Debug IP ICMP

hi,
I have found the result below when enabling debug ip icmp, while there is no traffic in or out. I enabled this during non-working hours:
Is it a DoS attack or normal?
*Nov  4 19:37:38.943: ICMP: echo reply sent, src 125.19.X.X, dst 203.178.148.19, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:09.483: ICMP: echo reply sent, src 125.19.X.X, dst 41.79.69.16, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:27.031: ICMP: echo reply sent, src 125.19.X.X, dst 192.33.90.66, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:28.079: ICMP: echo reply sent, src 125.19.X.X, dst 192.33.90.66, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:54.295: ICMP: echo reply sent, src 125.19.X.X, dst 137.165.1.114, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:55.235: ICMP: echo reply sent, src 125.19.X.X, dst 137.165.1.114, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:30.583: ICMP: echo reply sent, src 125.19.X.X, dst 203.62.195.170, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.147: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.303: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.451: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.603: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
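
One way to triage output like the above, as an added example that is not part of the original post: it parses the `debug ip icmp` line shape shown here, counts the echo replies the router sent per remote peer and measures the peak number of replies in any one-second window. The sample lines, the addresses and the flood threshold are constructed for the example.

```python
"""Triage for Cisco IOS `debug ip icmp` output (added example, not from the post).

The debug timestamps carry no year, so only differences between them are used.
"""
import re
from collections import Counter
from datetime import datetime

# Matches the line shape in the post, e.g.
# *Nov  4 19:37:38.943: ICMP: echo reply sent, src 125.19.X.X, dst 203.178.148.19, topology BASE, dscp 0 topoid 0
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"ICMP: (?P<kind>echo reply|echo request) (?P<dir>sent|rcvd), "
    r"src (?P<src>[^,\s]+), dst (?P<dst>[^,\s]+)"
)


def parse_line(line):
    """Return a dict for an echo sent/rcvd line, or None for any other debug line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
    # A reply the router *sent* answers a request from dst; a reply it
    # *received* came from src. Either way that address is the remote peer.
    peer = m["dst"] if m["dir"] == "sent" else m["src"]
    return {"ts": ts, "kind": m["kind"], "dir": m["dir"], "peer": peer}


def summarise(lines, window_s=1.0):
    """Per-peer count of echo replies the router sent, and the peak count in any window."""
    replies = [e for e in map(parse_line, lines)
               if e and e["kind"] == "echo reply" and e["dir"] == "sent"]
    per_peer = Counter(e["peer"] for e in replies)
    times = sorted(e["ts"] for e in replies)
    peak, lo = 0, 0
    for hi, t in enumerate(times):            # sliding window over sorted timestamps
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return per_peer, peak


def classify(per_peer, peak, flood_threshold=50):
    """Crude verdict; the threshold is a constructed value, tune it to the link."""
    if peak >= flood_threshold:
        return "flood-like burst"
    if per_peer and max(per_peer.values()) >= flood_threshold:
        return "single peer dominating"
    return "low rate, scattered peers"


# Constructed sample in the post's format (documentation address ranges).
SAMPLE = """\
*Nov  4 19:37:38.943: ICMP: echo reply sent, src 192.0.2.1, dst 198.51.100.7, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:09.483: ICMP: echo reply sent, src 192.0.2.1, dst 198.51.100.9, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:27.031: ICMP: echo reply sent, src 192.0.2.1, dst 203.0.113.5, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:28.079: ICMP: echo reply sent, src 192.0.2.1, dst 203.0.113.5, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.147: ICMP: echo reply rcvd, src 203.0.113.5, dst 192.0.2.1, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.303: ICMP: echo reply rcvd, src 203.0.113.5, dst 192.0.2.1, topology BASE, dscp 0 topoid 0
""".splitlines()

# Constructed flood: 80 replies to one peer inside 80 ms.
FLOOD = [
    f"*Nov  4 20:00:00.{i:03d}: ICMP: echo reply sent, src 192.0.2.1, "
    f"dst 203.0.113.200, topology BASE, dscp 0 topoid 0"
    for i in range(80)
]

if __name__ == "__main__":
    for name, lines in (("sample", SAMPLE), ("flood", FLOOD)):
        per_peer, peak = summarise(lines)
        print(name, dict(per_peer), "peak/s:", peak, "->", classify(per_peer, peak))
```

Feed it the real debug output with `summarise(open("debug.txt").read().splitlines())`; masked addresses such as `125.19.X.X` parse as-is.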

Similar Messages

  • ISR router cannot receive packets addressed to itself?

    Hello, Support Team and All Members,
    I have a C881G router connected to 2 different ISP networks with a failover function configured and running properly. The following is a simple network diagram:
    The main WAN traffic goes through the ISP 1 LTE network and the router provided by that ISP. The DMZ Host on that router points to our C881G router Fa4 WAN interface (192.168.1.10), so the ISP 1 NAT Router is practically transparent to our traffic. Our C881G tracks the DNS server within the ISP 1 network (194.dns.isp.1) and in case of its inaccessibility the traffic is switched to the backup link, served by the on-board HSPA+ modem (interface Dialer0 of our C881G), connected to the ISP 2 HSPA network. It works fine, but the problem is with the PPTP connections from outside to the C881G router. The PPTP calls always work from the PPTP Client 2 PC (directly connected to the Fa4 subnet), but from the PPTP Client 1 PC they work only in failover mode - when all traffic goes through ISP 2. The incoming path via ISP 1 does not work. The problem is probably not connected to the PPTP VPN, GRE, authentication or encryption, because the very first TCP 1723 SYN packets are already dropped at Fa4, much earlier, by the C881G router. The debug ip packet detail shows the following routing decision:
    IP: s=194.xxx.yyy.80 (FastEthernet4), d=192.168.1.10, len 40, input feature
        TCP src=4241, dst=1723, seq=791503628, ack=4111924253, win=0 ACK RST, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    FIBipv4-packet-proc: route packet from FastEthernet4 src 194.xxx.yyy.80 dst 192.168.1.10
    FIBfwd-proc: Default:192.168.1.10/32 receive entry
    FIBipv4-packet-proc: packet routing failed
    All other packets addressed from outside networks to the router itself and received via Fa4 are also dropped in this way. All packets sent to Fa4 from the local subnet 192.168.1.0 are accepted. The routing table shows only the standard connected interfaces and 1 static route to 194.dns.isp.1 via 192.168.1.1, which is also the tracked gateway of last resort.
    The router runs CEF.
    I cannot locate in the following configuration file any statement that would block packets addressed to the router itself:
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname C881_xyz
    boot-start-marker
    boot-end-marker
    logging buffered 8192
    no logging console
    no logging monitor
    no aaa new-model
    clock timezone PCTime 1 0
    clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
    crypto ...
    ... <removed for sanity>
    crypto pki ...
    ip dhcp excluded-address 192.168.70.1 192.168.70.99
    ip dhcp excluded-address 192.168.70.180 192.168.70.254
    ip dhcp excluded-address 192.168.71.1 192.168.71.99
    ip dhcp excluded-address 192.168.71.180 192.168.71.254
    ip dhcp pool ccp-pool
     import all
     network 192.168.70.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.70.1
     lease 0 12
    ip dhcp pool NVR
     import all
     network 192.168.71.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.71.1
     lease 0 12
    ip domain name mydomain.com
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip inspect WAAS flush-timeout 10
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 1
     ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1
    chat-script gsm "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
    license udi pid C881G+7-K9 sn ***********
    username admin privilege 15 secret 5 ******************************
    controller Cellular 0
    track 1 ip sla 1 reachability
     delay down 1 up 30
    interface FastEthernet0
     description All VLANs Trunk
     switchport mode trunk
     no ip address
    interface FastEthernet1
     description VLAN 1 - LAN Main
     no ip address
    interface FastEthernet2
     description VLAN 20 - LAN NVR
     switchport access vlan 20
     no ip address
    interface FastEthernet3
     description Traffic Monitoring only
     no ip address
    interface FastEthernet4
     description WAN SP1$ETH-WAN$
     ip address 192.168.1.10 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface Virtual-Template1
     ip unnumbered FastEthernet4
     peer default ip address pool vpn_pptp_pool
     no keepalive
     ppp encrypt mppe auto
     ppp authentication ms-chap-v2
    interface Cellular0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation slip
     dialer in-band
     dialer pool-member 1
     dialer-group 1
     async mode interactive
    interface Vlan1
     description LAN Main
     ip address 192.168.70.1 255.255.255.0
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly in
    interface Vlan20
     description LAN NVR
     ip address 192.168.71.1 255.255.255.0
     ip flow ingress
     ip flow egress
     ip nat inside
     ip virtual-reassembly in
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation slip
     dialer pool 1
     dialer idle-timeout 0
     dialer string gsm
     dialer persistent
     dialer-group 1
    ip local policy route-map track-primary-if
    ip local pool vpn_pptp_pool 192.168.70.180 192.168.70.199
    ip forward-protocol nd
    no ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
     top 32
     sort-by bytes
     cache-timeout 600000
    ip nat inside source route-map ISP_1 interface FastEthernet4 overload
    ip nat inside source route-map ISP_2 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer0 253
    ip route 194.dns.isp.1 255.255.255.255 192.168.1.1
    ip sla auto discovery
    ip sla 1
     icmp-echo 194.dns.isp.1 source-interface FastEthernet4
     frequency 10
    ip sla schedule 1 life forever start-time now
    logging trap debugging
    dialer-list 1 protocol ip permit
    route-map track-primary-if permit 1
     match ip address 100
     set interface FastEthernet4
    route-map Static_ISP_2 permit 10
     match interface Dialer0
    route-map Static_ISP_1 permit 10
     match interface FastEthernet4
    route-map ISP_2 permit 10
     match ip address 1
     match interface Dialer0
    route-map ISP_1 permit 10
     match ip address 1
     match interface FastEthernet4
    access-list 1 remark List for outside NATs
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.70.0 0.0.0.255
    access-list 1 permit 192.168.71.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=0
    access-list 100 permit icmp any host 194.dns.isp.1
    access-list 105 remark List for debugging local ICMP tests
    access-list 105 remark CCP_ACL Category=16
    access-list 105 permit icmp any any
    control-plane
    line con 0
     no modem enable
    line aux 0
    line 3
     script dialer gsm
     modem InOut
     no exec
     transport input all
     rxspeed 21600000
     txspeed 5760000
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    ntp update-calendar
    ntp server 195.time.srv.1
    end
    Do you have an idea what the reason for that behaviour could be?
    I really appreciate your suggestions,
    Maciex

    Hello Maciex,
    I am afraid that the debug ip packet detailed has led you to a wrong conclusion. Whatever the "forus FALSE" means, it does not indicate that the router refuses to consider the packet as addressed to itself. I've just concocted a very quick test - two routers connected back to back, one is 10.0.1.1/24, the other is 10.0.1.2/24. I am pinging 10.0.1.2 from 10.0.1.1 and this is what 10.0.1.2 shows me:
    *Aug 4 23:09:38.067: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, input feature
    *Aug 4 23:09:38.071: ICMP type=8, code=0, MCI Check(94), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Aug 4 23:09:38.079: FIBipv4-packet-proc: route packet from Ethernet2/1 src 10.0.1.1 dst 10.0.1.2
    *Aug 4 23:09:38.083: FIBfwd-proc: Default:10.0.1.2/32 receive entry
    *Aug 4 23:09:38.083: FIBipv4-packet-proc: packet routing failed
    *Aug 4 23:09:38.087: IP: tableid=0, s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), routed via RIB
    *Aug 4 23:09:38.091: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2 (Ethernet2/1), len 100, rcvd 3
    *Aug 4 23:09:38.095: ICMP type=8, code=0
    *Aug 4 23:09:38.099: IP: s=10.0.1.1 (Ethernet2/1), d=10.0.1.2, len 100, stop process pak for forus packet
    *Aug 4 23:09:38.103: ICMP type=8, code=0
    *Aug 4 23:09:38.107: FIBipv4-packet-proc: route packet from (local) src 10.0.1.2 dst 10.0.1.1
    *Aug 4 23:09:38.111: FIBfwd-proc: packet routed by adj to Ethernet2/1 10.0.1.1
    *Aug 4 23:09:38.111: FIBipv4-packet-proc: packet routing succeeded
    *Aug 4 23:09:38.115: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending
    *Aug 4 23:09:38.119: ICMP type=0, code=0
    *Aug 4 23:09:38.127: IP: s=10.0.1.2 (local), d=10.0.1.1 (Ethernet2/1), len 100, sending full packet
    *Aug 4 23:09:38.131: ICMP type=0, code=0
    Note that even here, the router said the same as yours - and yet it did respond successfully to the ping request.
    There is, I am afraid, a more mundane problem. PPTP is generally incompatible with PAT. PPTP uses two data streams: one is the control channel run over TCP port 1723, the other is the actual tunneled traffic - however, that traffic is essentially GRE-encapsulated, put directly into IP packets with no port information (there is no TCP/UDP involved). Without special support on the ISP 1 NAT box, PPTP sessions will not be able to pass through it. You will have to negotiate this with your ISP 1 - ask them to configure their NAT box with PPTP Application Layer Gateway support and to allow IP protocol 47 (GRE).
    This would explain why the PPTP Client 2 can always connect to your router - it is because there is no NAT/PAT/FW between the client and the router. It would also explain why Client 1 is able to connect over ISP 2 - because on that path, there is no NAT/PAT/FW box apparently present and there is a direct connectivity to the public IP address of your router.
    Try talking to your ISP 1 about this.
    Best regards,
    Peter
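
    A minimal model of what Peter describes, added here and not part of the thread: a PAT table keyed on ports can map two inside PPTP clients' TCP 1723 sessions, but has nothing to distinguish their GRE return packets, while a PPTP ALG rewrites the client Call ID seen on the control channel and keys inbound GRE on it. The `Pat` class, the addresses, and the simplifying rule that a NAT without an ALG can deliver GRE only when a single inside host uses it are assumptions of this example.

```python
"""Why port-based PAT breaks PPTP, and what a PPTP ALG adds.

Added example, not from the thread. Packets are plain dicts and `Pat` is a
deliberately minimal model of a translation table, not a real NAT.
"""

GRE = 47          # IP protocol number of the PPTP data channel (no ports)
PPTP_PORT = 1723  # TCP control channel


class Pat:
    def __init__(self, outside_ip, pptp_alg=False):
        self.outside_ip = outside_ip
        self.pptp_alg = pptp_alg
        self._next = 40000
        self.tcp_out = {}       # (inside_ip, inside_port) -> outside_port
        self.tcp_in = {}        # outside_port -> (inside_ip, inside_port)
        self.gre_hosts = set()  # inside hosts that sent GRE (used without ALG)
        self.call_out = {}      # (inside_ip, client call id) -> translated call id
        self.call_in = {}       # translated call id -> (inside_ip, client call id)

    def _alloc(self):
        """Hand out unique 16-bit values, used for both ports and call ids."""
        self._next += 1
        return self._next

    def outbound(self, pkt):
        pkt = dict(pkt)
        if pkt["proto"] == "tcp":
            key = (pkt["src"], pkt["sport"])
            if key not in self.tcp_out:
                self.tcp_out[key] = self._alloc()
                self.tcp_in[self.tcp_out[key]] = key
            pkt["sport"] = self.tcp_out[key]
            # ALG: a PPTP Outgoing-Call-Request on the control channel carries
            # the client's Call ID; rewrite it so two inside clients never collide.
            if self.pptp_alg and pkt["dport"] == PPTP_PORT and "call_id" in pkt:
                ckey = (pkt["src"], pkt["call_id"])
                if ckey not in self.call_out:
                    self.call_out[ckey] = self._alloc()
                    self.call_in[self.call_out[ckey]] = ckey
                pkt["call_id"] = self.call_out[ckey]
        elif pkt["proto"] == GRE:
            self.gre_hosts.add(pkt["src"])  # nothing else to rewrite: no port field
        pkt["src"] = self.outside_ip
        return pkt

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None when it must be dropped."""
        pkt = dict(pkt)
        if pkt["proto"] == "tcp":
            key = self.tcp_in.get(pkt["dport"])
            if key is None:
                return None
            pkt["dst"], pkt["dport"] = key
            return pkt
        if pkt["proto"] == GRE:
            if self.pptp_alg:
                # The server addresses GRE data with the client's (translated) Call ID.
                hit = self.call_in.get(pkt["call_id"])
                if hit is None:
                    return None
                pkt["dst"], pkt["call_id"] = hit
                return pkt
            # Without an ALG the only handle is the destination address, which is
            # the shared outside IP: unambiguous for one inside host, not for two
            # (assumed behaviour of this model).
            if len(self.gre_hosts) == 1:
                pkt["dst"] = next(iter(self.gre_hosts))
                return pkt
        return None


def pptp_through(pat, clients, server="203.0.113.10"):
    """Run PPTP clients (inside_ip, call_id) through `pat`; return who gets GRE replies."""
    seen_call_ids = []
    for ip, call_id in clients:
        ctl = pat.outbound({"proto": "tcp", "src": ip, "sport": 50000, "dst": server,
                            "dport": PPTP_PORT, "call_id": call_id})
        pat.outbound({"proto": GRE, "src": ip, "dst": server, "call_id": 7})
        seen_call_ids.append(ctl["call_id"])  # the Call ID the server learned
    # The server answers each call with GRE carrying the Call ID it was given.
    replies = [pat.inbound({"proto": GRE, "src": server, "dst": pat.outside_ip,
                            "call_id": cid}) for cid in seen_call_ids]
    return [r["dst"] if r else None for r in replies]


if __name__ == "__main__":
    two = [("10.0.0.10", 1), ("10.0.0.11", 1)]
    print("one client, no ALG :", pptp_through(Pat("198.51.100.1"), two[:1]))
    print("two clients, no ALG:", pptp_through(Pat("198.51.100.1"), two))
    print("two clients, ALG   :", pptp_through(Pat("198.51.100.1", pptp_alg=True), two))
```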

  • Show ip route shows 'route', but ping times out. Please help.

    RouterB,EIGRP 100
    s0:152.1.1.1/16
    Lo:1.1.1.1/24
    no auto-summary]- connected to V35---
    [s0/0 RouterA,Lo:2.2.2.2/24,EIGRP AS 100, OSPF Area0, s0/1]/
    --- connected to---
    [s0/0:192.168.15.2/24
    RouterC, OSPF 200,
    Area 1]
    As you can see in the show ip route from RouterC below, I am able to see a route for 1.1.1.0/24. It is an EIGRP AS redistributed into OSPF.
    However, I ping '1.1.1.1' from RouterC, but it times out. Why can't I get to 1.1.1.1 from RouterC ?!
    RouterC# Show ip route
    1.0.0.0/24 is subnetted, 1 subnets
    O E2 1.1.1.0 [110/1000] via 192.168.15.1, 00:04:06, Serial0/0
    O E2 152.1.0.0/16 [110/1000] via 192.168.15.1, 00:06:12, Serial0/0
    2.0.0.0/32 is subnetted, 1 subnets
    O IA 2.2.2.2 [110/65] via 192.168.15.1, 00:06:19, Serial0/0
    3.0.0.0/24 is subnetted, 1 subnets
    C 3.3.3.0 is directly connected, Loopback0
    C 192.168.15.0/24 is directly connected, Serial0/0
    RouterC#ping 1.1.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)

    I agree with Sundar that since the route appears in the routing table that you probably do have a viable path to get to 1.1.1.0 and that the problem is most likely lack of a return path.
    One way to verify this would be to run debug ip icmp on the router that you are attempting to ping and then do the ping again. If the debug output shows that the ping packets are being received then you have verified that the problem is with the return path.
    HTH
    Rick

  • 3750 as a router and a switch. sub-optimal routing problem

    Objective: To limit the traffic on Vlan8. We are seeing traces from K1 or T1 to 192.168.1.4 like this:
    1- 10.10.10.5
    2- 10.10.20.1
    3- 192.168.1.4
    then
    1- 10.10.10.4
    2- 10.10.30.1
    3- 192.168.1.4
    or
    1- 10.10.10.5
    2- 10.10.200.1
    3- 192.168.1.4
    This causes the packets to traverse Vlan8 once to get routed by P61B and then switched back across it to reach the next hop 20.1, or vice versa.
    How can we avoid this behavior?
    Study the attached drawing carefully. Vlan 8 has 4 routers on it and the 3750s have routes to the 4 networks above them. packets are not routed between the 3750's

    Hello Todd,
    Could you set up a debug ip icmp on the router 192.168.1.4 and ping it from both T-1 and K-1? I think this problem would then be clearer to everyone.
    If not, maybe you could provide the output of "show ip route" on the routers involved in this issue, at least on the routers/switch 192.168.1.2, 192.168.1.3 and 10.10.10.4 and 10.10.10.5 and T-1, K-1,
    for routes like 192.168.1.4, 10.10.10.2-5 and 20.20.20.2-3.
    Hope that's not too much info.
    Thanks,
    Vlad

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess. I have a Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is, my DMVPN configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke and vice versa.
    I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site, nor am I able to ping my LAN from any Spoke site.
    I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
    Any help in this regard is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but I just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clarify things, please find the results below.
    1) What routing protocol are you using?
    a) It's OSPF
    2) If you're using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
    a) I did the "show ip route" and both the HUB and Spokes get their routes defined
        (on the HUB, if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
        (I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
    3) Are your tunnels configured correctly? try show crypto ipsec sa
    a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
    4) On your hub/spoke do a debug ip icmp
    a) Did that as well, and if I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but if I ping from HUB to Spoke on a client IP behind the Spoke, it pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spokes' Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA or the clients on my LAN.
    In addition to the info above, please also note:
    I did notice that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that my Cisco HUB is unable to talk to my LAN. If I can get the HUB to talk to the internal LAN, I would be able to ping clients on the LAN from any Spoke or clients behind Spokes.
    From the HUB router I'm able to ping clients behind Spokes.
    Does that give any ideas?
    Thanks in advance.
    Aj.

  • 2611xm Terminal Server + ACS + reauthentication when selecting menu options

    Hi,
    I've managed to set up ACS Authentication on my 2611xm router;
    after you log in to the router I have an autocommand set up to run a menu.
    My problem is when you select an option on the menu,
    you are then re-prompted to reauthenticate against the router again before connecting to the line.
    Can anyone tell me how to stop this from happening?
    Thanks for your time and effort in advance, I have enclosed a config below.
    DDRAS01#sh running-config
    Building configuration...
    Current configuration : 6854 bytes
    ! Last configuration change at 10:28:49 AEST Sun Feb 21 2010 by <removed>
    ! NVRAM config last updated at 19:25:53 AEST Sat Feb 20 2010 by <removed>
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service linenumber
    service sequence-numbers
    hostname DDRAS01
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    logging rate-limit all 10000
    logging console critical
    enable password 7 <removed>
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login if_needed local
    aaa authentication enable default enable
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    clock timezone AEST 10
    clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    ip domain list <removed>
    ip domain list <removed>
    ip domain name <removed>
    ip host dd-cr-01e 2033 172.16.1.1
    ip host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip host ddce565 2040 172.16.1.1
    ip name-server <removed>
    ip name-server <removed>
    username netops privilege 15 password 7 <removed>
    ip ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip ssh version 2
    interface Loopback0
    ip address 172.16.1.1 255.255.255.255
    interface FastEthernet0/0
    ip address <removed> 255.255.255.0
    speed 100
    full-duplex
    interface Serial0/0
    no ip address
    shutdown
    interface BRI0/0
    no ip address
    encapsulation hdlc
    shutdown
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 <removed>
    ip http server
    no ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    ip radius source-interface FastEthernet0/0
    logging facility local6
    logging <removed>
    snmp-server community <removed> RO
    snmp-server community <removed> RW
    snmp-server location <removed>
    snmp-server contact NetOps
    menu ddras01 title ^C
    Cisco Terminal Server
    Select the number from the list below
    Use 'ctrl+shift+6' then 'x' to switch back to the menu
    ^C
    menu ddras01 text 1 Connect to DD-CR-01
    menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
    menu ddras01 text 2 Connect to DDSWS01
    menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
    menu ddras01 text 3 Connect to DDSWS04
    menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
    menu ddras01 text 8 Connect to DDCE565
    menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
    menu ddras01 text 9 Exit
    menu ddras01 command 9 menu-exit
    menu ddras01 clear-screen
    menu ddras01 status-line
    menu ddras01 line-mode
    tacacs-server host 10.2.0.50
    tacacs-server directed-request
    tacacs-server key 7 <removed>
    control-plane
    privilege exec level 15 write terminal
    privilege exec level 15 write
    privilege exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege exec level 10 terminal
    privilege exec level 15 show running-config
    privilege exec level 5 show configuration
    privilege exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege exec level 10 debug ip
    privilege exec level 10 debug all
    privilege exec level 10 debug
    privilege exec level 10 clear interface
    privilege exec level 10 clear counters
    privilege exec level 10 clear
    line con 0
    password 7 <removed>
    logging synchronous
    line 33 64
    no exec-banner
    exec-timeout 0 0
    no activation-character
    no exec
    transport preferred telnet
    transport input all
    escape-character 27
    stopbits 1
    flowcontrol hardware
    line aux 0
    line vty 0 4
    password 7 <removed>
    logging synchronous
    autocommand  menu ddras01
    line vty 5 181
    password 7 <removed>
    logging synchronous
    autocommand  menu ddras01
    ntp clock-period 17208487
    ntp source FastEthernet0/0
    ntp server <removed>
    end

    Hi Jesse,
    I have made the changes you recommended; however, I'm still getting prompted to reauthenticate each time I choose a menu entry.
    I have included an updated copy of the config; any help you can provide is greatly appreciated.
    Thanks
    DDRAS01(config)#do sh runnin
    Building configuration...
    Current configuration : 7371 bytes
    ! Last configuration change at 17:55:22 AEST Sun Feb 21 2010 by david
    ! NVRAM config last updated at 11:07:30 AEST Sun Feb 21 2010 by david
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service linenumber
    service sequence-numbers
    hostname DDRAS01
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    logging rate-limit all 10000
    logging console critical
    enable password 7
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login if_needed local
    aaa authentication login NOAUTH none
    aaa authentication enable default enable
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization exec NOAUTH none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    clock timezone AEST 10
    clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    ip domain list
    ip domain list
    ip domain name
    ip host dd-cr-01 2033 172.16.1.1
    ip host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip host ddce565 2040 172.16.1.1
    ip name-server
    ip name-server
    username netops privilege 15 password 7
    ip ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip ssh version 2
    interface Loopback0
    ip address 172.16.1.1 255.255.255.255
    interface FastEthernet0/0
    ip address 255.255.255.0
    speed 100
    full-duplex
    interface Serial0/0
    no ip address
    shutdown
    interface BRI0/0
    no ip address
    encapsulation hdlc
    shutdown
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0
    ip http server
    no ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    ip radius source-interface FastEthernet0/0
    logging facility local6
    logging
    snmp-server community RO
    snmp-server community RW
    snmp-server location
    snmp-server contact
    menu ddras01 title ^C
    Cisco Terminal Server
    Select the number from the list below
    Use 'ctrl+shift+6' then 'x' to switch back to the menu
    ^C
    menu ddras01 text 1 Connect to DD-CR-01
    menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
    menu ddras01 text 2 Connect to DDSWS01
    menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
    menu ddras01 text 3 Connect to DDSWS04
    menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
    menu ddras01 text 8 Connect to DDCE565
    menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
    menu ddras01 text a Clear connection to DD-CR-01
    menu ddras01 command a clear line 33
    menu ddras01 text b Clear connection to DDSWS01
    menu ddras01 command b clear line 34
    menu ddras01 text c Clear connection to DDSWS04
    menu ddras01 command c clear line 35
    menu ddras01 text h Clear connection to DDCE565
    menu ddras01 command h clear line 40
    menu ddras01 text x Exit Menu
    menu ddras01 command x menu-exit
    menu ddras01 text l Logout
    menu ddras01 command l logout
    menu ddras01 clear-screen
    menu ddras01 status-line
    tacacs-server host
    tacacs-server directed-request
    tacacs-server key 7
    control-plane
    privilege exec level 15 write terminal
    privilege exec level 15 write
    privilege exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege exec level 10 terminal
    privilege exec level 15 show running-config
    privilege exec level 5 show configuration
    privilege exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege exec level 10 debug ip
    privilege exec level 10 debug all
    privilege exec level 10 debug
    privilege exec level 10 clear interface
    privilege exec level 10 clear counters
    privilege exec level 10 clear
    line con 0
    password 7
    logging synchronous
    line 33 64
    no exec-banner
    exec-timeout 0 0
    no activation-character
    no exec
    transport preferred telnet
    transport input all
    escape-character 27
    stopbits 1
    flowcontrol hardware
    line aux 0
    line vty 0 4
    password 7
    logging synchronous
    autocommand  menu ddras01
    line vty 5 181
    password 7
    authorization exec NOAUTH
    logging synchronous
    login authentication NOAUTH
    autocommand  menu ddras01
    ntp clock-period 17208478
    ntp source FastEthernet0/0
    ntp server
    end

  • 2611xm Terminal Server + ACS + duplicate login when using menu options

    Hi,
    I'm trying to set up ACS on my 2611xm router. So far I have been able to do this; however, when you log in,
    I have an autocommand set up to run a menu. My problem is, when you select an option on the menu, it
    reauthenticates against the router again before connecting to the line. Can anyone tell me how to stop this from happening?
    Thanks for your time and effort in advance, I have enclosed a config below.
    DDRAS01#sh running-config
    Building configuration...
    Current configuration : 6854 bytes
    ! Last configuration change at 10:28:49 AEST Sun Feb 21 2010 by <removed>
    ! NVRAM config last updated at 19:25:53 AEST Sat Feb 20 2010 by <removed>
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service linenumber
    service sequence-numbers
    hostname DDRAS01
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    logging rate-limit all 10000
    logging console critical
    enable password 7 <removed>
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login if_needed local
    aaa authentication enable default enable
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    clock timezone AEST 10
    clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    ip domain list <removed>
    ip domain list <removed>
    ip domain name <removed>
    ip host dd-cr-01e 2033 172.16.1.1
    ip host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip host ddce565 2040 172.16.1.1
    ip name-server <removed>
    ip name-server <removed>
    username netops privilege 15 password 7 <removed>
    ip ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip ssh version 2
    interface Loopback0
    ip address 172.16.1.1 255.255.255.255
    interface FastEthernet0/0
    ip address <removed> 255.255.255.0
    speed 100
    full-duplex
    interface Serial0/0
    no ip address
    shutdown
    interface BRI0/0
    no ip address
    encapsulation hdlc
    shutdown
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 <removed>
    ip http server
    no ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    ip radius source-interface FastEthernet0/0
    logging facility local6
    logging <removed>
    snmp-server community <removed> RO
    snmp-server community <removed> RW
    snmp-server location <removed>
    snmp-server contact NetOps
    menu ddras01 title ^C
    Cisco Terminal Server
    Select the number from the list below
    Use 'ctrl+shift+6' then 'x' to switch back to the menu
    ^C
    menu ddras01 text 1 Connect to DD-CR-01
    menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
    menu ddras01 text 2 Connect to DDSWS01
    menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
    menu ddras01 text 3 Connect to DDSWS04
    menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
    menu ddras01 text 8 Connect to DDCE565
    menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
    menu ddras01 text 9 Exit
    menu ddras01 command 9 menu-exit
    menu ddras01 clear-screen
    menu ddras01 status-line
    menu ddras01 line-mode
    tacacs-server host 10.2.0.50
    tacacs-server directed-request
    tacacs-server key 7 <removed>
    control-plane
    privilege exec level 15 write terminal
    privilege exec level 15 write
    privilege exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege exec level 10 terminal
    privilege exec level 15 show running-config
    privilege exec level 5 show configuration
    privilege exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege exec level 10 debug ip
    privilege exec level 10 debug all
    privilege exec level 10 debug
    privilege exec level 10 clear interface
    privilege exec level 10 clear counters
    privilege exec level 10 clear
    line con 0
    password 7 <removed>
    logging synchronous
    line 33 64
    no exec-banner
    exec-timeout 0 0
    no activation-character
    no exec
    transport preferred telnet
    transport input all
    escape-character 27
    stopbits 1
    flowcontrol hardware
    line aux 0
    line vty 0 4
    password 7 <removed>
    logging synchronous
    autocommand  menu ddras01
    line vty 5 181
    password 7 <removed>
    logging synchronous
    autocommand  menu ddras01
    ntp clock-period 17208487
    ntp source FastEthernet0/0
    ntp server <removed>
    end

  • First ping probe timeout

    Hello,
    Maybe a silly question, but...
    When I check connectivity between two neighbouring Cisco devices (routers and switches) using the standard ping command with default parameters, I frequently see that the first ping probe times out and the next four are successful.
    I suppose that on Ethernet links this is due to the ARP mechanism. But the default ping timeout is 2 s, and the ARP Request/Reply round trip on 100 Mbit/s Ethernet is ~100 us (I have observed it with an analyzer).
    The same situation occurs on serial point-to-point links, where no ARP exists.
    Any idea why the first ping probe times out?
    Also I have found this question in the Cisco BCMSN Course LAB Guide:
    On some pings, there was one lost packet (.) and then four good packets. You should know why that occurred.
    Best Regards,
    Tomas

    Tomas
    To understand this behavior I suggest that you start with show arp and look for the destination that you will ping. Then run debug arp and debug ip icmp. Then try the ping. This should help to clarify what the router does if the destination is not in the arp table and how that impacts the first ping.
    HTH
    Rick

  • MTU related issues with FRoMPLS

    Hi Folks,
    While using FRoMPLS I am experiencing limitations in the Edge MTU. The edge MTU is limited to 1492 bytes, above which the packets are dropped. The MPLS MTU between PE routers has been changed to 1526 bytes. I understand AToM does not do fragmentation. I did see a workaround on the Web saying to increase the Core MTU to carry the Edge MTU of 1500. This does not seem to work. Any change in the core MTU does not reflect in the edge MTU. Can anyone help me isolate the issue?
    thanks in advance
    ashraf

    The way I usually solve these kinds of MTU issues is:
    if you suspect the problem is somewhere in your core between both PE routers,
    change the AToM MPLS implementation, just for the diagnostic, to a layer 3 VPN. Then from the CE do an extended ping where you set the DF bit to 1 and the size to 1500, so routers in the core will not fragment the packet; then do "debug ip icmp" on the CE and ping the other CE.
    The result of this action is that you will see with the debug the hop that cannot do fragmentation (ICMP cannot fragment),
    and on these routers in your core you should concentrate and change the MTU with the "tag-switching mtu 1526" command.
    From my experience, sometimes, usually on Ethernet interfaces (not giga) and regular serial, if you enlarge the MTU it is not enough; you should also shut and unshut the interface and sometimes even reload the router. So I hope a large part of your core is POS and giga.
    Also, because AToM does not support fragmentation, make sure each link connecting the CE to the PE on both sides has the same MTU.
    After you see that with a layer 3 VPN there is no fragmentation, then switch back to AToM.
    good luck
    guy
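    The diagnostic above ends with reading `debug ip icmp` on the CE to spot the hop that refused to fragment. Here is an added example (not code from the thread) that parses such output and counts "fragmentation needed" errors per reporting hop; the sample lines are constructed, and the "frag. needed and DF set unreachable rcv from" wording mirrors IOS debug output as I remember it, so treat the regexes as an assumption.

```python
"""Locate the hop that cannot fragment from 'debug ip icmp' output.

Added example for the diagnostic described in the thread; not code from
the thread. SAMPLE_DEBUG is a constructed sample, not a real capture, and
the unreachable-line format is assumed to match IOS debug output.
"""
import re
from collections import Counter

# Constructed sample: a CE doing an extended ping (DF set, size 1500) to
# the far CE, with a core router (192.0.2.5) refusing to fragment.
SAMPLE_DEBUG = """\
*Mar  1 00:12:01.111: ICMP: echo reply rcvd, src 10.0.0.2, dst 10.0.0.1, topology BASE, dscp 0 topoid 0
*Mar  1 00:12:03.222: ICMP: dst (10.0.0.2) frag. needed and DF set unreachable rcv from 192.0.2.5
*Mar  1 00:12:05.333: ICMP: dst (10.0.0.2) frag. needed and DF set unreachable rcv from 192.0.2.5
*Mar  1 00:12:07.444: ICMP: dst (10.0.0.2) host unreachable rcv from 192.0.2.9
*Mar  1 00:12:09.555: ICMP: echo reply sent, src 10.0.0.1, dst 10.0.0.2, topology BASE, dscp 0 topoid 0
"""

# Echo reply lines exactly as they appear in the thread's debug output.
ECHO_RE = re.compile(
    r"ICMP: echo reply (?P<dir>sent|rcvd), src (?P<src>[\d.]+), dst (?P<dst>[\d.]+)")
# Destination-unreachable lines (assumed IOS format): the 'reason' text sits
# between 'dst (x.x.x.x)' and 'unreachable rcv from <hop>'.
UNREACH_RE = re.compile(
    r"ICMP: dst \((?P<dst>[\d.]+)\) (?P<reason>.+?) unreachable rcv from (?P<hop>[\d.]+)")


def parse_line(line):
    """Return a dict describing one debug line, or None if it is not ICMP."""
    m = ECHO_RE.search(line)
    if m:
        return {"kind": "echo_reply_" + m["dir"], "src": m["src"], "dst": m["dst"]}
    m = UNREACH_RE.search(line)
    if m:
        kind = "frag_needed" if m["reason"].startswith("frag. needed") else "other_unreachable"
        return {"kind": kind, "dst": m["dst"], "hop": m["hop"], "reason": m["reason"]}
    return None


def frag_needed_hops(text):
    """Count 'fragmentation needed' errors per reporting hop.

    The hop that keeps appearing here is where the core MTU (for example
    via 'tag-switching mtu') has to grow before the 1500-byte edge MTU fits.
    """
    hops = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "frag_needed":
            hops[rec["hop"]] += 1
    return hops


def summarize(text):
    """Tally every recognised ICMP debug line by kind."""
    kinds = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            kinds[rec["kind"]] += 1
    return dict(kinds)


if __name__ == "__main__":
    print("hops refusing to fragment:", dict(frag_needed_hops(SAMPLE_DEBUG)))
    print("line kinds:", summarize(SAMPLE_DEBUG))
```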

  • Tunnel vrf "vrf-name", when tunnel source interface in GRT

    Hello!
    The following configuration is working on a Cisco 871 (c870-advipservicesk9-mz.124-15.T8.bin) but doesn't work on a Cisco 881 (c880data-universalk9-mz.151-4.M4.bin, License Level: advipservices). What did I miss?
    ip vrf vrf_tun
    rd 1:3
    interface Tunnel0
    ip address 172.16.0.1 255.255.255.0
    no ip redirects
    ip mtu 1472
    ip nhrp authentication 1
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp server-only
    no ip nhrp cache non-authoritative
    ip tcp adjust-mss 1400
    tunnel source FastEthernet4
    tunnel mode gre multipoint
    tunnel vrf vrf_tun
    interface FastEthernet4  (interface does not participate in the VRF!)
    ip address i.i.i.i m.m.m.m
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    ip route 0.0.0.0 0.0.0.0 g.g.g.g
    ip route vrf vrf_tun 0.0.0.0 0.0.0.0 FastEthernet4 g.g.g.g global
    sh ip nh bri (C 871):
       Target             Via            NBMA           Mode   Intfc   Claimed
    172.16.0.2/32    172.16.0.2    i.i.i.i         dynamic  Tu0    <   >
    sh ip nh bri (C 881):
       Target             Via            NBMA           Mode   Intfc   Claimed
    debug nhrp on the 881 does not show anything. The configuration without "tunnel vrf vrf_tun" works perfectly.

    Hello, Peter.
    So, I dug deeper. I tested my configuration on a brand new C881 and even on a C2911. On the C881 I used c880data-universalk9_npe-mz.152-3.T and then c880data-universalk9-mz.124-20.T4 (the oldest release on cisco.com).
    I found that the router on opposite side receives packets. Look:
    C881#ping 10.150.12.1 repeat 1
    Type escape sequence to abort.
    Sending 1, 100-byte ICMP Echos to 10.150.12.1, timeout is 2 seconds:
    Success rate is 0 percent (0/1)
    RouterOnOppositeSide#debug ip icmp
    ICMP packet debugging is on
    001150: Jan 19 23:36:44: ICMP: echo reply sent, src 10.150.12.1, dst 10.200.10.1, topology BASE, dscp 0 topoid 0
    I guess that the problem lies in the part where the router (C881) receives packets and decides what to do with them. Somehow in this part the G1 and G2 routers behave differently.

  • IP SLA TRACK issue

    Hello,
    I am facing problem with ip sla track mechanism.
    I have two ISPs connected to my router C881.
    ISP1 = primary (connected to FastEthernet4)
    ISP2 = backup (connected to FastEthernet3/Vlan20)
    I am using ISP1 as primary ISP and tracking reachability of IP address 8.8.4.4 through ip sla track 200:
    ip sla 200
    icmp-echo 8.8.4.4
    request-data-size 200
    timeout 3000
    threshold 1000
    owner SYSADMIN
    frequency 5
    history hours-of-statistics-kept 25
    history distributions-of-statistics-kept 20
    history lives-kept 2
    history buckets-kept 60
    history filter all
    ip sla schedule 200 life forever start-time now
    ip sla enable reaction-alerts
    track 200 ip sla 200 reachability
    delay down 30 up 180
    Default-route to ISP1 is tracked and second default-route is configured with higher value of metric.
    This is what my static routing looks like:
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 1.1.1.1 name ISP1 track 200
    ip route 0.0.0.0 0.0.0.0 Vlan20 2.2.2.2 250 name ISP2
    ip route 8.8.4.4 255.255.255.255 FastEthernet4 1.1.1.1 name force-ISP1
    ip route 8.8.4.4 255.255.255.255 Null0 250 name deny-via-ISP2
    It works almost as expected:
    - when ISP1 is going down (i mean if 8.8.4.4 becomes unreachable via ISP1), after 30 seconds, default route is pointing to ISP2
    - also when ISP1 is going up (8.8.4.4 becomes reachable again via ISP1), after 180 seconds, default route is pointing back to ISP1
    *Mar 14 14:09:52.034: %TRACKING-5-STATE: 200 ip sla 200 reachability Up->Down
    *Mar 14 14:12:57.039: %TRACKING-5-STATE: 200 ip sla 200 reachability Down->Up
    ...but
    In some cases (I believe it may be in the situation where ISP1 is down for a longer time), ip sla/track is unable to detect that ISP1 has become UP again and the default route points to ISP2 forever (at least until FastEthernet4 is disconnected/connected again, or the shut/no shut command is applied).
    *Mar 17 14:18:13.019: %TRACKING-5-STATE: 200 ip sla 200 reachability Up->Down
    This is what some show command outputs look like:
    ROUTER-MD#show ip route static
    8.0.0.0/32 is subnetted, 2 subnets
    S 8.8.4.4 [1/0] via 1.1.1.1, FastEthernet4
    S* 0.0.0.0/0 [250/0] via 2.2.2.2, Vlan20
    ROUTER-MD#show ip sla statistics 200 details
    IPSLAs Latest Operation Statistics
    IPSLA operation id: 200
    Latest RTT: NoConnection/Busy/Timeout
    Latest operation start time: *12:17:51.494 MET Wed Mar 18 2015
    Latest operation return code: Timeout
    Over thresholds occurred: FALSE
    Number of successes: 0
    Number of failures: 31
    Operation time to live: Forever
    Operational state of entry: Active
    Last time this entry was reset: Never
    ROUTER-MD#show track 200
    Track 200
    IP SLA 200 reachability
    Reachability is Down
    42 changes, last change 22:00:06
    Delay up 180 secs, down 30 secs
    Latest operation return code: Timeout
    Tracked by:
    STATIC-IP-ROUTING 0
    But as you can see here, 8.8.4.4 is reachable from the router:
    ROUTER-MD#show ip route 8.8.4.4
    Routing entry for 8.8.4.4/32
    Known via "static", distance 1, metric 0
    Routing Descriptor Blocks:
    * 1.1.1.1, via FastEthernet4
    Route metric is 0, traffic share count is 1
    ROUTER-MD#ping 8.8.4.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.4.4, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/41/44 ms
    During that behavior, I see no icmp traffic destined to 8.8.4.4 with "debug ip icmp" command enabled.
    Debug IP sla & track results are here:
    ROUTER-MD#show debug
    Track debugging is on
    IP SLAs:
    TRACE debugging is on for entries:
    200
    ERROR debugging is on for entries:
    200
    *Mar 18 12:40:16.530: IP SLAs(200) Scheduler: saaSchedulerEventWakeup
    *Mar 18 12:40:16.530: IP SLAs(200) Scheduler: Starting an operation
    *Mar 18 12:40:16.530: IP SLAs(200) echo operation: Sending an echo operation - destAddr=8.8.4.4, sAddr=1.1.1.2
    *Mar 18 12:40:16.530: IP SLAs(200) echo operation: Sending ID: 27
    *Mar 18 12:40:19.530: IP SLAs(200) echo operation: Timeout - destAddr=8.8.4.4, sAddr=1.1.1.2
    *Mar 18 12:40:19.530: IP SLAs(200) Scheduler: Updating result
    *Mar 18 12:40:19.530: IP SLAs(200) Scheduler: start wakeup timer, delay = 2000
    *Mar 18 12:40:21.530: IP SLAs(200) Scheduler: saaSchedulerEventWakeup
    *Mar 18 12:40:21.530: IP SLAs(200) Scheduler: Starting an operation
    *Mar 18 12:40:21.530: IP SLAs(200) echo operation: Sending an echo operation - destAddr=8.8.4.4, sAddr=1.1.1.2
    *Mar 18 12:40:21.530: IP SLAs(200) echo operation: Sending ID: 27
    *Mar 18 12:40:24.530: IP SLAs(200) echo operation: Timeout - destAddr=8.8.4.4, sAddr=1.1.1.2
    *Mar 18 12:40:24.530: IP SLAs(200) Scheduler: Updating result
    *Mar 18 12:40:24.530: IP SLAs(200) Scheduler: start wakeup timer, delay = 2000
    ...etc
    I would appreciate any help.
    Thank you,
    MB
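    To see how the `delay down 30 up 180` on track 200 interacts with a probe every 5 seconds, here is an added simulation (not IOS code, and not from the post) of the track state machine fed by constructed IP SLA results; it assumes the documented behaviour that a pending transition is cancelled if reachability flips back before the delay expires, and it shows which default route the post's two static routes leave active.

```python
"""Simulate an IOS track object with 'delay down 30 up 180' driven by
IP SLA icmp-echo results (frequency 5 s), as configured in the post.

Added example, not IOS code. The delay handling is an interpretation of
the documented behaviour: the state change is deferred by the delay, and
the pending change is dropped if the measurement reverts first.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TrackSim:
    delay_down: int = 30
    delay_up: int = 180
    state: str = "Up"                       # committed state clients see
    pending: Optional[str] = None           # state we are about to move to
    pending_since: Optional[int] = None     # when the measurement changed
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def observe(self, t: int, reachable: bool) -> None:
        """Feed one probe outcome at time t (seconds)."""
        measured = "Up" if reachable else "Down"
        if measured == self.state:
            # Measurement agrees with the committed state: cancel any
            # pending change (this is what makes a short flap invisible).
            self.pending = self.pending_since = None
            return
        if self.pending != measured:
            self.pending, self.pending_since = measured, t
        delay = self.delay_up if measured == "Up" else self.delay_down
        if t - self.pending_since >= delay:
            self.transitions.append((t, f"{self.state}->{measured}"))
            self.state = measured
            self.pending = self.pending_since = None


def from_pattern(pattern: str, start: int = 0, frequency: int = 5):
    """'.' = reply, 'T' = timeout (as in an IOS ping display), one probe
    every `frequency` seconds starting at `start`."""
    return [(start + i * frequency, ch == ".") for i, ch in enumerate(pattern)]


def run(results, delay_down: int = 30, delay_up: int = 180):
    """Return (transitions, final_state) for a list of (time, success)."""
    sim = TrackSim(delay_down=delay_down, delay_up=delay_up)
    for t, ok in results:
        sim.observe(t, ok)
    return sim.transitions, sim.state


def active_default_route(track_state: str) -> str:
    """Which of the post's two default routes wins: the tracked ISP1 route
    (distance 1) when the track is Up, otherwise the floating ISP2 route."""
    return "ISP1 via 1.1.1.1" if track_state == "Up" else "ISP2 via 2.2.2.2"


if __name__ == "__main__":
    # Constructed scenario: ISP1 fails at t=20 s, recovers at t=100 s.
    clean = from_pattern("...." + "T" * 16 + "." * 40)
    print(run(clean))          # Up->Down at 50 s, Down->Up at 280 s
    # Constructed flap: 55 s of recovery is shorter than 'delay up 180',
    # so it never becomes an Up transition.
    flap = from_pattern("...." + "T" * 16 + "." * 11 + "T" * 9 + "." * 40)
    print(run(flap))           # Up->Down at 50 s, Down->Up at 380 s
```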

    Hi,
    >>when ISP 1 is down, is the static route to 8.8.4.4 via 1.1.1.1 still in the routing table?
    Unfortunately I can not catch the situation, when ISP1 is down. Now the ISP1 is UP.
    But there can be two situations regarding this configuration:
    ip route 8.8.4.4 255.255.255.255 FastEthernet4 1.1.1.1 name force-ISP1
    1. If FE4 goes down, static route is removed from the routing table.
    2. If FE4 remains up (but connection to 8.8.4.4 is broken within ISP1 network), static route is still in the routing table.
    As I can see in logs, FE4 was not down, so route to 8.8.4.4 via ISP1 was in RT all the time.
    >> Are you sure that reachability to 8.8.4.4 is actually going through ISP2?
    No, reachability to 8.8.4.4 is actually going through ISP1 as configured:
    S 8.8.4.4 [1/0] via 1.1.1.1, FastEthernet4
    ROUTER#ping 8.8.4.4 source fastEthernet 4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.4.4, timeout is 2 seconds:
    Packet sent with a source address of 1.1.1.2
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms
    My problem is that ip sla is somehow not seeing this:
    ROUTER#show ip sla statistics
    IPSLAs Latest Operation Statistics
    IPSLA operation id: 200
    Latest RTT: NoConnection/Busy/Timeout
    Latest operation start time: *09:48:42.553 METDST Mon Apr 27 2015
    Latest operation return code: Timeout
    Number of successes: 0
    Number of failures: 42
    Operation time to live: Forever
    >> have you applied ACL denying ICMP destined to 8.8.4.4 through ISP2 to make sure that 8.8.4.4 is not pingable through ISP2?
    No... I have applied more specific static route to 8.8.4.4 via ISP1.
    Besides that, I have applied the source-ip command under the ip sla configuration:
    ip sla 200
    icmp-echo 8.8.4.4 source-ip 1.1.1.2
    Sure, I can try to deny icmp to 8.8.4.4 through ISP2 as third action, and we will see...
    What will be better from your point of view? To use ACL as you mentioned, or to use "ip local policy route-map" as pille1234 mentioned...? Maybe both, to be 100% sure?

  • MPLS , DF bit set

    Hi everybody
    According to my book, if an LSR cannot fragment the labelled packet because of the DF bit, the following will occur:
      Only if the IP header has the Don’t Fragment (DF) bit set does the LSR not fragment the IP packet, but it drops the packet and returns an ICMP error message “Fragmentation needed and do not fragment bit set” (ICMP type 3, code 4) to the originator of the IP packet. As with the ICMP message “time exceeded” (type 11, code 0), which is sent when the TTL expires of a labeled packet, the “Fragmentation needed and do not fragment bit set” ICMP message is sent, using a label stack that is the outgoing label stack for the packet that caused the ICMP message to be created. This means that the ICMP message travels further down the LSP until it reaches the egress LSR of that LSP. Then it is returned to the originator of the packet with the DF bit set.
    However, when I put this claim to the test, I do not see that behavior.
    R5---R1 f0/1-----R2----R3---R4
    Above, R1 f0/1 has mpls mtu 1400.
    On R5, I generated a ping of 1500 bytes with the DF bit set. R1 should send an ICMP error towards R4, which then sends it to R5.
    R5#debug ip icmp
    ICMP packet debugging is on
    R5#ping
    Protocol [ip]:
    Target IP address: 4.4.4.4
    Repeat count [5]:
    Datagram size [100]: 1500
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface:
    Type of service [0]:
    Set DF bit in IP header? [no]: y
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 1500-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
    Packet sent with the DF bit set
    Success rate is 0 percent (0/5)
    I do not see such ICMP error messages being received. A Wireshark capture between R1--R2 does not show any ICMP error message from R1 either.
    I suspect the packets with the DF bit are silently discarded by the LSR (R1). If this is true, then my book is pretty wrong.
    thanks
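    The message the book says R1 should return is ICMP type 3, code 4, carrying the next-hop MTU (RFC 1191) and the offending IP header plus 8 bytes. Below is an added example (not from the post) that builds and decodes exactly that message for the 1500-byte DF ping above; the source address 10.0.5.5 is constructed, 4.4.4.4 and the 1400-byte MTU come from the post, and the checksum is RFC 1071.

```python
"""Build and decode ICMP 'fragmentation needed and DF set' (type 3, code 4).

Added example, not from the thread: shows what R1 would have to emit for
R5's 1500-byte DF ping when its outgoing MPLS MTU is 1400, and how a
receiver validates it. Source address 10.0.5.5 is constructed.
"""
import ipaddress
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, total_length, ident=0x1234, df=True, ttl=64, proto=1):
    """20-byte IPv4 header without options; DF is bit 0x4000 of flags/frag."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def echo_request(src, dst, size=1500):
    """A size-byte ICMP echo request with DF set, like the extended ping."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\xab\xcd" * ((size - 28) // 2)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, size, df=True) + icmp


def frag_needed(orig_packet: bytes, next_hop_mtu: int) -> bytes:
    """Type 3 / code 4: unused(2) | next-hop MTU(2) | orig IP hdr + 8 bytes."""
    payload = orig_packet[:20 + 8]
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def decode(msg: bytes) -> dict:
    """Validate and decode a fragmentation-needed message; raise on anything
    that is not a well-formed type 3 / code 4."""
    if len(msg) < 36:
        raise ValueError("too short for type 3 code 4 with inner header + 8 bytes")
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if (typ, code) != (3, 4):
        raise ValueError(f"not fragmentation-needed: type {typ} code {code}")
    inner = msg[8:28]
    if checksum(inner) != 0:
        raise ValueError("bad inner IP header checksum")
    (_vihl, _tos, total_length, _ident, flags_frag,
     _ttl, proto, _hcsum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner)
    return {
        "next_hop_mtu": mtu,
        "orig_src": str(ipaddress.IPv4Address(src)),
        "orig_dst": str(ipaddress.IPv4Address(dst)),
        "orig_total_length": total_length,
        "orig_proto": proto,
        "df": bool(flags_frag & 0x4000),
        "orig_l4_bytes": msg[28:36],
    }


if __name__ == "__main__":
    pkt = echo_request("10.0.5.5", "4.4.4.4", 1500)   # R5 -> R4, DF set
    err = frag_needed(pkt, 1400)                       # what R1 should send
    print(len(err), "bytes:", decode(err))
```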

    Thanks Nagendra
    R4#show version
    Cisco IOS Software, 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Mon 07-Jul-08 04:30 by prod_rel_team
    ROM: ROMMON Emulation Microcode
    ROM: 2600 Software (C2691-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
    R4 uptime is 46 minutes
    System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
    System image file is "tftp://255.255.255.255/unknown"

  • Sun Cluster 3.2/Solaris 10 Excessive ICMP traffic

    Hi all,
    I have inherited a 2-node cluster with a 3510 SAN which I have upgraded to Cluster 3.2/Solaris 10. Apparently this was happening on Cluster 3.0/Solaris 8 as well.
    The real interfaces on the two nodes seem to be sending excessive pings to the default gateway they are connected to. The configuration of the network adapters is the same: 2 NICs on each are grouped for multi-homing and 2 NICs are configured as private for cluster heartbeats.
    The 2 NICs that are grouped together on each of the servers are the cards generating the traffic.
    23:27:52.402377 192.168.200.216 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:52.402392 192.168.200.1 > 192.168.200.216: icmp: echo reply
    23:27:52.588793 192.168.200.217 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:52.588806 192.168.200.1 > 192.168.200.217: icmp: echo reply
    23:27:52.818690 192.168.200.215 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:52.818714 192.168.200.1 > 192.168.200.215: icmp: echo reply
    23:27:53.072442 192.168.200.214 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:53.072479 192.168.200.1 > 192.168.200.214: icmp: echo reply
    Here is the setup to one of the servers:
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
    inet 192.168.200.214 netmask ffffff00 broadcast 192.168.200.255
    groupname prod
    ether 0:3:ba:43:f4:f4
    ce0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 192.168.200.212 netmask ffffff00 broadcast 192.168.200.255
    ce1: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 5
    inet 172.16.0.129 netmask ffffff80 broadcast 172.16.0.255
    ether 0:3:ba:43:f4:f3
    qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
    inet 192.168.200.216 netmask ffffff00 broadcast 192.168.200.255
    groupname prod
    ether 0:3:ba:34:95:4
    qfe1: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4
    inet 172.16.1.1 netmask ffffff80 broadcast 172.16.1.127
    ether 0:3:ba:34:95:5
    clprivnet0: flags=1009843<UP,BROADCAST,RUNNING,MULTICAST,MULTI_BCAST,PRIVATE,IPv4> mtu 1500 index 6
    inet 172.16.193.1 netmask ffffff00 broadcast 172.16.193.255
    ether 0:0:0:0:0:1
    Any suggestions on why the excessive traffic?

    I would guess these are the ipmp probes (man in.mpathd).
    You can start in.mpathd in debug mode to find out.
    HTH,
    jono

  • Icmp poller on Solaris 10: lots of unexplained ping failures

    Hello to everybody, and if someone can help me on the following problem...
    I use the IBM Tivoli Netcool network manager ICMP poller on a Solaris SPARC local zone server, and for a reason I don't understand, I regularly have lots of unexplained ping failures.
    Note that the poller is configured to poll about 9000 IP addresses every 4 minutes. And often, some of the IP addresses (but generally not the same ones) don't reply to the ICMP request for 2-10 seconds max. And it seems that the tool is not the problem because, when I test myself with the ping command on the concerned IP address, I effectively get the following message for only a few seconds:
    "icmp host unreacheable from gateway yvasl110" (yvasl110 is the name of the local zone server)
    I notice that the ipOutNoRoutes increases very often on this specific server:
    netstat -s -P ip
    IPv4 ipForwarding = 2 ipDefaultTTL = 255
    ipInReceives =3113915 ipInHdrErrors = 0
    ipInAddrErrors = 0 ipInCksumErrs = 0
    ipForwDatagrams = 0 ipForwProhibits = 187
    ipInUnknownProtos = 3 ipInDiscards = 3495
    ipInDelivers =4391757 ipOutRequests =3059887
    ipOutDiscards = 0 ipOutNoRoutes =117387
    ipReasmTimeout = 15 ipReasmReqds = 0
    ipReasmOKs = 0 ipReasmFails = 0
    ipReasmDuplicates = 0 ipReasmPartDups = 0
    ipFragOKs = 0 ipFragFails = 0
    ipFragCreates = 0 ipRoutingDiscards = 0
    tcpInErrs = 0 udpNoPorts = 4495
    udpInCksumErrs = 0 udpInOverflows = 0
    rawipInOverflows = 0 ipsecInSucceeded = 0
    ipsecInFailed = 0 ipInIPv6 = 0
    ipOutIPv6 = 0 ipOutSwitchIPv6 = 0
    Note that I have another identical server with the same tool and the same list of IP addresses, and I have no problem: no ping failures and ipOutNoRoutes = 0.
    I have already analyzed the network connection (and already switched to another network connection: network card + switch) = no effect.
    I installed the latest Solaris patch = no effect.
    And the TCP Solaris parameters are the same on the 2 servers.
    So, I don't understand. :o(

    Solaris ships with NTP code that is probably more than a decade old. xntpd is version 3 (probably with some patches by Sun), but ntp version 4 has been out for years.
    That said, even the ancient version 3 stuff is usually functional, so the fact that yours isn't working seems somewhat odd.
    But if you can't restart NTP, then it'll be difficult to debug. Looks like it's running, but has no servers configured. Possibly at the time the machine booted, the names could not be resolved? So NTPD came up with no servers listed. Just a guess.
    Darren

  • Icmp redirect issue

    hi guys:
    We have a firewall that connects to the internet. We also have a 6509 switch connected to the internal LAN. The client PC, the 6509 interface and the firewall are on the same subnet. The client's gateway is on the 6509. When a client tries to access the internet, the 6509 switch should send an ICMP redirect to the client telling it to go to the firewall for internet access. However, I've found that some clients were not receiving the ICMP redirect, therefore internet traffic is sent to the 6509 and then to the firewall. From the 6509 debug we saw it sending an ICMP redirect once or twice per second. Is this a security feature to protect the MSFC from DoS attacks? If so, is there any way to override it? Thanks for your help.
    regards

    Do you just have the PIX and PC connected to the same subnet, with the PC default gateway pointing to the MSFC and the MSFC default gateway pointing to the PIX?
    this would allow for the pc to get to the internet and the icmp redirect sent to the pc to inform it of the better route.
    how is your icmp redirect configured? can you post configuration of switch/msfc?
    do you have 'no ip redirects' command configured on the MSFC SVI for the pc vlan? if so, use the 'ip redirects' command on the MSFC SVI (vlan) that the pc connects to.
    this will allow the MSFC SVI to be able to send icmp redirects.
    please see the following link for more info on icmp redirects:
    http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
