Cisco ACE VIP not responding to Pings
I've searched..... I cannot figure out why my VIPs do not ping. I have two vlans that both replay to a ping on the interface IPs. And I'm new at this, thanks in advace.
GKEL2-ACE1/35568059-Axia# show run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging timestamp
logging trap 5
logging host 10.85.242.100 udp/514
login timeout 60
crypto chaingroup walnut-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto chaingroup .dom-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1000
email support
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1001
email support
access-list ANYONE line 10 extended permit ip any any
access-list ANYONE line 20 extended permit icmp any any
access-list All line 1 extended permit ip any any
probe http HTTP1025
port 1025
interval 2
faildetect 2
passdetect interval 2
request method get url /Login.css
open 1
probe icmp PING
interval 2
faildetect 2
passdetect interval 60
probe tcp PROBE-TCP
interval 2
faildetect 2
passdetect interval 10
passdetect count 2
open 1
rserver redirect REDIRECT-HTTPS
webhost-redirection https://%h%p 302
inservice
rserver host WL1
ip address 10.205.70.100
inservice
rserver host WL2
ip address 10.205.70.101
inservice
rserver host WLDev1
ip address 10.205.71.202
inservice
rserver host WLDev2
ip address 10.205.71.203
inservice
rserver host WLTest1
ip address 10.205.71.150
inservice
rserver host WLTest2
ip address 10.205.71.151
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-HTTPS
inservice
serverfarm host WEBLOGIC-7433
predictor leastconns
probe PING
rserver WL1 7433
inservice
rserver WL2 7433
inservice
serverfarm host WEBLOGIC-PROD
predictor leastconns
probe PING
rserver WL1 1025
inservice
rserver WL2 1026
inservice
serverfarm host WEBLOGIC-TEST-SSH
predictor leastconns
rserver WLTest1 22
inservice
rserver WLTest2 22
inservice
sticky http-cookie acecookie STICKY-INSERT-COOKIE
cookie insert
serverfarm WEBLOGIC-PROD
action-list type modify http REWRITE
header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request X-Forwarded-Proto header-value "%pd"
ssl url rewrite location "*.*"
ssl header-insert session Id
ssl-proxy service ssl-client
ssl-proxy service ssl-proxy
key netcracker.cal.dom.key
cert netcracker.cal.dom.cer
chaingroup netcracker.cal.dom-wcrt100
class-map match-any L4VIPCLASS
2 match virtual-address 10.205.70.80 any
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map multi-match L4LSBPOLICY
class L4VIPCLASS
loadbalance policy L7SLBPOLICY
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
service-policy input L4LSBPOLICY
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
access-group input All
access-group output All
nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41 role Admin domain default-domain
username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX. role Admin domain default-domain
I have removed that service policy completely. It was from some knowledgebase article when I was trying to get http redirection working.
There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...
GKEL2-ACE1/35568059-Axia# show service-policy summary
service-policy: LB-VIP
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http 10.205.70.80 tcp eq 80 1,3440 IN-SRVC 0 50773 53
weblogic-https 10.205.70.80 tcp eq 443 1,3440 IN-SRVC 0 7406 112
weblogic-7433 10.205.70.80 tcp eq 7433 1,3440 IN-SRVC 0 145321 30
service-policy: LB-VIP-Dev
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http-dev 10.205.71.90 tcp eq 80 1,3516 IN-SRVC 0 0 0
weblogic-https-dev 10.205.71.90 tcp eq 443 1,3516 IN-SRVC 0 0 0
weblogic-7433-dev 10.205.71.90 tcp eq 7433 1,3516 IN-SRVC 0 0 0
service-policy: LB-VIP-Test
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
SSH_Test 10.205.71.80 tcp eq 22 1,3516 IN-SRVC 0 29 24
weblogic-http-test 10.205.71.80 tcp eq 80 1,3516 IN-SRVC 0 117 40
weblogic-https-test 10.205.71.80 tcp eq 443 1,3516 IN-SRVC 0 161 61
weblogic-7433-test 10.205.71.80 tcp eq 7433 1,3516 IN-SRVC 0 27 11
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-7433-dev
2 match virtual-address 10.205.71.90 tcp eq 7433
class-map match-any weblogic-7433-test
2 match virtual-address 10.205.71.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-http-dev
2 match virtual-address 10.205.71.90 tcp eq www
class-map match-any weblogic-http-test
2 match virtual-address 10.205.71.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
class-map match-any weblogic-https-dev
2 match virtual-address 10.205.71.90 tcp eq https
class-map match-any weblogic-https-test
2 match virtual-address 10.205.71.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-dev-policy
class class-default
serverfarm WEBLOGIC-7433-Dev
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-7433-test-policy
class class-default
serverfarm WEBLOGIC-7433-Test
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-dev-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-test-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-dev-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-DEV
class class-default
serverfarm WEBLOGIC-DEV
action REWRITE
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map type loadbalance first-match weblogic-https-test-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-TEST
class class-default
serverfarm WEBLOGIC-TEST
action REWRITE
ssl-proxy client ssl-proxy-nctest
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Dev
class weblogic-http-dev
loadbalance vip inservice
loadbalance policy weblogic-http-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-dev
loadbalance vip inservice
loadbalance policy weblogic-https-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-7433-dev
loadbalance vip inservice
loadbalance policy weblogic-7433-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-http-test
loadbalance vip inservice
loadbalance policy weblogic-http-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-test
loadbalance vip inservice
loadbalance policy weblogic-https-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
class weblogic-7433-test
loadbalance vip inservice
loadbalance policy weblogic-7433-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
service-policy input LB-VIP-Dev
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
Similar Messages
-
ACE VIP not Responding to Ping and cant Connect
Hello All,
I recently deployed an ACE 4710 Appliance. Configs seems right but clients cant Ping the VIP and acnt also connect to the VIP. Also VIP Dosent show in 'sh arp'.
Pls HELP!!!
See the configs!!
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 10:48:14 =~=~=~=~=~=~=~=~=~=~=~=
sh runGenerating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
hostname STERLING-ACE
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown
interface port-channel 1
switchport trunk allowed vlan 10,200,205,210,215
no shutdown
--More--
access-list INBOUND line 10 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit icmp any any echo
probe http BANK-APP
interval 2
faildetect 2
passdetect interval 2
expect status 200 200
open 1
probe icmp PING
description ***simple ping monitor***
interval 10
passdetect interval 60
passdetect count 2
receive 1
probe tcp TCP80
interval 10
passdetect interval 10
passdetect count 2
--More--
receive 1
open 5
rserver host BANK-APP-SERVER1
description ***GUI SERVER 1***
ip address 172.20.1.50
probe PING
inservice
rserver host BANK-APP-SERVER2
description ***GUI SERVER 2***
ip address 172.20.1.51
probe PING
inservice
rserver host BANK-APP-SERVER3
description ***GUI SERVER 3***
ip address 172.20.1.52
probe PING
inservice
rserver host BANK-APP-SERVER4
description ***GUI SERVER 4***
ip address 172.20.1.53
probe PING
--More--
inservice
rserver host THIN-CLIENT1
description ***CLI SERVER 1***
ip address 172.20.1.34
probe PING
inservice
rserver host THIN-CLIENT2
description ***CLI SERVER 2***
ip address 172.20.1.35
probe PING
inservice
rserver host THIN-CLIENT3
description ***CLI SERVER 3***
ip address 172.20.1.36
probe PING
inservice
rserver host THIN-CLIENT4
description ***CLI SERVER 4***
ip address 172.20.1.37
probe PING
inservice
--More--
serverfarm host CLI-GROUP
predictor leastconns
probe TCP80
rserver THIN-CLIENT1
inservice
rserver THIN-CLIENT2
inservice
rserver THIN-CLIENT3
inservice
rserver THIN-CLIENT4
inservice
serverfarm host GUI-GROUP
predictor leastconns
probe TCP80
rserver BANK-APP-SERVER1
inservice
rserver BANK-APP-SERVER2
inservice
rserver BANK-APP-SERVER3
inservice
rserver BANK-APP-SERVER4
inservice
--More--
parameter-map type connection TCP-PARAM-MAP
set timeout inactivity 360000
class-map type management match-any REMOTEACCESS
description remote access traffic match
2 match protocol ssh any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol xml-https any
6 match protocol http any
7 match protocol https any
class-map match-all TCP-CLASS
description TCP CONNECTION TIMER
2 match any
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
policy-map type management first-match REMOTEPOLICY
--More--
class REMOTEACCESS
permit
policy-map type loadbalance first-match HTTP_LB1
class class-default
serverfarm CLI-GROUP
policy-map type loadbalance first-match HTTP_LB2
class class-default
serverfarm GUI-GROUP
policy-map multi-match HTTP_MULTI_MATCH1
class VS_WEB1
loadbalance vip inservice
loadbalance policy HTTP_LB1
loadbalance vip icmp-reply
policy-map multi-match HTTP_MULTI_MATCH2
class VS_WEB2
loadbalance vip inservice
loadbalance policy HTTP_LB2
loadbalance vip icmp-reply
policy-map multi-match TCPIP-POLICY
class TCP-CLASS
connection advanced-options TCP-PARAM-MAP
service-policy input REMOTEPOLICY
service-policy input TCPIP-POLICY
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
interface vlan 200
description ***THIN CLIENT VLAN****
ip address 172.20.1.33 255.255.255.240
no icmp-guard
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH1
no shutdown
interface vlan 210
description ***BANK APP SERVER VLAN****
ip address 172.20.1.49 255.255.255.240
no icmp-guard
--More--
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH2
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.200
username admin password 5 $1$ouG5.Okh$jwBoWkMiWstoTPwb9K9ku1 role Admin domain
default-domain
username www password 5 $1$M31zwdiF$iY8Y5e9nV2sMM2HxwrQI7/ role Admin domain de
fault-domain
STERLING-ACE/Admin#
Thanks!!Hi Joshua,
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
You have applied
"service-policy input HTTP_MULTI_MATCH1" in VLAN 200 and 210 but as per the config I believe it should be applied to VLAN10.
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
Can you apply the service policy in VLAN 10 and let me know the result. -
ACE VIPs not advertising or visible
Hi,
The VIPs on my ACE configuration are not advertising themselves. They don't show up in the ARP table in the upstream router/firewall.
The VIPs are configured to be "Inservice". I have probes that are successful. I can access the real servers behind the ACE successfully via pings, ssh, http, etc.
Here's part of my config:
policy-map multi-match int204-n2
class SMTP_Inbound_LB
loadbalance vip inservice
loadbalance policy SMTP_Inbound_LB-l7slb
loadbalance vip icmp-reply active
Is there anything else I need to add? The VIPs aren't responding to pings. The VIPs aren't showing up in the arp table of the upstream router/firewall.
I know there used to be a "loadbalance vip advertise" command, but that command is no longer valid or available.
I am running code version A1.8(0) on the ACE 4710 appliance.
I have this ACE also configured as a bridge. Is there something special I need to add to make the VIPs advertise themselves, respond to pings, etc.?
Any help would be appreciated.
Thank you.Hi Gilles,
Yes, the policy is assigned to both VLAN interfaces of the bridge-group.
Yes, all VIPs show INSERVICE when I run the command "show service-policy int204-n2"
None of the VIPs are responding to pings or showing up in arp table of the upstream router/firewall.
The VIPs are part of the local subnet. I can't ping the local interface (BVI interface) of the bridge-group from the upstream firewall/router.
Yes, the ACE has an arp entry for the upstream router/firewall. The upstream firewall is also the ACE's default-gateway for this context.
Thanks,
Herman -
I have been trying to understand some issues in my internet connections.
If I do a traceroute to say, netflix.com I and get this rather long response:
The 10.0.1.1 is my airport and I can ping it successfully.
the 10.126.20.1 appears to be in my router, based on the IP, but it does not respond to a ping (timeout).
and
209.148.243.165 appears to be owned by Rogers cable, but also does not respond to a ping. The remainder seem more or less reasonable.
Can someone tell my if there is a reason the two above IP's do not respond to ping? Does this imply something is wrong in my part of the network?
I am a TSI customer who uses the common carrier services of Rogers Cable and I have been told my modem is faulty even though internet access, not withstanding the above questions, works well.
The modem is a Thomson DCM476. I am able to ping its IP, however the tracerout does not include the above IP's
Can someone please lead me in the right direction?
Thanks
Barry
traceroute to netflix.com (69.53.236.17), 64 hops max, 52 byte packets
1 10.0.1.1 (10.0.1.1) 1.262 ms 0.989 ms 0.701 ms
2 10.126.20.1 (10.126.20.1) 8.294 ms 7.886 ms 7.900 ms
3 209.148.243.165 (209.148.243.165) 10.543 ms 10.265 ms 11.780 ms
4 69.63.249.77 (69.63.249.77) 10.911 ms 11.223 ms 7.890 ms
5 ae0_2140-bdr04-tor.teksavvy.com (69.196.136.132) 9.884 ms
ae0_2110-bdr04-tor.teksavvy.com (69.196.136.36) 20.773 ms 10.787 ms
6 ix-0-0-2-0.tcore1.tnk-toronto.as6453.net (64.86.33.21) 10.533 ms 9.450 ms 10.983 ms
7 if-5-0-0-5.core4.tnk-toronto.as6453.net (63.243.172.25) 65.523 ms
if-0-0-0-4.core4.tnk-toronto.as6453.net (63.243.172.29) 12.200 ms 11.180 ms
8 if-0-1-2-0.tcore1.ct8-chicago.as6453.net (63.243.172.38) 25.885 ms 25.107 ms 25.536 ms
9 p5-1.ir1.chicago2-il.us.xo.net (206.111.2.33) 22.295 ms 23.455 ms 22.144 ms
10 207.88.14.193.ptr.us.xo.net (207.88.14.193) 82.020 ms 78.378 ms 79.484 ms
11 te-4-1-0.rar3.denver-co.us.xo.net (207.88.12.22) 80.880 ms 79.218 ms 79.740 ms
12 te-3-0-0.rar3.sanjose-ca.us.xo.net (207.88.12.58) 78.672 ms 78.702 ms 76.650 ms
13 ae0.cir1.sanjose2-ca.us.xo.net (207.88.13.73) 76.016 ms 76.863 ms 77.983 ms
14 216.156.85.46.ptr.us.xo.net (216.156.85.46) 77.971 ms 76.340 ms 95.172 ms
15 xe-2-2-0-954.jnrt-edge01.prod1.netflix.com (69.53.225.26) 76.076 ms 87.621 ms 76.976 ms
16 te1-8.csrt-agg01.prod1.netflix.com (69.53.225.6) 77.602 ms 77.353 ms 79.168 ms
17 netflixinc.com (69.53.236.17) 77.611 ms 77.480 ms 76.792 msOne additional test is to use the 'whois' command in Terminal to gather additional information on each of the IP addresses that you get from using traceroute.
My guess at the 10.126.20.1 address is that this is indeed the IP address of your router on the WAN side ... and, as you surmised, it is being provided to your router by your ISP via the Thomsom modem. This looks like a case where the ISP has assigned you a "Public" IP address on their private network. That is, your router does NOT have a Public WAN IP address. This usually is not an issue unless you needed to run servers on your local network that required access from the Internet.
If you are sure that Rogers is supposed to provide you with a public WAN IP address, then either they are not or the modem is faulty as they have indicated.
The second IP address, in question, 209.148.243.165, is indeed, assigned to Rogers Cable. This may be one of their DNS servers for further routing of your traceroute command request.
BTW. It is NOT unusual for owners of networking devices on the Internet to block ping requests. -
VIP is not responding When pinging from ace
hey i have a very strange type of error. everything was working fine untill it just stopped. i have two vips both were mounted and working fine and then one of the vip just stopped working you can ping and get reply from my pc but not from ace. they are connected directly with nexus 5k and was working fine. now you can have reply from for other vips and servers and all other thing but not that single vip. when you ping it on nexus you get DUP; Packets which is not understood by me there is all commands like no ip redirects are been given but i dont know wats rong.
can some1 have any idea and help ?Hi Usman,
Not sure about DUP packets that you see on nexus but from ACE's perspective we need to see what is wrong and for that i would need to look at your configuration and other outputs. Do you see that your client's request is reaching the ACE VIP ? You can check using "show conn address " and see if you see a corresponding backend connection or not. Do you see any handshake failures or any other counters increasing under "show stats crypto server" command? We need to have more information for us to look at to tell you what is going on at least from ACE's viewpoint.
Regards,
Kanwal -
ACE VIP not accessible from client
i have clint vlan configured with vlan 30
and servers vlan with vlan 100..
i have 2 real servers in server vlan 172.16.100.20 and 172.16.100.30
ACE VIP is active and serverfarm is OPERATIONAL
from client and Serve i am able to ping to VIP.
but when i try to browse http://VIP from client its not working.
could any one help me to identify the issue why i am not abl to access http://VIP or https://VIP from cientHi ssivanan,
I need more information to asnwer for your question. Can you pls put your configuration ?
Here are some points I like to check.
+ Are you able to browse the contents locally, specifying own ip address on the one of servers ?
+ Do those servers have a route to vlan 30 ?
+ How does the browsing not working ? Can you elaborate ?
+ What do you see in "show conn" when it fails ?
Great documents on CCO. Worth checking.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_Troubleshooting_Connectivity
- Kim -
Vlan interface will not respond to ping
cisco 2651xm router
IOS: c2600-ipbasek9-mz.124-9.T1.bin
I have two vlans configured on this router as follows:
interface Vlan1
ip address 172.16.1.30 255.255.0.0
ip nat inside
interface Vlan2
ip address 192.168.0.1 255.255.255.0
ip nat inside
from a pc on 172.16.1.x I can ping 172.16.1.30 and get a response.
But from a pc on 192.168.0.x if i ping 192.168.0.1 I get failure, and I've tried this on more than one pc. The 192.168.0.1 vlan will not respond. This is baffling and I can't work out why. Thanks if anyone can help.thanks for your response:
#show run
Building configuration...
Current configuration : 7859 bytes
! Last configuration change at 16:56:37 gmt Tue Mar 3 2015
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
hostname ipbase
boot-start-marker
boot system flash c2600-ipbasek9-mz.124-17.bin
boot-end-marker
no logging buffered
no logging console
enable secret 5 <secret>
enable password <password>
no aaa new-model
resource policy
clock timezone gmt 0
clock summer-time gmt date Mar 30 2011 0:00 Sep 30 2011 0:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
ip name-server 156.154.70.22
ip name-server 156.154.71.22
archive
log config
hidekeys
interface ATM0/0
mtu 1478
no ip address
ip tcp adjust-mss 1452
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
clock rate aal5 7000000
hold-queue 224 in
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0/0.1 point-to-point
ip tcp adjust-mss 1452
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface FastEthernet1/0
interface FastEthernet1/1
interface FastEthernet1/2e
interface FastEthernet1/3
interface FastEthernet1/4
interface FastEthernet1/5
interface FastEthernet1/6
interface FastEthernet1/7
interface FastEthernet1/8
interface FastEthernet1/9
interface FastEthernet1/10
interface FastEthernet1/11
interface FastEthernet1/12
description cable to 192.168.0.0
switchport access vlan 2
interface FastEthernet1/13
description cable to 192.168.0.0
switchport access vlan 2
interface FastEthernet1/14
interface FastEthernet1/15
interface Vlan1
ip address 172.16.1.30 255.255.0.0
ip nat inside
interface Vlan2
ip address 192.168.0.1 255.255.255.0
ip nat inside
interface Dialer0
bandwidth 6144
ip address negotiated previous
no ip redirects
no ip proxy-arp
ip nbar protocol-discovery
ip flow egress
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <username>
ppp chap password 0 <password>
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.8.0.0 255.255.255.0 172.16.1.43
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 172.16.1.54 1194 interface Dialer0 1194
ip nat inside source static tcp 172.16.1.54 80 interface Dialer0 80
ip nat inside source static tcp 172.16.1.57 1937 interface Dialer0 1937
ip nat inside source static tcp 172.16.1.56 1936 interface Dialer0 1936
ip nat inside source static tcp 172.16.1.58 1938 interface Dialer0 1938
ip nat inside source static udp 172.16.1.43 514 interface Dialer0 514
ip nat inside source static udp 172.16.1.43 5060 interface Dialer0 5060
ip nat inside source static udp 172.16.1.43 10050 interface Dialer0 10050
ip nat inside source static udp 172.16.1.43 10049 interface Dialer0 10049
ip nat inside source static udp 172.16.1.43 10048 interface Dialer0 10048
ip nat inside source static udp 172.16.1.43 10047 interface Dialer0 10047
ip nat inside source static udp 172.16.1.43 10046 interface Dialer0 10046
ip nat inside source static udp 172.16.1.43 10045 interface Dialer0 10045
ip nat inside source static udp 172.16.1.43 10044 interface Dialer0 10044
ip nat inside source static udp 172.16.1.43 10043 interface Dialer0 10043
ip nat inside source static udp 172.16.1.43 10042 interface Dialer0 10042
ip nat inside source static udp 172.16.1.43 10041 interface Dialer0 10041
ip nat inside source static udp 172.16.1.43 10040 interface Dialer0 10040
ip nat inside source static udp 172.16.1.43 10039 interface Dialer0 10039
ip nat inside source static udp 172.16.1.43 10038 interface Dialer0 10038
ip nat inside source static udp 172.16.1.43 10037 interface Dialer0 10037
ip nat inside source static udp 172.16.1.43 10036 interface Dialer0 10036
ip nat inside source static udp 172.16.1.43 10035 interface Dialer0 10035
ip nat inside source static udp 172.16.1.43 10034 interface Dialer0 10034
ip nat inside source static udp 172.16.1.43 10033 interface Dialer0 10033
ip nat inside source static udp 172.16.1.43 10032 interface Dialer0 10032
ip nat inside source static udp 172.16.1.43 10031 interface Dialer0 10031
ip nat inside source static udp 172.16.1.43 10030 interface Dialer0 10030
ip nat inside source static udp 172.16.1.43 10029 interface Dialer0 10029
ip nat inside source static udp 172.16.1.43 10028 interface Dialer0 10028
ip nat inside source static udp 172.16.1.43 10027 interface Dialer0 10027
ip nat inside source static udp 172.16.1.43 10026 interface Dialer0 10026
ip nat inside source static udp 172.16.1.43 10025 interface Dialer0 10025
ip nat inside source static udp 172.16.1.43 10024 interface Dialer0 10024
ip nat inside source static udp 172.16.1.43 10023 interface Dialer0 10023
ip nat inside source static udp 172.16.1.43 10022 interface Dialer0 10022
ip nat inside source static udp 172.16.1.43 10021 interface Dialer0 10021
ip nat inside source static udp 172.16.1.43 10020 interface Dialer0 10020
ip nat inside source static udp 172.16.1.43 10019 interface Dialer0 10019
ip nat inside source static udp 172.16.1.43 10018 interface Dialer0 10018
ip nat inside source static udp 172.16.1.43 10017 interface Dialer0 10017
ip nat inside source static udp 172.16.1.43 10016 interface Dialer0 10016
ip nat inside source static udp 172.16.1.43 10015 interface Dialer0 10015
ip nat inside source static udp 172.16.1.43 10014 interface Dialer0 10014
ip nat inside source static udp 172.16.1.43 10013 interface Dialer0 10013
ip nat inside source static udp 172.16.1.43 10012 interface Dialer0 10012
ip nat inside source static udp 172.16.1.43 10011 interface Dialer0 10011
ip nat inside source static udp 172.16.1.43 10010 interface Dialer0 10010
ip nat inside source static udp 172.16.1.43 10009 interface Dialer0 10009
ip nat inside source static udp 172.16.1.43 10008 interface Dialer0 10008
ip nat inside source static udp 172.16.1.43 10007 interface Dialer0 10007
ip nat inside source static udp 172.16.1.43 10006 interface Dialer0 10006
ip nat inside source static udp 172.16.1.43 10005 interface Dialer0 10005
ip nat inside source static udp 172.16.1.43 10004 interface Dialer0 10004
ip nat inside source static udp 172.16.1.43 10003 interface Dialer0 10003
ip nat inside source static udp 172.16.1.43 10002 interface Dialer0 10002
ip nat inside source static udp 172.16.1.43 10001 interface Dialer0 10001
ip nat inside source static udp 172.16.1.43 10000 interface Dialer0 10000
ip nat inside source static tcp 172.16.1.43 25 interface Dialer0 25
ip nat inside source static tcp 172.16.1.250 1935 interface Dialer0 1935
logging trap debugging
logging facility local6
logging 172.16.1.43
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 10 permit 172.16.1.43
access-list 10 permit 172.16.1.13
access-list 10 deny any
dialer-list 1 protocol ip permit
snmp-server community public RO 10
control-plane
bridge 1 protocol ieee
line con 0
line aux 0
line vty 0 4
access-class 2 in
password <password>
login
ntp authenticate
ntp clock-period 17208300
ntp source Dialer0
ntp server 129.215.160.240
ntp server 78.129.239.26
ntp server 143.210.16.201
ntp server 82.219.4.31
end -
ACS Appliance does not respond to ping
We have installed an ACS server 3.3. We are able to HTTP to it, and have it ping other devices on the network.
BUT we wish to monitor the device for availability and are using a management program that uses ping's to determine device status. This does not work against the ACS.
Is there a problem with ACS or how can we get it to reply to pings.I believe the recent versions of the ACS have the Cisco CSA agent enabled which denies ping requests. You can turn it off but I can't remember exactly how.
-
Hi,
We have to ACE 4710 device in our network and we have facing device hung issue in our Primary ACE. We are not able to get management access or direct console access to the device when the issue is happened and also we are not able to reach the vlan interface IP or/VIP. Please find the below output we got through monitor that we are connected to the ACE.
Booting localboot(c4710ace-t1k9-mz.A5_1_2.bin)
kernel=(hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin ro root=LABEL=/ auto console=ttyS0,9
600n8 quiet bigphysarea=32768
[Linux-bzImage,setup=0x1400,size=0xe75a16c]
Uncompressing linux Ok, booting the kernal.
Issue is resolved after we manually rebooted the ACE. We have collected the sh tech after the reboot.
Software version : A5 1.2
Kindly suggest what may cause this issue.
Thanks in Adavance.
Regards,
RanjithHi,
We have collected the console logs while we done the reboot. Please find the below output.
------------------------------------------------ Boot log -----------------------------------------------------------------------------
ÐS ÀS AMIBIOS(C)2005 American Megatrends, Inc. BIOS Date: 08/25/09 09:37:25 Ver: 08.00.11 CPU : Intel(R) Pentium(R) 4 CPU 3.40GHz Speed : 3.40 GHz Broadcom NetXtreme Ethernet Boot Agent v8.1.53 Copyright (C) 2000-2005 Broadcom Corporation All rights reserved. Press Ctrl-S to Enter Configuration Menu ... Broadcom NetXtreme Ethernet Boot Agent v8.1.53 AMIBIOS(C)2005 American Megatrends, Inc. BIOS Date: 08/25/09 09:37:25 Ver: 08.00.11 CPU : Intel(R) Pentium(R) 4 CPU 3.40GHz Speed : 3.40 GHz Press F2 to run Setup Press F12 for BBS POPUP DDR2 Frequency:667 MHz, ECC Support in Dual-Channel Interleaved Mode Initializing USB Controllers .. Done. 6144MB OK USB Device(s): 1 Keyboard Auto-Detecting Pri Slave...IDE Hard Disk Pri Slave : 1GB CompactFlash Card CF B612J GRUB Loading stage2........ GNU GRUB version 0.95.1 (639K lower / 3144640K upper memory) *************************************************************************** * localboot(ACE_APPLIANCE_RECOVERY_IMAGE.bin) * * localboot(c4710ace-t1k9-mz.A5_1_2.bin) * * localboot(c4710ace-t1k9-mz.A4_2_0.bin) * * * * * * * * * * * * * * * * * * * *************************************************************************** Use the * and * keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting, or 'c' for a command-line. The highlighted entry will be booted automatically in 1 seconds. kernel=(hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin ro root=LABEL=/ auto console=ttyS0,9 600n8 quiet bigphysarea=32768 [Linux-bzImage, setup=0x1400, size=0xe75a16c] INIT: version 2.85 booting
b4 lspci
1 Cavium device(s) found.
Bringing up NP 0
Downloading U-Boot to NP card 0
Downloading DP image to NP card 0
Starting DP image on NP card on all cores
DP image started on NP card
Setting up dynamic memory size
Initializing Shared Memory
INIT: Entering runlevel: 3
Testing PCI path for Octeon(0)....
This may take some time, Please wait ....
PCI test loop , count 0
PCI path is ready
Starting services...
Waiting for 3 seconds to enter setup mode...
Certificate & key are up to date
Installing MySQL
groupadd: group nobody exists
useradd: user nobody exists
MySQL Installed
Installing JRE
JRE Installed
Starting sysmgr processes.. Please wait...Done!!!
IDC4-INTR-ACE-01 login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
We have not found any error related to flash while booting ACE.
Regards,
Ranjith -
Vip not responding on a specific port
Configured a vip to LB between 2 servers ,and also specified to balance urls ,and it is absolutely working on port 11090 ,and this all http traffic
http://10.12.12.34:11090 ( this vip is working)
serverfarm host vip-1
probe PROBE_TCP_11090
rserver s0adcmmapps1
inservice
rserver s0adcmmapps2
inservice
sticky ip-netmask 255.255.255.255 address source vip-1_STICKY
timeout 30
replicate sticky
serverfarm vip-1
class-map match-all vip-1_CLASS
2 match virtual-address 10.12.12.34 tcp any
class-map type http loadbalance match-any vip_CLASSURL
2 match http url /jmx-console/*
3 match http url /web-console/*
4 match http url /mediamanager/*
5 match http url /teams/*
6 match http url /teamswebservices/*
7 match http url /artesia-ws/*
8 match http url /artesia/*
9 match http url /brs/*
10 match http url /content/*
11 match http url /OTMedia/*
12 match http url .*
13 match http url /mediamanager
14 match http url /teams
policy-map type loadbalance first-match vip-1_POLICY
class vip_CLASSURL
sticky-serverfarm vip-1_STICKY
policy-map multimatch POLICY
class vip-1_CLASS
loadbalance vip inservice
loadbalance policy vip-1_POLICY
loadbalance vip icmp-reply active
nat dynamic 2 vlan 2
appl-parameter http advanced-options CASE_PARAM
interface vlan 2
ip address 10.12.13.217 255.255.252.0
peer ip address 10.12.13.216 255.255.252.0
mtu 1500
no normalization
no icmp-guard
access-group input ALL
nat-pool 2 10.12.12.34 10.12.12.34 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input POLICY
no shutdown
The same servers ,but this need work on port 11443 and its all https traffic,this past is not working
serverfarm host vip-https,
probe PROBE_TCP_11443
rserver s0adcmmapps1
inservice
rserver s0adcmmapps2
inservice
sticky ip-netmask 255.255.255.255 address source vip-https_STICKY
timeout 30
replicate sticky
serverfarm vip-https
class-map match-all vip-https_CLASS
2 match virtual-address 10.12.12.34 tcp eq 11443
policy-map type loadbalance first-match vip-https_POLICY
class class-default
sticky-serverfarm vip-https_STICKY
policy-map multimatch POLICY
class vip-https_CLASS
loadbalance vip inservice
loadbalance policy vip-https_POLICY
loadbalance vip icmp-reply active
nat dynamic 2 vlan 2
interface vlan 2
ip address 10.12.13.217 255.255.252.0
peer ip address 10.12.13.216 255.255.252.0
mtu 1500
no normalization
no icmp-guard
access-group input ALL
nat-pool 2 10.12.12.34 10.12.12.34 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input POLICY
no shutdown
Thi is not working as application team is trying to access https://10.12.12.34:11443 ,this not working
when they bypass the vip and access the servers directly https://10.12.12.160:11443 its working fine.Please advise on thisHi,
you can start with checking the status of serverfarm "vip-https" and also check the position of class map "vip-https_CLASS" in polic map "POLICY". Ideally it should be before the class map "vip_1-CLASS" as the later one is hitting port any, and earlier one is designated for TCP port 11443. So if position of class map matching VIP any is above the "VIP 11443", you will never get HIT on this VIP.
hope you got my point... -
Cisco Aironet 2600 not responding after changing static IP using web GUI
Hey guys, I am hoping someone can point me in the right direction with this problem I am having. Over the weekend I changed the IP address of one of our remote Access points so that it would be in the correct VLAN for the building it is in. There are already 2 other AP's in that office and so I changed the IP/Default Gateway of our newly installed AP to match. As soon as I did this, I lost connection with the AP. I can no longer ping the AP or connect to its web interface. I am able to view the AP when I do a #Show cdp neighbors detail. I can see that it has the correct IP address. But when I do a #show arp, I do not see the AP. When I do a #Show mac address-table, I can see the AP and it's MAC address as well. Does anyone know what I may have done wrong/still need to do in order to get this AP back up and running? I am unable to...
This topic first appeared in the Spiceworks Communityif the printer is shown under print in Airport Utility then select the update button.
-
ACE: VIP Out of service, Still accepts TCP connections
Hi Guys. I am looking at a issue with an ACE. SW is 3.0(0)A3(2.6)
We have a setup where most of it appears fine. It detect the loss of rservers, probes fail, the VIP stops responding to Pings, but it still accept TCP connections, even though there is nothing behind to accept them.
The question is, is this correct behaviour? and if so is there any reference I can look at to confirm?
While this behaviour is inconvenient for us. I can see why it may actually be correct.
Thanks,
Paul.Hello Paul,
This is expected behaviour for L7 LB connections:
The 'down' VIP will reply to SYN requests, but will then send a RST packet.
This is because the ACE doesn't know what to do with the L7 connection until it has been build up. Only when the L7 connection is 'open' we notice that all the vserver which could serve this request are down.
So it is correct and expected, but not exactly desired. It's just a side effect of the design. So far I do not known of any plans to change this behaviour. However similar limitations have been addressed in the past, like: CSCsq17137.
Hope this helps, Peter -
ACE 4710 VIP not pingable even with "always" selected.
Hello, I have a somewhat complicated setup in order to allow one particular VIP to answer for the same serverfarm on two different ports (this was a previous question here.) Here is the scrubbed config below. The setup works, but the issue is that the VIP does not reply to pings. We use both the servers and the vip for monitoring internally. It is still operational on the ports it is balancing, but no setting for ping seems to work (Active, Primary, or Always.) What am I doing wrong here? The other sites I use stickys with respond for their VIPs. I'm assuming this one does not due to the more complicated policy map.
probe http HTML-Site-Up_200
description This probe is to verify HTTP operation via site-up.html check
port 80
interval 5
faildetect 2
passdetect interval 10
request method get url /site-up.html
expect status 200 200
open 2
probe icmp ICMP-Ping
interval 5
faildetect 2
passdetect interval 10
probe tcp RAW-TCP-81
port 81
interval 10
faildetect 2
passdetect interval 20
connection term forced
open 1
rserver host psc-us-EQUIPprd1
description EQUIP Prod, server 1
ip address 10.1.1.84
inservice
rserver host psc-us-EQUIPprd2
description EQUIP Prod, server 2
ip address 10.1.1.85
inservice
serverfarm host EQUIPPROD
description EQUIP Prod Server Pool
predictor leastconns
probe HTML-Site-Up_200
probe ICMP-Ping
probe RAW-TCP-81
rserver psc-us-EQUIPprd1
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
serverfarm host EQUIPPROD-CUSTOMER-81
description EQUIP Customer Site Server Pool, port 81
predictor leastconns
probe RAW-TCP-81
rserver psc-us-EQUIPprd1 81
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2 81
probe RAW-TCP-81
inservice
sticky ip-netmask 255.255.255.255 address source Sticky_EQUIPPROD
timeout 180
replicate sticky
serverfarm EQUIPPROD
class-map type http loadbalance match-all EQUIP_81_Redirect
2 match http header Host header-value ".*equiponline.com"
class-map type http loadbalance match-all EQUIP_81_Redirect_Full
2 match http header Host header-value ".*www.equiponline.com"
class-map match-all VIP-EQUIPPROD
2 match virtual-address 10.1.1.97 any
policy-map type loadbalance first-match VIP-EQUIPPROD-l7slb
class EQUIP_81_Redirect
serverfarm EQUIPPROD-CUSTOMER-81
class EQUIP_81_Redirect_Full
serverfarm EQUIPPROD-CUSTOMER-81
class class-default
sticky-serverfarm Sticky_EQUIPPROD
policy-map multi-match global
class VIP-EQUIPPROD
loadbalance vip inservice
loadbalance policy VIP-EQUIPPROD-l7slb
loadbalance vip icmp-reply
nat dynamic 13 vlan 1000
interface vlan 1000
nat-pool 13 10.1.1.97 10.1.1.97 netmask 255.255.255.0 patOutput from that class from the show service-policy command. And no, it doesn't appear to be pingable from the ACE.
class: VIP-EQUIPPROD
nat:
nat dynamic 13 vlan 1000
curr conns : 361 , hit count : 116690
dropped conns : 5
client pkt count : 4815293 , client byte count: 739114009
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.1.1.97 any
loadbalance:
L7 loadbalance policy: VIP-EQUIPPROD-l7slb
Regex dnld status : SUCCESSFUL
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 392 , hit count : 134300
dropped conns : 431
client pkt count : 4869950 , client byte count: 741545220
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-EQUIPPROD-l7slb
class/match : EQUIP_81_Redirect
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 12602
dropped conns : 0
compression : off
class/match : EQUIP_81_Redirect_Full
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
class/match : class-default
LB action: :
sticky group: Sticky_EQUIPPROD
primary serverfarm: EQUIPPROD
state:UP
backup serverfarm : -
hit count : 107831
dropped conns : 5
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
pscaceinside01/Prod# ping 10.1.1.97
Pinging 10.51.221.97 with timeout = 2, count = 5, size = 100 ....
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
For what it's worth, none of my VIP's are pingable from the ACE. I think that has to do with me being in one-arm configuration, and using the NAT addresses per VIP. But all other VIPs are pingable from other sources on the subnet. With the exception of this VIP. -
S2S between Cisco ASA 5505 and Sonicwall TZ-170 but not able to ping across
Hi,
I am helping out a friend of mine with his Site-to-Site VPN between his companies Cisco ASA another company's SonicWall TZ-170. I have checked the screenshots proivded by the other end and tried to match with ours. The Tunnel shows but we are not able to Ping resources on the other end. The other side insists that the problem is on our end but I am not sure where the issue resides. Please take a look at our config and let me know if there is anything that I have missed. I am pretty sure I didn't but extra eyes may be of need here.
Our LAN is 10.200.x.x /16 and theirs is 192.168.9.0 /24
ASA Version 8.2(2)
terminal width 300
hostname company-asa
domain-name Company.com
no names
name 10.1.0.0 sacramento-network
name 10.3.0.0 irvine-network
name 10.2.0.0 portland-network
name x.x.x.x MailLive
name 192.168.9.0 revit-vpn-remote-subnet
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.128
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.200.200.1 255.255.0.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.22.22.1 255.255.255.0
interface Ethernet0/3
description Internal Wireless
shutdown
nameif Wireless
security-level 100
ip address 10.201.201.1 255.255.255.0
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network local_net_group
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.200.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.4.0.0 255.255.0.0
network-object 10.5.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
network-object 192.168.200.0 255.255.255.0
object-group network NACIO123
network-object 1.1.1.1 255.255.255.224
object-group service MAIL_HTTPS_BORDERWARE tcp
port-object eq smtp
port-object eq https
port-object eq 10101
object-group service SYSLOG_SNMP_NETFLOW udp
port-object eq syslog
port-object eq snmp
port-object eq 2055
object-group service HTTP_HTTPS tcp
port-object eq www
port-object eq https
object-group network OUTSIDECO_SERVERS
network-object host x.x.x.34
network-object host x.x.x.201
network-object host x.x.x.63
object-group network NO-LOG
network-object host 10.200.200.13
network-object host 10.200.200.25
network-object host 10.200.200.32
object-group service iPhoneSync-Services-TCP tcp
port-object eq 993
port-object eq 990
port-object eq 998
port-object eq 5678
port-object eq 5721
port-object eq 26675
object-group service termserv tcp
description terminal services
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DTI tcp
description DCS CONTROL PROTOCOL
port-object eq 3333
object-group service H.245 tcp
description h.245 signaling
port-object range 1024 4999
object-group service RAS udp
port-object eq 1719
port-object range 1718 1720
object-group service XML tcp
port-object range 3336 3341
object-group service mpi tcp
port-object eq 2010
object-group service mvp_control tcp
port-object eq 2946
object-group service rpc tcp-udp
port-object eq 1809
object-group service tcp8080 tcp
port-object eq 8080
object-group service tcp8011 tcp
port-object eq 8011
object-group service rtp_rtcp_udp udp
port-object range 1024 65535
object-group service ecs_xml tcp-udp
port-object eq 3271
object-group service rtp20000 udp
description 10000-65535
port-object range 20000 25000
port-object range 10000 65535
object-group service tcp5222 tcp
port-object range 5222 5269
object-group service tcp7070 tcp
port-object eq 7070
object-group network videoco
network-object host x.x.x.144
network-object host x.x.x.145
object-group service video tcp
port-object range 1718 h323
object-group service XML2 tcp-udp
port-object range 3336 3345
object-group service tcp_tls tcp
port-object eq 5061
object-group service Autodesk tcp
port-object eq 2080
port-object range 27000 27009
access-list outside_policy remark ====== Begin Mail From Postini Network ======
access-list outside_policy extended permit tcp x.x.x.x 255.255.240.0 host x.x.x.x eq smtp
access-list outside_policy extended permit tcp x.x.x.x 255.255.255.240 host x.x.x.x eq smtp
access-list outside_policy extended permit tcp x.x.x.0 255.255.240.0 host x.x.x.x eq smtp
access-list outside_policy remark ****** End Mail From Postini Network ******
access-list outside_policy remark ====== Begin Inbound Web Mail Access ======
access-list outside_policy extended permit tcp any host x.x.x.x object-group HTTP_HTTPS
access-list outside_policy remark ****** End Inbound Web Mail Access ******
access-list outside_policy remark ====== Begin iPhone Sync Rules to Mail Server ======
access-list outside_policy extended permit tcp any host x.x.x.x object-group iPhoneSync-Services-TCP
access-list outside_policy remark ****** End iPhone Sync Rules to Mail Server ******
access-list outside_policy remark ====== Begin MARS Monitoring ======
access-list outside_policy extended permit udp x.x.x.x 255.255.255.128 host x.x.x.x object-group SYSLOG_SNMP_NETFLOW
access-list outside_policy extended permit icmp x.x.x.x 255.255.255.128 host x.x.x.x
access-list outside_policy remark ****** End MARS Monitoring ******
access-list outside_policy extended permit tcp object-group NACIO123 host x.x.x.141 eq ssh
access-list outside_policy extended permit tcp any host x.x.x.x eq www
access-list outside_policy extended permit tcp any host x.x.x.x eq https
access-list outside_policy extended permit tcp any host x.x.x.x eq h323
access-list outside_policy extended permit tcp any host x.x.x.x range 60000 60001
access-list outside_policy extended permit udp any host x.x.x.x range 60000 60007
access-list outside_policy remark radvision 5110 port 80 both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq www
access-list outside_policy remark radvision
access-list outside_policy extended permit tcp any object-group videoco object-group termserv
access-list outside_policy remark radvision 5110 port21 out
access-list outside_policy extended permit tcp any object-group videoco eq ftp
access-list outside_policy remark rad5110 port22 both
access-list outside_policy extended permit tcp any object-group videoco eq ssh
access-list outside_policy remark rad 5110 port161 udp both
access-list outside_policy extended permit udp any object-group videoco eq snmp
access-list outside_policy remark rad5110 port443 both
access-list outside_policy extended permit tcp any object-group videoco eq https
access-list outside_policy remark rad5110 port 1024-4999 both
access-list outside_policy extended permit tcp any object-group videoco object-group H.245
access-list outside_policy remark rad5110 port 1719 udp both
access-list outside_policy extended permit udp any object-group videoco object-group RAS
access-list outside_policy remark rad5110 port 1720 both
access-list outside_policy extended permit tcp any any eq h323
access-list outside_policy remark RAD 5110 port 3333 tcp both
access-list outside_policy extended permit tcp any object-group videoco object-group DTI
access-list outside_policy remark rad5110 port 3336-3341 both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group XML2
access-list outside_policy remark port 5060 tcp/udp
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq sip
access-list outside_policy remark rad 5110port 1809 rpc both
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group rpc
access-list outside_policy remark rad 5110 port 2010 both
access-list outside_policy extended permit tcp any object-group videoco object-group mpi
access-list outside_policy remark rad 5110 port 2946 both
access-list outside_policy extended permit tcp any object-group videoco object-group mvp_control
access-list outside_policy extended permit tcp any object-group videoco object-group tcp8080
access-list outside_policy extended permit tcp any object-group videoco object-group tcp8011
access-list outside_policy remark 1024-65535
access-list outside_policy extended permit udp any object-group videoco object-group rtp_rtcp_udp
access-list outside_policy extended permit object-group TCPUDP any object-group videoco object-group ecs_xml
access-list outside_policy extended permit udp any object-group videoco object-group rtp20000
access-list outside_policy extended permit tcp any object-group videoco eq telnet
access-list outside_policy remark port 53 dns
access-list outside_policy extended permit object-group TCPUDP any object-group videoco eq domain
access-list outside_policy remark 7070
access-list outside_policy extended permit tcp any object-group videoco object-group tcp7070
access-list outside_policy remark 5222-5269 tcp
access-list outside_policy extended permit tcp any object-group videoco range 5222 5269
access-list outside_policy extended permit tcp any object-group videoco object-group video
access-list outside_policy extended permit tcp any object-group videoco object-group tcp_tls
access-list outside_policy remark ====== Begin Autodesk Activation access ======
access-list outside_policy extended permit tcp any any object-group Autodesk
access-list outside_policy remark ****** End Autodesk Activation access ******
access-list outside_policy extended permit tcp x.x.x.x 255.255.255.248 host x.x.x.x eq smtp
access-list outside_policy remark ****** End Autodesk Activation access ******
access-list inside_policy extended deny tcp host 10.200.200.25 10.1.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.3.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.2.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.4.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny tcp host 10.200.200.25 10.5.0.0 255.255.0.0 eq 2967 log disable
access-list inside_policy extended deny udp object-group NO-LOG any eq 2967 log disable
access-list inside_policy extended deny tcp object-group NO-LOG any eq 2967 log disable
access-list inside_policy remark ====== Begin Outbound Mail Server Rules ======
access-list inside_policy extended permit udp host 10.200.200.222 any eq 5679
access-list inside_policy extended permit tcp host 10.200.200.222 any eq smtp
access-list inside_policy remark ****** End Outbound Mail Server Rules ******
access-list inside_policy extended permit ip object-group local_net_group any
access-list inside_policy extended permit icmp object-group local_net_group any
access-list OUTSIDECO_VPN extended permit ip host x.x.x.x object-group OUTSIDECO_SERVERS
access-list company-split-tunnel standard permit 10.1.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.2.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.3.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.4.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.200.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.5.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.6.0.0 255.255.0.0
access-list company-split-tunnel standard permit 10.7.0.0 255.255.0.0
access-list company-split-tunnel standard permit 172.22.22.0 255.255.255.0
access-list company-split-tunnel remark Video
access-list company-split-tunnel standard permit 192.168.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.1.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.2.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.3.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.200.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.4.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.5.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.6.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 10.7.0.0 255.255.0.0
access-list SSL_SPLIT standard permit 172.22.22.0 255.255.255.0
access-list SSL_SPLIT remark Video
access-list SSL_SPLIT standard permit 192.168.0.0 255.255.0.0
access-list NONAT_SSL extended permit ip object-group local_net_group 172.20.20.0 255.255.255.0
access-list NONAT_SSL extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
access-list tom extended permit tcp host x.x.x.x any eq smtp
access-list tom extended permit tcp host 10.200.200.222 any eq smtp
access-list tom extended permit tcp any host x.x.x.x
access-list aaron extended permit tcp any any eq 2967
access-list capauth extended permit ip host 10.200.200.1 host 10.200.200.220
access-list capauth extended permit ip host 10.200.200.220 host 10.200.200.1
access-list DMZ extended permit icmp any any
access-list dmz_access_in extended permit tcp any eq 51024 any eq 3336
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit tcp any any eq ftp
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in remark rad5110 port 162 out
access-list dmz_access_in extended permit udp any any eq snmptrap
access-list dmz_access_in remark port 23 out
access-list dmz_access_in extended permit tcp any any eq telnet
access-list dmz_access_in remark port 53 dns out
access-list dmz_access_in extended permit object-group TCPUDP any any eq domain
access-list dmz_access_in extended permit object-group TCPUDP any any eq www
access-list dmz_access_in extended permit tcp any any eq h323
access-list dmz_access_in extended permit tcp any any object-group XML
access-list dmz_access_in extended permit udp any any object-group RAS
access-list dmz_access_in extended permit tcp any any range 1718 h323
access-list dmz_access_in extended permit tcp any any object-group H.245
access-list dmz_access_in extended permit object-group TCPUDP any any eq sip
access-list dmz_access_in extended permit udp any any object-group rtp_rtcp_udp
access-list dmz_access_in extended permit object-group TCPUDP any any object-group XML2
access-list dmz_access_in extended permit ip object-group local_net_group any
access-list dmz_access_in remark port 5061
access-list dmz_access_in extended permit tcp any any object-group tcp_tls
access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
pager lines 24
logging enable
logging buffered warnings
logging trap informational
logging history informational
logging asdm warnings
logging host outside x.x.x.x
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Wireless 1500
mtu management 1500
ip local pool SSL_VPN_POOL 172.20.20.1-172.20.20.75 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_SSL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.12 10.200.200.15 netmask 255.255.255.255
static (inside,outside) x.x.x.15 10.5.0.11 netmask 255.255.255.255
static (inside,outside) x.x.x.13 10.200.200.240 netmask 255.255.255.255
static (inside,outside) x.x.x.16 10.200.200.222 netmask 255.255.255.255
static (inside,outside) x.x.x.14 10.200.200.155 netmask 255.255.255.255
static (inside,dmz) 10.200.200.0 10.200.200.0 netmask 255.255.255.0
static (inside,dmz) 10.4.0.0 10.4.0.0 netmask 255.255.0.0
static (dmz,outside) x.x.x.18 172.22.22.15 netmask 255.255.255.255
static (dmz,outside) x.x.x.19 172.22.22.16 netmask 255.255.255.255
static (inside,dmz) 10.3.0.0 10.3.0.0 netmask 255.255.0.0
static (inside,dmz) 10.2.0.0 10.2.0.0 netmask 255.255.0.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
static (inside,dmz) 10.6.0.0 10.6.0.0 netmask 255.255.0.0
static (inside,dmz) 10.7.0.0 10.7.0.0 netmask 255.255.0.0
static (inside,dmz) 10.5.0.0 10.5.0.0 netmask 255.255.0.0
access-group outside_policy in interface outside
access-group inside_policy in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.12 1
route inside 10.1.0.0 255.255.0.0 10.200.200.254 1
route inside 10.2.0.0 255.255.0.0 10.200.200.254 1
route inside 10.3.0.0 255.255.0.0 10.200.200.254 1
route inside 10.4.0.0 255.255.0.0 10.200.200.254 1
route inside 10.5.0.0 255.255.0.0 10.200.200.254 1
route inside 10.6.0.0 255.255.0.0 10.200.200.254 1
route inside 10.7.0.0 255.255.0.0 10.200.200.150 1
route inside x.x.x.0 255.255.255.0 10.200.200.2 1
route inside x.x.x.0 255.255.255.0 10.200.200.2 1
route inside 192.168.1.0 255.255.255.0 10.200.200.254 1
route inside 192.168.2.0 255.255.255.0 10.200.200.254 1
route inside 192.168.3.0 255.255.255.0 10.200.200.254 1
route inside 192.168.4.0 255.255.255.0 10.200.200.254 1
route inside 192.168.5.0 255.255.255.0 10.200.200.254 1
route inside 192.168.6.0 255.255.255.0 10.200.200.254 1
route inside 192.168.7.0 255.255.255.0 10.200.200.254 1
route inside 192.168.200.0 255.255.255.0 10.200.200.254 1
route inside 192.168.201.0 255.255.255.0 10.200.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 2:00:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server COMPANY-NT-AUTH protocol nt
aaa-server COMPANY-NT-AUTH (inside) host 10.200.200.220
nt-auth-domain-controller DC
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 10.200.200.0 255.255.255.0 inside
http 10.200.0.0 255.255.0.0 inside
http 10.3.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set asa2transform esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 5 match address outside_cryptomap
crypto map OUTSIDE_MAP 5 set pfs
crypto map OUTSIDE_MAP 5 set peer x.x.x.53
crypto map OUTSIDE_MAP 5 set transform-set 3DES-SHA
crypto map OUTSIDE_MAP 5 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 match address OUTSIDECO_VPN
crypto map OUTSIDE_MAP 10 set peer x.x.x.25
crypto map OUTSIDE_MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP 10 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
dhcpd dns 10.200.200.220 10.200.200.225
dhcpd wins 10.200.200.220 10.200.200.225
dhcpd lease 18000
dhcpd domain company.com
dhcpd dns 10.200.200.220 10.200.200.225 interface Wireless
dhcpd wins 10.200.200.220 10.200.200.225 interface Wireless
dhcpd lease 18000 interface Wireless
dhcpd domain company.com interface Wireless
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.5.41.40 source outside prefer
ssl trust-point vpn.company.com outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2017-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSL_Client_Policy internal
group-policy SSL_Client_Policy attributes
wins-server value 10.200.200.220
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_SPLIT
default-domain value company.com
webvpn
sso-server none
auto-signon allow uri * auth-type all
group-policy no-split-test internal
group-policy no-split-test attributes
banner value Welcome to company and Associates
banner value Welcome to company and Associates
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelall
default-domain value company.com
group-policy DfltGrpPolicy attributes
dns-server value 10.200.200.220
default-domain value company.com
group-policy company internal
group-policy company attributes
banner value Welcome to company and Associates
banner value Welcome to company and Associates
dns-server value 10.200.200.220
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_SPLIT
default-domain value company.com
username ciscoadmin password xxxxxxxxxxx encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_POOL
authentication-server-group COMPANY-NT-AUTH
default-group-policy SSL_Client_Policy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias company_SSL_VPN enable
tunnel-group company_group type remote-access
tunnel-group company_group general-attributes
address-pool SSL_VPN_POOL
authentication-server-group COMPANY-NT-AUTH LOCAL
default-group-policy company
tunnel-group company_group ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.53 type ipsec-l2l
tunnel-group x.x.x.53 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect tftp
inspect esmtp
inspect ftp
inspect icmp
inspect ip-options
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect mgcp
inspect h323 h225
inspect h323 ras
inspect sip
service-policy global_policy global
privilege cmd level 5 mode exec command ping
privilege cmd level 6 mode exec command write
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command version
privilege show level 5 mode exec command conn
privilege show level 5 mode exec command memory
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command xlate
privilege show level 5 mode exec command traffic
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command failover
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command route
privilege show level 5 mode exec command blocks
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0689b4c837c79a51e7a0cfed591dec9
: end
COMPANY-asa#Hi Sian,
Yes on their end the PFS is enabled for DH Group 2.
Here is the information that you requested:
company-asa# sh crypto isakmp sa
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: x.x.x.87
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: x.x.x.53
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
3 IKE Peer: x.x.x.25
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG4
company-asa# sh crypto ipsec sa
interface: outside
Crypto map tag: OUTSIDE_MAP, seq num: 5, local addr: x.x.x.13
access-list outside_cryptomap extended permit ip 10.200.0.0 255.255.0.0 192.168.9.0 255.255.255.0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
current_peer: x.x.x.53
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10744, #pkts decrypt: 10744, #pkts verify: 10744
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.13, remote crypto endpt.: x.x.x.53
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 500EC8BF
current inbound spi : 8DAE3436
inbound esp sas:
spi: 0x8DAE3436 (2377004086)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (3914946/24388)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x500EC8BF (1343146175)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 32768, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (3915000/24388)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.13
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.20.20.8/255.255.255.255/0/0)
current_peer: x.x.x.87, username: ewebb
dynamic allocated peer ip: 172.20.20.8
#pkts encaps: 16434, #pkts encrypt: 16464, #pkts digest: 16464
#pkts decaps: 19889, #pkts decrypt: 19889, #pkts verify: 19889
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16434, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 30, #pre-frag failures: 0, #fragments created: 60
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 60
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.13/4500, remote crypto endpt.: x.x.x.87/2252
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 2D712C9F
current inbound spi : 0EDB79C8
inbound esp sas:
spi: 0x0EDB79C8 (249264584)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18262
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2D712C9F (762391711)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 65536, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 18261
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 -
ACE is not recieving any traffic on VIP
Hi,
I have multiple vips running scenario, of which one vip is not functioning at all. I have bridged mode scenario. The probes for the rservers are showing as success and when i am trying to find the active connections using "show conn", i cant see any connection reaching ACE on that VIP. I can ping the VIP but unable to see any traffic on that VIP. When i telnet on the VIP on the port 8080 i can telnet, but on the browser its showing as Content Server error.
Attached is the ace configuration.
Thanks
AmitJust to add in above post, from command prompt iam able to telnet on the VIP ip address (192.168.3.145) on port 8080 and from the web browser i cant.
Thanks
Amit
Maybe you are looking for
-
How to Get In & Out of Match, Get your Downloads and Run
How to Get In & Out of Match, Get your Downloads and Run So you have read the marketing hype, and are thinking what you really want is to pay for the service to upgrade your low quality bitrate files to a bit better 256KBPS rate easily, as don’t fan
-
How to turn off right-click dictionary 'look up' search in OS X Lion
Right-click spotlight search was a very usefull feature in snow leopard, how can I enable this in Lion, I really don't need a dictionary. Thanks
-
How to play .MOD files on mac
hi all, I need to play some .MOD files (video) on my mac. Window media player 10 and 11 play the files but mac only has media player 9 - is there any other way i can get these .MOD files to play?
-
Sparrow and a fundamental flaw with the App Store
There is an app in the store called Sparrow. If you have not seen this it is a very nice alternative email client to Apple Mail. It was just onsale and then within a week, I read that they have been purchased by Google and the team will be working
-
Internal order for receiver types
Hi, Is possible to set up an additional order +_*for receiver types*_ that can settle to an asset account number. presently we donu2019t have this type but it may be use full for track our assets. It is very urgent I will assign points Thanks Rad