Flapping between CSS and router

We set up the CSS as below:
e0 : connected to SW (Cat4006)
e2 : connected to WEB Svr #1 (w/ IP 172.31.6.41)
e3 : connected to WEB Svr #2 (w/ IP 172.31.6.42)
load-balancing WEB#1 and WEB#2 (w/ Virtual IP 172.31.6.43)
VLAN 1 : IP 172.31.6.5 (mng access IP)
We also linked another VPN device to the same SW (172.31.6.0 network).
The VPN device was rebooted, and then we could see the flapping event log.
Help me!!

What type of CSS?
What software version?
What is flapping exactly?
How often?
What is the interface config of the CSS and the SW?
Gilles.

Similar Messages

  • Establishing Link between Order and Routing

    Hi
    When I am creating an order (e.g. production order from CO01) by default it's getting Routing and BOM. I want to know from where my order is populating BOM and Routing?
    I want to know how the link between Order and BOM and Order and Routing are established
    Thanks

    If you want to see how the tables are linked you can see this in table CAUFV (order header).  Fields PLNTY, PLNNR, & PLNAL define the task list type, group, and group counter.  These can be used to look up the routing information in tables PLKO and PLPO.  The BOM link is in field STLTY, STLST, & STLNR (bom category, status, and BOM).  Use these values to find the BOM details in tables STKO and STPO.
    If you want to know how the system knows which BOM and routing to bring in, that is done in configuration under Order plant dependent parameters (t-code OPL8).  Also, once the boms and routings are copied into the order you can make changes to the operations and components within the order.  The operation and component details that are stored in the order can be found in tables AFVC and RESB.
    thanks,

  • Communication between CSS and CVP

    Can anyone tell me how CVP and CSS communicate?

    Hi Neeraj,
    Considering the communication between VXML Server and CSS, please find below;
    From the gateway the call will go to CSS, and in the CSS we have a virtual IP configured for a pool of VXML Servers. The CSS chooses a server from the pool and it sends to the VXML Server. Once the HTTP request is sent to the VXML Server, the VXML Server will send the HTTP acknowledgement to the VXML Gateway via CSS. Now the VXML gateway will come to know the IP address of the VXML Server it has to communicate with; from there on, the communication will be directly between VXML Gateway and VXML Server (not via CSS).
    Thanks,
    Dass
    Please rate useful posts

  • Switching between ap# and router#

    Hi
    I have configured my Cisco 887VAMW with ADSL and Wifi but the only way I can configure the ap and router separately is to be connected to the router by ssh and the ap via console cable.
    When at the ap# prompt, how do I get back to the router#?
    I have tried the instructions on cisco.com:
    Closing the Session
    To close the session between the wireless device and the router’s console, perform both of the following steps.
    Wireless Device
    1. Control-Shift-6 x
    Router
    2. disconnect
    3. Press Enter twice.
    But it doesn't work....help!!!
    Thanks

    When you are in router# mode in order to enter ap# mode:
    cmd: #service-module wlan-ap 0 session  - of course I'm sure you have covered this
    from ap# to router#
    PRESS: CTRL+SHIFT+6, let go, then just press X
    -A line should appear on the cmd you did
    -Press enter once!

  • How to use the private subnet between ASA and Router

    Guys,
    Here is the context:
    I am connecting to 2 ISPs for load sharing traffic coming from my private network.
    The 2 links from the ISPs terminate in the router which connects to an ASA via a private subnet, back to my private network.
    I have configured PBR in the router, to prefer ISP1 for trafic coming from my internal servers X, Y, Z  (public addresses, no need for the ASA to translate).  The router  should send any other traffic coming from the rest of my private address space, servers W, V, U  (after translation by ASA) to ISP2.
    So far so good.  The default route defined on ASA points to the internal LAN interface of the Router (private ip address). How can I route this subnet used between the ASA and Router? Being a private address I have to translate it to something (public) before the router can send it out. But translate to what?
    Alternatively I could use a public subnet. But I do not have any. How do I get around this?
    Regards
    Ndaungwe

    You have IP addresses on the direct interface links to the ISPs? You could use those IP addresses with NAT overload.

  • Connection dropped between ASA and router

    Hi,
    Last night Internet traffic was going from my 2811 router to the Internet via my ASA 5510 (as it should do and in accordance with my route-map policy) but, when I came in this morning, traffic wasn't going via my ASA as my route-map policy specified, it was going straight to the Internet via my Gateway of Last Resort (an SDSL router). When I did a ping between the ASA and the 2811 router, traffic started to be routed via the ASA again, as specified by the Route-Map policy. Does anyone know what caused this to happen?
    Thanks,
    Jaime

    Ensure your ACL is configured properly on your device, or maybe you made some changes recently.

  • Custom Logical Disk monitor incorrectly flapping between healthy and unhealthy

    One of the client's Ops Mgr 2012 SP1 UR8 environments I am supporting has had some custom logical disk monitoring set up; there are 5 groups dynamically populated by logical drives depending on their size (1st group has small drives up to the last group with very large drives). There is a 'Warning' and 'Critical' Monitor set up per server OS version; the Monitors are not Enabled. There are Overrides applied to each group to enable the Monitor and apply a threshold - different threshold for each group.
    During some BAU tuning I could see that some of the above Monitors were appearing as Top-Talking alerts. Further investigation showed that alerts were being triggered by drives that momentarily dropped below the applied threshold. I re-created the Monitors from 'Simple Threshold' to 'Consecutive Samples' and set the 'Number of Samples' to 6 @ 3 minute intervals.
    What I am seeing is that alerts from the above Monitors are still appearing as Top Talkers. When I check the Health Explorer of repeating alerts I can see the disk space is staying the same, below the applied threshold, but the health is turning healthy then back to unhealthy. I have confirmed each noisy Object has the expected threshold as per its dynamic group allocation and have also confirmed the drives are not fluctuating above and below the threshold. One thing I have noticed is that some drives' Performance View is patchy - lots of dotted lines between the coloured lines.
    It's almost like the Monitor moves a Logical Disk Object into unhealthy state in the correct (and expected) manner, then it somehow picks up an incorrect threshold which is below the current usage level. This moves it into a healthy state only for the whole process to repeat. For example: Drive X: on a server is very large, the Group that it sits in has a threshold of 102400MB, its current usage is ~stable at 45500MB. Looking in Health Explorer I can see 3:01pm green state/ 45573 last sampled value/ # of samples 1 | 3:16pm yellow state/ 45573/ 6 samples | 3:34pm green state/ 45572/ 1 samples | 3:49pm yellow state/ 45571/ 6 samples | 4:01pm green state/ 45425/ 1 sample etc etc.
    I'm scratching my head on this one and would appreciate any suggestions or assistance.
    Thanks
    BT

    Thanks for the reply. It is not just one server / drive this is happening on. I am seeing it on everything; once they go into an unhealthy state they periodically go healthy and back again with no change in disk free space. Just to elaborate on how it is set up; a Monitor has been created for each OS version (2003, 2008 and 2012) and a separate Monitor for Warning and Critical so 6 Monitors in total. Looking at the Warning Monitors; they are created with a threshold of 5120MB for 6 samples and set to disabled.
    The following groups have been created and the following thresholds added:
    Group 1 (less than 60GB size): override added to enable. This group will then pick up the 5120MB threshold.
    Group 2 (60 – 250GB size): override added to enable and override added for 10240MB threshold
    Group 3 (250 – 500GB size): override added to enable and override added for 20480MB threshold
    Group 4 (500 – 1TB size): override added to enable and override added for 51200MB threshold
    Group 5 (>1TB size): override added to enable and override added for 102400MB threshold
    One drive I was looking at was in Group 2 (threshold of 10240MB), it was staying at approx. 8500MB but periodically going into healthy state then after 10mins (6 polls @ 2min intervals) back to unhealthy. This process repeats once or twice per day.
    I am wondering if the Object is somehow picking up the threshold of the Monitor (5120MB) then going back to its correct overridden threshold. I have setup some test groups and monitors in a lab and will review the results over the coming days.
    When the monitors were setup as 'Simple Threshold' this worked fine but were noisy due to drives spiking downwards. It was only when I re-wrote them as 'Consecutive Samples over Threshold' Monitors that this issue has started occurring.
    Thanks

  • Difference between Firewall and Router

    I can do VPN remote access configuration by using a Cisco firewall; I can also do it using the Cisco router by using the SDM program, so what are the benefits of using the firewall, or are they all the same?
    I mean, is it recommended to use the firewall? If yes, why?

    Answer-
    1) We can make Security-Level on Firewall, but router can't
    2) We can make firewall in multiple context (Virtual Firewall), but router can't
    3) We can create SSL VPN on Firewall, but router can't
    4) Whenever a packet is inspected by the Firewall and another packet comes with the same contents, the firewall doesn't check that packet, but the router checks all packets. (show connections)
    5) Firewall works as L2 and L3 both, but router only on L3.
    6) Firewall inspects packets on L3 to L7 but router works on L3.
    7) Firewall has Failover, router can't
    8) Whenever we take a trace, the firewall does not come into the picture, but the router always shows as a hop count.

  • Hub between ODN and Router?

    My router is connected directly to the ODN via Ethernet. ODN is in garage. I need ethernet in the garage (new internet-enabled irrigation control). Can I put a hub in garage, and plug the ODN into the hub, and then from the hub to the router?

    No.  You can't mix WAN and LAN on the same cat5 cable.
    BTW, it's ONT (Optical Network Terminal), not ODN

  • RV042 - What's a practical difference between gateway and router mode

    That's my scenario: I have a RV042 as gateway on subnet 192.168.254.0, subnet 192.168.0.0 on the same LAN, and 3 VPN tunnels connected GATEWAY TO GATEWAY on subnets 192.168.1.0, 192.168.2.0 and 192.168.4.0. I set up 192.168.0.0 as Multiple Subnet on the RV042, so now I can ping 192.168.0.0 from the RV042 but I can't do this from clients. What I want to know is what will happen if I change the RV042 mode from gateway to router, and what I need to do to make clients (workstations) on subnet 192.168.254.0 reach clients in subnet 192.168.0.0.
    Thx
    Everyone

    Gateway mode = RV042 does NAPT (network address & port translation);
    Router mode = RV042 does not do NAPT

  • Site-to-Site VPN btw Pix535 and Router 2811, can't get it work

    Hi, every one,  I spent couple of days trying to make  a site-to-site VPN between PIX535 and router 2811 work but come up empty handed, I followed instructions here:
    http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
    #1: PIX config:
    : Saved
    : Written by enable_15 at 18:05:33.678 EDT Sat Oct 20 2012
    PIX Version 8.0(4)
    hostname pix535
    interface GigabitEthernet0
    description to-cable-modem
    nameif outside
    security-level 0
    ip address X.X.138.132 255.255.255.0
    ospf cost 10
    interface GigabitEthernet1
    description inside  10/16
    nameif inside
    security-level 100
    ip address 10.1.1.254 255.255.0.0
    ospf cost 10
    access-list outside_access_in extended permit ip any any
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip any 10.1.1.192 255.255.255.248
    access-list outside_cryptomap_dyn_60 extended permit ip any 10.1.1.192 255.255.255.248
    access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    pager lines 24
    ip local pool cnf-8-ip 10.1.1.192-10.1.1.199 mask 255.255.0.0
    global (outside) 10 interface
    global (outside) 15 1.2.4.5
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 15 10.1.0.0 255.255.0.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.138.1 1
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer X.X.21.29
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 3600
    group-policy GroupPolicy1 internal
    group-policy cnf-vpn-cls internal
    group-policy cnf-vpn-cls attributes
    wins-server value 10.1.1.7
    dns-server value 10.1.1.7 10.1.1.205
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value x.com
    username sean password U/h5bFVjXlIDx8BtqPFrQw== nt-encrypted
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key secret1
    radius-sdi-xauth
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cnf-vpn-cls type remote-access
    tunnel-group cnf-vpn-cls general-attributes
    address-pool cnf-8-ip
    default-group-policy cnf-vpn-cls
    tunnel-group cnf-vpn-cls ipsec-attributes
    pre-shared-key secret2
    isakmp ikev1-user-authentication none
    tunnel-group cnf-vpn-cls ppp-attributes
    authentication ms-chap-v2
    tunnel-group X.X.21.29 type ipsec-l2l
    tunnel-group X.X.21.29 ipsec-attributes
    pre-shared-key SECRET
    class-map inspection_default
    match default-inspection-traffic
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:9780edb09bc7debe147db1e7d52ec39c
    : end
    #2:  Router 2811 config:
    ! Last configuration change at 09:15:32 PST Fri Oct 19 2012 by cnfla
    ! NVRAM config last updated at 13:45:03 PST Tue Oct 16 2012
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname LA-2800
    crypto pki trustpoint TP-self-signed-1411740556
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1411740556
    revocation-check none
    rsakeypair TP-self-signed-1411740556
    crypto pki certificate chain TP-self-signed-1411740556
    certificate self-signed 01
                quit
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key SECRET address X.X.138.132 no-xauth
    crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
    crypto map la-2800-ipsec-policy 1 ipsec-isakmp
    description vpn ipsec policy
    set peer X.X.138.132
    set transform-set la-2800-trans-set
    match address 101
    interface FastEthernet0/0
    description WAN Side
    ip address X.X.216.29 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    crypto map la-2800-ipsec-policy
    interface FastEthernet0/1
    description LAN Side
    ip address 10.20.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex full
    speed auto
    no mop enabled
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    access-list 10 permit X.X.138.132
    access-list 99 permit 64.236.96.53
    access-list 99 permit 98.82.1.202
    access-list 101 remark vpn tunnerl acl
    access-list 101 remark SDM_ACL Category=4
    access-list 101 remark tunnel policy
    access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 permit ip 10.20.0.0 0.0.0.255 any
    snmp-server community public RO
    route-map nonat permit 10
    match ip address 110
    webvpn gateway gateway_1
    ip address X.X.216.29 port 443
    ssl trustpoint TP-self-signed-1411740556
    inservice
    webvpn install svc flash:/webvpn/svc.pkg
    webvpn context gateway-1
    title "b"
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "WebVPN-Pool"
       svc keep-client-installed
       svc split include 10.20.0.0 255.255.0.0
    default-group-policy policy_1
    gateway gateway_1
    inservice
    end
    #3:  Test from Pix to router:
    Active SA:    1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: X.X.21.29
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    >>DEBUG:
    Oct 22 12:07:14 pix535:Oct 22 12:20:28 EDT: %PIX-vpn-3-713902: IP = X.X.21.29, Removing peer from peer table failed, no match!
    Oct 22 12:07:14 pix535 :Oct 22 12:20:28 EDT: %PIX-vpn-4-713903: IP = X.X.21.29, Error: Unable to remove PeerTblEntry
    #4:  test from router to pix:
    LA-2800#sh  crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    X.X.138.132  X.X.216.29  MM_KEY_EXCH       1017    0 ACTIVE
    >>debug
    LA-2800#ping 10.1.1.7 source 10.20.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.1.7, timeout is 2 seconds:
    Packet sent with a source address of 10.20.1.1
    Oct 22 16:24:33.945: ISAKMP:(0): SA request profile is (NULL)
    Oct 22 16:24:33.945: ISAKMP: Created a peer struct for X.X.138.132, peer port 500
    Oct 22 16:24:33.945: ISAKMP: New peer created peer = 0x488B25C8 peer_handle = 0x80000013
    Oct 22 16:24:33.945: ISAKMP: Locking peer struct 0x488B25C8, refcount 1 for isakmp_initiator
    Oct 22 16:24:33.945: ISAKMP: local port 500, remote port 500
    Oct 22 16:24:33.945: ISAKMP: set new node 0 to QM_IDLE     
    Oct 22 16:24:33.945: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 487720A0
    Oct 22 16:24:33.945: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Oct 22 16:24:33.945: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Oct 22 16:24:33.945: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Oct 22 16:24:33.945: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Oct 22 16:24:33.945: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Oct 22 16:24:33.945: ISAKMP:(0): beginning Main Mode exchange
    Oct 22 16:24:33.945: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_NO_STATE
    Oct 22 16:24:33.945: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.049: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_NO_STATE
    Oct 22 16:24:34.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct 22 16:24:34.049: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Oct 22 16:24:34.049: ISAKMP:(0): processing SA payload. message ID = 0
    Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID is NAT-T v2
    Oct 22 16:24:34.049: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0):found peer pre-shared key matching 70.169.138.132
    Oct 22 16:24:34.053: ISAKMP:(0): local preshared key found
    Oct 22 16:24:34.053: ISAKMP : Scanning profiles for xauth ...
    Oct 22 16:24:34.053: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    Oct 22 16:24:34.053: ISAKMP:      encryption DES-CBC
    Oct 22 16:24:34.053: ISAKMP:      hash SHA
    Oct 22 16:24:34.053: ISAKMP:      default group 1
    Oct 22 16:24:34.053: ISAKMP:      auth pre-share
    Oct 22 16:24:34.053: ISAKMP:      life type in seconds
    Oct 22 16:24:34.053: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Oct 22 16:24:34.053: ISAKMP:(0):atts are acceptable. Next payload is 0
    Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:actual life: 0
    Oct 22 16:24:34.053: ISAKMP:(0):Acceptable atts:life: 0
    Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa vpi_length:4
    Oct 22 16:24:34.053: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Oct 22 16:24:34.053: ISAKMP:(0):Returning Actual lifetime: 86400
    Oct 22 16:24:34.053: ISAKMP:(0)::Started lifetime timer: 86400.
    Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID is NAT-T v2
    Oct 22 16:24:34.053: ISAKMP:(0): processing vendor id payload
    Oct 22 16:24:34.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
    Oct 22 16:24:34.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct 22 16:24:34.053: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Oct 22 16:24:34.057: ISAKMP:(0): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Oct 22 16:24:34.057: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.057: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct 22 16:24:34.057: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Oct 22 16:24:34.181: ISAKMP (0:0): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_SA_SETUP
    Oct 22 16:24:34.181: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Oct 22 16:24:34.181: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Oct 22 16:24:34.181: ISAKMP:(0): processing KE payload. message ID = 0
    Oct 22 16:24:34.217: ISAKMP:(0): processing NONCE payload. message ID = 0
    Oct 22 16:24:34.217: ISAKMP:(0):found peer pre-shared key matching X.X.138.132
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is Unity
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID seems Unity/DPD but major 55 mismatch
    Oct 22 16:24:34.217: ISAKMP:(1018): vendor ID is XAUTH
    Oct 22 16:24:34.217: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.217: ISAKMP:(1018): speaking to another IOS box!
    Oct 22 16:24:34.221: ISAKMP:(1018): processing vendor id payload
    Oct 22 16:24:34.221: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
    Oct 22 16:24:34.221: ISAKMP:received payload type 20
    Oct 22 16:24:34.221: ISAKMP:received payload type 20
    Oct 22 16:24:34.221: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Oct 22 16:24:34.221: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Oct 22 16:24:34.221: ISAKMP:(1018):Send initial contact
    Oct 22 16:24:34.221: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Oct 22 16:24:34.221: ISAKMP (0:1018): ID payload
    next-payload : 8
    type         : 1
    address      : X.X.216.29
    protocol     : 17
    port         : 500
    length       : 12
    Oct 22 16:24:34.221: ISAKMP:(1018):Total payload length: 12
    Oct 22 16:24:34.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:34.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:34.225: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Oct 22 16:24:34.225: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 198554740
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 812380002
    Oct 22 16:24:38.849: ISAKMP:(1017):purging node 773209335..
    Success rate is 0 percent (0/5)
    LA-2800#
    Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:24:44.221: ISAKMP (0:1018): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    Oct 22 16:24:44.221: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:24:44.221: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:44.221: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:44.317: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:24:44.317: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:44.321: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 96)
    Oct 22 16:24:48.849: ISAKMP:(1017):purging SA., sa=469BAD60, delme=469BAD60
    Oct 22 16:24:52.313: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:24:52.313: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:52.313: ISAKMP:(1018): retransmitting due to retransmit phase 1
    Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:24:52.813: ISAKMP (0:1018): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    Oct 22 16:24:52.813: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:24:52.813: ISAKMP:(1018): sending packet to X.X138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:24:52.813: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:24:52.913: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    Oct 22 16:24:52.913: ISAKMP:(1018): retransmission skipped for phase 1 (time since last transmission 100)
    Oct 22 16:25:00.905: ISAKMP (0:1018): received packet from X.X.138.132 dport 500 sport 500 Global (I) MM_KEY_EXCH
    Oct 22 16:25:00.905: ISAKMP: set new node 422447177 to QM_IDLE     
    Oct 22 16:25:03.941: ISAKMP:(1018):SA is still budding. Attached new ipsec request to it. (local 1X.X.216.29, remote X.X.138.132)
    Oct 22 16:25:03.941: ISAKMP: Error while processing SA request: Failed to initialize SA
    Oct 22 16:25:03.941: ISAKMP: Error while processing KMI message 0, error 2.
    Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:12.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    Oct 22 16:25:12.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:25:12.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:25:12.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:22.814: ISAKMP (0:1018): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    Oct 22 16:25:22.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH
    Oct 22 16:25:22.814: ISAKMP:(1018): sending packet to X.X.138.132 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Oct 22 16:25:22.814: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    Oct 22 16:25:32.814: ISAKMP:(1018): retransmitting phase 1 MM_KEY_EXCH...
    Oct 22 16:25:32.814: ISAKMP:(1018):peer does not do paranoid keepalives.
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 70.169.138.132)
    Oct 22 16:25:32.814: ISAKMP: Unlocking peer struct 0x488B25C8 for isadb_mark_sa_deleted(), count 0
    Oct 22 16:25:32.814: ISAKMP: Deleting peer node by peer_reap for X.X.138.132: 488B25C8
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 1112432180 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node 422447177 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):deleting node -278980615 error FALSE reason "IKE deleted"
    Oct 22 16:25:32.814: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Oct 22 16:25:32.814: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_DEST_SA
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node 1112432180
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node 422447177
    Oct 22 16:26:22.816: ISAKMP:(1018):purging node -278980615
    Oct 22 16:26:32.816: ISAKMP:(1018):purging SA., sa=487720A0, delme=487720A0
    ****** The PIX is also used for VPN client access, such as Cisco VPN client 5.0, working fine; the router is used as an SSL VPN server, working too.
    I know there is a lot of data here; hopefully this data may be useful for diagnosis purposes.
    Any suggestions and advice are greatly appreciated.
    Sean

    Hi Sean,
    Current configuration:
    On the PIX:
    crypto isakmp policy 5
          authentication pre-share
          encryption 3des
          hash sha
          group 2
          lifetime 86400
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer X.X.21.29
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
    tunnel-group X.X.21.29 type ipsec-l2l
    tunnel-group X.X.21.29 ipsec-attributes
         pre-shared-key SECRET
    On the Router:
    crypto isakmp policy 1
          authentication pre-share
    crypto map la-2800-ipsec-policy 1 ipsec-isakmp
          description vpn ipsec policy    
          set peer X.X.138.132
          set transform-set la-2800-trans-set
          match address 101
    access-list 101 permit ip 10.20.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    crypto ipsec transform-set la-2800-trans-set esp-des esp-sha-hmac
    crypto isakmp key SECRET address X.X.138.132 no-xauth
    Portu.
    Please rate any helpful posts
    Message was edited by: Javier Portuguez

  • Restricted CSS and PRT

    Hi guys, I have some queries; please update me if anyone knows about it.
    Here is my scenario.
    In my CCM 5.1 I have around 10 to 15 Partitions and CSS and Route Patterns accordingly. I have around 2 PRIs for calling.
    I just want to know how we restrict channels according to CSS and PRT; in other words, I want to know how we configure
    restricted PRT and CSS. For example, I want one partition to use only 10 channels at a time, not more than 10 calls, and if someone
    tries to dial an 11th call while all 10 channels are in use, they should get a busy tone or any message.
    I also have one little question. If I add one phone with the SIP protocol and I want to forward that phone's calls to any URL, how can I do it?
    I hope you guys give me a solution soon. I am really thankful to you.
    I really appreciate your quick reply.
    Thanks in advance.
    Best regards,
    Fahad

    Enabling Call Display Restrictions
    The basis for the functionality of the Call Display Restrictions feature is calls being routed through different translation patterns before the calls are extended to the actual device. Users then dial the appropriate translation pattern numbers to achieve the display restrictions.
    Translation Pattern Configuration
    To enable Call Display Restrictions, configure translation patterns with different levels of display restrictions by choosing the appropriate option for the calling line ID presentation and the connected line ID presentation parameters.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/5_1_3/ccmfeat/fshosp.html

  • %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46.....

    Hi guys,
    I am seeing the above issue on two of my switches connected to the core switch. I know there are quite a few discussions open on the same issue, but mine is different.
    I see the same issue on two switches connected via the core switch on the same VLAN (112). When I do a MAC address lookup, it says the MAC that is generating this error is invalid, so I can't track the source of this MAC. Also, I just saw a topology change notification on the core and traced it back to the originating switch, which is also generating this error, but I don't see any change on the switch that generated the topology change notification. The problem is that in VLAN 112 all interfaces on both switches connected via the core are generating this message, so five interfaces each. Any expert advice on how to approach it? I can't get to the source port generating this, as nearly five ports in VLAN 112 on both switches are generating this error. Thanks.
    Apr 15 15:56:08: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 15:56:50: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 15:56:51: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 15:58:29: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 15:59:27: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46
    Apr 15 15:59:45: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:00:14: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa3/0/46
    Apr 15 16:00:36: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:02:40: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 16:03:22: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 16:03:31: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46
    Apr 15 16:04:03: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
    Apr 15 16:04:34: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:04:41: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46
    Apr 15 16:05:05: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
    Apr 15 16:05:13: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa3/0/46
    sh spanning-tree vlan 112
    VLAN0112
      Spanning tree enabled protocol rstp
      Root ID    Priority    8192
                 Address     001e.13c1.5a70
                 Cost        3004
                 Port        109 (GigabitEthernet3/0/1)
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    49264  (priority 49152 sys-id-ext 112)
                 Address     001f.261c.1d80
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time 300
      UplinkFast enabled but inactive in rapid-pvst mode
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa2/0/46         Desg FWD 3019      128.104  P2p
    Fa1/0/46         Desg FWD 3019      128.50   P2p
    Gi3/0/1          Root FWD 3004      128.109  P2p
    Fa3/0/46         Desg FWD 3019      128.158  P2p
    Fa3/0/47         Desg FWD 3100      128.159  P2p
    Fa3/0/48         Desg FWD 3019      128.160  P2p

    ASAK Mohammed,
    There are lots of threads discussing this; you should do a search before creating a new post.
    Anyway, this is how you approach these types of flapping:
    1. Is the given MAC in the log flapping only 1 time, or do you see it multiple times over a reasonably short time?
       If you see it only once or once every 2-3 hours, this might not be an issue worth investigating. Sporadic one-time flaps are expected in an L2 broadcast domain.
    If you see it often, continue to step 2.
    2. Identify and locate the flapping MAC in vlan 125: 3270.990a.a504
    Is the MAC that of a dual-homed server using some kind of load-balancing algorithm (active/active) for which the same address is used from both NICs?
    If yes, the message is not an issue but just an indication. Fix this type of LB (make it active/standby or make sure the server uses 2 different MAC addresses, one per NIC) or, if that is not possible, leave it like this.
    3. Is the MAC that of the wireless NIC of a PC?
    Make sure that the user was not moving from one AP to another (flapping is normal in this case).
    4. See if you have increasing TCNs and check if they are coming from the same interface.
    From this point on you keep on troubleshooting STP until you find the offending link (likely going up and down) or the switch. You also need to check if STP in vlan 112 is coherent with the actual L2 topology you have.
    =====================================================
    2- Some more detailed information which might be helpful to you.
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a00801434de.shtml#subtopic1k
    Problem
    The switch generates %SYS-3-P2_ERROR: Host xx:xx:xx:xx:xx:xx is flapping
    between ports messages, where xx:xx:xx:xx:xx:xx is a MAC address.
    Description
    This example shows the console output that you see when this error occurs:
    %SYS-4-P2_WARN: 1/Host 00:50:0f:20:08:00 is flapping between port 1/2 and port 4/39
    Use the steps and guidelines in this section in order to understand and
    troubleshoot the cause of this error message.
    The message indicates that your Catalyst 4500/4000 switch has learned a MAC
    address that already exists in the content-addressable memory (CAM) table, on
    a port other than the original one. This behavior repeatedly occurs over short
    periods of time, which means that there is address flapping between ports.
    If the message appears for multiple MAC addresses, the behavior is not normal.
    This behavior indicates a possible network problem because the MAC addresses
    move quickly from one port to another port before the default aging time. The
    problem can be looping traffic on the network. Typical symptoms include:
    · High CPU utilization
    · Slow traffic throughout the network
    · High backplane utilization on the switch
    For information on how to identify and troubleshoot issues with spanning tree,
    refer to Spanning Tree Protocol Problems and Related Design Considerations
    <http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml>.
    If the error message appears for one or two MAC addresses, locate these MAC
    addresses in order to determine the cause. Issue the show cam mac_addr command
    in order to identify from where these MAC addresses have been learned. In this
    command, mac_addr is the MAC address that the error reports as flapping.
    After you determine between which ports this MAC address is flapping, track
    down the MAC address. Connect to the intermediate devices between your
    Catalyst 4500/4000 and the device that has the problem MAC address. Do this
    until you are able to identify the source and how this device connects to the
    network.
    Note: Because the MAC address is flapping between two ports, track down both
    of the paths.
    This example shows how to track both of the paths from which this MAC address
    has been learned:
    Note: Assume that you have received this message and you have begun to
    investigate it.
    %SYS-4-P2_WARN: 1/Host 00:50:0f:20:08:00 is flapping between port 1/2 and port 4/39
    In order to track down how this MAC address was learned from both ports,
    complete these steps:
    1.     Consider port 1/2 first, and issue the show cam dynamic 1/2 command.
    If you see the MAC address 00:50:0f:20:08:00 in the list of the MAC addresses
    that have been learned on this port, determine if this is a single host that
    is connected or if there are multiple hosts that are registered on that port.
    2.     On the basis of whether there is a single or multiple hosts,
    investigate the device:
    o   If there is a single host (00:50:0f:20:08:00) that is connected, check the
    other port that is registered and see if the host is dually attached to the
    switch.
    In this example, the other port is port 4/39.
    o   If the host has connections to other devices that can eventually lead back
    to this switch, try to track down the intermediate devices.
    With Cisco devices, issue the show cdp neighbors mod/port detail command. The
    output provides information about intermediate devices.
    Here is sample output:
    Cat4K> (enable) show cdp neighbors 1/2 detail
    Port (Our Port): 1/2
    Device-ID: brigitte
    Device Addresses:
    IP Address: 172.16.1.1
    Novell address: aa.0
    Holdtime: 171 sec
    Capabilities: ROUTER
    Version:
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-JS-L), Version 12.0(7)T,  RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Mon 06-DEC-99 17:10 by phanguye
    Platform: cisco 2500
    Port-ID (Port on Neighbors's Device): Ethernet0
    VTP Management Domain: unknown
    Native VLAN: unknown
    Duplex: half
    System Name: unknown
    System Object ID: unknown
    Management Addresses: unknown
    Physical Location: unknown
    Cat4K> (enable)
    3.     Establish a Telnet session with the device and follow the path of the
    MAC address.
    In this example, the IP address is 172.16.1.1.
    Repeat the procedure for all MAC addresses that the error message reports as
    flapping.
    4.     Create a simple diagram of the source device with that MAC address and
    of the physical connections (the Catalyst 4500/4000 ports) from which and to
    which this MAC address is flapping.
    The diagram enables you to determine if this is a valid port and path for your
    network layout.
    If you verify that both ports on which the MAC address is flapping provide a
    path toward that network node, there is a possibility that you have a
    spanning-tree failure issue. Refer to Spanning Tree Protocol Problems and
    Related Design Considerations
    <http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml> in order to isolate and troubleshoot this loop.
    In large networks in which multiple hosts from multiple vendors are
    interconnected, difficulty arises as you try to track down the host with use
    of just the MAC address. Use the search utility for the IEEE OUI and
    Company_id Assignments <http://standards.ieee.org/regauth/oui/index.shtml>  in
    order to track down these MAC addresses. This list is the front end of the
    database where IEEE has registered all MAC addresses that have been assigned
    to all vendors. Enter the first three octets of the MAC address in the Search
    for: field of this page in order to find the vendor that is associated with
    this device. The first three octets in the example are 00:50:0f.
    These are other issues that can cause this message to appear:
    · Server NIC redundancy problem: There is a server with a dual-attached
    NIC that misbehaves and does not follow the standards. The server uses the
    same MAC address for both ports that connect to the same switch.
    · Hot Standby Router Protocol (HSRP) flapping: Flapping HSRP can cause
    these messages to appear in the Supervisor Engine console. If you notice that
    HSRP implementation in your network is unstable, refer to Understanding and
    Troubleshooting HSRP Problems in Catalyst Switch Networks
    <http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml> in order to resolve the problem.
    · EtherChannel misconfiguration: A misconfigured EtherChannel connection
    can also cause these symptoms. If ports that the flapping message reports are
    members of the same channel group, check your EtherChannel configuration and
    refer to Understanding EtherChannel Load Balancing and Redundancy on Catalyst
    Switches
    <http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml> in order to troubleshoot the configuration.
    · Host reflects packets back onto the network: The reflection of packets
    back onto the network by a host can also cause flapping. Typically, the root
    cause of this packet reflection is a broken NIC or any failure of the physical
    interface of the host that is connected to the port.
    If the reflection of packets by the host is your root cause, obtain a sniffer
    trace and examine the traffic that goes to and from the ports on which the
    messages have appeared. If a host reflects packets, you typically see
    duplicate packets in the trace. The duplicate packets are a possible symptom
    of this flapping of the MAC address.
    Refer to Configuring SPAN and RSPAN
    <http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/6.3and6.4/configuration/guide/span.html> for details on how to configure a port for use with a
    sniffer.
    · Software or hardware defect: If you have tried to troubleshoot the
    flapping message with the instructions in this section but you still notice
    the issue, seek further assistance from Cisco Technical Support
    <http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html>. Be
    sure to mention and provide documentation of the information that you have
    collected while you followed the steps. This information makes further
    troubleshooting quicker and more efficient.
    HTH
    Regards
    Inayath
    *Plz rate all useful posts.
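
    The first triage step in the answer above (how often a MAC flaps and between which ports) together with the tech note's OUI lookup, run over log lines in the thread's format. This is an added example, not part of the original posts; the 10-minute window, the threshold of 3 events and all function names are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the vlan 112 lines follow the thread's format,
# the vlan 20 host is invented to show a sporadic flap.
SAMPLE_LOG = """\
Apr 15 13:10:02: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Fa1/0/3 and port Fa1/0/7
Apr 15 15:40:00: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Fa1/0/7 and port Fa1/0/3
Apr 15 15:56:08: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
Apr 15 15:56:50: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
Apr 15 15:56:51: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa3/0/46 and port Gi3/0/1
Apr 15 15:58:29: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Fa2/0/46 and port Gi3/0/1
Apr 15 15:59:27: %SW_MATM-4-MACFLAP_NOTIF: Host 00ff.ffff.ffff in vlan 112 is flapping between port Gi3/0/1 and port Fa2/0/46
"""

FLAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<a>\S+) and port (?P<b>\S+)",
    re.IGNORECASE,
)


def parse_flaps(text, year=2000):
    """Return (timestamp, mac, vlan, {port, port}) for every MACFLAP line.

    Syslog timestamps carry no year, so a fixed one is assumed; only the
    time differences matter here.
    """
    events = []
    for line in text.splitlines():
        m = FLAP_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ports = frozenset((m["a"], m["b"]))
        events.append((ts, m["mac"].lower(), int(m["vlan"]), ports))
    return events


def oui(mac):
    """First three octets of a dotted Cisco MAC, as entered in an OUI search."""
    digits = mac.replace(".", "")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def busiest_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(events, window=timedelta(minutes=10), threshold=3):
    """Group flaps per (mac, vlan) and separate recurring from sporadic ones."""
    grouped = defaultdict(list)
    for ts, mac, vlan, ports in events:
        grouped[(mac, vlan)].append((ts, ports))
    report = {}
    for (mac, vlan), items in grouped.items():
        port_sets = [ports for _, ports in items]
        peak = busiest_window([ts for ts, _ in items], window)
        report[(mac, vlan)] = {
            "events": len(items),
            "peak_in_window": peak,
            "recurring": peak >= threshold,
            # Ports named in every event: the constant side of the flap,
            # and one of the two paths to trace.
            "fixed_ports": sorted(frozenset.intersection(*port_sets)),
            "port_counts": Counter(p for ports in port_sets for p in ports),
            "oui": oui(mac),
        }
    return report


if __name__ == "__main__":
    for (mac, vlan), info in triage(parse_flaps(SAMPLE_LOG)).items():
        kind = "recurring" if info["recurring"] else "sporadic"
        print(f"{mac} vlan {vlan}: {kind}, {info['events']} events, "
              f"fixed ports {info['fixed_ports']}, OUI {info['oui']}")
```

    In the spanning-tree output posted in the question, Gi3/0/1 is the root port, so a flap whose fixed port is Gi3/0/1 means the same MAC is also being learned from upstream; both paths then have to be traced, as the tech note says.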

  • %SW_MATM-4-MACFLAP_NOTIF: Host 4025.c225.d9f0 in vlan 16 is flapping between port Gi1/0/27 and port Gi1/0/12

    Hi all,
    We have a network with CORE4507 access 2960x24port+4portSFP.
    The CORE is configured to allow all VLANs up to the access switch SFP interface Gi1/0/27. When I show the log on the switch, I find the error below.
    %SW_MATM-4-MACFLAP_NOTIF: Host 4025.c225.d9f0 in vlan 16 is flapping between port Gi1/0/27 and port Gi1/0/12
    On the access switch, port Gi1/0/12 and port Gi1/0/24 are configured as trunks and a WAP121 wireless AP is connected. Two SSIDs are configured: SSID1=VLAN 10, SSID2=VLAN 16.
    interface GigabitEthernet1/0/12
     switchport trunk allowed vlan 10,16
     switchport mode trunk
    interface GigabitEthernet1/0/24
     switchport trunk allowed vlan 10,16
     switchport mode trunk
    Any Help
    Regards

    Hello Akash,
    Thanks for the reply. Port 1/0/27 is configured as a trunk with all VLANs allowed.
    interface GigabitEthernet1/0/27
     switchport mode trunk
    This is sh cdp ne:
    V35#sh cdp neighbors 
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone, 
                      D - Remote, C - CVTA, M - Two-port Mac Relay 
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    CORE1            Gig 1/0/27        176             R S I  WS-C4507R Gig 1/23
    Regards

  • Problem of routing between inside and outside on ASA5505

    I have an ASA5505 with a mostly factory default configuration. Its license allows only two VLAN interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
    I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
    a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
    WAE#ping 10.10.10.250
    PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
    --- 10.10.10.250 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss
    WAE#sh arp
    Protocol Address Flags Hardware Addr Type Interface
    Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
    Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
    Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
    b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
    Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
    ASA# sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route
    Gateway of last resort is 172.26.18.1 to network 0.0.0.0
    C 172.26.18.0 255.255.255.0 is directly connected, outside
    C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
    C 10.10.10.0 255.255.255.0 is directly connected, inside
    d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    All other ports are in vlan 1 by default.

    I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside)
    port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
    port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
    I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
    If I can't ping from the inside interface to the outside interface on the ASA, how can I verify that inside hosts can get to outside addresses and vice versa? I looked at the ASA docs, but didn't find out how to set the routing between inside and outside. They are both connected interfaces; should they route between each other already?
    Thanks a lot
