Default gateway arp lookup failed

Hi there
On a 5500 series WLC I see I have an issue where PEAP clients get randomly disconnected with these errors:
MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:444 Max EAPOL-key M1 retransmissions exceeded for client 24:77:03:35:79:34
AAA-6-ARP_LOOKUP_FAIL: radius_db.c:3232 Default gateway arp lookup failed.
aaaQueueReader: Aug 31 19:12:14.938: %AAA-4-RADIUSMSG_SEND_FAILED: radius_db.c:3567 Unable to send RADIUS message to
Any ideas?
Thanks
Naresh

(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... SSID1
Network Name (SSID).............................. SSID1
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Enabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ i_wifi
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 1.1.1.1 1812
   Authentication................................ 1.2.1.1 1812
   Accounting.................................... 1.1.1.1 1813
   Accounting.................................... 1.2.1.1 1813
   Dynamic Interface............................. Enabled
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Enabled
         FT(802.11r)............................. Disabled
         FT-PSK(802.11r)......................... Disabled
FT Reassociation Timeout......................... 20
FT Over-The-Air mode............................. Enabled
FT Over-The-Ds mode.............................. Enabled
CCKM tsf Tolerance............................... 1000
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled
   Client MFP.................................... Optional
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID     IP Address            Status

Similar Messages

  • VPN Clients getting different default gateways

    Hello,
    We have a new Cisco ASA 5520 and are trying to set up the VPN with split tunneling. We mostly have clients running XP and the problem is that some of the clients connect (using Cisco Anyconnect 2.5) and the split tunneling works as expected --these clients keep their default gateway-- and then some clients connect and get a default gateway of 192.168.119.1 (our VPN addresses subnet) and of course these users cannot connect to the internet while connected to the VPN.
    Here is our config:
    ASA Version 9.1(1)
    hostname xxxxxx
    names
    name 178.239.80.0 Deny178.239.80.0 description 178.239.80.0
    name 74.82.64.0 Deny74.82.64.0 description 74.82.64.0
    name 173.247.32.0 Deny173.247.32.0 description 173.247.32.0
    name 193.109.81.0 Deny193.109.81.0 description 193.109.81.0
    name 204.187.87.0 Deny204.187.87.0 description 204.187.87.0
    name 206.51.26.0 Deny206.51.26.0 description 206.51.26.0
    name 206.53.144.0 Deny206.53.144.0 description 206.53.144.0
    name 67.223.64.0 Deny67.223.64.0 description 67.223.64.0
    name 93.186.16.0 Deny93.186.16.0 description 93.186.16.0
    name 216.9.240.0 Deny216.9.240.0 description 216.9.240.0
    name 68.171.224.0 Deny68.171.224.0 description 68.171.224.0
    ip local pool PAIUSERS 192.168.119.10-192.168.119.100 mask 255.255.255.0
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 63.86.112.194 255.255.255.192
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.168.129.5 255.255.255.192
    interface GigabitEthernet0/2
    nameif dmz
    security-level 10
    ip address 192.168.20.10 255.255.255.0
    interface GigabitEthernet0/3
    nameif vpn_dmz
    security-level 25
    ip address 192.168.30.10 255.255.255.0
    interface Management0/0
    management-only
    shutdown
    nameif management
    security-level 100
    ip address 192.168.102.4 255.255.255.0
    object network obj-192.168.119.0
    subnet 192.168.119.0 255.255.255.0
    access-list outside_access_in extended permit ip host 192.168.119.11 host 192.168.35.23
    access-list outside_access_in extended permit object-group TCPUDP any4 object-group DM_INLINE_NETWORK_3 object-group UDP_TCP_Domain inactive
    access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 eq isakmp
    access-list outside_access_in extended permit ip any4 object obj-192.168.30.11
    access-list outside_access_in extended permit udp any4 object obj-192.168.30.11 object-group UDP10000
    access-list outside_access_in extended permit udp any4 object-group DM_INLINE_NETWORK_7 eq domain inactive
    access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_8 eq domain inactive
    access-list outside_access_in extended permit tcp host 216.81.43.190 host 192.168.35.30 eq ssh inactive
    access-list outside_access_in extended permit tcp host 216.81.43.190 object obj-192.168.35.30 object-group DM_INLINE_TCP_6 inactive
    access-list outside_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_9 eq www inactive
    access-list outside_access_in extended permit tcp any4 object obj-192.168.30.11 eq www
    access-list outside_access_in extended permit esp any4 object obj-192.168.30.11
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq www
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.41 eq https
    access-list outside_access_in extended permit tcp any4 host 192.168.35.34 eq https
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.30 object-group Ports_UDpTCP
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 object-group DM_INLINE_TCP_7
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.30 eq ftp
    access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.248
    access-list outside_access_in extended permit udp any4 host 162.95.80.115 eq isakmp
    access-list outside_access_in extended permit tcp any4 host 162.95.80.115 object-group Ports_115
    access-list outside_access_in extended permit udp any4 host 162.95.80.115 object-group Ports_2746_259
    access-list outside_access_in extended permit object-group TCPUDP any4 host 63.86.112.245 object-group Service_Group_245 inactive
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.40 object-group UDP_TCP_Domain
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.40 object-group DM_INLINE_TCP_2
    access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group DM_INLINE_TCP_1
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.129.11 object-group UDP_TCP_Domain
    access-list outside_access_in extended permit tcp any4 object obj-192.168.129.11 object-group Network_Service_2703_6277
    access-list outside_access_in extended permit udp any4 object obj-192.168.129.11 object-group UDP_443
    access-list outside_access_in extended permit ip any4 host 192.168.101.75 inactive
    access-list outside_access_in extended permit tcp any4 host 64.78.239.50 eq www
    access-list outside_access_in extended permit tcp any4 host 64.78.239.54 object-group TCP_4445
    access-list outside_access_in extended permit icmp any4 any4
    access-list outside_access_in extended permit udp any4 object obj-192.168.35.40 object-group UDP_443
    access-list outside_access_in extended permit tcp any4 host 63.86.112.204 object-group DM_INLINE_TCP_5
    access-list outside_access_in extended permit tcp any4 host 63.86.112.204
    access-list outside_access_in extended permit udp any4 host 63.86.112.204
    access-list outside_access_in extended permit object-group TCPUDP any4 host 192.168.102.12 object-group Network_Server_1194
    access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq www
    access-list outside_access_in extended permit tcp any4 host 192.168.102.12 eq https
    access-list outside_access_in extended permit object-group TCPUDP any4 object obj-192.168.35.41 object-group Network_Server_1194
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 eq www
    access-list outside_access_in extended permit tcp any4 object obj-192.168.35.12 object-group DM_INLINE_TCP_3
    access-list outside_access_in extended permit tcp any4 host 63.86.112.193 object-group Network_Service_TCP_1194
    access-list outside_access_in extended deny tcp object Deny206.51.26.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny193.109.81.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny204.187.87.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny206.53.144.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny216.9.240.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny67.223.64.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny93.186.16.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny68.171.224.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny74.82.64.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny178.239.80.0 object obj-192.168.35.40 eq https
    access-list outside_access_in extended deny tcp object Deny173.247.32.0 object obj-192.168.35.40 eq https
    access-list vpn_dmz_access_in extended permit ip host 192.168.35.23 192.168.119.0 255.255.255.0
    access-list vpn_dmz_access_in extended permit gre host 192.168.30.11 any4
    access-list vpn_dmz_access_in extended permit tcp any4 host 23.0.214.60 eq https
    access-list vpn_dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_28 any4
    access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105 object-group DM_INLINE_TCP_4
    access-list vpn_dmz_access_in extended permit esp any4 object obj-192.168.35.105
    access-list vpn_dmz_access_in extended permit tcp any4 object obj-192.168.35.105
    access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.105
    access-list vpn_dmz_access_in extended permit tcp any4 host 192.168.129.11
    access-list vpn_dmz_access_in remark RDP
    access-list vpn_dmz_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq 3389
    access-list vpn_dmz_access_in extended permit icmp any4 object obj-192.168.35.23
    access-list inside_nat0_outbound extended permit ip any4 192.168.119.0 255.255.255.0
    access-list ftp-timeout extended permit tcp host 216.81.43.190 host 63.86.112.248
    access-list ftp-timeout extended permit tcp host 63.86.112.248 host 216.81.43.190
    access-list ftp-timeout extended permit tcp host 192.168.35.30 host 216.81.43.190
    access-list ftp-timeout extended permit tcp host 216.81.43.190 host 192.168.35.30
    access-list Split_Tunnel_List remark northwoods
    access-list Split_Tunnel_List standard permit host 192.168.35.23
    access-list Split_Tunnel_List remark paits2
    access-list Split_Tunnel_List standard permit host 192.168.35.198
    access-list Split_Tunnel_List standard deny 192.168.102.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list IS_Split_Tunnel standard permit 192.168.102.0 255.255.255.0
    access-list IS_Split_Tunnel standard permit 192.168.82.0 255.255.255.0
    access-list IS_Split_Tunnel standard permit 192.168.35.0 255.255.255.0
    nat (inside,outside) source static object-192.168.35.0 object-192.168.35.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
    nat (inside,outside) source static obj-192.168.82.0 obj-192.168.82.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
    nat (inside,outside) source static obj-192.168.102.0 obj-192.168.102.0 destination static obj-192.168.119.0 obj-192.168.119.0 no-proxy-arp route-lookup
    webvpn
    enable outside
    enable inside
    enable dmz
    anyconnect-essentials
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    anyconnect profiles pairemoteuser disk0:/pairemoteuser.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy PAIGroup internal
    group-policy PAIGroup attributes
    vpn-tunnel-protocol ssl-clientless
    webvpn
      url-list value PAI
    group-policy PAIUSERS internal
    group-policy PAIUSERS attributes
    wins-server value 192.168.35.57
    dns-server value 192.168.35.57
    vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_List
    default-domain none
    webvpn
      anyconnect firewall-rule client-interface private value vpn_dmz_access_in
      anyconnect profiles value pairemoteuser type user
    group-policy PAIIS internal
    group-policy PAIIS attributes
    wins-server value 192.168.35.57
    dns-server value 192.168.35.57
    vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value IS_Split_Tunnel
    default-domain none
    webvpn
      anyconnect firewall-rule client-interface private value vpn_dmz_access_in
      anyconnect profiles value pairemoteuser type user
    group-policy DfltGrpPolicy attributes
    banner value Welcome to PAI
    wins-server value 192.168.35.57
    dns-server value 192.168.35.57
    address-pools value PAIUSERS
    webvpn
      anyconnect firewall-rule client-interface public none
      anyconnect firewall-rule client-interface private value vpn_dmz_access_in
      anyconnect ask enable default anyconnect timeout 5
    group-policy Anyconnect internal
    : end

    Check if the users fall into DfltGrpPolicy, because it has no split tunneling active.
    Michael
    Please rate all helpful posts
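
One way to run the check suggested in the reply above, as an added example (not code from the thread or from Cisco): it reads the group-policy lines of the posted configuration and reports which policies end up tunnelling everything. It assumes the ASA behaviour that attributes a group policy does not set are inherited from DfltGrpPolicy and that the built-in default for split-tunnel-policy is tunnelall; the function names are made up for this example.

```python
import re

# Group-policy lines excerpted from the configuration posted above
# (indentation is already lost there, so the parser does not rely on it).
SAMPLE_CONFIG = """\
group-policy PAIGroup internal
group-policy PAIGroup attributes
vpn-tunnel-protocol ssl-clientless
group-policy PAIUSERS internal
group-policy PAIUSERS attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
group-policy PAIIS internal
group-policy PAIIS attributes
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IS_Split_Tunnel
group-policy DfltGrpPolicy attributes
banner value Welcome to PAI
address-pools value PAIUSERS
group-policy Anyconnect internal
: end
"""

DEFAULT_POLICY = "DfltGrpPolicy"
ASA_BUILTIN_DEFAULT = "tunnelall"  # assumption stated in the lead-in

GROUP_RE = re.compile(r"^group-policy\s+(\S+)\s+(?:internal|external|attributes)\b")
MODE_RE = re.compile(r"^split-tunnel-policy\s+(\S+)")
ACL_RE = re.compile(r"^split-tunnel-network-list\s+value\s+(\S+)")
BLOCK_END_RE = re.compile(r"^(?:tunnel-group|username|: end)\b")


def parse_group_policies(config):
    """Return {policy name: {'mode': ..., 'acl': ...}} with only explicit settings."""
    policies = {DEFAULT_POLICY: {}}  # always exists on the device, even if unlisted
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        match = GROUP_RE.match(line)
        if match:
            current = policies.setdefault(match.group(1), {})
            continue
        if BLOCK_END_RE.match(line):
            current = None  # left the group-policy section
            continue
        if current is None:
            continue
        match = MODE_RE.match(line)
        if match:
            current["mode"] = match.group(1)
            continue
        match = ACL_RE.match(line)
        if match:
            current["acl"] = match.group(1)
    return policies


def effective_split_tunnel(policies):
    """Resolve inheritance: own value, else DfltGrpPolicy, else the built-in default."""
    dflt = policies.get(DEFAULT_POLICY, {})
    result = {}
    for name, attrs in policies.items():
        own = attrs.get("mode")
        result[name] = {
            "mode": own or dflt.get("mode") or ASA_BUILTIN_DEFAULT,
            "acl": attrs.get("acl") or dflt.get("acl"),
            "inherited": own is None,
        }
    return result


def full_tunnel_policies(config):
    """Names of group policies whose clients would get the tunnel as default route."""
    effective = effective_split_tunnel(parse_group_policies(config))
    return sorted(n for n, e in effective.items() if e["mode"] == "tunnelall")


if __name__ == "__main__":
    for name, eff in effective_split_tunnel(parse_group_policies(SAMPLE_CONFIG)).items():
        origin = "inherited" if eff["inherited"] else "explicit"
        print(f"{name:14} {eff['mode']:16} {origin:10} acl={eff['acl']}")
    print("full tunnel:", full_tunnel_policies(SAMPLE_CONFIG))
```

A user whose connection is not mapped to PAIUSERS or PAIIS lands in one of the policies this reports as full tunnel, which matches the symptom described in the question.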

  • Duplicate IP on a default gateway interface = Bad

    I just had an entire VLAN drop out due to a host being brought onto the network that had been erroneously configured with a static IP that happened to be in conflict with the HSRP default gateway IP of the core switch; fortunately, we were able to remove the offending host and reconfigure default gateways as a workaround until the core switch's ARP table updated.
    Is there any way to configure a 6500 running IOS to inhibit or block a conflicting IP (especially one with a gateway IP) by using a static ARP entry or other authoritative command?
    Thanks,
    Marc

    Hi,
    You may use the following.
    Enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.
    Normally, the FWSM only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the FWSM to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the FWSM, the FWSM routing table must include a route back to the source address. See RFC 2267 for more information.
    For outside traffic, for example, the FWSM can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the FWSM uses the default route to correctly identify the outside interface as the source interface.
    If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the FWSM drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the FWSM drops the packet because the matching route (the default route) indicates the outside interface.
    Unicast RPF is implemented as follows:
    • ICMP packets have no session, so each packet is checked.
    • UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.
    To enable Unicast RPF, enter the following command:
    hostname(config)# ip verify reverse-path interface interface_name
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577c66.html#wp1042625
    It may be useful.
    Rgrds
    Rajeev.S
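
The Unicast RPF decision described in the reply above, modelled as an added example (not code from the thread or from Cisco). The routing table, interface names and addresses are constructed for illustration, and the session table is simplified to the initiator's direction of each flow.

```python
import ipaddress


class UrpfFilter:
    """Toy model of the reverse-path check: source address vs. ingress interface."""

    def __init__(self, routes):
        # routes: list of (prefix, interface) pairs, e.g. ("10.1.0.0/16", "inside")
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]
        self.sessions = {}  # flow key -> interface the initial packet arrived on

    def reverse_route(self, src):
        """Interface the routing table would use to reach src (longest prefix wins)."""
        addr = ipaddress.ip_address(src)
        matches = [(net, iface) for net, iface in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def accept(self, proto, src, dst, ingress, sport=0, dport=0):
        """Return True if the packet passes the check, False if it is dropped."""
        if proto == "icmp":
            # No session: every packet gets a reverse route lookup.
            return self.reverse_route(src) == ingress
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:
            # Non-initial packet: must arrive on the interface the session started on.
            return self.sessions[key] == ingress
        if self.reverse_route(src) != ingress:
            return False
        self.sessions[key] = ingress
        return True


def run_constructed_cases():
    """The cases from the explanation above, with constructed addresses."""
    fw = UrpfFilter([("0.0.0.0/0", "outside"), ("10.1.0.0/16", "inside")])
    return {
        # Unknown source on outside: the default route points outside, so it passes.
        "outside_unknown_src": fw.accept("icmp", "198.51.100.7", "10.1.2.3", "outside"),
        # Inside address arriving on outside: route says inside, so it is dropped.
        "outside_inside_src": fw.accept("icmp", "10.1.2.3", "10.1.9.9", "outside"),
        # Unknown source on inside: only the default route matches, so it is dropped.
        "inside_unknown_src": fw.accept("icmp", "198.51.100.7", "10.1.2.3", "inside"),
        # TCP: first packet is looked up, later ones are pinned to the same interface.
        "tcp_initial": fw.accept("tcp", "10.1.2.3", "203.0.113.5", "inside", 40000, 443),
        "tcp_same_iface": fw.accept("tcp", "10.1.2.3", "203.0.113.5", "inside", 40000, 443),
        "tcp_other_iface": fw.accept("tcp", "10.1.2.3", "203.0.113.5", "outside", 40000, 443),
    }


if __name__ == "__main__":
    for case, passed in run_constructed_cases().items():
        print(f"{case:22} {'pass' if passed else 'drop'}")
```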

  • CSS 11503 One-arm Design and Server Default Gateway

    Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
    Thanks!
    Tom

    Hi Tom,
    If you have one-arm mode, you might have problems with asymmetric flows, because the CSS behaves similarly to a firewall when it comes to flows: it needs to see both sides of the flow (client and server side) in order to handle things correctly. With this kind of setup, even when the server points to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
    You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
    Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
    I hope you find this helpful. Thanks!
    Regards,
    Jose Quesada.

  • DVM lookup failing in soa 11g (11.1.1.3)

    Hi
    I have a strange problem. My DVM lookup fails in 11g if it does not have an exact 1:1 mapping in the DVM. The same code is working fine in 10g.
    In 10g:
    -for '' (null) as source-value the dvm lookup function returns the default value
    orcl:lookup-dvm('LANGUAGECODE','EBIZ','','RETAIL','DEFAULT')
    -for multiple values for COMMON column returns the correct value 'GB'
    orcl:lookup-dvm('ADDRESSCOUNTRYID','COMMON','United Kingdom','RETAIL','DEFAULT')
    In 11g(PS2):
    -for '' value the dvm lookup function
    dvm:lookupValue("oramds:/apps/AIAMetaData/dvm/LANGUAGECODE.dvm","EBIZ","","RETAIL","")
    Error:
    Error invoking 'lookupValue':'oracle.tip.dvm.exception.DVMException: *The source column "EBIZ" has already multiple occurences of source value "" in dvm "oramds:/apps/AIAMetaData/dvm/LANGUAGE_CODE.dvm".* Please ensure the source value is unique for a given source column.'.
    -for COMMON multiple values
    dvm:lookupValue("oramds:/apps/AIAMetaData/dvm/'ADDRESS_COUNTRYID'.dvm","'COMMON'","","RETAIL","")
    Error:
    Error invoking 'lookupValue':'oracle.tip.dvm.exception.DVMException: *The source column "COMMON" has already multiple occurences of source value "United Kingdom" in dvm "oramds:/apps/AIAMetaData/dvm/ADDRESS_COUNTRYID.dvm".* Please ensure the source value is unique for a given source column.'
    Anyone faced this issue? Am I hitting a bug on PS2?
    Will Qualifiers help in any way?
    -debashis
    Edited by: debashis on 08-Apr-2011 02:53

    Thanks for the response.
    I understand that duplicate rows don't work in 11g, and simply removing it would not make our use case work.
    OK, here is my requirement:
    My DVM:
    column A      value
    ===================
    1             A
    2             B
    3             C
    1             D
    I want to get both the values A,D when provided 1 as search value. But I understand that this is not possible as duplicate rows are not permitted in dvm.
    However, I could achieve it using a very simple workaround, as below.
    Modified the dvm as below:
    column A      value
    ===================
    1             A,D
    2             B
    3             C
    Now I get A,D and in my code I do the parsing and separating of A and D by using some string functions to individually get A and D.
    Just one compromise to make is that users entering values in the dvm should enter them in a specific way, i.e. A,D,... and so on, so that I can use logic accordingly in my code to break them apart again.
    Hope this helps any others looking for a similar solution.
    Thanks,
    Sridhar.

  • Default Gateway when connected to VPN

    Thanks for reading!
    This is probably a dumb question so bear with me...
    I have set up a VPN connection with a Cisco ASA 5505 fronting the internet, with the customer's environment behind it (on the same subnet). When connected to the VPN I can reach the inside router fronting me and one switch behind the router (every switch is connected to the router), but nothing else.
    My bet is that the router is messing with my connection, but never mind that, the setup ain't complete anyway... My question is more related to the gateway I'm missing when I am connected, from the outside, to the VPN on the ASA. Could this mess it up? Shouldn't I have a Standard-Gateway in the ipconfig settings in Windows?
    This is how it looks now:
            Anslutningsspecifika DNS-suffix . : VPNOFFICE
            IP-adress . . . . . . . . . . . . : 10.10.10.1
            Nätmask . . . . . . . . . . . . . : 255.255.255.0
            Standard-gateway  . . . . . . . . :
    The internal network is :
    172.16.12.0 255.255.255.0
    Below is my config for the ASA, thanks a lot!!!!!!!
    ! Flash on the router from the start
    !asa841-k8.bin
    hostname DRAKENSBERG
    domain-name default.domain.invalid
    enable password XXXXXXX
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.16.12.4 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 97.XX.XX.20 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 10
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list nonat extended permit ip 172.16.12.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list MSS_EXCEEDED_ACL extended permit tcp any any
    access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL
    access-list VPN-SPLIT-TUNNEL standard permit 172.16.12.0 255.255.255.0
    tcp-map MSS-MAP
      exceed-mss allow
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 8192
    logging console notifications
    logging buffered notifications
    logging asdm notifications
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN 10.10.10.1-10.10.10.40 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-625-53.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 172.16.12.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 97.XX.XX.17 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 172.16.12.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 172.16.12.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    group-policy VPNOFFICE internal
    group-policy VPNOFFICE attributes
    dns-server value 215.122.145.18
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN-SPLIT-TUNNEL
    default-domain value VPNOFFICE
    split-dns value 215.122.145.18
    msie-proxy method no-proxy
    username admin password XXXXXX privilege 15
    username Daniel password XXXXX privilege 0
    username Daniel attributes
    vpn-group-policy VPNOFFICE
    tunnel-group VPNOFFICE type remote-access
    tunnel-group VPNOFFICE general-attributes
    address-pool VPN
    default-group-policy VPNOFFICE
    tunnel-group VPNOFFICE ipsec-attributes
    pre-shared-key XXXXXXXXXX
    class-map MSS_EXCEEDED_MAP
    match access-list MSS_EXCEEDED_ACL
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp error
      inspect pptp
      inspect ipsec-pass-thru
      inspect icmp
    class MSS_EXCEEDED_MAP
      set connection advanced-options MSS-MAP
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    Cryptochecksum:aaa1f198bf3fbf223719e7920273dc2e
    : end

    I didn't realise I had those crypto settings on, thanks, my bad!!!
    But... the 172.16.12.0 network is directly connected, the Router (that to be honest is a firewall) / switches are all on the same subnet (172.16.12.X/24), so sorry I didn't explain thoroughly, was more wondering about the GW and didn't want to overcomplicate things..
    The Firewall/Router doesn't do any routing, so it should work, right (if you count out the firewalling in the firewall and so forth, there shouldn't be any problems accomplishing this with the ASA)? The Firewall is more a DHCP for the clients/Firewall for the clients.. this will change in the future.. it will be removed,
    the vpn network is statically routed back to my ASA in that firewall...
    I don't like this solution.. but this is how it looks.. for now..
    (VPN network is 10.10.10.X/24)
    But... shouldn't I see a default gateway under ipconfig when I'm connected to the VPN from internet, on the vpn client that's vpned in, is this correct?
    THANKS for all the help!

  • Default Gateway on CSS 11154

    Hello,
    I just set up my CSS 11154 and I assigned the IP address to the Mgmt interface. I can ping it if I'm on the same subnet, but if I'm across a routed interface, I cannot. I didn't see anywhere to put in a "default-gateway" parameter like on a regular switch. So, I just put in the
    ip route 0.0.0.0 0.0.0.0 10.1.0.1
    statement, thinking that would do the trick. It doesn't work. Any suggestions. Here's my config:
    CSS11150# show run
    !Generated on 01/01/1981 00:00:34
    !Active version: ap0500033
    configure
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    ip route 0.0.0.0 0.0.0.0 10.1.0.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    interface e2
    phy 100Mbits-FD
    interface e3
    phy 100Mbits-FD
    interface e4
    phy 100Mbits-FD
    interface e5
    phy 100Mbits-FD
    interface e6
    phy 100Mbits-FD
    interface e7
    phy 100Mbits-FD
    interface e8
    phy 100Mbits-FD
    interface e9
    phy 100Mbits-FD
    interface e10
    phy 100Mbits-FD
    interface e11
    phy 100Mbits-FD
    interface e12
    phy 100Mbits-FD
    !************************** CIRCUIT **************************
    circuit VLAN1
    ip address 20.33.33.33 255.255.255.0
    CSS11150#

    Hi Gilles,
    It doesn't appear as though the "ip management route" is a valid command. Here's my version and what I have as options when issuing the "ip" command:
    CSS11150(config)# version
    Version: ap0500033 (5.00 Build 33)
    Flash (Locked): 5.00 Build 33
    Flash (Operational): 5.00 Build 33
    Type: PRIMARY
    Licensed Cmd Set(s): Standard Feature Set
    CSS11150(config)# ip ?
    ecmp Set the equal-cost multipath selection algorithm
    firewall Configure firewall load-balancing route
    no-implicit-service Do not start an implicit service for the next hop of
    static routes
    opportunistic Set the IP opportunistic layer-3 forwarding mode
    record-route Enable processing of frames with a record-route option
    redundancy Enable box-to-box redundancy
    route Configure a static route
    source-route Enable processing of source-routed frames
    subnet-broadcast Enable forwarding of subnet broadcast addressed frames
    uncond-bridging Do not allow routing lookup to override bridging decision
    CSS11150(config)# ip
    Any suggestions?
    Also, your comment regarding "you can't have the same route pointing to a management interface and to a regular interface." What does that mean? I'm treating these things as basically the same as a regular 29xx/35xx switch, but there are definitely differences.
    Thanks,
    Dave

  • E4200 default gateway help

    Hey all.... I'm really hoping someone can help me.
    I have a network setup between two houses, but only one internet connection. Each house has a router acting as a DHCP server handing out a limited range of addresses. It was done this way so that if the connection between the two houses fails, each individual network will still be running. (all addresses are 192.168.2.XYZ).
    At the house that does not have internet, I set the router to hand out a default gateway of the router at the house that does have internet. After replacing my old router with the new E4200, I realised that the new router does not allow me to specify which default gateway to hand out to DHCP clients (I don't see why it would hurt allowing users to do this, but anyways).
    I'm not entirely sure how to set this up now, from what I can tell after some reading up, I would have to have each house on a different network (192.168.2.xyz and 192.168.3.xyz) and set up static routes at each house to route traffic between the two networks.
    The house that does not have internet has the E4200, could I plug the connection from the house that does have internet into the wan port and still allow that house to see my network shares and such?
    I know this is quite complex, so any help would really be appreciated.
    Thanks
    Craig
    EDIT: Just to add to this, the two houses are connected via two Ubiquiti Nanostation loco M5's

    Are both routers connected to each other?
    Follow this link to connect Linksys router to another router.
    Try LAN to LAN connection type and see if that works.

  • WRT54G2 V1 default gateway offline at seemingly random..

    I use a WRT54G2 version 1 router and had some internet problems before after I started using Windows 7, but thought I had it fixed by uninstalling AVG Free and doing a dns flush.
    But just now twice in a row my internet connection failed again.
    Some facts:
    -Removing the internet cable in my PC and putting it back in fixes it.
    -Disabling and re enabling the Realtek Driver fixes it.
    -Windows 7 troubleshoot finds nothing, but Windows Live Messenger says my default gateway is offline.
    -The one other PC (with XP) in the home network is not affected.
    -I can not even access my router through my browser.
    -I don't see anything wrong when I use ipconfig in cmd.exe (could be wrong)
    -Screaming and crying does not fix it.
    -Network map feature in Windows 7 has never worked even when I have internet.
    -I have an Asus motherboard, so no Nvidia Nforce.
    -Powersave for the Realtek driver is turned off.
    It seems there are no driver or firmware upgrades for this router on this site, is this correct or did Cisco misplace them on the site?
    I also made a screenshot of the ipconfig /all command in command prompt when my internet failed.
    Message Edited by captain kid on 12-17-2009 02:34 PM

    1. It's an "ethernet cable" not an "internet cable".
    2. What you write sounds more like a computer problem. If you disconnect the connection either through the driver or by pulling the cable it reconnects again. You have another computer which works fine. You should try a different port on the WRT but I guess it makes no difference.
    As uninstalling antivirus helped somewhat it could be malware on your computer. Malware and antivirus usually don't play nicely together on a computer.
    Otherwise I would say it could be either the switch in the WRT or the port on your computer being slightly off the spec. Which one it really is is difficult to find out...
    3. There is firmware on the US server:
    07/08/2009
    Ver.1.0.04 (Build 5)
    Download 1.71 MB
    But it's for US models. It may or may not work well with your router. I also kind of doubt that it will fix your problem.

  • JNDI lookup failing

    I have a small test program that gets a Context to our server and does a
    lookup for an EJB. The lookup fails with the following client-side
    trace...
    javax.naming.CommunicationException. Root exception is
    java.lang.ClassNotFoundException: class com.prismadata.appserv.session.series.TimeseriesSBBeanHomeImpl_ServiceStub previously not found
        at weblogic.rjvm.MsgAbbrev.read(MsgAbbrev.java:181)
        at weblogic.socket.JVMAbbrevSocket.readMsgAbbrevs(JVMAbbrevSocket.java:505)
        at weblogic.rjvm.MsgAbbrevInputStream.prime(MsgAbbrevInputStream.java:134)
        at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:610)
        at weblogic.rjvm.ConnectionManagerClient.handleRJVM(ConnectionManagerClient.java:34)
        at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:630)
        at weblogic.socket.JVMAbbrevSocket.dispatch(JVMAbbrevSocket.java:393)
        at weblogic.socket.JVMSocketT3.dispatch(JVMSocketT3.java:342)
        at weblogic.socket.JavaSocketMuxer.processSockets(JavaSocketMuxer.java:247)
        at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:23)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    --------------- nested within: ------------------
    weblogic.rmi.UnmarshalException: Unmarshalling return
    - with nested exception:
    [java.lang.ClassNotFoundException: class com.prismadata.appserv.session.series.TimeseriesSBBeanHomeImpl_ServiceStub previously not found]
        at weblogic.jndi.toolkit.BasicWLContext_WLStub.lookup(BasicWLContext_WLStub.java:256)
        at weblogic.jndi.toolkit.WLContextStub.lookup(WLContextStub.java:545)
        at javax.naming.InitialContext.lookup(InitialContext.java:349)
        at com.prismadata.appserv.session.series.test.Client.main(Client.java:73)
    However, when I perform the same lookup in a servlet (admittedly running
    in the same JVM) I successfully get the home interface object back.
    Any ideas why ?
    Thanks,
    Gino

    In order to get a reference to your EJB Home interface from JNDI, your
    application has to have an access to the stub of this interface. This stub
    is generated by WL tools when you deploy your EJB. Because your servlet runs
    inside the server's VM, it has an access to this stub by default. So just
    include these stubs in CLASSPATH of your test program and you will see the
    difference.
    kesha

  • Default Gateway Missing

    Hi Team,
    Good day.
    I do have a pair of nexus 5k that are connected via vpn and are running HSRP for our vlans.
    One of the VLANs is having issues where hosts connected to that VLAN are not able to reach the HSRP IP address/the virtual IP.
    However the outage will last for 25 minutes, and I have figured out that the arp table expires after 25 minutes and the virtual IP is then pingable.
    The configuration is identical for all other vlans and the HSRP DOES NOT FLAP when this issue happens.
    The version we are running on is 5.1(3) N2 1.
    In short our host is not able to reach the HSRP IP Address. Please assist on this.
    Thanks
    Regards,
    Kanes.R

    Please forgive me for replying again; I had not thought at the time that replying to your own post might be more productive.
    My problem is similar (but static not DHCP addressing) and quite grievous since I am about 120 miles away; after reboot I cannot reach the server.
    I am running Windows Server 2008 R2 64 bit on a production server (web edition, Dell R300). This is a multi-homed server and each time I add an IP address (IPV4) to the machine all other (IPV4) IPs disappear after reboot (though they are visible in the network properties dialog). No IP responds, even to pings, until I use the TCP/IP reset:
    netsh int ip reset resetlog.txt
    Then I have to manually type all the ips again in the TCP/IP advanced dialog. When I look at the
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{MY_ADAPTERS_GUID}\IPAddress'
    key, the only one present is the last one I typed. Thus when I reboot that will be the only IP on the machine (but the IP shown in the IPV4 network dialog will be completely blank).
    The default gateway is kept, however, so the machine actually can communicate if I remember the last IP I added. But so far this has happened 3 times and each time I have to hire an IP KVM device to work with the server.
    Would the changes you described above fix this problem? (or, at least, do you think they might _cause_ problems if I try them on this operating system?)
    I dread applying security patches because it will require a reboot and all sites will be down (except the last IP I added) until I reset the TCP/IP and re-enter the addresses (though now I have a script to do it more quickly, as long as I remember
    to keep my text list current).
    Thanks in advance for any help you can offer.

  • Sudden Ping Drop from Default Gateway in VLAN

    Hi,
    We have a Layer 3 switch (3560) and we have configured multiple VLANs along with SVIs on it. We have then cascaded Layer 2 switches (Cisco 2960) with the 3560 by trunk links. Now we are facing a problem on one VLAN: users in that specific VLAN suddenly get ping drops from their default gateway (SVI on the Cisco 3560). The problem does not occur for all users in that VLAN; just a few users at a time face it. When we unplug the systems for a few seconds and reconnect, the problem is resolved for a few minutes to hours.
    Kindly guide me to resolve this.
    Regards,
    Arshad

    I have also cleaned the arp cache on users' systems by using "netsh interface ipv4 delete arpcache" but in vain. Now I have performed the below steps and operation has been working fine for the last 20 hours approx.
    1- Change the First Cascade Switch Cisco 2960.
    2- Remove EtherChannel and Change the Backbone port on Cisco 3560 and Cisco 2960.
    3- Connect both switches with single backbone Gig Port.
    4- IOS Version on previous Cisco 2960 switch was IOS 12.2(50)SE3 and the IOS Version on newly installed switch is IOS 12.2(50)SE5

  • Registry's EnumKey Lookup Failing When Called By MSBuild?

    A MS-DOS script executes the VBScript below and it works fine. However, when using a MS Build master deployment file which calls the aforementioned MS-DOS script, the 2nd location lookup ("SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\")
    fails with a result code of 2. I have spent countless hours trying to figure out why the difference. Any ideas?
    Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE
    Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & node & "/root/default:StdRegProv")
    REM 1st location: "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
    sBaseKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
    iRC = oRegistry.EnumKey(HKLM, sBaseKey, arSubKeys)
    If iRC <> 0 THEN
        WScript.Echo "Registry lookup failed for " & sBaseKey
    ELSE
        For Each sKey In arSubKeys
            iRC = oRegistry.GetStringValue(HKLM, sBaseKey & sKey, "DisplayName", sValue)
            If sValue = Wscript.Arguments.Item(1) Then
                oRegistry.GetStringValue HKLM, sBaseKey & sKey, "UninstallString", sValue
                InstalledApplications = Replace(sValue, "/I{", "/X{")
                IF LEN(InstalledApplications) > 0 THEN
                    InstalledApplications = InstalledApplications & " /qn /l*vx """ & sFile & ".Log""" & Chr(13) & Chr(10)
                END IF
            END IF
        NEXT
    END IF
    REM 2nd location: "SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\<GUID>\InstallProperties"
    arProducts = NULL
    sBaseKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\"
    iRC = oRegistry.EnumKey(HKLM, sBaseKey, arProducts)
    If iRC <> 0 THEN
        WScript.Echo "Registry lookup failed for " & sBaseKey
    ELSE
        For Each guid In arProducts
            sInnerKey = sBaseKey & guid & "\InstallProperties\"
            iRC = oRegistry.GetStringValue(HKLM, sInnerKey, "DisplayName", sValue)
            If sValue = Wscript.Arguments.Item(1) Then
                oRegistry.GetStringValue HKLM, sInnerKey, "UninstallString", sValue
                InstalledApplications = Replace(sValue, "/I{", "/X{")
                IF LEN(InstalledApplications) > 0 THEN
                    InstalledApplications = InstalledApplications & " /qn /l*vx """ & sFile & ".Log""" & Chr(13) & Chr(10)
                END IF
            END IF
        NEXT
        InstalledApplications = InstalledApplications & "GOTO:EOF"
    END IF
    Shawn ([email protected])

    Or try sysnative:
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa384187%28v=vs.85%29.aspx
    Don't retire TechNet! -
    (Don't give up yet - 13,225+ strong and growing)
    But that is not a portable solution. It does not apply to 32 bit platforms and will only work from a 64 bit session when calling into a 32 bit session.
    If we are in a 32 bit session running VBScript then we cannot see the 64 bit registry without the help of WMI. The correct solution is to build in the correct environment. If you want to run in both environments then you will need to test the 32 bit version on a 32 bit system assuming the applications being enumerated use the same keys on both architectures.
    ¯\_(ツ)_/¯
    This is correct. I totally forgot there are 32 bit and 64 bit versions of MSBuild. I made no changes except to execute the main deployment script with the 64 bit version of MS Build. Thank you for all of your help.
    -Shawn
    Shawn ([email protected])

  • Why does my airport give wrong default gateway dhcp?

    I have a fancy AirPort Extreme Base Station running 7.7.3.
    It was recommended as a very good wireless access point, which it is, purely in terms of signal strength and connectivity.
    In terms of easy configuration, this thing is a nightmare. Someone once told me, "Get Apple products, they just WORK!" Not in this case. I am using the base station to provide access on my home network wirelessly and wired on the same layer 2. DHCP is assigning 192.168.1.250 as the default gateway, but the IP of the base station is 192.168.1.1, so none of my hosts on DHCP are able to get Internet. I cannot find or see a way to correct the DHCP gateway assignment.
    In addition, I have a single wired Windows host. It does not get the DHCP reservation I set up for it. I cannot for the life of me figure out why. MAC is right. ipconfig /release and /renew fails to assign the correct address every time tho.
    I have one Mac in the house. It too fails to obtain the right gateway IP. My question: why is the base station assigning 192.168.1.250 as a gateway when its own internal IP is 192.168.1.1????
    I have owned many home access points. This is the first one I couldn't assign the internal IP to as a gateway address, and I can't assign a specific subnet mask to pare down the broadcast domain. Why are the options to configure my internal network so limited?

    LaPastenague wrote:
    Why are the options to configure my internal network so limited?
    So it will be easy to configure.
    Sadly this means there is no way to fix things when they go wrong.
    How did you manage to get 192.168.1.x .. as the default IP of the TC is 10.0.1.1 and it is well worth leaving it alone.
    Post a few screenshots and we can help you fix it up. Mostly.. probably.
    So the default is 10.0.1.1, but I didn't want an entire class A range wide open on my home network, so I chose the class C 192.168.X.X (why is Apple still doing classful networks?!?)
    Here's some helpful screenshots, starting with the opening screen.... note the router's IP:
    This is my AirPort's basic info, and the networks. There are two ethernet ports in back, one connected to the cable modem, the other to BADGER, my PC. BADGER will be the example in all my DHCP woes...:
    This is BADGER's manually assigned IP info. I would like to set up a reservation for it on the AirPort so I can just switch it to DHCP and be done.
    As you can see, my gateway is 192.168.1.1, which is the internal IP of the AirPort extreme. I use public DNS servers, so I add those manually on the PC. So, using this info, I create the reservation:
    Here you can see the DHCP scope I've assigned: .1.2-.1.50. I also set up a reservation for BADGER. Nowhere on here is a way to specify the router's internal IP, which is 192.168.1.1 - it's the only gateway address that works. There's also no way to apply a more restrictive subnet mask to limit the number of hosts on my internal side, but that's another issue. Moving on...
    I apply the reservation. I click update. The AirPort extreme router updates itself. I switch BADGER to DHCP, and release/renew. Here's where it gets interesting:
    Here's what the router wants to assign me. The MAC address is the same as in the reservation, but the AirPort Extreme gives me 192.168.1.129? That's not even in the range I defined. Also, note the gateway address. It wants to assign 192.168.1.250 ... but that's wrong, as indicated by the lack of network connectivity in the system tray. If I configure my PC to use 192.168.1.1, then traffic routes off my home network just fine because that's the internal IP of the AirPort Extreme. So, without getting into this product's shortcomings as an actual configurable home router:
    - Why does it assign its gateway as 192.168.1.250 when it's really 192.168.1.1?
    - Why does it ignore my DHCP reservation and assign a completely out-of-scope IP?
    All of my devices are getting .250 as the gateway. Wireless and BADGER, even my lone Mac. Can anyone shed some light?

  • Why should client PCs always know the default gateway?

    Considering that my home computer has only one connection and it is to my ISP,
    why does it need the default gateway to be configured (being DHCP client)?
    Where else my connection can be deviated from this unique connection cable?
    Is it possible to configure a router to which my PC is connected and, then,
    the client PCs would not need to be configured with default gateway?
    Or client PCs always have to know default gateway? 
    Why?

    How IP Packets are Routed on a Local Area Network
    http://www.anitkb.com/2010/06/how-ip-packets-are-routed-on-local-area.html
    Thanks, this helps but still confuses.
    The article tells:
    " Now that WK1 has WK2's MAC, it can send the packet directly to WK2"
    A)
    I do not understand what does it mean if computer has one outgoing network cable to switch.
    It is switch who has different connections and, thereafter, can commutate different communication circuits.
    So, I can only understand that WK1 somehow tells to switch to connect him directly to WK2 but not to router.
    How?
    B)
    Were  WK1 and WK2 connected directly to a hub, instead of switcher, would they be able to communicate directly?
    (The definition of a hub is that it takes a signal and broadcast it through all connections)
    C)
    Also, reading about switch-router-hub, I cannot understand which role is played by a client computer in communication
    (of a hub, of a switcher?)?  Neither of them? What? 
    A. I believe a fundamental understanding of what a switch is, and of the differences and the similarities between hubs, bridges and switches, as well as the OSI model, may be helpful at this time.
    First, the OSI model is an industry standard defining how hosts communicate with each other. There are 7 layers. The bottom layer has no intelligence and is the physical connection. As you go up the ladder, the intelligence increases.
    7 Application (Application Gateways, Proxies, etc, operate at this level)
    6 Presentation
    5 Session
    4 Transport (TCP, UDP, SPX live here and operate at this layer, NAT overlaps 3 & 4)
    3 Network (IP & IPX live here. NetBEUI and DLC overlap 3 & 4. Routers operate at this layer)
    2 Datalink (MAC addresses live here. Bridges and Switches operate at this level)
    1 Physical (Hubs operate at this level)
    Hubs, Bridges and switches allow ethernet hosts to communicate with each other, no matter what protocol is being used, whether TCP/IP, IPX/SPX, NetBEUI, DLC, etc.  They transmit packets on the network.
    A hub is a Layer 1 device. It is a dumb device blatantly allowing all hosts to communicate to each other with no discerning source or destination addresses, whether MAC, IP, IPX or any other factor, in the packets.
    A bridge is a Layer 2 device. It basically has two interfaces connecting two network segments together. If a host on one side of the bridge, we'll call that SegmentA, is trying to communicate to another host on the same SegmentA, the bridge will not allow the traffic to go to the other segment on its other interface, SegmentB. This helps reduce unnecessary traffic and reducing collisions, which slow down the network. If the host on SegmentA is communicating with a host on SegmentB, the bridge allows the traffic. This is because a bridge has enough intelligence to read the Link layer, which has the MAC address (the physical address) of the interface or network card. It can read the source and destination MAC and determines whether to allow that traffic across or not depending on where the source MAC is and where the destination MAC is.
    Switches are basically multi-port bridges. When a switch initializes, it reads the MAC addresses of all connected devices and creates a "destination table." Notice I didn't say "routing table" since that is associated with IP addresses. Therefore, if a host on port# 14 on a switch needs to communicate with a host on # 33 on the switch, the switch reads the source and destination MAC address in the Datalink Layer (Layer 2) and knows the destination is on port# 33 based on the destination lookup table it created of all connected devices. It will then only send this traffic between the two ports. This essentially reduces unnecessary traffic on other ports increasing efficiency.
    There are also Layer 3 Switches. They are combination switches and routers that can be managed where you can configure each port to either be switched or routed.
    So to answer your questions:
    A)
    I do not understand what does it mean if computer has one outgoing network cable to switch.
    It is switch who has different connections and, thereafter, can commutate different communication circuits.
    So, I can only understand that WK1 somehow tells to switch to connect him
    directly to WK2 but not to router.
    How?
    As explained, the switch simply discerns traffic by MAC address. The client side TCP/IP subsystem using the ANDING process, as I've explained earlier, and JM's blog explains, determines where the computer is sending the packets. A computer does not "Tell" the switch or hub anything. It simply dumps the packet on the wire and the switch reacts to what it finds in the Datalink layer, and if a hub, it simply sends the traffic on all ports.
    B)
    Were  WK1 and WK2 connected directly to a hub, instead of switcher, would they be able to communicate directly?
    (The definition of a hub is that it takes a signal and broadcast it through all connections)
    It's not called a 'switcher.' It's called a 'switch.' As explained, a hub blatantly broadcasts traffic on all ports. It is up to the sending host and receiving host to read all packets and figure out what belongs to it or not. If a destination address doesn't apply to a computer that hears the data, it simply ignores it.
    C)
    Also, reading about switch-router-hub, I cannot understand which role is played by a client computer in communication
    (of a hub, of a switcher?)?  Neither of them? What? 
    The computer is simply plugged into these devices. The devices have their job to do, and the computer has its own.
    I hope that explains this part of your networking questioning.
    Ace
    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no
    rights.
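
The host-side "ANDing" decision and the hub-versus-switch forwarding described in the answer above, as an added Python sketch that is not part of the original thread. The addresses, MACs and port numbers are constructed, ARP is reduced to a dictionary lookup, and the switch here fills its table by learning the source MAC of each frame it receives (an assumption of this sketch).

```python
import ipaddress

# Constructed sample LAN: two workstations and the router, one device per port.
# Port 4 is an idle bystander port used to show who else sees a frame.
HOSTS = {
    "WK1":    {"ip": "192.168.1.10", "mac": "02:00:00:00:00:01", "port": 1},
    "WK2":    {"ip": "192.168.1.20", "mac": "02:00:00:00:00:02", "port": 2},
    "ROUTER": {"ip": "192.168.1.1",  "mac": "02:00:00:00:00:fe", "port": 3},
}
PORTS = [1, 2, 3, 4]


def next_hop(src_ip, mask, dst_ip, gateway):
    """Host-side ANDing: AND source and destination with the subnet mask.

    Equal results mean the destination is on-link and is addressed directly;
    otherwise the frame is addressed to the default gateway. Without a
    gateway an off-link destination is unreachable, which is why a client
    needs one even when it has a single cable.
    """
    m = int(ipaddress.IPv4Address(mask))
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    if src & m == dst & m:
        return dst_ip
    if gateway is None:
        raise ValueError("destination is off-link and no default gateway is set")
    return gateway


class Hub:
    """Layer 1: repeats every frame out of every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Layer 2: forwards by destination MAC using a MAC-to-port table."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port          # learn where the sender is
        out = self.mac_table.get(dst_mac)
        if out is None:                            # unknown destination: flood
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def send(device, sender, dst_ip, mask="255.255.255.0", gateway="192.168.1.1"):
    """Return (next-hop IP, destination MAC on the wire, ports that see the frame)."""
    me = HOSTS[sender]
    hop_ip = next_hop(me["ip"], mask, dst_ip, gateway)
    # Simulated ARP: resolve the next hop's MAC, not the final destination's.
    hop = next(h for h in HOSTS.values() if h["ip"] == hop_ip)
    return hop_ip, hop["mac"], device.forward(me["port"], me["mac"], hop["mac"])


if __name__ == "__main__":
    sw, hub = Switch(PORTS), Hub(PORTS)
    print("switch, WK1 -> WK2 (first frame):", send(sw, "WK1", "192.168.1.20"))
    print("switch, WK2 -> WK1 (reply):      ", send(sw, "WK2", "192.168.1.10"))
    print("switch, WK1 -> WK2 (learned):    ", send(sw, "WK1", "192.168.1.20"))
    print("switch, WK1 -> 8.8.8.8:          ", send(sw, "WK1", "8.8.8.8"))
    print("hub,    WK1 -> WK2:              ", send(hub, "WK1", "192.168.1.20"))
```

On the hub every frame, including traffic addressed to the gateway, reaches all other ports; on the switch only frames to a MAC it has not yet seen are flooded.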
