DHCP issue on Cisco IOS router
Hi experts,
I recently got complaints that some clients can't get IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:33:41: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:33:41: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:33:41: DHCPD: circuit id 00000000
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:34:02: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:34:02: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:34:02: DHCPD: circuit id 00000000
Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
Thanks
Hi Alain, thanks for the quick reply. The following contains the output that you required. I hid the prefix of the IP with a.b.c. Thanks!
interface FastEthernet1/0.10
description : DHCP for EXHIBITION VLAN
encapsulation dot1Q 10
ip address a.b.c.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
end
r#sh ip dhcp pool
Pool EXHIBIT :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 126
Leased addresses : 47
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
a.b.c.118 a.b.c.1 - a.b.c.126 47
#sh run | in/be dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address a.b.c.1 a.b.c.11
ip dhcp excluded-address a.b.c.126
ip dhcp excluded-address a.b.c.100 a.b.c.101
ip dhcp excluded-address a.b.c.51
ip dhcp pool EXHIBIT
network a.b.c.0 255.255.255.128
default-router a.b.c.1
dns-server 207.172.3.8 207.172.3.9
domain-name xyz.com
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
a.b.c.19 0168.7f74.6260.9b Mar 23 2011 01:56 PM Automatic
a.b.c.52 0100.4854.897d.17 Mar 23 2011 12:53 PM Automatic
a.b.c.56 0100.4063.e7b5.b2 Mar 23 2011 03:33 PM Automatic
a.b.c.57 0100.1b63.f246.8c Mar 23 2011 03:34 PM Automatic
a.b.c.68 015c.5948.0b97.d6 Mar 22 2011 05:59 PM Automatic
a.b.c.69 0168.7f74.626d.67 Mar 23 2011 07:07 AM Automatic
a.b.c.70 0198.fc11.5027.1d Mar 22 2011 07:04 PM Automatic
a.b.c.71 01dc.2b61.04ba.af Mar 22 2011 10:26 PM Automatic
a.b.c.72 017c.c537.58e6.64 Mar 22 2011 08:37 PM Automatic
a.b.c.73 017c.6d62.3303.57 Mar 23 2011 03:54 AM Automatic
a.b.c.74 0124.ab81.cda4.68 Mar 23 2011 05:01 AM Automatic
a.b.c.75 0100.1e52.8f11.a5 Mar 23 2011 02:47 PM Automatic
a.b.c.76 0100.264a.5fc8.e3 Mar 23 2011 07:13 AM Automatic
a.b.c.77 017c.6d62.38cd.40 Mar 23 2011 02:06 PM Automatic
a.b.c.78 0100.1d4f.f647.79 Mar 23 2011 02:37 PM Automatic
a.b.c.79 0100.26b0.8637.3d Mar 23 2011 01:16 PM Automatic
a.b.c.81 0130.694b.e9de.82 Mar 23 2011 03:19 PM Automatic
a.b.c.82 0100.21e9.6864.80 Mar 23 2011 12:04 PM Automatic
a.b.c.83 0124.ab81.63e6.b5 Mar 23 2011 09:38 AM Automatic
a.b.c.84 0100.16b6.0455.c2 Mar 23 2011 09:42 AM Automatic
a.b.c.85 0100.1302.4c96.9e Mar 23 2011 09:49 AM Automatic
a.b.c.86 0140.a6d9.741c.e0 Mar 23 2011 12:12 PM Automatic
a.b.c.87 0100.264a.b8e9.50 Mar 23 2011 10:16 AM Automatic
a.b.c.88 0140.a6d9.4911.67 Mar 23 2011 03:19 PM Automatic
a.b.c.89 013c.7437.1e32.96 Mar 23 2011 10:27 AM Automatic
a.b.c.90 01d8.3062.689c.4b Mar 23 2011 11:55 AM Automatic
a.b.c.91 0158.946b.4df8.bc Mar 23 2011 10:49 AM Automatic
a.b.c.92 0100.2215.7368.26 Mar 23 2011 10:23 AM Automatic
a.b.c.93 0100.23df.76ea.90 Mar 23 2011 02:33 PM Automatic
a.b.c.94 0124.ab81.708d.83 Mar 23 2011 03:58 PM Automatic
a.b.c.95 0100.1cb3.163d.5a Mar 23 2011 03:13 PM Automatic
a.b.c.96 01cc.08e0.2aeb.96 Mar 23 2011 01:27 PM Automatic
a.b.c.97 0188.c663.d0d0.55 Mar 23 2011 01:57 PM Automatic
a.b.c.98 0100.1b77.08bb.89 Mar 23 2011 01:15 PM Automatic
a.b.c.99 0100.1ec2.47d7.19 Mar 23 2011 12:43 PM Automatic
a.b.c.102 0100.1310.8e74.78 Mar 23 2011 12:41 PM Automatic
a.b.c.103 0100.24d6.58b0.82 Mar 23 2011 01:44 PM Automatic
a.b.c.104 0100.2608.7df2.68 Mar 23 2011 03:23 PM Automatic
a.b.c.106 01c8.bcc8.1a86.41 Mar 23 2011 03:56 PM Automatic
a.b.c.107 01a4.6706.1e54.94 Mar 23 2011 04:08 PM Automatic
a.b.c.108 017c.c537.46ac.0e Mar 23 2011 02:41 PM Automatic
a.b.c.111 0100.037f.0ea2.19 Mar 23 2011 02:47 PM Automatic
a.b.c.112 01d8.3062.75c5.9c Mar 23 2011 03:33 PM Automatic
a.b.c.113 0021.9116.449e Mar 23 2011 03:36 PM Automatic
a.b.c.114 0100.1ff3.46d9.a9 Mar 23 2011 03:40 PM Automatic
a.b.c.116 0104.1e64.4a0d.a3 Mar 23 2011 04:21 PM Automatic
a.b.c.117 0190.27e4.4ae8.94 Mar 23 2011 04:24 PM Automatic
Thanks!
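The debug output above shows DHCPREQUESTs from 0100.1b63.f246.8c arriving roughly every 20 seconds with no DHCPACK or DHCPNAK logged in between, while the binding table still holds a lease for that client-id (a.b.c.57). Correlating the two outputs makes that pattern visible for every client at once, and also lets you cross-check the client-id against the chaddr the router prints, which is a cheap way to spot clients presenting a client-id that does not belong to their hardware address. The script below is an added example, not code from the thread or from Cisco; its debug and binding lines are constructed samples modelled on the thread's format, and the "Sending DHCPOFFER/DHCPACK to client X (ip)" lines assume the usual IOS DHCPD message shape, since the thread itself contains no server replies.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the thread's "debug ip dhcp server" lines
# (not a live capture). The "Sending DHCPOFFER/DHCPACK ..." lines assume the
# usual IOS DHCPD message shape; the thread shows no server replies at all.
DEBUG_LOG = """\
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:33:41: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:33:50: DHCPD: DHCPDISCOVER received from client 0100.2608.7df2.68 on interface FastEthernet1/0.10.
Mar 22 15:33:50: DHCPD: htype 1 chaddr 0026.087d.f268
Mar 22 15:33:50: DHCPD: Sending DHCPOFFER to client 0100.2608.7df2.68 (a.b.c.104).
Mar 22 15:33:51: DHCPD: DHCPREQUEST received from client 0100.2608.7df2.68.
Mar 22 15:33:51: DHCPD: Sending DHCPACK to client 0100.2608.7df2.68 (a.b.c.104).
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:34:23: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:35:10: DHCPD: DHCPDISCOVER received from client 0100.0c29.aabb.cc on interface FastEthernet1/0.10.
Mar 22 15:35:10: DHCPD: htype 1 chaddr 000c.29dd.eeff
"""

# Constructed excerpt in the layout of "show ip dhcp binding".
BINDINGS = """\
a.b.c.57 0100.1b63.f246.8c Mar 23 2011 03:34 PM Automatic
a.b.c.104 0100.2608.7df2.68 Mar 23 2011 03:23 PM Automatic
"""

# Dotted-hex identifiers as IOS prints them: groups of 2-4 hex digits.
HEX_ID = r"([0-9a-f]{2,4}(?:\.[0-9a-f]{2,4})+)"
RECV_RE = re.compile(r"DHCPD: (DHCP[A-Z]+) received from client " + HEX_ID)
SEND_RE = re.compile(r"DHCPD: Sending (DHCP[A-Z]+) to client " + HEX_ID + r" \(([^)]+)\)")
CHADDR_RE = re.compile(r"DHCPD: htype (\d+) chaddr " + HEX_ID)
BIND_RE = re.compile(r"^(\S+)\s+" + HEX_ID + r"\s+")


def client_id_to_mac(client_id):
    """Return the MAC embedded in an htype-1 client-id (01 + 6-byte MAC), else None."""
    raw = client_id.replace(".", "")
    if len(raw) != 14 or not raw.startswith("01"):
        return None
    mac = raw[2:]
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def parse_bindings(text):
    """Map client-id -> leased IP from 'show ip dhcp binding' style lines."""
    bound = {}
    for line in text.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            bound[m.group(2)] = m.group(1)
    return bound


def analyze(debug_text, bindings_text):
    """Per-client counters of what the server received and sent, joined with bindings."""
    bound = parse_bindings(bindings_text)
    stats = defaultdict(lambda: {"discovers": 0, "requests": 0, "offers": 0, "acks": 0,
                                 "naks": 0, "chaddr_mismatch": False, "bound_ip": None})
    last_client = None  # the chaddr line follows the request it belongs to
    for line in debug_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            msg, cid = m.groups()
            last_client = cid
            key = {"DHCPDISCOVER": "discovers", "DHCPREQUEST": "requests"}.get(msg)
            if key:
                stats[cid][key] += 1
            continue
        m = SEND_RE.search(line)
        if m:
            msg, cid, _ip = m.groups()
            key = {"DHCPOFFER": "offers", "DHCPACK": "acks", "DHCPNAK": "naks"}.get(msg)
            if key:
                stats[cid][key] += 1
            continue
        m = CHADDR_RE.search(line)
        if m and last_client:
            htype, chaddr = m.groups()
            expected = client_id_to_mac(last_client) if htype == "1" else None
            if expected is not None and chaddr != expected:
                stats[last_client]["chaddr_mismatch"] = True
    for cid, s in stats.items():
        s["bound_ip"] = bound.get(cid)
    return dict(stats)


def unanswered_clients(report, min_requests=2):
    """Clients that kept sending DHCPREQUEST and never received an ACK or NAK."""
    return sorted(cid for cid, s in report.items()
                  if s["requests"] >= min_requests and s["acks"] == 0 and s["naks"] == 0)


def chaddr_mismatches(report):
    """Clients whose client-id option does not agree with the chaddr field."""
    return sorted(cid for cid, s in report.items() if s["chaddr_mismatch"])


if __name__ == "__main__":
    rep = analyze(DEBUG_LOG, BINDINGS)
    for cid in unanswered_clients(rep):
        s = rep[cid]
        print(f"{cid}: {s['requests']} DHCPREQUESTs, no ACK/NAK, existing lease: {s['bound_ip']}")
    for cid in chaddr_mismatches(rep):
        print(f"{cid}: client-id does not match chaddr")
```

Run it against the real `debug ip dhcp server packet` buffer and the binding table: a client listed as unanswered but with an existing lease is a renewal the server is silently dropping, which is a different problem from a client the server has never heard of.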
Similar Messages
-
Cisco IOS Router to PIX VPN Issues
Hi Everyone,
I have a small issue here which someone may be able to shed some light on.
I have a Cisco IOS router which is terminating a site-to-site VPN connection on the dialer interface. The PIX on the other end is behind a NAT router. The tunnel is being established and one subnet is able to see another when the tunnel is up. The thing we are having an issue is both networks on each side of the VPN contain multiple subnets and i cannot connect to all the subnets over the same tunnel.
Any ideas?
Yes all this is setup.
I have just found out that Cisco IOS can only make connections from 1 network per crypt map unless multiple connections are made from server to host. This is quite disturbing because i have not seen this in any documentation.
Does anyone know of IOS to PIX IPsec with multiple subnets on each side of the network. -
SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed
Hello,
i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
Cisco 1802 Router:
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
After a bunch of time (I really could not find really good documentation on how to do this) I got it done; in the webvpn context configuration I made these changes:
no aaa authentication list default
authentication certificate
ca trustpoint CA
As the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if I want only certificate authentication I have to use the "authentication certificate" command and that's it.
As I look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then I receive a window on the iPhone that wants an additional username and password authentication, and no matter what I enter there's always the same dialog coming back..
any ideas what the problem could be???
here is the configuration:
webvpn gateway WEBVPN_GW_OFFICE2
ip interface Dialer0 port 1444
ssl trustpoint CA
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
policy group WEBVPN_POLICY2
functions svc-enabled
mask-urls
svc address-pool "SSLVPN_OFFICE1"
svc default-domain "domain.internal"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.53.33
svc dns-server secondary 192.168.53.35
virtual-template 3
default-group-policy WEBVPN_POLICY2
gateway WEBVPN_GW_OFFICE2
authentication certificate
ca trustpoint CA
inservice
here is the debug:
OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username: pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username: pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp : cert_username : matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
HI,
Refer to the AnyConnect VPN Client FAQ:
http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3. -
Possible interface issues on cisco 3725 router
I have a router that has been working great for almost 2 years now; it has had the occasional reset due to power failures, but I have not adjusted the configuration for a long time, until today, trying to diagnose the issue that's occurring.
Here is the setup: a Cisco 3725 with three network interfaces, FE 0/0 connected to the cable modem, FE 0/1 connected to 10.0.1.x, and FE0/1.10 VLAN for Call Manager Express IP phones. I then have a third interface, FE 1/0, that acts as my DMZ where I keep servers. Both FE 0/0 and FE 1/0 are behind the NAT. Just yesterday I noticed that the internet traffic stops on the FE 0/1 interface after a few hours; local VLAN routing works from FE0/1 to FE 1/0 and I can ssh into the router, just no web traffic. I reset and it starts working again. The odd thing is the DMZ still has internet during this entire time, which makes me think the interface is failing. Are there any logs or commands I can run when the interface fails again to see if it's a bad interface on the router?
I isolated the switch out of the question: I hooked an unmanaged switch up while the internet was not working and tried to connect and got nothing as well.
Try the below and see whether that works.
The inside interface of the PIX cannot be pinged from the other end of the tunnel unless the management-access command is configured in the global configuration mode.
PIX-02(config)#management-access inside
PIX-02(config)#show management-access
management-access inside -
DHCP issues with Cisco WAP 321
I have 4 Cisco WAP 321's in my office connected to our Cisco 2911 ISR for DHCP. Everything is fine on the office wifi on vlan 1, but vlan 3 with the guest wifi network fails to obtain an IP address. I have tried under each of the WAPs to make sure it wasn't just the one nearest my desk. I was on the phone yesterday with Cisco about this and we turned on debugging and watched the DHCP requests, and no requests even hit the ISR (the only thing I have smartnet support on). I noticed our firmware was a few versions old so updated that this morning, but still have the same issues, so now I am turning to you all to help me figure this out.
Thanks
Jake
This topic first appeared in the Spiceworks Community -
I have a device that uses Multicast and is unable to acquire an IP address when connected to a 2960 switch. I have a 3560 switch that is configured with the DHCP scope. We have a DHCP pool configured, layer 2 and layer 3 switches.
Basically what's happening is that if we connect the device to the switch it does not get a DHCP address; however, if we apply a static address it works. Now I have duplicated this in the lab and everything works fine; the only difference is that I have a different IOS on my lab switch. The only thing I can think of is the IOS.
Any help would be appreciated.
The IOS on the 2960 is flash:c2960-lanbasek9-mz.122-55.SE7.
Hi Anil,
I need to know the mac-address of the client as i see two different DHCP Requests from:
0100.237d.14b5
and
0198.fe94.dcd6
Moreover i see only one DHCP pool on the layer 3 switch:
ip dhcp pool
network 10.65.117.0 255.255.255.0
dns-server 198.6.1.122 198.6.1.142 8.8.8.8
default-router 10.65.117.1
And as you said that it should pick an IP address from vlan2, but I don't see any pool for vlan2; on the contrary, you did mention that if you connect your laptop on that port it does pick an IP address from vlan 2. It's actually very weird.
If possible, collect the Wireshark captures from the machine interface for more debugging. I want to see the DHCP process. Let me know if you need any help in collecting captures.
Regards,
RS -
DHCP Server Configuration - Cisco 1750 router
Good Day All,
can anybody give me a step by step procedure on how to configure my 1750 router as a DHCP server?
Thank you,
Lester
Hello Moses,
You do InterVlan routing with your router, Fa0/1 and Fa0/0 is on your router, two different subnets with two different pools. From the router you have two uplinks - access links. These links are terminated on two different Layer 2 vlan on the switch. If Fa0/0 is terminated on vlan 100, hosts in vlan 100 will get IP address from Fa0/0's dhcp pool, if Fa0/1 is terminated on vlan 200 on the switch all hosts will get ip from Fa0/1's address space.
Fa0/0 dhcp pool: address of the interface is in the pool
Fa0/1 dhcp pool: address of the interface is in the pool, interface address is member of the subnet (that's will be the GW)
bye
FCS
Please rate me if I helped. -
The following topic describes how to do L2TP/IPSec on Windows 8.
https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8
However, I am trying to use the same template for Chrome OS clients and it does not work. Has it ever been set up successfully? Any ideas would be greatly appreciated.
Thank you,
Aram.
Randy, I understand now!
What I would do in this case is a couple of things, but this still needs some minor configuration on the router. It depends on the managed router provider, but you should be able to let the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you. After all, you are paying for services even though it is a router managed by the provider.
On the router they would configure a secondary logging server.
e.g.
say your syslog server is 20.20.20.20
router(config)#logging 20.20.20.20
router(config)#logging trap informational
The above informational is facility #6 out of the 7 levels of facility, 0 being emergencies, 1 alerts, 2 critical and so on. I believe with this facility # you will see tunnel info on the syslog.
Additionally, on the access-lists pertaining to the L2L IPsec tunnel add the keyword log at the end of each of its access-list entries; with the keyword log the router will send traps pertaining to the access-list to your syslog, thus showing you whether the connection is established or not.
Rgds
-Jorge -
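Jorge's reply relies on two things landing at the syslog server: the `logging trap informational` threshold (IOS severity 6 on its 0-7 scale, so everything at 6 or lower is forwarded) and the `%SEC-6-IPACCESSLOGP` messages that ACL entries with the `log` keyword generate. The collector-side parser below is an added example, not code from the thread or from Cisco: it decodes the syslog PRI into facility and severity, filters the way a given trap level would, and turns the ACL hit messages into structured records. The sample lines are constructed in the shape IOS emits (addresses, ACL number and sequence numbers are invented), and only the tcp/udp `IPACCESSLOGP` form with ports is parsed.

```python
import re

# Constructed sample lines in the shape IOS sends to a syslog server: two ACL
# 'log' hits, a crypto session notification and a link event. Addresses, the
# ACL number and the sequence numbers are invented for this example.
SAMPLE_SYSLOG = """\
<190>123: *Mar 22 15:40:01.123: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.0.0.5(51234) -> 192.168.2.10(443), 1 packet
<190>124: *Mar 22 15:40:06.001: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.0.0.9(40000) -> 192.168.2.10(22), 3 packets
<189>125: *Mar 22 15:41:00.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 203.0.113.7:500
<187>126: *Mar 22 15:42:00.000: %LINK-3-UPDOWN: Interface Tunnel0, changed state to down
"""

# IOS severity names, index = severity value.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
                  "notifications", "informational", "debugging"]

# <PRI>[seq: ][*]Mon dd hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?:\d+: )?(?:\*?\w{3} +\d+ [\d:.]+: )?"
    r"%(?P<mnemonic>[A-Z0-9_]+-(?P<sev>\d)-[A-Z0-9_]+): (?P<text>.*)$")
# list <acl> permitted|denied <proto> src(sport) -> dst(dport), N packet(s)
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\S+?)\((?P<sport>\d+)\) -> (?P<dst>\S+?)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity); PRI = facility*8 + severity."""
    return pri // 8, pri % 8


def parse_line(line):
    """Parse one IOS syslog line into a dict, or None if it is not in that shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity,
            "severity_name": SEVERITY_NAMES[severity],
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}


def forwarded_at_trap_level(text, level):
    """Mnemonics a router would forward under 'logging trap <level>' (severity <= level)."""
    out = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["severity"] <= level:
            out.append(ev["mnemonic"])
    return out


def acl_events(text):
    """Structured records for ACL 'log' hits in the tcp/udp (with ports) form."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["mnemonic"].endswith("IPACCESSLOGP"):
            continue
        m = ACL_RE.search(ev["text"])
        if m:
            rec = m.groupdict()
            for k in ("sport", "dport", "count"):
                rec[k] = int(rec[k])
            events.append(rec)
    return events


if __name__ == "__main__":
    for rec in acl_events(SAMPLE_SYSLOG):
        print(f"acl {rec['acl']} {rec['action']} {rec['proto']} "
              f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} ({rec['count']} pkts)")
    print("forwarded at trap level 4:", forwarded_at_trap_level(SAMPLE_SYSLOG, 4))
```

The trap-level filter is the point to check first when ACL log lines are missing at the collector: with `logging trap warnings` (4) only the link-down event in the sample would arrive, and the severity-6 ACL hits would never leave the router.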
Configuration Issue with my Cisco 871 Router
Hi all,
I am a newbie to the Cisco IOS.
I got a Cisco 871 Router that I'd like to use for internet connection. My LAN network is 192.168.1.0/24 and the ISP has assigned us the IP 41.212.79.108/24 and gateway 41.212.79.1.
With my current configuration, I can hit the router - 192.168.1.1 - and it's WAN port - 41.212.79.108 - but not the gateway.
Below is my current config:
Hoggers#show config
Using 4414 out of 131072 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Hoggers
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 **********************.
no aaa new-model
crypto pki trustpoint TP-self-signed-568493463
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-568493463
revocation-check none
rsakeypair TP-self-signed-568493463
crypto pki certificate chain TP-self-signed-568493463
certificate self-signed 01 nvram:IOS-Self-Sig#7.cer
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.90
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
ip dhcp pool LANPOOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 41.212.3.2 41.212.3.253
ip domain name yourdomain.com
ip name-server 41.212.3.2
ip name-server 41.212.3.253
archive
log config
hidekeys
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description Wan to Outside World
ip address 41.212.79.108 255.255.255.0
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip tcp adjust-mss 1452
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.212.79.1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.1.31 80 interface FastEthernet4 80
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
control-plane
scheduler max-task-time 5000
end
I'll appreciate any light you can shed on what I am missing.
2 wireless routers can not communicate wirelessly with each other.
You need to connect cable between 2 routers and use the second wireless router as access point.
Follow this link to connect Linksys router to another router.
Some of your devices are getting same IP address. This might be the issue with DHCP server of the router. You can try DHCP reservation on the router so that each device will get unique IP address. -
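The 871 configuration posted above carries one static NAT rule but marks neither FastEthernet4 as `ip nat outside` nor Vlan1 as `ip nat inside`, and has no dynamic overload rule for the LAN, which fits the symptom of LAN hosts reaching the router's WAN address but nothing beyond it; it also keeps cleartext `ip http server` alongside `ip http secure-server` and `no service password-encryption`. The audit script below is an added example, not code from the thread or from Cisco: it parses an IOS running-config into global and per-interface lines and flags those four conditions. Both configs it runs on are constructed samples modelled on the posted one (trimmed, with sub-mode lines indented as IOS prints them); the hardened variant shows the same box with the gaps closed.

```python
# Constructed sample modelled on the 871 running-config in the thread (trimmed,
# sub-mode lines indented as IOS prints them). Not the poster's exact config.
SAMPLE_CONFIG = """\
hostname Hoggers
no service password-encryption
ip dhcp pool LANPOOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
interface FastEthernet4
 description Wan to Outside World
 ip address 41.212.79.108 255.255.255.0
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 41.212.79.1
ip http server
ip http secure-server
ip nat inside source static tcp 192.168.1.31 80 interface FastEthernet4 80
"""

# The same box with the gaps closed (also constructed): NAT roles on the
# interfaces, an overload rule for the LAN, HTTPS-only management.
HARDENED_CONFIG = """\
hostname Hoggers
service password-encryption
interface FastEthernet4
 ip address 41.212.79.108 255.255.255.0
 ip nat outside
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 41.212.79.1
no ip http server
ip http secure-server
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.31 80 interface FastEthernet4 80
"""


def parse_config(text):
    """Return (global_lines, {interface: [sub-mode lines]}); indentation marks sub-mode."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    g, ifaces = parse_config(text)
    findings = []
    nat_rules = [l for l in g if l.startswith("ip nat inside source ")]
    inside = [n for n, lines in ifaces.items() if "ip nat inside" in lines]
    outside = [n for n, lines in ifaces.items() if "ip nat outside" in lines]
    if nat_rules and not (inside and outside):
        findings.append(("NAT_NO_INTERFACE_ROLES",
                         "NAT rules exist but no interface is marked 'ip nat inside' and "
                         "'ip nat outside'; nothing is translated"))
    if nat_rules and not any(" list " in r for r in nat_rules):
        findings.append(("NAT_NO_DYNAMIC_RULE",
                         "only static NAT rules; LAN hosts have no outbound translation"))
    if "ip http server" in g:
        findings.append(("HTTP_PLAINTEXT",
                         "'ip http server' exposes management over cleartext HTTP"))
    if "no service password-encryption" in g:
        findings.append(("NO_PASSWORD_ENCRYPTION",
                         "type-0 passwords, if any, stay readable in the config"))
    return findings


def finding_codes(text):
    """Sorted finding codes, convenient for comparing two configs."""
    return sorted(code for code, _ in audit(text))


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"{code}: {msg}")
    print("hardened:", finding_codes(HARDENED_CONFIG) or "no findings")
```

Feed it `show running-config` output rather than `show config` (the startup config), since the two can differ after unsaved edits.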
IPhone 2.1 now supports Cisco VPN Client to IOS router
Just tested it. The Cisco VPN Client in iPhone 2.1 now connects to my IOS router. Excellent.
I have a Cisco 1812 with 12.4(20)T. I know that 12.4(6)T and some other versions have an issue with the negotiation of IPSec policies which basically means that only the first proposal is considered. If the first proposal matches you have a connection. If it does not match, the connection is refused even though other proposals would be O.K.
The relevant isakmp/ipsec config should be:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group myvpn
key mysecretkey
dns 10.0.0.2 10.0.0.3
wins 10.0.0.2
domain mydomain.example.com
pool ippool
acl 150
split-dns mydomain.example.com
netmask 255.255.255.0
crypto isakmp profile ike-myvpn-profile
match identity group myvpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile myvpn
set transform-set ESP-3DES-SHA
set isakmp-profile ike-myvpn-profile
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet1
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile myvpn
See also http://www.cisco.com/en/US/docs/ios/security/configuration/guide/secipsec_virt_tunnl_ps6441_TSD_Products_Configuration_GuideChapter.html
If you have IOS 12.4(6)T or similar which has the bug I have mentioned you have to use aes instead of 3des for the transform set. The first proposal of the iPhone is aes. Be sure to check the "debug crypto ipsec" and "debug crypto isakmp" output for troubleshooting. -
Issue when update ios for 7206 router
Hi all,
The IOS on the router was 12.4. I put the IOS
c7200p-adventerprisek9-mz.152-4.M5.bin
in disk2 of the router and added
boot system flash disk2:/c7200p-adventerprisek9-mz.152-4.M5.bin
After that, I restarted the router and have the following logs:
7200Gateway#reload
Proceed with reload? [confirm]
*Jan 11 15:24:11.469: %SYS-5-RELOAD: Reload requested by m0ulngateway on console. Reload Reason: Reload Command.
*Jan 11 15:24:11.681: %BGP-5-ADJCHANGE: neighbor 213.244.66.77 Down Peer closed the session
System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Socket jumper: not present Failsafe jumper: present = normal
FPGA revision 0x00000026
C7200 platform with 2095104 Kbytes of main memory
Readonly ROMMON initialized
Self decompressing the image : ################################################################################################################################# [OK]
%SYS-6-CLOCKUPDATE: System clock has been updated from 15:26:31 UTC Sat Jan 11 2014 to 17:26:31 Israel Sat Jan 11 2014, configured from console by console.
% No interface specified for interface_command
X121 address and queued type can not be configured on the same rotary group 1
%SYS-3-IMAGE_TOO_BIG: 'disk2:/c7200p-adventerprisek9-mz.152-4.M5.bin' is too large for available memory (46143512 bytes).
%SYS-6-READ_BOOTFILE_FAIL: disk2:/c7200p-adventerprisek9-mz.152-4.M5.bin File read failed -- Not enough space.
%SYS-6-BOOT_MESSAGES: Messages above this line are from the boot loader.
boot of "cisco2-C7200" using boot helper "bootflash:c7200p-kboot-mz.124-4.XD5.bin" failed
error returned: File read failed -- Not enough space
loadprog: error - on file open
boot: cannot load "cisco2-C7200"
System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Socket jumper: not present Failsafe jumper: present = normal
FPGA revision 0x00000026
C7200 platform with 2095104 Kbytes of main memory
Readonly ROMMON initialized
Self decompressing the image : ########################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################### [OK]
*** No sreloc section
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 19:12 by prod_rel_team
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Installed image archive
Cisco 7206VXR (NPE-G2) processor (revision A) with 1966080K/65536K bytes of memory.
Processor board ID 13252317
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.0
Last reset from power-on
PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
1 FastEthernet interface
3 Gigabit Ethernet interfaces
2045K bytes of NVRAM.
250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).
Warning: The CLI will be deprecated soon
'enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Please move to 'enable secret <password>' CLI
max-reserved-bandwidth 95
^
% Invalid input detected at '^' marker.
Press RETURN to get started!
============================
Focusing on the red lines above: is there ANYTHING WRONG?????
After that I have sh ver:
7200Gateway#sh version
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 13-Sep-13 19:12 by prod_rel_team
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
7200Gateway uptime is 10 minutes
System returned to ROM by reload at 17:24:07 Israel Sat Jan 11 2014
System image file is "disk2:/c7200p-adventerprisek9-mz.152-4.M5.bin"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE-G2) processor (revision A) with 1966080K/65536K bytes of memory.
Processor board ID 13252317
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.0
Last reset from power-on
PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb1 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
1 FastEthernet interface
3 Gigabit Ethernet interfaces
2045K bytes of NVRAM.
250880K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
=====================
Focus on the bold line: did the router get the new IOS without problems????
Wish to clarify.
Regards
You are right, whenever a Cisco device boots, the IOS file gets loaded into the DRAM.
But in this process, some temporary files are also generated which gets saved in the flash/Disk, that’s the only reason you got these error messages. It’s not recommended at all to have less space in the Flash than what is recommended on Cisco.com. I would say please remove some files from Disk and have minimum 256 MB flash otherwise your router may drop into rommon mode at the time of next reload.
Well, it’s good to upgrade the bootstarp image too. Currently you are running 15.X IOS code, I would say run 15.X bootstarp image on the box.
You may download bootstarp image for 7206VRX NPEG2 from the link below:-
http://software.cisco.com/download/release.html?mdfid=282188585&flowid=1380&softwareid=280805685&release=15.2.4S4&relind=AVAILABLE&rellifecycle=ED&reltype=latest
If you want to know the procedure of the upgrade, click the link mentioned below:-
http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf010.html#wp1017654
-Amant -
Cisco 3825 router boot ios from usb
Hi All,
I have a Cisco 3825 router with a CF card failure. Can I boot IOS from USB?
Physically I found 2 USB ports, but I can't see anything in ROMmon mode. May I know how to boot from USB?
rommon 1 > dev
Devices in device table:
id name
flash: compact flash
bootflash: boot flash
eprom: eprom
rommon 2 >
Hugo
Hi Hugo,
The only time you can get an ISR G1 (except the 870) to boot from USB is when you have upgraded the bootstrap to 12.4(13r)T15.
The command to boot from USB is a hidden command. From ROMmon the command is "boot usbflash0:IOS_filename.bin".
Cisco IOS IPS in Cisco 2921/k9 router
Hi All,
I have a Cisco 2921 series router (C2921/K9), a basic box with the IP Base IOS image (SL-29-IPB-K9 IOS). I would like to enable the IOS-level IPS feature on this router now. Based on the Cisco document I found, I need to purchase an additional subscription license to enable the IPS feature. My queries are:
Will it be supported on the basic IP Base IOS, or do I need to change the IOS?
If I need to purchase the subscription license, how can I get the part number and cost for the same?
Do I need to buy any additional module for this, like the NME-IPS-K9?
Thanks in advance for your quick support.
regards
Sunny
Hi Sunny,
1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
2. Correct, the modules and appliances run a different kind of software and are much more powerful
3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
I hope this helps, let us know.
regards
Herbert
jacob.samuel wrote:
Dear Herbert,
Thanks a lot for the wonderful post. It clears most of my doubts. Still, I kindly need to know a few more points:
1) Can't we enable the IPS feature on a 2921/K9 router (with the Sec license or the 2921Sec/K9 bundle) without a signature subscription license? (Is it a must? It is for getting signature updates and for support only, right?)
2) I came to know from a distributor pre-sales engineer that the Cisco IOS-level Intrusion Protection is not going to provide the full IPS feature set like the NME module or the IPS appliance. Is that right?
3) If I add the NME-IPS-K9 module to my 2921 router without enabling the Sec license, can I enable the IPS feature on the router? Or is it a must that I buy the Sec license (SL-29-SEC-K9)?
The attached datasheet of the NME-IPS-K9 module (page 5, above Table 3) mentions the following:
"Cisco IOS Software Feature Sets and Release
Table 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841, 2800 and 3800 series Integrated Services Routers. Note that IPS NME on the Cisco 2900 and 3900 Integrated Services Routers does not require a Security Feature license."
In that case, if I buy a module I can install it on the 2921K9 box directly and enable the IPS feature, right? I don't need any license or additional signature subscription here to enable the IPS feature (if I don't need signature updates and support), right?
Thanks a lot for the support.
regards
Sunny
Cisco 3620 Router IOS CCIE lab
Dear Sir,
I procured one Cisco 3620 Router for CCIE R&S Lab.
Which IOS should I download from www.cisco.com to support 12.2T and IPv6?
Waiting for reply..
Thanks/Regards
Atul
Hi Atul,
This link may help you with the same:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Regards,
Ankur
Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis
We have configured a Cisco Nexus 7K9 as the core and Cisco 4510 R+E as access switches for server connectivity.
We are experiencing problems with ARP learning and ping between the Cisco Nexus and end hosts.
Hi,
So you have the N7k acting as L3 with servers connected to the 4510?
Do you see the MAC associated with the failing ARP on the 4510? Is it happening with all or only a few servers? Just to verify whether it is a connectivity issue between the N7k and the 4510, you can configure an SVI on the 4510, assign an address from the same range (server/core range) and perform a ping.
This will help narrow down whether the issue is between the server and the 4510 or between the 4510 and the N7k.
Thanks,
Nagendra
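The first check in the reply above (is the host's MAC learned on the access switch while the core's ARP entry for it stays unresolved?) is quick to script once you have the two show outputs. The script below is an added example and is not code from the thread or from Cisco; the server inventory, the NX-OS `show ip arp` excerpt and the IOS `show mac address-table` excerpt are constructed, simplified samples, and the regexes assume that column layout. It classifies each server by the segment where the path appears to break, which is the same narrowing-down the reply describes.

```python
"""Cross-check core ARP state against the access-switch MAC table.

Added example (not from the thread). The input formats are constructed,
simplified samples modelled on NX-OS 'show ip arp' and IOS
'show mac address-table'; adjust the regexes to the real column layout
of your platforms. MACs are compared as lowercase dotted triplets.
"""
import re

# Constructed inventory (hypothetical): server IP -> MAC recorded on the host
SERVERS = {
    "10.10.20.11": "0050.56aa.0001",
    "10.10.20.12": "0050.56aa.0002",
    "10.10.20.13": "0050.56aa.0003",
}

# Constructed NX-OS 'show ip arp' excerpt from the N7k core (SVI Vlan20)
N7K_ARP = """\
Address         Age       MAC Address     Interface
10.10.20.11     00:02:15  0050.56aa.0001  Vlan20
10.10.20.12     00:00:05  INCOMPLETE      Vlan20
"""

# Constructed IOS 'show mac address-table' excerpt from the 4510 access switch
C4510_MAC = """\
Vlan    Mac Address       Type        Ports
  20    0050.56aa.0001    DYNAMIC     Gi1/1
  20    0050.56aa.0002    DYNAMIC     Gi1/2
"""

# One ARP row: IP, age, MAC-or-INCOMPLETE, interface (header row does not match)
ARP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)\s+(\S+)\s*$", re.M)
# One MAC-table row: VLAN, dotted MAC, type, port (header row does not match)
MAC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.M
)


def parse_arp(text):
    """Return {ip: mac_or_'INCOMPLETE'} from the core's ARP output."""
    return {ip: mac.lower() for ip, mac, _iface in ARP_RE.findall(text)}


def parse_mac_table(text):
    """Return {mac: (vlan, port)} from the access switch's MAC table."""
    return {mac.lower(): (int(vlan), port) for vlan, mac, port in MAC_RE.findall(text)}


def triage(servers, arp_text, mac_text):
    """Classify each server by where the server-to-core path appears to break."""
    arp = parse_arp(arp_text)
    macs = parse_mac_table(mac_text)
    result = {}
    for ip, mac in servers.items():
        mac = mac.lower()
        arp_state = arp.get(ip, "MISSING")
        learned = macs.get(mac)
        if arp_state == mac:
            result[ip] = "ok"
        elif learned is None:
            # Access switch never learned the host: look at server <-> 4510
            result[ip] = "no-mac-on-access-switch"
        else:
            # Host is learned on the 4510 but the core cannot resolve it:
            # look at the 4510 <-> N7k path (trunk, VLAN allowed list, SVI)
            result[ip] = "mac-on-access-switch-arp-fails-at-core"
    return result


if __name__ == "__main__":
    for ip, verdict in triage(SERVERS, N7K_ARP, C4510_MAC).items():
        print(f"{ip:<16} {verdict}")
```

Feed it the real outputs (captured to files) rather than the embedded samples; a host in the third category usually points at the trunk or VLAN configuration between the access switch and the core, while one in the second category is a server-side or access-port problem.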