Cisco Router Memory Utilization
Hi,
We have a Cisco SA520 Router (Firmware 2.1.18)
We have only been using this for about 1 month now. The router seems OK, it's just that
I am worried about the memory utilization, which reaches 62% (144/234 MB).
Is this something to worry about?
How can I lower the usage?
Pardon me, I am just new to Cisco devices.
Many Thanks.
AC
AC,
Please go ahead and upgrade to the latest firmware 2.1.51. Memory utilization shouldn't be a problem. After the upgrade please keep an eye on the memory and report back.
Thanks,
Jasbryan
Cisco Support Engineer
.:|:.:|:.
Similar Messages
-
[Cisco ACS] Memory Utilization limit
Hello,
We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10
The primary server manages 20000+ authentications per day.
Its memory utilization increases every day.
It is now at 83%
Is there a limit?
What will happen when memory utilization reaches this limit?
What can we do to purge memory utilization? (reboot, service restart...)
Thanks for your help
Patrick
admin# sh memory
total memory: 1031200 kB
free memory: 16288 kB
cached: 298568 kB
swap-cached: 0 kB
Do you know the minimum free memory amount for safe operations?
· is this ACS running any risks being this above?
· Are there any general clean-up commands that can be executed to free up memory without jeopardizing operations on the ACS? -
Cant ping behind cisco router (site2site vpn)
Dears;
After configure site to site vpn between cisco router and fortigate firewall,
site A : 10.0.0.0/24 behind fortigate
site B: 10.10.10.0/24 behind cisco router
the tunnel is up and I can ping 10.0.0.1 from site B and can ping 10.10.10.1 from site A but I can't ping any IP inside 10.0.0.0/24 from site B or network 10.10.10.0/24 from site A
my cisco router configuration is
Current configuration : 2947 bytes
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
no aaa new-model
memory-size iomem 10
clock timezone cairo 2 0
crypto pki token default removal timeout 0
ip source-route
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool GUEST
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
ip cef
controller VDSL 0
ip ssh version 2
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
crypto isakmp key 6 *********** address 4.x.x.x no-xauth
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
crypto map kon-map 10 ipsec-isakmp
set peer 4.x.x.x
set transform-set myset
set pfs group5
match address 105
interface Ethernet0
no ip address
no fair-queue
interface ATM0
no ip address
ip mtu 1452
ip tcp adjust-mss 1452
no atm ilmi-keepalive
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
switchport access vlan 2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Vlan2
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
crypto map kon-map
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
banner motd ^C^C
end
when ping from cisco router
konsuler#ping 10.0.0.27 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
Success rate is 0 percent (0/5)
help please
Thank you karsten
I can ping interface of router from remote site but can't ping any device behind the router and can ping firewall interface but can't ping any device behind the firewall
-counters in
# sh crypto ipsec sa
increased only while ping 10.0.0.1 or 10.10.10.1 from both sides
r#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer1
Uptime: 00:03:12
Session status: UP-ACTIVE
Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.x.x.x
Desc: (none)
IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
Capabilities:(none) connid:2001 lifetime:22:39:59
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407 -
Remote access VPN with Cisco Router - Can not get the Internal Lan .
Dear Sir ,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
I am getting an IP address when I connect through the VPN client. But I cannot ping the internal LAN 192.168.1.0. Need your help to solve the issue.
Below is the IP address of the device.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
Need your help to fix the problem.
Router R2 Configuration :!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through a Cisco router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client. But I cannot ping the internal LAN 192.168.1.0. Need your help to solve the issue.
Waiting for your response.
--Milon -
SNMP OID for CPU and Memory Utilization on a MDS 9509
Does anyone know what the OIDs are for CPU and Memory utilization on a MDS 9509?
Thanks
CISCO-SYSTEM-EXT-MIB.my is a good place to start and you can determine the OID from the MIB.
Once you feel as though you are on the right track, have a look at:
http://www.oidview.com/mibs/9/CISCO-SYSTEM-EXT-MIB.html
I gather that what you need is:
1.3.6.1.4.1.9.9.305.1.1.1
and
1.3.6.1.4.1.9.9.305.1.1.2
Enjoy.
Stephen -
OID for CPU and MEMORY utilization for wrv4400n
Hi,
Can any one please tell me the OID for CPU and MEMORY utilization for wrv4400n?
Thanks
Vipin
CISCO-SYSTEM-EXT-MIB.my is a good place to start and you can determine the OID from the MIB.
Once you feel as though you are on the right track, have a look at:
http://www.oidview.com/mibs/9/CISCO-SYSTEM-EXT-MIB.html
I gather that what you need is:
1.3.6.1.4.1.9.9.305.1.1.1
and
1.3.6.1.4.1.9.9.305.1.1.2
Enjoy.
Stephen -
High memory utilization after few days - ciscoworks LMS 4.0.1
Hello,
I have the problem that our ciscoworks server gets out of memory after a few days. The memory utilization is always getting higher and higher (above 95%). Sometimes it is only after 3 days and sometimes it is after 1 week. So it does not happen regularly. Has anyone an idea what could be the problem? I have made a screenshot from the services which use a lot of memory. And at this time the memory utilization is getting higher and higher again....I think there is a problem with tomcat or dbsrv10.exe, there are also a lot of cwjava.exe running.
Kindly regards
David Mayer
Hello,
I have the same problem. First time I've tried to upgrade memory from 8gb to 16gb but I am still experiencing same issues (Memory is running on 98%). I'm not sure exactly what process it is causing this issue, because when I've checked all processes from all users running on this server and count them there is no 15 gb at all. My guess is the same for tomcat server which is responsible for RME collector, or correct me if I'm wrong.
Do you have any idea what can cause this problem.
I've tried to upgrade then to Cisco works Prime lan management 4.1, but server went with same issues.
Thanks a lot -
CiscoWorks LMS 4.0.1 High Memory Utilization on Windows 2K8 R2
Hi,
What causes LMS 4.1 to have high memory utilization?
I made a little batch
https://supportforums.cisco.com/docs/DOC-21031
It shows what process in LMS is eating your RAM / hogging the CPU.
I don't think resources are used very effectively in LMS
I did have the impression that some virtual machines running LMS 3.2 actually performed better than real machines, as if the VMware saw it load all these java virtual machines and that it was 45 times the same thing only being used for a few % and therefore could be swapped to disk, leaving the resources to what was actually working in LMS.
What worries me more than the resources used is the gui performance.
Cheers,
Michel -
Connecting to NME-IPS results in connecting to cisco router itself
Suddenly, without any clear reason, I cannot access the NME-IPS in my router.
Instead it connects to the router console.
The IP address is also pingable.
Output:
gateway#service-module IDS-Sensor 1/0 status
Service Module is Cisco IDS-Sensor1/0
Service Module supports session via TTY line 66
Service Module is in Steady state
Service Module heartbeat-reset is enabled
Getting status from the Service Module, please wait..
Cisco Systems Intrusion Prevention System Network Module
Software version: 7.0(6)E4
Model: NME-IPS
Memory: 443504 KB
Mgmt IP addr: 192.168.11.99
Mgmt web ports: 443
Mgmt TLS enabled: true
gateway#service-module IDS-Sensor 1/0 session
Trying 192.168.11.99, 2066 ... Open
C
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
User Access Verification
Username:
If IME is not connecting, is it giving you some sort of error?
Do you have ASDM launcher loaded? if so, does it also fail to connect?
When you launch IME are you prompted for a password, is that failing on the password entry or does it simply fail to connect to the device?
I have not been able to access my NME via https either, I get a Java error, but I pretty much always use Cisco IME to access my NME module so I have not chased down the Java issue. -
ASA High Memory utilization and random lockouts
We have 2 ASA 5520's running Active/Standby with the cable based failover. At random times perhaps once or twice a week we will get calls that RA VPN users cannot connect, RA users connect with the Cisco VPN client. Also most often during this time we cannot telnet into the "primary" ASA, but we can "usually" access it via the ASDM where we will see that the memory utilization is in the upper 90% range and perhaps as high as 98% consistently. To help temporarily solve the issue we have to telnet to the "secondary" ASA which we can usually access via telnet and perform a "failover active" which will failover the primary and make the secondary become the active and vice versa. Has anyone seen this issue? I have opened up several TAC cases and have not had much help. Thanks in advance!
Hi Brandon,
it is important to know what version are running your ASAs [ie 7.0(4)] and to collect some log, you can set it to error level (logging buffered errors), with the logging standby, so all of the message should be replicated on the standby unit.
even the show crashinfo could give you useful info.
show crashinfo
: Saved_Crash
Thread Name: vpnfo_thread_msg (Old pc 0x00b47b80 ebp 0x01c60634)
You can check the caveats for your release from the Cisco site. This link is for the 7.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix704rn.html#wp32426
It could be a known bug solved in newer image.
Here you can find useful info to perform a zero downtime upgrade.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mswlicfg.html
Regards,
Marco. -
Encapsulation dot1q is not working?, 2600 Cisco router
I am trying to config a 2620 Cisco router to perform subinterface (F0/0.1) for Vlan Trunk Protocol, however when I try to configure the encapsulation dot1q, I continue to receive an error message with ^ symbol below the 'c'. See below, the platform version is a 12.3(26) which should be acceptable to perform an (encapsulation dot1q). The Ethernet is a fast-Ethernet 10/100 port. I also tried the ISL, I receive the same message.
Can anyone suggest what could be the problem!!
Thank you all!!!!!
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#int f0/0.1
Router(config-subif)#encapsulation dot1q 1
^
% Invalid input detected at '^' marker.
Router(config-subif)#
====================================================================================================
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 15:23 by dchih
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
Router uptime is 5 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.123-26.bin"
cisco 2620 (MPC860) processor (revision 0x600) with 28672K/4096K bytes of memory.
Processor board ID JAD05440GAN (1508240486)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Router#
==================================================================================================
Router#sh flash
System flash directory:
File  Length   Name/status
  1   7754580  c2600-i-mz.123-26.bin
[7754644 bytes used, 633960 available, 8388604 total]
8192K bytes of processor board System flash (Read/Write)
Router#
jesse rodriguez wrote:
I am connected through the console, Here are the output.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#
Router(config)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#
*Mar 1 00:01:36.891: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
Router(config-if)#
Router(config-if)#int f0/0.1
Router(config-subif)#enc ?
% Unrecognized command
Router(config-subif)#en?
% Unrecognized command
Router(config-subif)#en ?
% Unrecognized command
Router(config-subif)#en
Jesse
It's possible your feature set is not good enough to run trunking.
Trunking apparently requires a minimum of the IP PLUS feature set according to this document
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
table 2 shows a minimum IOS of 12.0(1)T and IPPLUS/IPPLUS on the 2620 - so your IOS revision is OK, but maybe your feature set is not.
You can figure which feature set you have by going here
http://tools.cisco.com/ITDIT/CFN/Dispatch?act=rlsSelect&task=search&searchby=image
and entering your image name (assuming it's not been stuffed with) which you can find by doing "show flash" or "dir"
If you don't have the right feature set, then you're out of luck unless you can upgrade/change the IOS image the router is booting with.
Cheers. -
Hi
what is the standard range for memory utilization on 35xx switches.
I know under minimal load they can be around 50% but what would be classed as a problem?
Most of mine are between 60% - 90% is this normal?
thanks
Hi,
With 3500xl's, the load minimum with 50% is OK. If I were you, I would have tried setting up the SPAN on switch and tried to capture the traffic passing over the switch.
Link for SPAN config: http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc5/scg/swports.htm#xtocid25
If the CPU utilization is more than 50% and there is no unusual traffic on the LAN, you might be hitting CSCdv21552.
Please refer the link below:
http://www.cisco.com/en/US/products/hw/switches/ps607/products_tech_note09186a0080094e78.shtml
HTH,
-amit singh -
Cisco router interface threshold
Hello,
I have a question about getting threshold information out of a specific interface. I have a customer with DSL on a cisco 887 router.
This customer has 2 different pvc's on the ATM0 interface, 2 dialer's (1 for voice, one for data) 2 vlan's (1 for voice, one for data).
What I would like is that the Cisco router will send me a message that only the voice dialer or voice vlan has exceeded its threshold limit.
I can configure this with the "rmon alarm" command, but then it isn't specific for the voice dialer, it gives me info on both the dialers.
I also tried it with SNMP traps, but this isn't "real-time"
Does anyone know if there is a different solution to solve this?
Sorry, small mistake :-)
Here's my configuration:
event manager applet int-rate-test
event interface name Dialer1 parameter receive_rate_bps entry-op gt entry-val 110000 entry-type rate exit-op lt exit-val 50000 exit-type rate average-factor 1 poll-interval 1
snmp-server community G***** RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps envmon
snmp-server enable traps c3g
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps mac-notification
snmp-server enable traps energywise
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bfd
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps cpu threshold
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host *.*.*.30 G****
interface Dialer1
description tbv Internet KPN-lijn
ip address negotiated
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname test-vdsl-inet
ppp chap password 7 051F031C3501580D0A095A1B050910
ppp pap sent-username test-vdsl-inet password 7 111D1C16035F1D081726662D263621
no cdp enable
When I download something from the internet it only shows the interface bandwidth usage stats every 5min. I'm not getting any event messages to my Zenoss server that a threshold has been reached or anything like that.
I have attached a file with the results. -
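Several configurations on this page were posted with `password 7` strings, `password 0` values and pre-shared keys still in them. The following is an added example, not part of any post here: a Python filter that strips such values from an IOS running-config before it is shared and reports what it removed. The pattern covers only the line forms seen on this page, and the sample config with its secrets is constructed.

```python
import re

# Keyword, optional IOS encoding type (0, 4, 5, 6, 7 ...), then the secret value.
# "address"/"hostname" are skipped so that, in
#   pre-shared-key address 0.0.0.0 0.0.0.0 key VALUE
# the value after the later "key" token is the one removed.
# Not covered: "snmp-server host <ip> <community>" and certificate bodies.
SECRET_RE = re.compile(r"""
    \b(?P<kw>pre-shared-key|secret|password|passwd|community|key)
    (?P<enc>\s+\d{1,2}(?=\s))?
    \s+(?!address\b|hostname\b)(?P<value>\S+)
""", re.VERBOSE)


def classify(enc):
    """Describe how the removed value was stored, from its encoding type."""
    if enc is None:
        return "untyped"
    if enc == "0":
        return "cleartext"
    if enc == "7":
        # Type 7 is an obfuscation that can be reversed, not a hash.
        return "type 7, reversible"
    return f"type {enc}, hashed or encrypted"


def redact(config):
    """Return (sanitized_config, findings).

    findings is a list of (line_number, keyword, classification) tuples,
    one per removed value, in file order.
    """
    findings = []
    out = []
    for lineno, line in enumerate(config.splitlines(), 1):
        def replace(match, lineno=lineno):
            enc = match.group("enc")
            findings.append(
                (lineno, match.group("kw"), classify(enc.strip() if enc else None))
            )
            return f"{match.group('kw')}{enc or ''} <removed>"
        out.append(SECRET_RE.sub(replace, line))
    return "\n".join(out), findings


# Constructed sample that mirrors the line forms in the posts above.
SAMPLE = """\
no service password-encryption
enable secret 5 $1$CONSTRUCTED$0000000000
username vpnuser password 0 ConstructedPass
crypto keyring vpnclientskey
 pre-shared-key address 0.0.0.0 0.0.0.0 key ConstructedPSK
crypto isakmp key ConstructedPSK address 192.0.2.1
interface Dialer1
 ppp chap password 7 0000CONSTRUCTED
 ppp pap sent-username example password 7 0000CONSTRUCTED
snmp-server community ConstructedRO RO
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE)
    print(clean)
    for lineno, keyword, kind in found:
        print(f"line {lineno}: removed {keyword} value ({kind})")
```

Hashed values are removed as well, since a published hash can still be guessed against offline.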
Site-Site VPN PIX501 and CISCO Router
Hello Experts,
I'm having a test lab at home, I configure a site-to-site vpn using Cisco PIX501 and CISCO2691 router, for the configurations i just some links on the internet because my background on VPN configuration is not too well, for the routers configuration i follow this link:
www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
and for the PIX configuration I just use the VPN wizard of pix. Done all the configurations but ping is unsuccessful. Hope you can help me with this, don't know what needs to be done here (Troubleshooting).
Attached here is my router's configuration, topology as well as the pix configuration. Hope you can help me w/ this. Thanks in advance.
YES! IT FINALLY WORKS NOW! Here's the updated running-config
: Saved
PIX Version 7.2(2)
hostname PIX
domain-name aida.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.21.1.0 network2 description n2
interface Ethernet0
speed 100
duplex full
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.252
interface Ethernet1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aida.com
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 192.168.1.0 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username mark password MwHKvxGV7kdXuSQG encrypted
http server enable
http 192.168.1.3 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
: end
ROUTER:
R9#sh run
Building configuration...
Current configuration : 3313 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R9
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization config-commands
aaa authorization exec default local
aaa session-id common
resource policy
memory-size iomem 5
ip cef
no ip domain lookup
ip domain name aida.com
ip ssh version 2
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
crypto pki certificate chain TP-self-signed-998521732
A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
9EE305FF 63
quit
username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set MYSET
match address TO_ENCRYPT_TRAFFIC
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
interface FastEthernet0/1
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
end -
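Both IOS router configurations on this page keep tunnel traffic out of NAT overload by placing a `deny` for the crypto ACL's flow ahead of the `permit` in the NAT ACL. The following is an added example, not from the posts: a Python check of that ordering in a running-config. It handles only `permit|deny ip` entries with `any`, `host` or wildcard addresses, and the second sample config is constructed with the entries in the wrong order.

```python
import ipaddress
import re

ENTRY = re.compile(r"^(?:access-list (\S+) )?(permit|deny) ip (.+)$")


def _net(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts the wildcard (host mask) form directly.
    return ipaddress.ip_network(first + "/" + tokens.pop(0), strict=False)


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())  # indentation is often lost in pasted configs
        named = re.match(r"ip access-list extended (\S+)$", line)
        if named:
            current = named.group(1)
            acls.setdefault(current, [])
            continue
        entry = ENTRY.match(line)
        if not entry:
            current = None  # any other line ends a named ACL block
            continue
        name = entry.group(1) or current
        if name is None:
            continue
        tokens = entry.group(3).split()
        acls.setdefault(name, []).append((entry.group(2), _net(tokens), _net(tokens)))
    return acls


def nat_verdict(nat_acl, src, dst):
    """Decide what the NAT ACL does to the flow src -> dst (first match wins)."""
    for action, a_src, a_dst in nat_acl:
        if not (src.overlaps(a_src) and dst.overlaps(a_dst)):
            continue
        if action == "deny" and src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return "exempt"
        return "translated" if action == "permit" else "partly exempt"
    return "exempt"  # implicit deny at the end of the ACL: no translation


def check_nat_exemption(config):
    """List crypto-ACL flows that the NAT overload ACL would still translate."""
    acls = parse_acls(config)
    nat_lists = re.findall(r"^\s*ip nat inside source list (\S+)", config, re.M)
    crypto_lists = re.findall(r"^\s*match address (\S+)", config, re.M)
    findings = []
    for crypto in crypto_lists:
        for action, src, dst in acls.get(crypto, []):
            if action != "permit":
                continue
            for nat in nat_lists:
                verdict = nat_verdict(acls.get(nat, []), src, dst)
                if verdict != "exempt":
                    findings.append((crypto, nat, f"{src} -> {dst}", verdict))
    return findings


# Entry order as posted on this page (numbered ACLs 100 and 105).
GOOD = """\
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map kon-map 10 ipsec-isakmp
 match address 105
"""

# Constructed: same ACL names as the R9 config, but permit precedes deny.
BAD = """\
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
 permit ip 172.21.1.0 0.0.0.255 any
 deny ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended TO_ENCRYPT_TRAFFIC
 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map MYMAP 10 ipsec-isakmp
 match address TO_ENCRYPT_TRAFFIC
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_nat_exemption(cfg) or "tunnel traffic bypasses NAT")
```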
Easy VPN on 1710 cisco router connected to a DSL using dyndns
I have a 1710 cisco router connected to a DSL modem at home. Dynamic DNS or dyndns is implemented on it and everything works fine. In other words, I do not have a static IP address.
I would like to be able to configure vpn or Easy VPN on it so that I can connect with my laptop from outside using the cisco vpn client software.
Can someone please post a step by step sample vpn configuration? Something that does not conflict with my configuration. Below is my config. Thanks in advance.
Paul Pagina
PageHut#show run
Building configuration...
Current configuration : 2543 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname PageHut
boot-start-marker
boot-end-marker
no logging console
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
enable password 7 xxxxxxxxxxxxxxxxxxxxxx
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local
aaa session-id common
memory-size iomem 15
ip cef
ip inspect name CBAC-NAME tcp router-traffic
ip inspect name IPFW tcp timeout 3600
ip inspect name IPFW udp timeout 15
ip inspect name IPFW ftp
ip inspect name IPFW h323
ip inspect name IPFW rcmd
ip inspect name IPFW smtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method DYNDNS
[a1]
HTTP
add http://xxxxxxxxx:[email protected]/nic/[email protected]/nic/update?hostname=<h>&myip=<a>
remove http://xxxxxxxxx:[email protected]/nic/[email protected]/nic/update?hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
vpdn enable
username cisco privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
half-duplex
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
interface Dialer0
no ip address
ip inspect IPFW out
interface Dialer1
mtu 1492
ip ddns update hostname xxxxx.dyndns.org
ip ddns update DYNDNS host members.dyndns.org
ip address negotiated
ip access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxx password 7 xxxxxxxxxxxxxxxxxx
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
control-plane
banner motd ^C
**This is a my banner***
*************************************************************************** ^C
line con 0
password 7 xxxxxxxxxxx
line aux 0
password 7 xxxxxxxxxxxxxxx
line vty 0 4
password 7 xxxxxxxxxxxxx
end
PageHut#
Hi there,
I check the bug toolkit and I found this one that matches the problem you are describing:
CSCti73763 Bug Details B
large packet drop with ipsec, cef and virtual reassembly
Symptom:large packet drop with ipsec , cef and virtual reassembly
Conditions:large packet drop with ipsec , cef and virtual reassembly
Workaround:disable virtual reassembly or ip cef
1st Found-In
15.0(1)M3
Known Affected Versions
Fixed-In
15.1(3.2)T
15.1(3.3)PI15
15.0(1)M4.4
15.2(0.0.10)PIL16
15.1(1)T2.3
15.1(2)T2.2
15.1(3.15)T
15.2(0.0.18)PIL16
15.1(3.14.6)PIA16
15.2(0.0.1)PIA16
15.2(3.22.4)PIB16
15.1(3)T1.5
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti73763&from=summary
Hope this helps.
Raga