceID    Template Id  Unique Key
  0                  256              0-256
  0                  257              0-257
  0                  256              0-256
  0                  258              0-258
  Thus, same template id(256) from different routers(source1, source3) eventually form same unique key and breaks my code.
  I would like to know if my interpretation that Source ID can be used to uniquely identify templates in this manner is correct or not ? 
  Is "Source ID" user configurable attribute ? How does it comply to the definition given in above Cisco doc ?
  Thanks,
  Deepak

  Deepak,
  Consider these quotations from the same RFC 3954:
  Section 2: Terminology:
  Observation Point
  An Observation Point is a location in the network where IP packets
  can be observed; for example, one or a set of interfaces on a network
  device like a router. Every Observation Point is associated with an
  Observation Domain.
  Observation Domain
  The set of Observation Points that is the largest aggregatable set of
  flow information at the network device with NetFlow services enabled
  is termed an Observation Domain. For example, a router line card
  composed of several interfaces with each interface being an
  Observation Point.
  Section 7: Template Management:
  A NetFlow Collector that receives Export Packets from several
  Observation Domains from the same Exporter MUST be aware that the
  uniqueness of the Template ID is not guaranteed across Observation
  Domains.
  Section 9: The Collector Side:
  At any given time the Collector SHOULD maintain the following for all
  the current Template Records and Options Template Records: Exporter,
  Observation Domain, Template ID, Template Definition, Last Received.
  Note that the Observation Domain is identified by the Source ID field
  from the Export Packet.
  So in other words, the Source ID is an identifier of the Observation Domain (and in fact, the IPFIX RFC calls this header field directly as Observation Domain ID). Template IDs are unique per Exporter and per Observation Domain, and if a single Exporter uses multiple templates in its different Observation Domains, the IDs of these templates could overlap even in a single Exporter. Observation Domain IDs (that is, Source IDs) identify only the internal structure of a single Exporter, and no provisions are done to preserve their uniqueness across multiple Exporters - for this, the source IP shall be used.
  With respect to whether there can be multiple NetFlow instances on a single router, I am getting a feeling that with decentralized, distributed platforms, multiple linecards in a single router could run their own NetFlow analysis for data that pass through them, so each one provides a separate NetFlow collection. Thus, each linecard or each feature card doing its own NetFlow analysis should be assigned its own unique Observation Domain ID.
  If it is not user configurable then system should automatically form the value based on router engine and line card. But what I have observed, at more than one routers, is that this value is always 0(zero).
  I believe this is strongly dependent to the hardware construction of the router. As a remotely-related example, old 2600 series routers had two WIC slots. If you inserted two WIC-2T modules into these slots, you'd expect that they would be numbered Serial0/0, Serial0/1, Serial1/0, Serial1/1. Very surprisingly, however, these routers considered both slots to be internally connected to a single bus, and the interfaces were named Serial0/0, Serial0/1, Serial0/2 and Serial0/3 - as if they all were installed in a single slot '0'. Something similar may happen to the Observation Domains and their IDs. You would believe that each single linecard constituted a separate Observation Domain. However, the reality may be different, and the whole router can act as a single Observation Domain to the outside world. It's just the way it is constructed - and programmed.
  It is not clear why Cisco doc says that one should use both "Source ID" and "Source IP Address" to properly distinguish between flows.
  I think it's a poor wording in the RFC. I think what they want to say is that if you use the duplet <Source IP, Source ID> to distinguish between flows, then you're fine both for multiple flows from the same Exporter, and for multiple flows from different Exporters.
  Moreover, isn't "Source IP Address" good enough to distinguish between flows from different sources ?
  If an Exporter could truly be partitioned into multiple Observation Domains then the source IP would not be sufficient. I am just making up examples with no real-life backup here, but think of, say, a multi-chassis router with each chassis being one Observation Domain, or each linecard of a distributed switch being a standalone Observation Domain, or one router virtualized to several different contexts and virtual routers, each of them being a unique Observation Domain, reporting about the flows using the same source IP... I think you get the point.
  I would put it this way... The existence of Source ID in NetFlow v9 (and Observation Domain ID in IPFIX) allows these protocols to nicely cope with situations in which a single physical device can be partitioned into several Observation Domains and perform independent reporting on them using a single source IP. However, the fact that these protocols have this ability does not mean that each and every device, even a Cisco router/switch, must necessarily make use of it.
  Best regards,
  Peter

• Uploading Cfg file to Cisco 831

  Really new here to Cisco. Our netwok administrator was let go and I am running the show now but am having a problem with uploading a config file to our Cisco 831 which is acting as a firewall to a T1 line. I am so newbie to Cisco so bear with me please! Our router was reset to defaults(yea, I know) and of course the config file was lost on the router but... I did find these files saved on one of our file servers. in a folder TFTP-Root
  c831-k9o3y6-mz.123-2.XC2.bin
  startup-config
  cisco831-config
  I can see the files were backed up and on this server there is a TFTP server that has been ran. Here are my questions.
  1. To get the router back to where it was with these files, which ones do I need to upload?
  2. Do I need to upload a boot file and config file or just one or the other?
  3. I did try to upload the startup-config file using telnet and got as far as the TFTP program trying to load it to the Cisco but an error came up about the security range for the TFTP didnt include 10.10.10.1??? The wierd thing is the TFTP server is 192.168.1.10 and the Cisco is 192.168.1.252. I can ping the Cisco but I cannot figure out why the Cisco is sending to the TFTP server that its IP is 10.10.10.1.
  I appreciate any help since right now our office netork has no email till I reset this.
  Thanks
  Jim

  Jim
  I do not think it is a stupid question. When you post to a public forum like this, all kinds of people will see what you post. It is wise to want to protect yourself.
  I would suggest that as a starting point that you replace any passwords with "" (or some silimar string which shows us what passwords were configured but disguises the actual password).
  I would suggest that you disguise any IP addresses that are in public address space (I believe that addresses in private space do not need to be disguised). Some people post configs with the address blanked out but I find this is sometimes counter-productive. I would suggest that you change the first octet of any public address in your config, and be careful that the first octet still shows whether this was class A, class B or class C address space. If you disguise the first octet then if the second, third, and fourth octet are the same as your config we will not have any real idea where you are, but there are valuable indications of what subnetting is being done, and perhaps other things that may be helpful.
  I believe that it is probably sufficient to disguise any passwords and disguise any public IP addresses. If you look through your config and find other things that concern you (perhaps there are comments on interfaces about what they connect to that you do not want to become public) feel free to remove or to alter/disguise them.
  And if you are really nervous about posting config details on the forum, you can email them to me privately. My email address is available through my forum profile. Some other forum contributors also make their email addresses available through their forum profile.
  HTH
  Rick

• How much bandwidth netflow export uses

  Experts,
  I tried searching doc on cisco and even googled for information on how much bandwidth netflow export uses; however I didn't find any convincing article. I also found lancope.com where they estimate the BW required, but still I was not satisfied.
  I would really appreciate if someone can guide me with simple yet affective explanation or say rough guide lines to estimate the bandwidth used by netflow exports...
  Regards,
  Smitesh

  yeah this number is so hard to define, because it really is dependent on the flow export timers, active/inactive, how long flows are active or inactive and also very importantly the cache size.
  generally netflow aggregators (aka routers) use a cache and start to aggressively age out flows when the cache utilization reaches a certain level.
  Also if you have long lived flows and a few of them and a cache size that accomodates it, the export rate is merely defined by the active timer.
  If you have a lot of flows, relative smaller cache, you will automatically see more BW util.
  If you have a lot of short lived flows, then the inactive timer will come into play here.
  to sum it up, a record generally takes 300 bytes (somewhat), if you use v9, then you'll also see template exports.
  all in all, netflow export is generally bursty, but very much related to the traffic patterns also.
  Since this number is so specific to your scenario, best to do is to set up a qos pmap that matches on your netflow export, and use the qos mib to average the rate on that class to see how it looks like for you.
  To pre-estimate something, you'll need at minimum: cache size, number of flows, flow duration (so you can correlate that towards the active vs inactive timers) and the timers itself. That all multiplied against the record size, this just to get a ballpark number.
  cheers
  xander
  xander thuijs CCIE#6775
  Principal Engineer ASR9000/XR SW group

• Cisco 831 and "Can't get video from the camera."

  I'm running a Cisco 831 router with ios 12.4(5a) installed. Every time I try to initiate a video chat with a computer going through the router, I get the "Can't get video..." error. It works fine with computers on my internal network and if I bypass the Cisco router and plug straight into my Cable modem.
  I've covered every conceivable TCP/UDP port being open (per numerous pages re: port 5060, 5190, etc.) and have even gone as far as testing with "permit UDP any any" and "permit TCP any any" at the top of the rules. No luck.
  I've been reading about the possibly needing to "unbind" SIP (port 5060). Is this something that a Cisco 831 router would require? The router doesn't seem to respond to any of the documented Cisco command re: VoIP and does not have any phone support that I'm aware of.
  If anyone has any info that can help me get his up-and-running, I'd be much obliged.
  Thanks,
  Matheau

  Hi Kcritchie,
  It will most likely look like that. But in this case it should be on the UDP protocol.
  The link looks useful (it takes a scroll down to see it for others looking)
  If I do nat bindlist in my Alcatel I get this
  Last login: Thu Jun 29 12:36:20 on console
  Welcome to Darwin!
  Ralph-G4:~ Ralph$ telnet 10.0.0.138
  Trying 10.0.0.138...
  Connected to speedtouch.johnshome.
  Escape character is '^]'.
  Username :
  (Pic line drawing edited out here )
  =>nat bindlist
  Application Proto Port
  ESP esp 1
  FTP tcp 21
  GRE gre 1
  H323 tcp 1720
  IKE udp 500
  ILS tcp 389
  ILS tcp 1002
  IP6TO4 6to4 1
  IRC tcp 6660-6670
  JABBER tcp 5222
  JABBER tcp 15222
  PPTP tcp 1723
  RAUDIO(PNA) tcp 7070
  RTSP tcp 554
  =>
  On my device this is because the SIP binding on UDP port 5060 is unbound.
  2:30 PM Thursday; June 29, 2006

• CISCO 831 E-mail Problem

  Hi, I'm rather new to working with a Cisco equipment. Just switched to it from a Netgear a month ago. Got a weird problem with my Cisco 831 Router at the moment.
  To send e-mail I need to log into my outgoing SMTP server. But since I install the 831 it just refuses to work. When you hit send it is immediately bounced back from "System Administrator" saying "Authentication Required". If I use a SMTP server that doesn't require authentication it works fine.
  Before with the netgear it worked and I've tried putting it back in since the 831 was installed. And it still works placing the blame on the 831.
  Anyone came across anything like this?
  Any ideas?
  Thanks,
  Peter

  Hi,
  Thanks for your reply.
  Hopefully this is what your after.
  Building configuration...
  Current configuration : 4650 bytes
  version 12.3
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  service password-encryption
  hostname admin
  no logging buffered
  enable secret xxxx.
  username xxx password xxx
  username xxx password xxx
  username xxx password xxxx
  no aaa new-model
  ip subnet-zero
  ip name-server 62.31.64.39
  ip name-server 62.31.112.39
  ip dhcp excluded-address 192.168.168.1
  ip dhcp excluded-address 192.168.168.168
  ip dhcp excluded-address 192.168.168.101
  ip dhcp pool CLIENT
  import all
  network 192.168.168.0 255.255.255.0
  default-router 192.168.168.1
  lease 0 2
  ip inspect name myfw cuseeme timeout 3600
  ip inspect name myfw ftp timeout 3600
  ip inspect name myfw rcmd timeout 3600
  ip inspect name myfw realaudio timeout 3600
  ip inspect name myfw smtp timeout 3600
  ip inspect name myfw tftp timeout 30
  ip inspect name myfw udp timeout 15
  ip inspect name myfw tcp timeout 3600
  ip inspect name myfw h323 timeout 3600
  ip audit notify log
  ip audit po max-events 100
  no ftp-server write-enable
  interface Ethernet0
  description CRWS Generated text. Please do not delete this:192.168.168.1-255.255.255.0
  ip address 192.168.168.1 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.255.0
  ip nat inside
  no cdp enable
  hold-queue 32 in
  interface Ethernet1
  ip address dhcp client-id Ethernet1
  ip access-group 111 in
  ip nat outside
  ip inspect myfw out
  duplex auto
  no cdp enable
  interface FastEthernet1
  no ip address
  duplex auto
  speed auto
  interface FastEthernet2
  no ip address
  duplex auto
  speed auto
  interface FastEthernet3
  no ip address
  duplex auto
  speed auto
  interface FastEthernet4
  no ip address
  duplex auto
  speed auto
  ip nat inside source list 102 interface Ethernet1 overload
  ip nat inside source static tcp 192.168.168.168 5900 interface Ethernet1 5900
  ip nat inside source static tcp 192.168.168.168 80 interface Ethernet1 80
  ip nat inside source static tcp 192.168.168.168 21 interface Ethernet1 21
  ip classless
  ip http server
  no ip http secure-server
  access-list 23 permit 192.168.168.0 0.0.0.255
  access-list 23 permit 10.10.10.0 0.0.0.255
  access-list 102 permit ip 192.168.168.0 0.0.0.255 any
  access-list 111 permit tcp any any eq ftp
  access-list 111 permit tcp any any eq www
  access-list 111 permit tcp any any eq 5900
  access-list 111 permit icmp any any administratively-prohibited
  access-list 111 permit icmp any any echo
  access-list 111 permit icmp any any echo-reply
  access-list 111 permit icmp any any packet-too-big
  access-list 111 permit icmp any any time-exceeded
  access-list 111 permit icmp any any traceroute
  access-list 111 permit icmp any any unreachable
  access-list 111 permit udp any eq bootps any eq bootpc
  access-list 111 permit udp any eq bootps any eq bootps
  access-list 111 permit udp any eq domain any
  access-list 111 permit esp any any
  access-list 111 permit udp any any eq isakmp
  access-list 111 permit udp any any eq 10000
  access-list 111 permit tcp any any eq 1723
  access-list 111 permit tcp any any eq 139
  access-list 111 permit udp any any eq netbios-ns
  access-list 111 permit udp any any eq netbios-dgm
  access-list 111 permit gre any any
  access-list 111 deny ip any any
  no cdp run
  line con 0
  exec-timeout 120 0
  no modem enable
  stopbits 1
  line aux 0
  line vty 0 4
  access-class 23 in
  exec-timeout 120 0
  login local
  length 0
  scheduler max-task-time 5000
  end

• Seriously lost with a cisco 831 broadband router...

  ok, to make a long story short I got myself way in over my head with something I know nothing about. Additionally, I've been on the internet for approximately 48 hours and I feel I'm missing something. Here is what I need clarification on. Please help me.
  Purchased online: Cisco 831 Broadband Router. I believe the router software has been wiped but not sure.
  I purchased a serial-to-rj45 adapter and was TRYING to follow instructions for connecting to the console port on the router to at least see if I can communicate with this darn thing... I'm having no luck..
  Can someone PLEASE take me, step by step through the process of pin-out configs for a rj-45 cable, the process for connecting an xp pro computer to the console port on this router and the commands to verify that the software is loaded? I'm a hardware man, not a software man and frankly I feel like the information is written in sand script. I would forever be indebted to anyone that would provide a little guidance for a young man that bit off more than he could chew. <- something I've always done, but I've usually been able to figure things out.

  hi
  i feel these links will be of some help to u...
  http://cisco.com/en/US/products/sw/netmgtsw/ps4618/products_installation_and_configuration_guide_chapter09186a00800810ca.html#xtocid1838115
  pinout details..
  http://cisco.com/en/US/products/sw/netmgtsw/ps4618/products_installation_and_configuration_guide_chapter09186a00800810ca.html#xtocid1838115
  after you get onto the box it may prompt for a password if its set already ,try with cisco or else a simple enter which will get u in the box once ur in give show version command and check whether you are getting any proper o/p.
  meanwhile if u dont get any prompt for password and getting into rommon that tells u that ur box doesnt have a valid ios file or due to various other reason it didnt get up on.
  for more info/assistance do a simple search on what u need in cisco.com or else post it out here...
  regds

• Help sending a Magic Packet through to WOL

  I'm trying to set up my Airport Extreme to send a magic packet through. It successfully wakes up my computer if I do it immediately after it goes to sleep, but if I try after its been asleep a few hours it doesn't work.
  I would think it may be a computer issue, but if I WOL over the network without going over the internet I can wake it up no matter how long it's been asleep. This leads me to believe it's an issue with the Airport Extreme "forgetting" my desktop after it's been asleep for a few minutes.
  I've already set it up to port forward correctly, but is there something else I need to do?

  Unfortunately this seems to be the common experience.
  I did read somewhere that 'routers flush out ARP tables' after a period of inactivity meaning, after 5 mins or so-you cant wake up your sleeping computer remotely. I have no idea what that means or how to fix it, have been looking constantly since Snow Leopard came out.
  As you say, can do it from the home network, outside of that-it only works for about 5 mins.

• Cisco 831 VPN

  Hello. I am trying to access my cisco 831 behind another vendor's hardware firewall for VPN services. I have the VPN enabled on the inside interface. I am not using the outside interface at all. I basically want to use this device just for VPN services.
  eg.
  {Internet}-WAN->FIREWALL-> Forward VPN Services->CISCO831(LAN)
  Can I forward ports at the firewall level to allow VPN connections on the cisco device?
  If so, is there a way to relay the DHCP requests to my DHCP server rather than allocate a pool on the VPN device?
  Thanks in advance.

  The DHCP protocol supplies automatic configuration parameters such as an IP address with a subnet mask, default gateway, DNS server address, and WINS address to hosts. Initially, DHCP clients have none of these configuration parameters. They obtain this information by sending a broadcast request for it. When a DHCP server sees this request, the DHCP server supplies the necessary information. Due to the nature of these broadcast requests, the DHCP client and server must be on the same subnet. Layer 3 devices such as routers and firewalls do not typically forward these broadcast requests by default.
  Refer to the following document for more information
  PIX/ASA 7.x as a DHCP Relay Configuration Example
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008075fcfb.shtml

• WPA-Enterprise radius through IPSEC

  Hi
  I have a WRVS4400N and I want to use WPA-Enterprise. The Radius server is accessed through IPSEC VPN. I can connect to the radius server from clients behind the WRVS4400N, but I cannot ping the radius server from the WRVS4400N itself. Is this configuration possible?
  Regards,
  Hein Gustavsen

  It is forgetting the network everytime the iPad sleeps - even when it doesn't require an unlock passwod.

• Cisco 831 --- dot1x critical and MAB Support

  Hi,
  We have 4 Cisco 831 routers that we are trying to configure for wired 802.1x authentication using CSSC (Cisco Secure service client -- free version). I was wondering what version of IOS (on 831 platform) support the dot1x critical as well as Mac-auth bypass features. I checked the release note for 12.4 with no luck...
  I was wondering if anyone was able to get these features working on Cisco 831 platform?
  Thanks in a advance

  802.1x authenticator feature is not supported on cisco 831 broadband routers. Try using cisco 851 router.