%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47

Hi ,
I want to create a GRE over IPsec tunnel between a Cisco ASR 1002 and a Cisco 3900 and I am getting the error below.
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47
I have attached the configuration file as well; I am currently working on tunnel 117.
Site A already has some tunnels up and running, but only tunnel 117, which I created now on the ASR 1002, is not working.
Can anyone let me know what issue I am facing?

The first issue that I note is that you have applied the crypto map on the tunnel interface as well as on the physical interface. While there are perhaps still some examples that show this they are based on the operation of quite old IOS versions. The code that you are now running expects the crypto map to be applied only on the physical interface. I suggest that you remove the crypto map from the tunnel interfaces. Try that and let us know if the behavior changes.
HTH
Rick

Similar Messages

  • %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

    Hi Everyone.
    I was making some changes in routers and after I rolled back the configuration a GRE tunnel won't work. It's a GRE tunnel between a Cisco 7600 and a Cisco 2851.
    It seems like the 7600 sent packets unencrypted.
    On the C2851 this message is received:
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
            (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47
    Could you check the configuration attached and give any advice?
    Thank you.

    I went through the configuration and think all required components are in there.
    I would say that we should check routing.
    The error message means that the packet received, as per local policy, should have been an IPsec-encrypted packet; however, it was a plaintext packet.
    Going further:
    * Please check if the tunnel is up and share show crypto ipsec sa from either end.
    * Please check if the packets leaving the other end are taking the right exit interface and, if yes, whether they are encrypted or not. You can check this with the help of an ACL (disabling CEF if this is not in production and there is no MPLS link involved).

  • DMVPN Issues - IPsec packets

    Hi All,
    I am currently trying to configure DMVPN for the first time. I have been following the Cisco config guide and googling a few other bits; however, I seem to have hit a brick wall.
    The setup is in a lab environment so I can post up as much info as required, but here are the important bits:
    I have 3 Cisco 2821 routers running IOS 12.4(15) with a Layer 3 switch in the middle connecting the "WAN" ports together. The routing is working fine; I can ping each router from each other router.
    A few snippets from the hub router config:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 10000
     ip address 172.17.100.1 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map multicast dynamic
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description HQ WAN
     ip address 1.1.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    And here's the config on the first spoke router:
    crypto ipsec transform-set DMVPN_SET esp-3des esp-md5-hmac
    !
    crypto ipsec profile DMVPN_PRJ
     set transform-set DMVPN_SET
    !
    interface Tunnel0
     bandwidth 3000
     ip address 172.17.100.10 255.255.255.0
     no ip redirects
     ip mtu 1500
     ip nhrp authentication secretid
     ip nhrp map 172.17.100.1 1.1.1.1
     ip nhrp map multicast 1.1.1.1
     ip nhrp network-id 101
     ip nhrp holdtime 450
     ip nhrp nhs 172.17.100.1
     ip tcp adjust-mss 1460
     tunnel source GigabitEthernet0/0
     tunnel mode gre multipoint
     tunnel key 10101
     tunnel protection ipsec profile DMVPN_PRJ
    !
    interface GigabitEthernet0/0
     description Site 1 WAN
     ip address 11.11.11.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    If I shut/no shut the Tunnel0 interface on spoke 1, I get the following error on the hub router:
    Mar 30 13:41:17.075: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
            (ip) vrf/dest_addr= /1.1.1.1, src_addr= 11.11.11.1, prot= 47
    So I feel I'm missing some config on the spoke side to encrypt the traffic, but I'm not sure what.
    The following are outputs from the spoke router:
    RTR_SITE1#sh dmvpn detail
    Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
            N - NATed, L - Local, X - No Socket
            # Ent --> Number of NHRP entries with same NBMA peer
    -------------- Interface Tunnel0 info: --------------
    Intf. is up, Line Protocol is up, Addr. is 172.17.100.10
       Source addr: 11.11.11.1, Dest addr: MGRE
      Protocol/Transport: "multi-GRE/IP", Protect "DMVPN_PRJ",
    Tunnel VRF "", ip vrf forwarding ""
    NHRP Details: NHS:       172.17.100.1
      EType:Spoke, NBMA Peers:1
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
    ----- --------------- --------------- ----- -------- ----- -----------------
        1         1.1.1.1    172.17.100.1   IKE    never S       172.17.100.1/32
    Interface: Tunnel0
    Session: [0x48E31B98]
      Crypto Session Status: DOWN
      fvrf: (none),   IPSEC FLOW: permit 47 host 11.11.11.1 host 1.1.1.1
            Active SAs: 0, origin: crypto map
      Outbound SPI : 0x       0, transform :
        Socket State: Closed
    Pending DMVPN Sessions:
    RTR_SITE1#sh ip nhrp detail
    172.17.100.1/32 via 172.17.100.1, Tunnel0 created 00:33:44, never expire
      Type: static, Flags: used
      NBMA address: 1.1.1.1
    RTR_SITE1#sh crypto ipsec sa
    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 11.11.11.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (11.11.11.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 46, #recv errors 0
         local crypto endpt.: 11.11.11.1, remote crypto endpt.: 1.1.1.1
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    All of these commands show up as blank when I run them on the hub router.
    Any help appreciated.
    Thanks

    Thanks for the help
    I was following this guide: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_DMVPN.html#wp1118625
    I am using NAT; g0/1 on the routers is the LAN interface, with a different 10.x.x.x/24 on each router.
    The isakmp policy solved my issue, and I fixed the MTU as well.
    What do I need to add to allow the 10.x.x.x networks to use the tunnels to communicate? I can now ping each end of the tunnel from both routers, but not the LAN interfaces.
    Thanks

  • Packets not getting encrypt and decrypt IPSEC

    Hi Everyone,
    I have a 2691 router connected to the Internet and it is doing NAT.
    This connects to a 3550A switch which has a connection to an 1811W router.
    I set up a VPN between the 1811W and the 3550A.
    The 3550A has a connection to the 2691 via OSPF.
    OSPF is running between the 1811W and the 3550A.
    1811
    1811w# sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    192.168.99.2    192.168.99.1    QM_IDLE           2005 ACTIVE
    IPv6 Crypto ISAKMP SA
    1811w# sh crypto ipsec sa
    interface: FastEthernet0
        Crypto map tag: VPN_MAP, local addr 192.168.99.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
       current_peer 192.168.99.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 30, #recv errors 0
         local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    3550A
    3550SMIA#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE
    IPv6 Crypto ISAKMP SA
    3550SMIA#sh crypto ipsec sa
    interface: FastEthernet0/8
        Crypto map tag: VPN_MAP, local addr 192.168.99.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
       current_peer 192.168.99.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 15, #recv errors 0
         local crypto endpt.: 192.168.99.2, remote crypto endpt.: 192.168.99.1
         path mtu 1500, ip mtu 1500
         current outbound spi: 0x0(0)
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
    As seen above, the packets are not encrypted between the 1811W and the 3550A.
    I have used the same ACL on both the 1811W and the 3550A:
    ip access-list extended INTERESTING_TRAFFIC
    permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
    Any reasons why packets are not getting encrypted and decrypted?
    Thanks
    Mahesh

    Hi Eugene,
    I did that; here is the info now:
    sh crypto ipsec sa
    interface: FastEthernet0
        Crypto map tag: VPN_MAP, local addr 192.168.99.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
       current_peer 192.168.99.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
        #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0
         local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
         current outbound spi: 0x8319FE5B(2199518811)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0xAE0A578B(2919913355)
            transform: esp-des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 15, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: VPN_MAP
            sa timing: remaining key lifetime (k/sec): (4454255/2388)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x8319FE5B(2199518811)
            transform: esp-des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 16, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: VPN_MAP
            sa timing: remaining key lifetime (k/sec): (4454255/2388)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    It seems it is encrypted now.
    Config of ACL:
    ip access-list extended INTERESTING_TRAFFIC
    permit ip 192.168.0.0 0.0.255.255 192.168.99.0 0.0.0.255 log
    Even though I have the log keyword configured in the ACL, it still shows only 2 logs:
    .Dec 15 14:23:55.723 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet
    .Dec 15 14:29:28.391 MST: %SYS-5-CONFIG_I: Configured from console by mintoo on vty0 (192.168.98.6)
    .Dec 15 14:40:55.749 MST: %SEC-6-IPACCESSLOGP: list INTERESTING_TRAFFIC permitted udp 192.168.99.1(123) -> 192.168.99.2(123), 1 packet
    1811w#
    Do you know why is this?
    Thanks
    Mahesh
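    The difference between Mahesh's two sh crypto ipsec sa listings (SPI 0x0 with no ESP SAs versus active SAs with matching encaps/decaps counters) is what you read off by hand. As an added example, not from any post in this thread or from Cisco, this Python parser extracts those fields, classifies the SA state, and flags weak transforms such as the esp-des negotiated above. The condensed sample outputs are constructed from the listings in this thread.

```python
import re

# Constructed samples (not real device output), condensed from the two
# "sh crypto ipsec sa" listings quoted in the thread above.
SA_NONE_TEXT = """\
interface: FastEthernet0
    Crypto map tag: VPN_MAP, local addr 192.168.99.1
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   current_peer 192.168.99.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 30, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

SA_ACTIVE_TEXT = """\
interface: FastEthernet0
    Crypto map tag: VPN_MAP, local addr 192.168.99.1
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   current_peer 192.168.99.2 port 500
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
    #send errors 1, #recv errors 0
     current outbound spi: 0x8319FE5B(2199518811)
     inbound esp sas:
      spi: 0xAE0A578B(2919913355)
        transform: esp-des esp-sha-hmac ,
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x8319FE5B(2199518811)
        transform: esp-des esp-sha-hmac ,
        Status: ACTIVE
"""

# Transform components a defender should flag: DES, 3DES and MD5 are obsolete.
WEAK_TRANSFORMS = ("esp-null", "esp-des", "esp-3des", "esp-md5-hmac")


def parse_ipsec_sa(text):
    """Parse one interface block of 'show crypto ipsec sa' into a dict."""
    sa = {"interface": None, "local_addr": None, "peer": None, "local_ident": None,
          "remote_ident": None, "encaps": 0, "decaps": 0, "send_errors": 0,
          "recv_errors": 0, "outbound_spi": 0, "inbound_esp": [], "outbound_esp": []}
    section = None  # which SA list a following 'spi:' line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            sa["interface"] = line.split(":", 1)[1].strip()
        elif (m := re.search(r"local addr (\S+)", line)):
            sa["local_addr"] = m.group(1)
        elif (m := re.match(r"(local|remote)\s+ident .*:\s*\(([^)]+)\)", line)):
            sa[m.group(1) + "_ident"] = m.group(2)
        elif (m := re.match(r"current_peer (\S+)", line)):
            sa["peer"] = m.group(1)
        elif (m := re.match(r"#pkts (encaps|decaps): (\d+)", line)):
            sa[m.group(1)] = int(m.group(2))
        elif (m := re.match(r"#send errors (\d+), #recv errors (\d+)", line)):
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", line)):
            sa["outbound_spi"] = int(m.group(1), 16)
        elif (m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)):
            # Only ESP lists are tracked; an AH/PCP header ends the current list.
            section = m.group(1) + "_esp" if m.group(2) == "esp" else None
        elif (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)) and section:
            sa[section].append({"spi": int(m.group(1), 16), "transform": None, "status": None})
        elif (m := re.match(r"transform: (.*?)\s*,?$", line)) and section and sa[section]:
            sa[section][-1]["transform"] = m.group(1)
        elif (m := re.match(r"Status: (\S+)", line)) and section and sa[section]:
            sa[section][-1]["status"] = m.group(1)
    return sa


def assess(sa):
    """Classify the SA state the way you would when reading the counters by hand."""
    if not sa["inbound_esp"] and not sa["outbound_esp"]:
        return "NO_SA", ("no IPsec SA with %s (outbound spi 0x0, %d send errors): check the "
                         "ISAKMP SA, transform set and that the crypto ACLs mirror each other"
                         % (sa["peer"], sa["send_errors"]))
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "ONE_WAY", "encrypting to %s but decrypting nothing: return path or peer SA" % sa["peer"]
    return "ACTIVE", "SA with %s active: %d encaps / %d decaps" % (sa["peer"], sa["encaps"], sa["decaps"])


def weak_transforms(sa):
    """Weak cipher/hash names present in any negotiated ESP SA (deduplicated)."""
    found = []
    for entry in sa["inbound_esp"] + sa["outbound_esp"]:
        for part in (entry["transform"] or "").split():
            if part in WEAK_TRANSFORMS and part not in found:
                found.append(part)
    return found
```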

  • Data packet not yet processing in ODS load??

    Hi all,
    I got an error when I loaded data from IS to the ODS. Can someone let me know why and how to resolve it? Thank you in advance.
    Here is the error message in the monitor:
    Warning: data packet 1 & 2 arrived BW; processing: data packet not yet processing.
    (No data packet numbers could be determined for request REQU_77H7ERP54VXW5PZZP5J6DYKP7)
    Processing end:
    transfer rules (0 record): missing message
    Update PSA (0 record): missing messages
    Update rules (0 record): missing messages

    John,
    I don't think it's a space problem. In ST22 go with the detailed note.
    What happened and how to correct it will help you to solve the problem.
    Check this note 613440 also.
    Note: 647125
    Symptom
    A DYNPRO_FIELD_CONVERSION dump occurs on screen 450 of the RSM1 function group (saplrsm1).
    Other terms
    DYNPRO_FIELD_CONVERSION, 450, SAPLRSM1
    Reason and Prerequisites
    This is caused by a program error.
    The screen contains unused, hidden fields/screen elements that are too small for the screen check that was intensified with the current Basis patch (kernel patch 880). These fields originate in the 4.0B period of BW 1.0 and are never used.
    Solution
    Depending on your BW system release, you must solve the problem as follows:
    BW 3.0B
               Import Support Package 14 for 3.0B (BW 3.0B Patch 14 or SAPKW30B14) into your BW system. This Support Package will be available when note 571695 with the short text "SAPBWNews BW 3.0B Support Package 14", which describes this Support Package in more detail, is released for customers.
    BW 3.1 Content
               Import Support Package 8 for 3.1 Content (BW 3.10 Patch 08 or SAPKW31008) into your BW system. This Support Package will be available when note 571743 with the short text "SAPBWNews BW 3.1 Content Support Package 08" is released for customers.
    The dump occurs with the invisible G_NEW_DATUM date field on the bottom right of the screen, which is only 1 byte long and can be deleted.
    You can delete the following unused fields/screen elements:
    %A_G_NEW_NOW        Selection field group
    G_NEW_ZEIT          Input/output field
    G_NEW_UNAME         Input/output field
    G_NEW_DATUM         Input/output field
    %#AUTOTEXT021       Text field
    G_NEW_NOW           Selection button
    G_NEW_BATCH         Selection button
    You can delete these fields/screen elements because they are not used anywhere.
    This deletion does not cause any problems.
    After you delete the fields/screen elements, you must also delete the following rows in the flow logic in screen 450:
    FIELD G_NEW_DATUM           MODULE DOKU_NEW_DATUM.
    FIELD G_NEW_ZEIT            MODULE DOKU_NEW_ZEIT.
    The function group is then syntactically correct.
    Unfortunately, we cannot provide an advance correction.
    The aforementioned notes may already be available to provide information in advance of the Support Package release. However, the short text will still contain the words "preliminary version" in this case.
    For more information on BW Support Packages, see note 110934.
    Thanks
    Ram

  • Error "Data packet not complete; for example, 000013" when reading from PSA

    Dear all,
    I have an issue with my data loading. When I execute my InfoPackage, I specify that it should be loaded into the PSA before going to the data target. In my InfoPackage request I notice that I have got missing data packages,
    e.g.
    Data package 1 : everything OK
    Data package 2 : everything OK
    Data package 3 : everything OK
    Data package 8 : everything OK
    Data package 10 : everything OK
    Data package 12 : everything OK
    Data package 13 : everything OK
    What happened to the data packages in between, e.g. DP4, DP5 etc.?
    In my "step by step analysis" under the status tab everything is green and nothing seems to have gone wrong: no short dump, no job cancelled, nothing.
    Since everything "seems" to be alright, when I try to update subsequently to the data target, I get the following errors below.
    Data packet not complete; for example, 000013
    Request has errors / is incomplete
    I got 2 questions here...
    1. Why do I have missing data packages and it still shows me a green indicator?
    2. How can I solve this, and is this something I should be worried about?
    Thank you very very much!

    Hii SCHT,
    You encounter these types of errors rarely...
    But in the RSMO screen, check for any tRFCs stuck.
    Also go to the job in the source system and analyze the job log;
    there you can find some information about what that particular job did.
    And after that check for the same in the BW system...
    Perhaps while transferring/extracting the records through data packages, it might have missed some.
    Force the request RED and repeat the IP again...
    You don't need to worry about anything; simply force the request red and reload. Just let us know if the problem still persists after repeating the load...
    Regards
    Prince

  • Asp drop - First TCP packet not SYN (tcp-not-syn)

    I have many tcp-not-syn drops:
    First TCP packet not SYN (tcp-not-syn)                                46841247
    For sure it is not a routing issue, because e.g. 10.32.3.230 usually can connect to 192.168.16.2, which is a proxy server. Sometimes it can't and I get the tcp-not-syn error. So after a capture I got the following:
    ASA# capture asp-drop type asp-drop tcp-not-syn
    ASA# sh capture asp-drop | i 10.32.3.230
    2397: 16:11:31.904295 802.1Q vlan#8 P0 10.32.3.230.2322 > 192.168.16.2.8080: R 556133793:556133793(0) win 0
    2398: 16:11:31.905272 802.1Q vlan#8 P0 10.32.3.230.2322 > 192.168.16.2.8080: R 556133793:556133793(0) win 0
    2400: 16:11:31.908583 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2401: 16:11:31.908613 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2402: 16:11:31.908629 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2403: 16:11:31.908659 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2404: 16:11:31.908766 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2405: 16:11:31.908796 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2406: 16:11:31.908812 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) ack 4258924744 win 0
    2407: 16:11:31.909071 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2408: 16:11:31.909102 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2409: 16:11:31.909132 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2410: 16:11:31.910490 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2411: 16:11:31.910521 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2412: 16:11:31.910551 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2413: 16:11:31.910566 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2414: 16:11:31.911192 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2415: 16:11:31.911207 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2416: 16:11:31.911238 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2417: 16:11:31.915205 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2418: 16:11:31.915235 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2419: 16:11:31.915296 802.1Q vlan#8 P0 10.32.3.230.2321 > 192.168.16.2.8080: R 1839687588:1839687588(0) win 0
    2420: 16:11:31.915327 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2421: 16:11:31.915357 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2422: 16:11:31.915815 802.1Q vlan#8 P0 10.32.3.230.2320 > 192.168.16.2.8080: R 55902087:55902087(0) win 0
    2432: 16:11:33.102426 802.1Q vlan#8 P0 10.32.3.230.2317 > 192.168.16.2.8080: R 4189536219:4189536219(0) win 0
    2433: 16:11:33.102457 802.1Q vlan#8 P0 10.32.3.230.2317 > 192.168.16.2.8080: R 4189536219:4189536219(0) win 0
    2434: 16:11:33.102487 802.1Q vlan#8 P0 10.32.3.230.2317 > 192.168.16.2.8080: R 4189536219:4189536219(0) win 0
    The syslog message says:
    deny tcp (no connection) from 10.32.3.78/1646 to 192.168.16.2/8080 flags RST on interface inside
    The question is how I can determine whether it is:
    1. the proxy 192.168.16.2 itself being too slow responding to the SYN packet sent from the client 10.32.3.78
    2. a reset sent by the proxy 192.168.16.2 and then forwarded by the ASA to the client 10.32.3.78
    3. idle timeout tuning needed on the firewall
    4. anything else
    Thanks

    Hi,
    Since it is a RST packet coming from the client IP destined to the proxy server IP on the ASA's interface (of course with no associated connection in the ASA state table), the ASA will drop it as "first TCP packet not SYN".
    When a packet arrives on the ASA, it checks to see if it belongs to an existing flow; if not, it has to be a new connection, but since the SYN flag is not set here, it gets dropped under the above reason code.
    Now, you would probably want to capture the entire traffic stream from client to server on the ASA interface to understand what caused those resets. Maybe the client sent some new requests (SYNs) and the proxy was too busy to respond. Again, a complete capture in pcap would be needed for further analysis.
    Regards,
    Sourav Kakkar

  • Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded

    I have a very basic config to set up wireless on an 857W router.
    When I get connected, the log fills up with the following message:
    Not encrypted dot1x packet from 0012.f0b9.87c3 has been discarded
    What is causing this?
    Config below
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    dot11 ssid TESTSSID_1
    vlan 10
    max-associations 10
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 mywpapskpwd
    dot11 ssid TESTSSID_2
    vlan 20
    max-associations 10
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 mytestpassword
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.100.1
    ip dhcp pool HOME_1
    network 192.168.100.0 255.255.255.0
    default-router 192.168.100.1
    ip dhcp pool HOME_2
    network 10.20.0.0 255.255.255.0
    default-router 10.20.0.3
    ip cef
    archive
    log config
    hidekeys
    bridge irb
    interface ATM0
    no ip address
    shutdown
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    spanning-tree portfast
    interface FastEthernet2
    spanning-tree portfast
    interface FastEthernet3
    interface Dot11Radio0
    no ip address
    no ip route-cache cef
    no ip route-cache
    encryption vlan 10 mode ciphers tkip
    encryption vlan 20 mode ciphers tkip
    broadcast-key change 60
    ssid TESTSSID_1
    ssid TESTSSID_2
    speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
    channel 2452
    station-role root
    world-mode dot11d country GB both
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.10
    encapsulation dot1Q 10 native
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 spanning-disabled
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 spanning-disabled
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    interface Vlan1
    ip address 10.7.12.219 255.255.255.0
    interface Vlan10
    no ip address
    ip virtual-reassembly
    ip tcp adjust-mss 1400
    bridge-group 10
    hold-queue 100 out
    interface Vlan20
    no ip address
    ip virtual-reassembly
    ip tcp adjust-mss 1400
    bridge-group 20
    hold-queue 100 out
    interface BVI10
    ip address 192.168.100.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface BVI20
    ip address 10.20.0.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.7.12.254
    no ip http server
    no ip http secure-server
    control-plane
    bridge 10 protocol ieee
    bridge 10 route ip
    bridge 20 protocol ieee
    bridge 20 route ip
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    end
    Router#

    Too funny... I get clients complaining to me about issues and they have drivers that are from 2003 or 2004.
    Now all you have to do is make sure all other devices are on the same firmware. Makes troubleshooting sooooooo much easier.

  • Not encrypted dot1x packet syslog Alert - what is this?

    Hi, I have a Cisco 877w at home which I just use with my laptop for the internet. Thing is, I keep getting this alert on my syslog server; what is it? The MAC address is my laptop, which is wirelessly connected.
    May 9 19:48:20.265: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:49:05.253: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:49:50.252: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:50:35.510: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded
    May 9 19:51:20.214: *** Not encrypted dot1x packet from 0012.4d8f.170a has been discarded

    Here is the configuration guide which will help you:
    http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_example09186a00808a8d80.shtml

  • Class-map not works, Packets not tagging

    Hey Guys,
    I have defined a policy map and don't know why it's not tagging the IPs:
    class-map match-all KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    ip access-list extended ABC
     permit ip host 10.11.201.20 10.11.207.128 0.0.0.127
     permit ip host 10.11.201.19 10.11.207.128 0.0.0.127
    policy-map TAIM
     class voice
        priority percent 50
      set dscp ef
     class KHAN
        priority percent 49
      set dscp af41
    interface Multilink1
    service-policy output TAIM
    When I check the IPs in NetFlow it shows half the packets are tagged with af41 and half are default.
    Any idea will be appreciated.
    Thanks
    show policy-map interface result:
        Class-map: TAIM (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ABC
          Match: input-interface GigabitEthernet0/1
          Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
          QoS Set
            dscp af41
              Packets marked 0

    The problem is the way you are matching the packets:
    Here it shows that there are 0 packets marked and 0 packets matched:
     Class-map: TAIM (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: access-group name ABC
          Match: input-interface GigabitEthernet0/1
          Priority: 49% (3763 kbps), burst bytes 94050, b/w exceed drops: 0
          QoS Set
            dscp af41
              Packets marked 0
    When you define this:
    class-map match-all KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    You are telling the router to match both conditions, ACL ABC and input interface Gi0/1. Most likely what happens here is that the class map does not match both conditions.
    Depending on what you need to accomplish, you can change it to be ANY:
    class-map match-any KHAN
     match access-group name ABC
     match input-interface GigabitEthernet0/1
    This way it will work if it matches either the first condition ACL ABC or second condition input Gi0/1.
    Or you can just remove the input statement for Gi0/1 and match by the IPs only:
    class-map match-all KHAN
     match access-group name ABC

  • IPSEC packet has invalid spi

    I have a very simple LAN-to-LAN between two Cisco routers running IOS version 12.4(15)T8 as follows:
    RouterA:
    crypto isakmp key test123 address 4.2.97.15 no-xauth
    crypto isakmp policy 1
    encr aes 256
    hash sha
    authentication pre-share
    group 5
    lifetime 86400
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
    crypto map vpn 10 ipsec-isakmp
    set peer 4.2.97.15
    set security-association lifetime seconds 3600
    set transform-set tset
    set pfs group5
    match address vpn
    interface FastEthernet0/0
    ip address 207.15.205.15 255.255.255.0
    speed 100
    full-duplex
    crypto map vpn
    ip access-list extended vpn
    permit ip 129.174.15.0 0.0.0.255 129.174.16.0 0.0.0.255
    RouterB:
    crypto isakmp key test123 address 207.15.205.15 no-xauth
    crypto isakmp policy 1
    encr aes 256
    hash sha
    authentication pre-share
    group 5
    lifetime 86400
    no crypto ipsec nat-transparency udp-encapsulation
    crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
    crypto map vpn 10 ipsec-isakmp
    set peer 207.15.205.15
    set security-association lifetime seconds 3600
    set transform-set tset
    set pfs group5
    match address vpn
    interface FastEthernet0/0
    ip address 4.2.97.15 255.255.255.0
    speed 100
    full-duplex
    crypto map vpn
    ip access-list extended vpn
    permit ip 129.174.16.0 0.0.0.255 129.174.15.0 0.0.0.255
    Every now and then I am seeing this message in the log file:
    Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
    Why am I seeing this message? The VPN between the two routers is very stable, without any errors.
    I've asked several CCIE consultants and none of them has been able to provide me with a satisfactory answer regarding this message.
    Does anyone know why? Thanks in advance.

    I know it's been a while since this was asked, but to help anyone who may still want to know, here is the reason from Cisco:
    It simply means IPsec Security Associations are out of sync between the peer devices. As a result, an encrypting device will encrypt traffic with SAs that its peer does not know about. These packets are dropped on the peer with the above message logged to the syslog.
    Read more here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080bf6100.shtml
    One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device will encrypt traffic with SAs that its peer does not know about. These packets are dropped on the peer with this message logged to the syslog:
    Sep  2 13:27:57.707: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886), srcaddr=10.1.1.1
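    Before blaming a transient rekey race, it is worth ruling out a policy asymmetry between the two sides, since any value that does not mirror its counterpart is a reason for the peers to disagree about which SAs exist. The Python below is an added example, not code from this thread or from Cisco: it parses the RouterA/RouterB snippets above (embedded here as constructed sample text, trimmed to the lines the check reads) and reports any peer address, transform set, PFS group, SA lifetime or crypto ACL that does not mirror the other side. The function names and the list of checks are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the RouterA / RouterB crypto snippets from the post,
# trimmed to the lines this check reads.
ROUTER_A = """\
crypto isakmp key test123 address 4.2.97.15 no-xauth
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 4.2.97.15
 set security-association lifetime seconds 3600
 set transform-set tset
 set pfs group5
 match address vpn
interface FastEthernet0/0
 ip address 207.15.205.15 255.255.255.0
 crypto map vpn
ip access-list extended vpn
 permit ip 129.174.15.0 0.0.0.255 129.174.16.0 0.0.0.255
"""

ROUTER_B = """\
crypto isakmp key test123 address 207.15.205.15 no-xauth
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 207.15.205.15
 set security-association lifetime seconds 3600
 set transform-set tset
 set pfs group5
 match address vpn
interface FastEthernet0/0
 ip address 4.2.97.15 255.255.255.0
 crypto map vpn
ip access-list extended vpn
 permit ip 129.174.16.0 0.0.0.255 129.174.15.0 0.0.0.255
"""

AclEntry = Tuple[str, str, str, str]  # (src, src-wildcard, dst, dst-wildcard)


def parse_crypto(config: str) -> Dict[str, object]:
    """Pull out the parts of an IOS crypto-map site-to-site config that must agree with the peer."""
    info: Dict[str, object] = {
        "local_ip": None, "isakmp_peer": None, "peer": None, "transform": None,
        "pfs": None, "lifetime": None, "acl_name": None, "acl": [],
    }
    transform_sets: Dict[str, str] = {}
    acls: Dict[str, List[AclEntry]] = {}
    iface_ip = None
    current_acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            info["isakmp_peer"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m.group(1)] = m.group(2)
        elif m := re.match(r"set peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"set security-association lifetime seconds (\d+)", line):
            info["lifetime"] = int(m.group(1))
        elif m := re.match(r"set transform-set (\S+)", line):
            info["transform"] = m.group(1)          # name only; resolved below
        elif m := re.match(r"set pfs (\S+)", line):
            info["pfs"] = m.group(1)
        elif m := re.match(r"match address (\S+)", line):
            info["acl_name"] = m.group(1)
        elif m := re.match(r"ip address (\S+) \S+", line):
            iface_ip = m.group(1)
        elif re.match(r"crypto map \S+$", line):    # map applied under an interface
            info["local_ip"] = iface_ip
        elif m := re.match(r"ip access-list extended (\S+)", line):
            current_acl = m.group(1)
            acls.setdefault(current_acl, [])
        elif (m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)) and current_acl:
            acls[current_acl].append(m.groups())
    info["transform"] = transform_sets.get(info["transform"], info["transform"])
    info["acl"] = acls.get(info["acl_name"], [])
    return info


def mirrored(acl: List[AclEntry]) -> Set[AclEntry]:
    """What the peer's crypto ACL must look like: source and destination swapped."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in acl}


def check_peers(cfg_a: str, cfg_b: str) -> List[str]:
    """Return the mismatches between the two sides; an empty list means the policies mirror."""
    a, b = parse_crypto(cfg_a), parse_crypto(cfg_b)
    findings: List[str] = []
    if a["peer"] != b["local_ip"] or b["peer"] != a["local_ip"]:
        findings.append(f"peer mismatch: A peers with {a['peer']} but B is {b['local_ip']}; "
                        f"B peers with {b['peer']} but A is {a['local_ip']}")
    for side, info in (("A", a), ("B", b)):
        if info["isakmp_peer"] != info["peer"]:
            findings.append(f"{side}: isakmp key address {info['isakmp_peer']} != set peer {info['peer']}")
    for key in ("transform", "pfs", "lifetime"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: A={a[key]} B={b[key]}")
    if set(a["acl"]) != mirrored(b["acl"]):
        findings.append(f"crypto ACLs are not mirror images: A={a['acl']} B={b['acl']}")
    return findings


if __name__ == "__main__":
    for finding in check_peers(ROUTER_A, ROUTER_B) or ["policies mirror each other"]:
        print(finding)
```

    Run as-is it reports that the two configurations in the post mirror each other; edit one side's lifetime, transform set or ACL in the sample text and the corresponding mismatch is listed.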

  • IPSEC error: Received a non-IPSEC packet

    Hi all,
    Below is my network setup. I am using a Wireless LAN Controller and a Lightweight AP as its endpoint. Between the router and the ASA is an IPSEC tunnel:
    WLC---Router(==VPN==)ASA---AP
    From my AP segment, I am able to ping my WLC. Apparently the AP needs to pass UDP traffic to register itself with the WLC. Unfortunately I got this error message:
    IPSEC: Received a non-IPSec (protocol=udp) packet from 172.16.8.4(AP) to 172.16.52.2 (WLC).
    I have already allowed an ACL for any any udp connections & also enabled split tunneling to include the AP's traffic.
    What did I miss?

    This message is displayed when the received packet matched the crypto map ACL but is not IPSec-encapsulated: the IPSec peer is sending unencapsulated packets. This error can occur because of a policy setup error on the peer. This error is the reason why the reverse-path authentication is failing.
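    The two syslog messages in this thread point at different faults: a run of invalid-SPI drops for one SPI from one peer (the message in the question above this one) means that peer is still encrypting with an SA this side no longer holds, while a non-IPSec packet that matched the crypto ACL (this message) means the peer's policy sent the flow in the clear. The Python below is an added example, not code from the thread or from Cisco: it parses both message formats out of a syslog excerpt and turns repeats into findings, so that a single invalid-SPI drop around a rekey is not reported the same way as a persistent stale SA. The sample lines are constructed from the messages quoted in this thread (the extra timestamps and the second SPI are made up), and the threshold and function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the IOS invalid-SPI message and the ASA non-IPSec
# message from this thread, with made-up repeats and a second, one-off SPI.
LOGS = """\
Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
Jul 27 00:25:21.117: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
Jul 27 00:25:21.604: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
Jul 27 00:31:02.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Jul 27 02:10:44.090: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50, spi=0x2A9C11E0(714871264), srcaddr=4.2.97.15.
IPSEC: Received a non-IPSec (protocol=udp) packet from 172.16.8.4(AP) to 172.16.52.2 (WLC).
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"   # IPv4 only, so the trailing "." in the IOS line is not captured

# IOS: %CRYPTO-4-RECVD_PKT_INV_SPI ... destaddr=A, prot=50, spi=0xHEX(dec), srcaddr=B.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=" + IP + r", prot=(\d+), "
    r"spi=0x([0-9A-Fa-f]+)\(\d+\), srcaddr=" + IP)
# ASA: IPSEC: Received a non-IPSec (protocol=udp) packet from A to B.  The \S* skips
# annotations such as "(AP)" that the poster attached to the address.
NOT_IPSEC_RE = re.compile(
    r"IPSEC: Received a non-IPSec \(protocol=(\w+)\) packet from " + IP + r"\S* to " + IP)


@dataclass(frozen=True)
class CryptoDrop:
    kind: str               # "invalid_spi" or "not_ipsec"
    src: str
    dst: str
    proto: str
    spi: Optional[int] = None


def parse_line(line: str) -> Optional[CryptoDrop]:
    """Classify one syslog line; lines that are not crypto drops return None."""
    if m := INV_SPI_RE.search(line):
        dst, prot, spi_hex, src = m.groups()
        return CryptoDrop("invalid_spi", src, dst, prot, int(spi_hex, 16))
    if m := NOT_IPSEC_RE.search(line):
        proto, src, dst = m.groups()
        return CryptoDrop("not_ipsec", src, dst, proto)
    return None


def parse_log(text: str) -> List[CryptoDrop]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def triage(drops: List[CryptoDrop], stale_threshold: int = 3) -> List[str]:
    """Repeated invalid-SPI drops for one (src, dst, spi) mean the SAs are out of sync;
    a single one around a rekey stays below the threshold.  Every non-IPSec packet that
    matched the crypto policy is reported, because it is a policy error on the peer."""
    findings: List[str] = []
    by_spi = Counter((d.src, d.dst, d.spi) for d in drops if d.kind == "invalid_spi")
    for (src, dst, spi), n in sorted(by_spi.items()):
        if n >= stale_threshold:
            findings.append(f"stale SA: {src} sent {n} ESP packets to {dst} with SPI 0x{spi:08X}, "
                            f"which {dst} does not know; the peers' SAs are out of sync")
    for d in drops:
        if d.kind == "not_ipsec":
            findings.append(f"cleartext {d.proto} from {d.src} to {d.dst} matched the crypto ACL; "
                            f"the peer's policy is sending this flow unencrypted")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(LOGS)):
        print(finding)
```

    With the sample above it reports one stale-SA finding for SPI 0x681E0955 (three drops) and one cleartext finding for the AP-to-WLC flow; the single drop for the second SPI stays below the threshold and is not reported.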

  • IPSEC packets are not encrypted

    Hello (and Happy Thanksgiving to those in the USA),
    We recently swapped our ASA and re-applied the saved config to the new device. There is a site-to-site VPN that works and a remote client VPN that does not. We use some Cisco VPN clients and some Shrew Soft VPN clients. I've compared the config of the new ASA to that of the old ASA and I cannot find any differences (but the remote client VPN was working on the old ASA). The remote clients do connect and a tunnel is established, but they are unable to pass traffic. Systems on the network where the ASA is located are able to access the internet.
    Output of sho crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN):
       Active SA: 2
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA d
    Total IKE SA: 2
    1   IKE Peer: xx.168.155.98
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: xx.211.206.48
        Type    : user            Role    : responder
        Rekey   : no              State   : AM_ACTIVE
    Output of sho crypto ipsec sa (info regarding the site-to-site VPN removed). Packets are decrypted but not encrypted:
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
          current_peer: xx.211.206.48, username: me
          dynamic allocated peer ip: 10.20.1.100
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4500
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 7E0BF9B9
          current inbound spi : 41B75CCD
        inbound esp sas:
          spi: 0x41B75CCD (1102535885)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28776
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
          spi: 0xC06BF0DD (3228299485)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
             slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28774
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x000003FF 0xFFF80001
        outbound esp sas:
          spi: 0x7E0BF9B9 (2114714041)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28774
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
          spi: 0xCBF945AC (3422111148)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}
             slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 28772
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    Config from ASA
    : Saved
    : Written by me at 19:56:37.957 pst Tue Nov 26 2013
    ASA Version 8.2(4)
    hostname mfw01
    domain-name company.int
    enable password xxx encrypted
    passwd xxx encrypted
    names
    name xx.174.143.97 cox-gateway description cox-gateway
    name 172.16.10.0 iscsi-network description iscsi-network
    name 192.168.1.0 legacy-network description legacy-network
    name 10.20.50.0 management-network description management-network
    name 10.20.10.0 server-network description server-network
    name 10.20.20.0 user-network description user-network
    name 192.168.1.101 private-em-imap description private-em-imap
    name 10.20.10.2 private-exchange description private-exchange
    name 10.20.10.3 private-ftp description private-ftp
    name 192.168.1.202 private-ip-phones description private-ip-phones
    name 10.20.10.6 private-kaseya description private-kaseya
    name 192.168.1.2 private-mitel-3300 description private-mitel-3300
    name 10.20.10.1 private-pptp description private-pptp
    name 10.20.10.7 private-sharepoint description private-sharepoint
    name 10.20.10.4 private-tportal description private-tportal
    name 10.20.10.8 private-xarios description private-xarios
    name 192.168.1.215 private-xorcom description private-xorcom
    name xx.174.143.99 public-exchange description public-exchange
    name xx.174.143.100 public-ftp description public-ftp
    name xx.174.143.101 public-tportal description public-tportal
    name xx.174.143.102 public-sharepoint description public-sharepoint
    name xx.174.143.103 public-ip-phones description public-ip-phones
    name xx.174.143.104 public-mitel-3300 description public-mitel-3300
    name xx.174.143.105 public-xorcom description public-xorcom
    name xx.174.143.108 public-remote-support description public-remote-support
    name xx.174.143.109 public-xarios description public-xarios
    name xx.174.143.110 public-kaseya description public-kaseya
    name xx.174.143.111 public-pptp description public-pptp
    name 192.168.2.0 Irvine_LAN description Irvine_LAN
    name xx.174.143.98 public-ip
    name 10.20.10.14 private-RevProxy description private-RevProxy
    name xx.174.143.107 public-RevProxy description Public-RevProxy
    name 10.20.10.9 private-XenDesktop description private-XenDesktop
    name xx.174.143.115 public-XenDesktop description public-XenDesktop
    name 10.20.1.1 private-gateway description private-gateway
    name 192.168.1.96 private-remote-support description private-remote-support
    interface Ethernet0/0
    nameif public
    security-level 0
    ip address public-ip 255.255.255.224
    interface Ethernet0/1
    speed 100
    duplex full
    nameif private
    security-level 100
    ip address private-gateway 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    management-only
    ftp mode passive
    clock timezone pst -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name mills.int
    object-group service ftp
    service-object tcp eq ftp
    service-object tcp eq ftp-data
    object-group service DM_INLINE_SERVICE_1
    group-object ftp
    service-object udp eq tftp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 40
    port-object eq ssh
    object-group service web-server
    service-object tcp eq www
    service-object tcp eq https
    object-group service DM_INLINE_SERVICE_2
    service-object tcp eq smtp
    group-object web-server
    object-group service DM_INLINE_SERVICE_3
    service-object tcp eq ssh
    group-object web-server
    object-group service kaseya
    service-object tcp eq 4242
    service-object tcp eq 5721
    service-object tcp eq 8080
    service-object udp eq 5721
    object-group service DM_INLINE_SERVICE_4
    group-object kaseya
    group-object web-server
    object-group service DM_INLINE_SERVICE_5
    service-object gre
    service-object tcp eq pptp
    object-group service VPN
    service-object gre
    service-object esp
    service-object ah
    service-object tcp eq pptp
    service-object udp eq 4500
    service-object udp eq isakmp
    object-group network MILLS_VPN_VLANS
    network-object 10.20.1.0 255.255.255.0
    network-object server-network 255.255.255.0
    network-object user-network 255.255.255.0
    network-object management-network 255.255.255.0
    network-object legacy-network 255.255.255.0
    object-group service InterTel5000
    service-object tcp range 3998 3999
    service-object tcp range 6800 6802
    service-object udp eq 20001
    service-object udp range 5004 5007
    service-object udp range 50098 50508
    service-object udp range 6604 7039
    service-object udp eq bootpc
    service-object udp eq tftp
    service-object tcp eq 4000
    service-object tcp eq 44000
    service-object tcp eq www
    service-object tcp eq https
    service-object tcp eq 5566
    service-object udp eq 5567
    service-object udp range 6004 6603
    service-object tcp eq 6880
    object-group service DM_INLINE_SERVICE_6
    service-object icmp
    service-object tcp eq 2001
    service-object tcp eq 2004
    service-object tcp eq 2005
    object-group service DM_INLINE_SERVICE_7
    service-object icmp
    group-object InterTel5000
    object-group service DM_INLINE_SERVICE_8
    service-object icmp
    service-object tcp eq https
    service-object tcp eq ssh
    object-group service RevProxy tcp
    description RevProxy
    port-object eq 5500
    object-group service XenDesktop tcp
    description Xen
    port-object eq 8080
    port-object eq 2514
    port-object eq 2598
    port-object eq 27000
    port-object eq 7279
    port-object eq 8000
    port-object eq citrix-ica
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip
    access-list public_access_in extended permit object-group VPN any host public-ip
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp
    access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange
    access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios
    access-list public_access_in extended permit object-group web-server any host public-sharepoint
    access-list public_access_in extended permit object-group web-server any host public-tportal
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya
    access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp
    access-list public_access_in extended permit ip any host public-XenDesktop
    access-list private_access_in extended permit icmp any any
    access-list private_access_in extended permit ip any any
    access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0
    access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0
    access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0
    access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0
    access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0
    access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
    access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240
    access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
    access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0
    access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0
    pager lines 24
    logging enable
    logging list Error-Events level warnings
    logging monitor warnings
    logging buffered warnings
    logging trap warnings
    logging asdm warnings
    logging mail warnings
    logging host private private-kaseya
    logging permit-hostdown
    logging class auth trap alerts
    mtu public 1500
    mtu private 1500
    mtu management 1500
    ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (public) 101 interface
    nat (private) 0 access-list private_nat0_outbound
    nat (private) 101 0.0.0.0 0.0.0.0
    nat (management) 101 0.0.0.0 0.0.0.0
    static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns
    static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns
    static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns
    static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns
    static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns
    static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns
    static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns
    static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns
    static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns
    static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns
    static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns
    static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns
    access-group public_access_in in interface public
    access-group private_access_in in interface private
    route public 0.0.0.0 0.0.0.0 cox-gateway 1
    route private server-network 255.255.255.0 10.20.1.254 1
    route private user-network 255.255.255.0 10.20.1.254 1
    route private management-network 255.255.255.0 10.20.1.254 1
    route private iscsi-network 255.255.255.0 10.20.1.254 1
    route private legacy-network 255.255.255.0 10.20.1.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    ldap attribute-map admin-control
      map-name  comment Privilege-Level
    ldap attribute-map allow-dialin
      map-name  msNPAllowDialin IETF-Radius-Class
      map-value msNPAllowDialin FALSE NOACCESS
      map-value msNPAllowDialin TRUE IPSecUsers
    ldap attribute-map mills-vpn_users
      map-name  msNPAllowDialin IETF-Radius-Class
      map-value msNPAllowDialin FALSE NOACCESS
      map-value msNPAllowDialin True IPSecUsers
    ldap attribute-map network-admins
      map-name  memberOf IETF-Radius-Service-Type
      map-value memberOf FALSE NOACCESS
      map-value memberOf "Network Admins" 6
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server Mills protocol nt
    aaa-server Mills (private) host private-pptp
    nt-auth-domain-controller ms01.mills.int
    aaa-server Mills_NetAdmin protocol ldap
    aaa-server Mills_NetAdmin (private) host private-pptp
    server-port 389
    ldap-base-dn ou=San Diego,dc=mills,dc=int
    ldap-group-base-dn ou=San Diego,dc=mills,dc=int
    ldap-scope subtree
    ldap-naming-attribute cn
    ldap-login-password *
    ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
    server-type microsoft
    ldap-attribute-map mills-vpn_users
    aaa-server NetworkAdmins protocol ldap
    aaa-server NetworkAdmins (private) host private-pptp
    ldap-base-dn ou=San Diego,dc=mills,dc=int
    ldap-group-base-dn ou=San Diego,dc=mills,dc=int
    ldap-scope subtree
    ldap-naming-attribute cn
    ldap-login-password *
    ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
    server-type microsoft
    ldap-attribute-map network-admins
    aaa-server ADVPNUsers protocol ldap
    aaa-server ADVPNUsers (private) host private-pptp
    ldap-base-dn ou=San Diego,dc=mills,dc=int
    ldap-group-base-dn ou=San Diego,dc=mills,dc=int
    ldap-scope subtree
    ldap-naming-attribute cn
    ldap-login-password *
    ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int
    server-type microsoft
    ldap-attribute-map mills-vpn_users
    aaa authentication enable console ADVPNUsers LOCAL
    aaa authentication http console ADVPNUsers LOCAL
    aaa authentication serial console ADVPNUsers LOCAL
    aaa authentication telnet console ADVPNUsers LOCAL
    aaa authentication ssh console ADVPNUsers LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 management
    http 0.0.0.0 0.0.0.0 public
    http 0.0.0.0 0.0.0.0 private
    snmp-server host private private-kaseya poll community ***** version 2c
    snmp-server location Mills - San Diego
    snmp-server contact Mills Assist
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sysopt noproxyarp private
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map public_map 1 match address public_1_cryptomap
    crypto map public_map 1 set pfs
    crypto map public_map 1 set peer xx.168.155.98
    crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA
    crypto map public_map 1 set nat-t-disable
    crypto map public_map 1 set phase1-mode aggressive
    crypto map public_map 2 match address public_2_cryptomap
    crypto map public_map 2 set pfs group5
    crypto map public_map 2 set peer xx.181.134.141
    crypto map public_map 2 set transform-set ESP-AES-128-SHA
    crypto map public_map 2 set nat-t-disable
    crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map public_map interface public
    crypto isakmp enable public
    crypto isakmp policy 1
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 28800
    telnet 0.0.0.0 0.0.0.0 private
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 public
    ssh 0.0.0.0 0.0.0.0 private
    ssh 0.0.0.0 0.0.0.0 management
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.0.2-192.168.0.254 management
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp authenticate
    ntp server 216.129.110.22 source public
    ntp server 173.244.211.10 source public
    ntp server 24.124.0.251 source public prefer
    webvpn
    enable public
    svc enable
    group-policy NOACCESS internal
    group-policy NOACCESS attributes
    vpn-simultaneous-logins 0
    vpn-tunnel-protocol svc
    group-policy IPSecUsers internal
    group-policy IPSecUsers attributes
    wins-server value 10.20.10.1
    dns-server value 10.20.10.1
    vpn-tunnel-protocol IPSec
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_Users_SplitTunnelAcl
    default-domain value mills.int
    address-pools value VPN_Users
    group-policy Irvine internal
    group-policy Irvine attributes
    vpn-tunnel-protocol IPSec
    username admin password Kra9/kXfLDwlSxis encrypted
    tunnel-group VPN_Users type remote-access
    tunnel-group VPN_Users general-attributes
    address-pool VPN_Users
    authentication-server-group Mills_NetAdmin
    default-group-policy IPSecUsers
    tunnel-group VPN_Users ipsec-attributes
    pre-shared-key *
    tunnel-group xx.189.99.114 type ipsec-l2l
    tunnel-group xx.189.99.114 general-attributes
    default-group-policy Irvine
    tunnel-group xx.189.99.114 ipsec-attributes
    pre-shared-key *
    tunnel-group xx.205.23.76 type ipsec-l2l
    tunnel-group xx.205.23.76 general-attributes
    default-group-policy Irvine
    tunnel-group xx.205.23.76 ipsec-attributes
    pre-shared-key *
    tunnel-group xx.168.155.98 type ipsec-l2l
    tunnel-group xx.168.155.98 general-attributes
    default-group-policy Irvine
    tunnel-group xx.168.155.98 ipsec-attributes
    pre-shared-key *
    class-map global-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global-policy
    class global-class
      inspect dns
      inspect esmtp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip 
      inspect skinny 
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    service-policy global-policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a
    Maybe my eyes are glazing over from looking at this for too long. Does anything look wrong? Maybe I missed a command that would not show up in the config?
    Thanks in advance to all who take a look.
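    The counters in that show crypto ipsec sa output already narrow the problem down: the remote-access SA decapsulates 20 packets and encapsulates none, so the client's traffic arrives and is decrypted but nothing is sent back through the tunnel. As an added example (not code from this thread or from Cisco), the Python below parses show crypto ipsec sa text and reports any SA whose encrypt/decrypt counters are one-sided, together with non-zero send/recv error counters. The sample output is constructed from the figures in the post, with a made-up healthy site-to-site entry (public_map seq 1) alongside so the asymmetric one stands out; the record layout and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the remote-access SA from the post (SYSTEM_DEFAULT_CRYPTO_MAP,
# 20 decaps / 0 encaps) next to a made-up healthy site-to-site SA for contrast.
SHOW_IPSEC_SA = """\
    Crypto map tag: public_map, seq num: 1, local addr: public-ip
      local ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: xx.168.155.98
      #pkts encaps: 1540, #pkts encrypt: 1540, #pkts digest: 1540
      #pkts decaps: 1488, #pkts decrypt: 1488, #pkts verify: 1488
      #send errors: 0, #recv errors: 0
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: xx.211.206.48, username: me
      dynamic allocated peer ip: 10.20.1.100
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #send errors: 0, #recv errors: 0
"""


@dataclass
class SaCounters:
    tag: str
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(output: str) -> List[SaCounters]:
    """Split show crypto ipsec sa output into one record per crypto-map entry."""
    records: List[SaCounters] = []
    # Each entry starts at a "Crypto map tag:" line; the text up to the next one is its body.
    for chunk in re.split(r"(?m)^\s*Crypto map tag: ", output)[1:]:
        head, _, body = chunk.partition("\n")

        def grab(pattern: str, default: str = "?") -> str:
            m = re.search(pattern, body)
            return m.group(1) if m else default

        records.append(SaCounters(
            tag=head.split(",")[0],
            peer=grab(r"current_peer: ([^,\s]+)"),
            local_ident=grab(r"local ident \(addr/mask/prot/port\): \((.*?)\)"),
            remote_ident=grab(r"remote ident \(addr/mask/prot/port\): \((.*?)\)"),
            encaps=int(grab(r"#pkts encaps: (\d+)", "0")),
            decaps=int(grab(r"#pkts decaps: (\d+)", "0")),
            send_errors=int(grab(r"#send errors: (\d+)", "0")),
            recv_errors=int(grab(r"#recv errors: (\d+)", "0")),
        ))
    return records


def diagnose(output: str) -> List[str]:
    """Report SAs whose traffic only flows one way, plus any send/recv error counters."""
    findings: List[str] = []
    for sa in parse_ipsec_sa(output):
        where = f"{sa.tag} peer {sa.peer} ({sa.local_ident} <-> {sa.remote_ident})"
        if sa.decaps > 0 and sa.encaps == 0:
            findings.append(f"{where}: {sa.decaps} packets decrypted, none encrypted; "
                            "replies to the remote ident never reach the crypto map "
                            "(check the return route and NAT exemption for that network)")
        elif sa.encaps > 0 and sa.decaps == 0:
            findings.append(f"{where}: {sa.encaps} packets encrypted, none decrypted; "
                            "nothing is coming back from the peer")
        if sa.send_errors or sa.recv_errors:
            findings.append(f"{where}: send errors {sa.send_errors}, recv errors {sa.recv_errors}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_IPSEC_SA) or ["all SAs carry traffic in both directions"]:
        print(finding)
```

    On the sample it flags only the SYSTEM_DEFAULT_CRYPTO_MAP entry for the 10.20.1.100 client; the site-to-site entry, whose encaps and decaps are both non-zero, produces nothing.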

    Marius,
    I connected via my VPN client at home and pinged a remote server, attempted to RDP by name and then attempted to RDP by IP address. All were unsuccessful. Here is the packet capture:
    72 packets captured
       1: 09:44:06.304671 10.20.1.100.137 > 10.20.10.1.137:  udp 68
       2: 09:44:06.304885 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
       3: 09:44:07.198384 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
       4: 09:44:07.300353 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
       5: 09:44:07.786504 10.20.1.100.137 > 10.20.10.1.137:  udp 68
       6: 09:44:07.786671 10.20.1.100.137 > 10.20.10.1.137:  udp 68
       7: 09:44:07.786855 10.20.1.100.137 > 10.20.10.1.137:  udp 68
       8: 09:44:08.198399 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
       9: 09:44:09.282608 10.20.1.100.61328 > 10.20.10.1.53:  udp 32
      10: 09:44:09.286667 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      11: 09:44:09.286926 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      12: 09:44:09.287201 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      13: 09:44:09.300491 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
      14: 09:44:10.199193 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
      15: 09:44:10.282150 10.20.1.100.61328 > 10.20.10.1.53:  udp 32
      16: 09:44:11.286865 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      17: 09:44:12.302993 10.20.1.100.61328 > 10.20.10.1.53:  udp 32
      18: 09:44:12.785054 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      19: 09:44:13.301101 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
      20: 09:44:14.204029 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
      21: 09:44:14.287323 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      22: 09:44:14.375331 10.20.1.100 > 10.20.10.1: icmp: echo request
      23: 09:44:16.581589 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      24: 09:44:18.083842 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      25: 09:44:18.199879 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      26: 09:44:19.224063 10.20.1.100 > 10.20.10.1: icmp: echo request
      27: 09:44:19.582367 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      28: 09:44:19.704019 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      29: 09:44:20.288193 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      30: 09:44:21.200307 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      31: 09:44:21.786321 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      32: 09:44:23.289535 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      33: 09:44:24.204777 10.20.1.100 > 10.20.10.1: icmp: echo request
      34: 09:44:29.219440 10.20.1.100 > 10.20.10.1: icmp: echo request
      35: 09:44:29.287460 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      36: 09:44:30.787617 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      37: 09:44:32.287887 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      38: 09:45:00.533816 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      39: 09:45:02.018019 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      40: 09:45:03.160239 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
      41: 09:45:03.350354 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
      42: 09:45:03.521960 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      43: 09:45:04.158408 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
      44: 09:45:04.344342 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
      45: 09:45:06.160681 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
      46: 09:45:06.358593 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
      47: 09:45:10.159125 10.20.1.100.52764 > 10.20.10.1.53:  udp 34
      48: 09:45:10.345227 10.20.1.100.53948 > 10.20.10.1.53:  udp 38
      49: 09:45:14.550478 10.20.1.100.59402 > 10.20.10.1.53:  udp 32
      50: 09:45:15.536166 10.20.1.100.59402 > 10.20.10.1.53:  udp 32
      51: 09:45:17.546144 10.20.1.100.59402 > 10.20.10.1.53:  udp 32
      52: 09:45:21.882812 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      53: 09:45:23.379222 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      54: 09:45:24.893386 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      55: 09:45:41.550035 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      56: 09:45:43.029875 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      57: 09:45:44.541979 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      58: 09:46:10.767782 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      59: 09:46:12.261934 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      60: 09:46:13.776250 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      61: 09:46:19.848970 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      62: 09:46:20.113183 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
      63: 09:46:21.331251 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      64: 09:46:22.831423 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      65: 09:46:23.101511 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      66: 09:46:23.123254 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
      67: 09:46:24.591705 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      68: 09:46:26.115976 10.20.1.100.137 > 10.20.10.1.137:  udp 50
      69: 09:46:28.834276 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      70: 09:46:29.125817 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
      71: 09:46:30.342816 10.20.1.100.137 > 10.20.10.1.137:  udp 68
      72: 09:46:31.840746 10.20.1.100.137 > 10.20.10.1.137:  udp 68
    72 packets shown
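Added diagnostic, not part of the thread: a small parser for `show capture` lines in the format above that groups packets into flows and lists the flows with no traffic in the reverse direction. In the lines shown above every flow is one-way (NetBIOS, DNS, ICMP echo and the RDP SYNs all leave 10.20.1.100 and nothing comes back), which is the first thing to confirm before looking at crypto policy or routing. The sample below reuses five of the lines above and adds one constructed DNS reply (packet 99) so the two-way case is exercised too.

```python
import re
from collections import Counter

# Constructed sample: five lines taken from the capture output above plus one
# added DNS reply (packet 99) so that the two-way case is exercised too.
SAMPLE = """\
       5: 09:44:07.786504 10.20.1.100.137 > 10.20.10.1.137:  udp 68
       8: 09:44:08.198399 10.20.1.100.51650 > 10.20.10.1.53:  udp 32
      22: 09:44:14.375331 10.20.1.100 > 10.20.10.1: icmp: echo request
      62: 09:46:20.113183 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
      66: 09:46:23.123254 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
      99: 09:46:30.000000 10.20.10.1.53 > 10.20.1.100.51650:  udp 120
72 packets shown
"""

# "<n>: <time> <src[.port]> > <dst[.port]>: <rest>" as printed by "show capture"
LINE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def endpoint(token):
    """'10.20.1.100.137' -> '10.20.1.100:137'; a bare address (ICMP) is returned as is."""
    parts = token.split(".")
    return ".".join(parts[:4]) + ":" + parts[4] if len(parts) == 5 else token


def parse_line(line):
    """Return (proto, src, dst) for one capture line, or None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, _, src, dst, rest = m.groups()
    if rest.startswith("udp"):
        proto = "udp"
    elif rest.startswith("icmp"):
        proto = "icmp"
    else:
        proto = "tcp"  # TCP lines carry flags (S, ., P, F) instead of a protocol keyword
    return proto, endpoint(src), endpoint(dst)


def flow_summary(capture_text):
    """Count packets per (proto, src, dst) and list the flows that never saw a reply."""
    counts = Counter(p for p in map(parse_line, capture_text.splitlines()) if p)
    one_way = {f: n for f, n in counts.items() if (f[0], f[2], f[1]) not in counts}
    return counts, one_way
```

A one-way result only means something if the capture's access-list matched both directions; a capture filtered on a single source or destination will always look one-way.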

  • Master data HR to E-REC standalone system not being created using PFAL

    I am trying to transfer data from HR to a standalone E-REC system using the PFAL transaction.
    IDoc transferred with Status 53.
    BAdIs of E-rec are implemented.
    In e-rec, the relationships O to S, S to CP, CP to US, CP to BP and CP to P are getting created properly in table HRP1001.
    We are unable to see the data for Infotypes 0000,0001,0002,0006,0105 for the same CP in PP01.
    We tried the same scenario with SRM system and there we were able to see the data of above infotypes for a CP.
    Table T77S0 is maintained according to the SAP notes.
    Please throw some light on how we can transfer the data of HR master to E-rec and where exactly we have to check for this master data in E-REC.
    Thanks in Advance.

    Dear Rohit,
    Firstly,
    No, you cannot have infotypes like how you have mentioned for SRM. This is not how it is in eRecruiting. As Raj suggested, we look at other infotypes for this.
    5102: gives you details about the candidates. Object NA.
    5105: Qualification details etc.
    For an object P in the system, there is a CP. On activating the relevant BAdIs, a BP & NA are created for the CP when transferring data from core HR. Now, this does not necessarily mean that all the HR infotypes are transferred to relevant infotypes in eRecruiting. The data is handled differently.
    If you are sure that NA exists, then internal candidates are created successfully. The next thing would be to map this NA object with the relevant PA details like name, address, email address etc. For this we make use of the BP object associated with the CP & not the CP or the NA.
    So, if you want to check whether the transfer is successful, go to tcode BP & check if the name & address details etc. are the same as for the corresponding P for which the NA was created.
    To see more of the core HR info, you can check the business partner BUT000 against the relevant BP.
    I hope this clears some of your confusion.
    Secondly,
    Regarding the BAdI, I am aware that this BAdI is mainly required in an integration implementation scenario. But I think the sample implementation of this BAdI CONV_HR_DATA_TO_EREC is required to create internal candidates from IDocs. I think this is required for the P to CP/BP/NA transformation. But if you say the NA is created without this then maybe I am wrong. Please take a second look at this.
    Regards,
    Sowmya

  • QoS Packets not matching on 6500 with SUP720-10GE and SU2T

    Hi,
    I do not see packets matching in policy. 
    output below:
    Switch#sh policy-map interface vlan 2232
     Vlan2232 
      Service-policy input: HARDPHONE-VVLAN
        Class-map: VOICETRAFFIC (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group name VOICETRAFFIC
        Class-map: VOICESIGNALING (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: access-group name VOICESIGNALING
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any 
            0 packets, 0 bytes
            5 minute rate 0 bps
    I also do not find packets matching the ACL:
    switch#sh access-lists
    Extended IP access list VIDEOTRAFFIC
        10 permit udp any any range 16384 32767
    Extended IP access list VOICESIGNALING
        10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
        20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
        30 permit udp any 10.128.0.0 0.3.255.255 eq 5060
        40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
        50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
        60 permit udp any 172.20.10.0 0.0.1.255 eq 5060
    Extended IP access list VOICETRAFFIC
        10 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 range 16384 32767
    I checked the policies, they look applied correctly.
    On SUP-720-10GE, I modified the ACL to 'permit udp any any' but did not find any matching packets. There are plenty of IP phones connected directly to this switch that belong to the voice VLAN. I applied VLAN-based QoS under the voice VLAN and other VLANs too.
    I observed a different thing on SUP 2T. I saw packets matching the ACL statement 'permit udp any any', but when I took off this line, the ACL was not showing packets matching.
    OUTPUT of IP phones connected to switch:
    switch#sh cdp neighbors | in SEP
    SEP0008308A5D7B  Gig 13/38         143             H P M  IP Phone  Port 1
    SEP0008308A5DE0  Gig 10/1          121             H P M  IP Phone  Port 1
    SEP0023049C6348  Gig 3/42          152             H P M  IP Phone  Port 1
    SEP0021A02D64D4  Gig 9/28          120             H P M  IP Phone  Port 1
    SEP1C6A7AE0588E  Gig 3/9           127             H P M  IP Phone  Port 1
    SEP00229059969E  Gig 12/48         166             H P M  IP Phone  Port 1
    SEP0008308AF26F  Gig 2/7           161             H P M  IP Phone  Port 1
    SEP00235EB7BE0E  Gig 4/2           154             H P M  IP Phone  Port 1
    SEP00229059BE5A  Gig 6/37          158             H P M  IP Phone  Port 1
    SEP1CAA07115CF3  Gig 12/29         148             H P M  IP Phone  Port 1
    SEP00235EB7884F  Gig 9/3           156             H P M  IP Phone  Port 1
    SEP0008308B03FB  Gig 2/30          178             H P M  IP Phone  Port 1
    SEP006440B42CD3  Gig 3/45          132             H P M  IP Phone  Port 1
    SEP0022905991C9  Gig 11/4          145             H P M  IP Phone  Port 1
    SEP0008308A5E6C  Gig 6/36          124             H P M  IP Phone  Port 1
    SEP006440B427CA  Gig 13/31         170             H P M  IP Phone  Port 1
    SEP006440B425FF  Gig 3/19          168             H P M  IP Phone  Port 1
    SEP0008308A7AD7  Gig 2/3           159             H P M  IP Phone  Port 1
    SEP0008308A3EB2  Gig 10/4          132             H P M  IP Phone  Port 1
    SEP002414B45A0E  Gig 10/28         170             H P M  IP Phone  Port 1
    SEP04C5A4B19C8B  Gig 2/15          162             H P M  IP Phone  Port 1
    SEP006440B43DE6  Gig 9/48          162             H P M  IP Phone  Port 1
    SEP006440B42B0D  Gig 9/23          179             H P M  IP Phone  Port 1
    Could anyone please help with how to make sure that packets are hitting the correct ACL and policy on 6500 with SUP720-10GE and SUP2T?
    Thanks,
    Pruthvi

    Please note that the 6500 is used as an L2 switch only and SVIs are used for applying policies only.
    Configuration below:
    class-map match-all VOICESIGNALING
      match access-group name VOICESIGNALING
    class-map match-all VOICETRAFFIC
      match access-group name VOICETRAFFIC
    class-map match-all VIDEOTRAFFIC
      match access-group name VIDEOTRAFFIC
    policy-map HARDPHONE-VVLAN
      class VOICETRAFFIC
         police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
      class VOICESIGNALING
         police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
      class class-default
         police flow mask src-only 32000 8000 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
    policy-map STUDENT-DVLAN
      class class-default
         police flow mask src-only 25000000 1562500 conform-action set-dscp-transmit default exceed-action policed-dscp-transmit
    policy-map STAFF-DVLAN
      class VOICESIGNALING
         police flow mask src-only 32000 8000 conform-action set-dscp-transmit cs3 exceed-action policed-dscp-transmit
      class VOICETRAFFIC
         police flow mask src-only 128000 8000 conform-action set-dscp-transmit ef exceed-action drop
      class VIDEOTRAFFIC
         police flow mask src-only 2000000 150000 conform-action set-dscp-transmit ef exceed-action drop
      class class-default
         police flow mask src-only 50000000 1000000 conform-action set-dscp-transmit ef exceed-action drop
    ip access-list extended VOICESIGNALING
     remark Skinny and SIP protocols From Phones to Voice Core Infrastructure
     permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
     permit tcp any 10.128.0.0 0.3.255.255 eq 5060
     permit udp any 10.128.0.0 0.3.255.255 eq 5060
     permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
     permit tcp any 172.20.10.0 0.0.1.255 eq 5060
     permit udp any 172.20.10.0 0.0.1.255 eq 5060
    ip access-list extended VOICETRAFFIC
     permit udp any any dscp ef
     permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
     permit udp any any range 16384 32767 dscp ef
    ip access-list extended VOICESIGNALING
     remark Skinny and SIP protocols From Phones to Voice Core Infrastructure 
     permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
     permit tcp any 10.128.0.0 0.3.255.255 eq 5060
     permit udp any 10.128.0.0 0.3.255.255 eq 5060
     permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
     permit tcp any 172.20.10.0 0.0.1.255 eq 5060
     permit udp any 172.20.10.0 0.0.1.255 eq 5060
    ip access-list extended VIDEOTRAFFIC
     permit udp any any range 16384 32767 dscp ef
    interface Vlan104
     description PolicyOnlyInt
     no ip address
     service-policy input STAFF-DVLAN
    interface Vlan105
     description PolicyOnlyInt
     no ip address
     service-policy input STAFF-DVLAN
    interface Vlan573
     description PolicyOnlyInt
     no ip address
     service-policy input PUBLIC-DVLAN
    interface Vlan604
     description PolicyOnlyInt
     no ip address
     service-policy input PUBLIC-DVLAN
    interface Vlan654
     description PolicyOnlyInt
     no ip address
     service-policy input STUDENT-DVLAN
    interface Vlan674
     description PolicyOnlyInt
     no ip address
     service-policy input PUBLIC-DVLAN
    interface Vlan807
     ip address 172.18.128.5 255.255.255.0
    interface Vlan860
     description PolicyOnlyInt
     no ip address
     service-policy input PUBLIC-DVLAN
    interface Vlan2016
     description PolicyOnlyInt
     no ip address
     service-policy input HARDPHONE-VVLAN
    interface Vlan3124
     description PolicyOnlyInt
     no ip address
     shutdown
     service-policy input HARDPHONE-VVLAN
    switch#sh access-lists
    Extended IP access list VOICESIGNALING
        10 permit tcp any 10.128.0.0 0.3.255.255 range 2000 2002
        20 permit tcp any 10.128.0.0 0.3.255.255 eq 5060
        30 permit udp any 10.128.0.0 0.3.255.255 eq 5060
        40 permit tcp any 172.20.10.0 0.0.1.255 range 2000 2002
        50 permit tcp any 172.20.10.0 0.0.1.255 eq 5060
        60 permit udp any 172.20.10.0 0.0.1.255 eq 5060
    Extended IP access list VOICETRAFFIC
        10 permit udp any any dscp ef <----- not showing any match
        11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255 <---- not showing any match
        12 permit udp any any range 16384 32767 dscp ef <---- not showing any match
    If I use "permit udp any any", the ACL is showing matches.
    switch#sh access-lists
    Extended IP access list VOICETRAFFIC
        10 permit udp any any dscp ef
        11 permit udp 10.128.0.0 0.63.255.255 10.128.0.0 0.63.255.255
        12 permit udp any any range 16384 32767 dscp ef
        13 permit udp any any (527055 matches)
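Added helper, not from the poster: it parses `sh policy-map interface` and `sh access-lists` output in the format quoted above and, for each class-map, reports the class counter, the total hits on the ACL it references and the ACEs that never matched, so the "only the catch-all ACE hits" pattern above is visible at a glance. The sample excerpts are constructed from the output in this post; the poster's `<---` annotations are tolerated and dropped.

```python
import re

# Constructed excerpts in the format of the "sh policy-map interface" and
# "sh access-lists" output quoted above (not the poster's full output).
POLICY_OUT = """\
    Class-map: VOICETRAFFIC (match-all)
      0 packets, 0 bytes
      Match: access-group name VOICETRAFFIC
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      Match: any
        0 packets, 0 bytes
"""
ACL_OUT = """\
Extended IP access list VOICETRAFFIC
    10 permit udp any any dscp ef <----- not showing any match
    12 permit udp any any range 16384 32767 dscp ef<----not showing any match
    13 permit udp any any (527055 matches)
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)")
PKTS_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
ACG_RE = re.compile(r"^\s*Match: access-group name (\S+)")
ACL_RE = re.compile(r"^Extended IP access list (\S+)")
ACE_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")

def parse_policy(text):
    """Map class-map name -> {'packets': n, 'acl': ACL name or None}."""
    classes, cur = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = classes.setdefault(m.group(1), {"acl": None})
        elif cur is None:
            continue
        elif (m := PKTS_RE.match(line)) and "packets" not in cur:
            cur["packets"] = int(m.group(1))  # first counter is the class, later ones are per match line
        elif m := ACG_RE.match(line):
            cur["acl"] = m.group(1)
    return classes

def parse_acls(text):
    """Map ACL name -> list of (sequence, rule, hit count)."""
    acls, cur = {}, None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            cur = acls.setdefault(m.group(1), [])
            continue
        m = ACE_RE.match(line.split("<")[0])  # drop the poster's "<---" annotations
        if m and cur is not None:
            seq, action, rule, hits = m.groups()
            cur.append((int(seq), f"{action} {rule}", int(hits or 0)))
    return acls

def classification_report(policy_text, acl_text):
    """Per class: class-map counter, total ACL hits, and ACEs that never matched."""
    acls = parse_acls(acl_text)
    report = {}
    for name, info in parse_policy(policy_text).items():
        aces = acls.get(info["acl"], [])
        report[name] = {"class_packets": info.get("packets", 0),
                        "acl_hits": sum(h for _, _, h in aces),
                        "dead_aces": [s for s, _, h in aces if h == 0]}
    return report
```

A class counter of 0 next to a non-zero ACL hit count (as for VOICETRAFFIC here) shows that the ACE matched when used as a plain ACL but the QoS classification path did not count it, which narrows the problem to the policy rather than to the ACL syntax.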
