H.323 q.sig tunneling
Hi,
I'm trying to work around a bug I've got in my MGCP gateway configuration by swapping to H.323. In doing this I need to ensure I get calling name information passed between my PBX (NEC) and the CallManager phones. I can see that I have an option to tunnel Q.SIG on the H.323 gateway config, but I tried it and it didn't work. Calls to the PBX were dropped almost immediately, and while the PBX could call IP phones, I got no calling name information.
Has anyone tried this?
Cheers
Leigh
Hi Guys,
Can anyone give feedback on whether there are any PBR issues with H.323?
Thanks in advance!
Cheers,
Emmanuel
Similar Messages
Cisco ASA 5520 Site-to-site VPN TUNNELS disconnection problem
Hi,
I recently purchased a Cisco ASA 5520, running firmware v. 8.4(2) and ASDM v. 6.4(5)106.
I have installed 50 site-to-site VPN tunnels, and they work fine.
But the VPN tunnels randomly keep disconnecting, and a few seconds later they reconnect automatically.
It happens when there is no traffic, I suspect.
In ASDM, in Group Policies under DfltGrpPolicy (system default), I have "idle timeout" set to "UNLIMITED", but still they keep disconnecting and connecting again. I have also verified that all VPN tunnels are using this group policy, and all VPN tunnels have "Idle Timeout: 0".
This is very annoying, as in my case I have customers with an RDP (remote desktop client) session open 24/7 and suddenly it gets disconnected due to no traffic?
In ASDM under Monitoring -> VPN, I can see in "Login Time Duration" that all VPN tunnels recently disconnected: some 30 minutes, 52 minutes, 40 minutes and some 12 minutes ago, and so on. They don't disconnect at the same time; it is all random.
I don't want the VPN tunnels to disconnect; I want them to run until we manually disconnect them.
Any idea?
Thanks,
Daniel
What is the lifetime value configured for in your crypto policies?
For example:
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
The tale of two IPSec Tunnels...
I'm trying to set up an IPsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510s, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the IPsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've pored over the configs on both, and although there are just a couple of differences, the two ASAs are pretty close in configs.
At first I thought it was an ACL issue, but I've filtered the logs by syslog ID 106023 to watch for denies by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using EIGRP to distribute routes between the ASA and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the VPN network, which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test site I see echo requests and replies. On the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which makes sense.
Other things to note: The test site that works also has a site-to-site VPN up and running, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 172.16.139.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0A7F396F
current inbound spi : E87AF806
inbound esp sas:
spi: 0xE87AF806 (3900372998)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x7FFFFFFF
outbound esp sas:
spi: 0x0A7F396F (176109935)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 10.254.29.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 096265D4
current inbound spi : F5E4780C
inbound esp sas:
spi: 0xF5E4780C (4125390860)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x001FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x096265D4 (157443540)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Config (non-working site) looks fine (unless I missed something :)). You may want to add:
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try taking out the vpn-filter: vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from the ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS
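The checks suggested in the reply above can be run offline against a saved `show run`. The following is an added example, not part of the original thread and not Cisco tooling; it assumes ASA 8.2-style syntax, models only the `any`, `host` and address/mask ACL forms, and the function names (`parse`, `audit`) are hypothetical.

```python
import ipaddress

# Excerpt of the production-site (mp01-5510asa) configuration posted in the
# thread above, with sub-command indentation restored.
PROD_CONFIG = """\
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 vpn-filter value remoteaccess
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool vpn_ip_pool3
 default-group-policy RemoteAccess
"""

# Sub-commands recorded while inside a group-policy / tunnel-group block.
SUBCOMMANDS = {"vpn-filter", "split-tunnel-network-list",
               "address-pool", "default-group-policy"}


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def take_net(tokens):
    """Consume one ACL address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return net(tokens[0], tokens[1]), tokens[2:]


def parse(config):
    cfg = {"std": {}, "ext": {}, "pools": {}, "inside_routes": [],
           "nat0": None, "policies": {}, "groups": {}}
    ctx = None  # dict of the group-policy / tunnel-group block being read
    for raw in config.splitlines():
        w = raw.split()
        if len(w) < 2:
            continue
        if w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            cfg["std"].setdefault(w[1], []).append(net(w[4], w[5]))
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            try:
                src, rest = take_net(w[5:])
                dst, _ = take_net(rest)
            except (ValueError, IndexError):
                continue  # object-group and other forms are not modelled here
            cfg["ext"].setdefault(w[1], []).append((src, dst))
        elif w[:3] == ["ip", "local", "pool"]:
            first, last = w[4].split("-")
            cfg["pools"][w[3]] = (ipaddress.ip_address(first),
                                  ipaddress.ip_address(last))
        elif w[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = w[4]
        elif w[:2] == ["route", "inside"]:
            cfg["inside_routes"].append(net(w[2], w[3]))
        elif w[0] in ("group-policy", "tunnel-group"):
            kind = "policies" if w[0] == "group-policy" else "groups"
            is_block = len(w) > 2 and w[2].endswith("attributes")
            ctx = cfg[kind].setdefault(w[1], {}) if is_block else None
        elif ctx is not None and w[0] in SUBCOMMANDS:
            ctx[w[0]] = w[-1]
    return cfg


def audit(config, tunnel_group):
    """Report the remote-access items the reply asks the poster to review."""
    cfg = parse(config)
    group = cfg["groups"][tunnel_group]
    policy = cfg["policies"].get(group.get("default-group-policy"), {})
    first, last = cfg["pools"][group["address-pool"]]
    split = cfg["std"].get(policy.get("split-tunnel-network-list"), [])
    nat0 = cfg["ext"].get(cfg["nat0"], [])
    vpn_filter = cfg["ext"].get(policy.get("vpn-filter"), [])
    return {
        # Networks routed to the inside that the client is never told to tunnel.
        "not_in_split_tunnel": [str(r) for r in cfg["inside_routes"]
                                if not any(r.subnet_of(s) for s in split)],
        # Replies to the pool must be exempt from NAT to match the tunnel.
        "pool_nat_exempt": any(first in d and last in d for _, d in nat0),
        "vpn_filter": policy.get("vpn-filter"),
        # vpn-filter ACLs list the remote (client) side as the source.
        "pool_in_vpn_filter": any(first in s and last in s
                                  for s, _ in vpn_filter),
    }


if __name__ == "__main__":
    for key, value in audit(PROD_CONFIG, "RemoteAccess").items():
        print(f"{key}: {value}")
```

Run against the production excerpt, it reports 192.168.29.0/24 as routed to the inside but absent from the split-tunnel list, which is the network the reply proposes adding, and it names the vpn-filter ACL the reply suggests removing as a test.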
Tunneling result unspecified/No available router to dest weblogic 10.0 MP1
Hi,
I have some problems with my WebLogic installation. I would like to deploy via Eclipse and get the following error messages.
Some configuration input:
-firewall is off
Eclipse
base directory: ${project_path}
Goals: install weblogic:deploy
weblogic.home .......bea\wlserver_10.0
Maven-Runtime: .......\apache-maven-2.1.0
Also I added some datasources. But in my opinion I did no further configurations.
[INFO] [weblogic:deploy]
[INFO] Weblogic Deployment beginning with parameters DeployMojoBase[adminServerHostName = 127.0.0.1, adminServerProtocol = http, adminServerPort = 7001, userId = weblogic, password = weblogic, artifactPath = ..........info_ear-0.0.1-SNAPSHOT, projectPackaging = ear, name = ..........info_ear, targetNames = AdminServer, remote = false]
[INFO] Weblogic Deployment parameters [-adminurl, http://127.0.0.1:7001, -username, weblogic, -password, weblogic, -name, ..........info_ear, -targets, AdminServer, -source, ..........info_ear-0.0.1-SNAPSHOT, -deploy]
weblogic.Deployer invoked with options: -adminurl http://127.0.0.1:7001 -username weblogic -name bs_country_info_ear -targets AdminServer -source ..........info_ear-0.0.1-SNAPSHOT -deploy
javax.enterprise.deploy.spi.exceptions.DeploymentManagerCreationException
at weblogic.deploy.api.spi.deploy.WebLogicDeploymentManagerImpl.<init>(WebLogicDeploymentManagerImpl.java:121)
at weblogic.deploy.api.spi.factories.internal.DeploymentFactoryImpl.getDeploymentManager(DeploymentFactoryImpl.java:84)
at weblogic.deploy.api.tools.SessionHelper.getDeploymentManager(SessionHelper.java:432)
at weblogic.deploy.api.tools.deployer.Jsr88Operation.connect(Jsr88Operation.java:304)
at weblogic.deploy.api.tools.deployer.Deployer.perform(Deployer.java:137)
at weblogic.deploy.api.tools.deployer.Deployer.runBody(Deployer.java:88)
at weblogic.utils.compiler.Tool.run(Tool.java:158)
at weblogic.utils.compiler.Tool.run(Tool.java:115)
at weblogic.Deployer.run(Deployer.java:70)
at org.codehaus.mojo.weblogic.DeployMojoBase.executeDeployer(DeployMojoBase.java:510)
at org.codehaus.mojo.weblogic.DeployMojo.execute(DeployMojo.java:49)
at org.apache.maven.plugin.DefaultPluginManager.executeMojo(DefaultPluginManager.java:483)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoals(DefaultLifecycleExecutor.java:678)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeStandaloneGoal(DefaultLifecycleExecutor.java:553)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoal(DefaultLifecycleExecutor.java:523)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeGoalAndHandleFailures(DefaultLifecycleExecutor.java:371)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.executeTaskSegments(DefaultLifecycleExecutor.java:332)
at org.apache.maven.lifecycle.DefaultLifecycleExecutor.execute(DefaultLifecycleExecutor.java:181)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:356)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:137)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:356)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:592)
at org.codehaus.classworlds.Launcher.launchEnhanced(Launcher.java:315)
at org.codehaus.classworlds.Launcher.launch(Launcher.java:255)
at org.codehaus.classworlds.Launcher.mainWithExitCode(Launcher.java:430)
at org.codehaus.classworlds.Launcher.main(Launcher.java:375)
Caused by: weblogic.deploy.api.spi.exceptions.ServerConnectionException
at weblogic.deploy.api.spi.deploy.internal.ServerConnectionImpl.init(ServerConnectionImpl.java:143)
at weblogic.deploy.api.spi.deploy.WebLogicDeploymentManagerImpl.getNewConnection(WebLogicDeploymentManagerImpl.java:148)
at weblogic.deploy.api.spi.deploy.WebLogicDeploymentManagerImpl.<init>(WebLogicDeploymentManagerImpl.java:118)
... 28 more
Caused by: javax.naming.CommunicationException [Root exception is java.net.ConnectException: http://127.0.0.1:7001: Destination unreachable; nested exception is:
java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at host: 'localhost' and port: '7001' a WebLogic Server?; No available router to destination]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:773)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:363)
at weblogic.jndi.Environment.getContext(Environment.java:307)
at weblogic.jndi.Environment.getContext(Environment.java:277)
at weblogic.jndi.Environment.createInitialContext(Environment.java:200)
at weblogic.jndi.Environment.getInitialContext(Environment.java:184)
at weblogic.jndi.Environment.getInitialContext(Environment.java:162)
at weblogic.deploy.api.spi.deploy.internal.ServerConnectionImpl.getContext(ServerConnectionImpl.java:330)
at weblogic.deploy.api.spi.deploy.internal.ServerConnectionImpl.getEnvironment(ServerConnectionImpl.java:302)
at weblogic.deploy.api.spi.deploy.internal.ServerConnectionImpl.init(ServerConnectionImpl.java:141)
... 30 more
Caused by: java.net.ConnectException: http://127.0.0.1:7001: Destination unreachable; nested exception is:
java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at host: 'localhost' and port: '7001' a WebLogic Server?; No available router to destination
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:204)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:154)
at weblogic.jndi.WLInitialContextFactoryDelegate$1.run(WLInitialContextFactoryDelegate.java:342)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:337)
... 38 more
Caused by: java.rmi.ConnectException: Destination unreachable; nested exception is:
java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at host: 'localhost' and port: '7001' a WebLogic Server?; No available router to destination
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:472)
at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:323)
at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:263)
at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:206)
at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:226)
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:189)
... 43 more
Unable to connect to 'http://127.0.0.1:7001': Destination unreachable; nested exception is:
java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at host: 'localhost' and port: '7001' a WebLogic Server?; No available router to destination. Ensure the url represents a running admin server and that the credentials are correct. If using http protocol, tunneling must be enabled on the admin server.
The last lines are very confusing because I can connect to the web interface of the WebLogic server. That's no problem.
Does anyone have some ideas to solve my problem?
Thanks!
Edited by: user3467436 on 07.08.2009 02:09
I think you must enable HTTP tunneling in WebLogic Server. Go to the Administration Console at Environment > Servers > AdminServer > Protocols > HTTP and set Enable Tunneling = true.
Alternatively you can change [http://localhost:7001] to [t3://localhost:7001] in the Eclipse deployment tool.
DMVPN - One Spoke VPN tunnel flap - deleting SA reason "IKMP_ERR_NO_RETRANS"
Dear All,
Please help find the reason for the DMVPN IPsec tunnel flap below.
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
x.x.x.x y.y.y.y MM_NO_STATE 4983 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
#sh log | i 4984
04:58:47.155: ISAKMP:(4984): OU = DE_FRA_ASR1001_R2
Feb 12 04:58:47.155: ISAKMP:(4984): processing SIG payload. message ID = 0
Feb 12 04:58:47.159: ISAKMP:(4984):SA authentication status:
Feb 12 04:58:47.159: ISAKMP:(4984):SA has been authenticated with x.x.x.x
Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM5 New State = IKE_I_MM6
Feb 12 04:58:47.159: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM6 New State = IKE_I_MM6
Feb 12 04:58:47.163: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 12 04:58:47.163: ISAKMP:(4984):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Feb 12 04:58:47.163: ISAKMP:(4984):Need XAUTH
Feb 12 04:58:47.163: ISAKMP:(4984): initiating peer config to x.x.x.x 0. ID = -847734916
Feb 12 04:58:47.163: ISAKMP:(4984): sending packet to x.x.x.x my_port 500 peer_port 500 (I) CONF_XAUTH
Feb 12 04:58:47.163: ISAKMP:(4984):Sending an IKE IPv4 Packet.
Feb 12 04:58:47.167: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Feb 12 04:58:47.167: ISAKMP:(4984):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Feb 12 04:58:47.203: ISAKMP (4984): received packet from x.x.x.x dport 500 sport 500 Global (I) CONF_XAUTH
Feb 12 04:58:47.207: ISAKMP:(4984): processing HASH payload. message ID = -1617704027
Feb 12 04:58:47.207: ISAKMP:(4984):Processing delete with reason payload
Feb 12 04:58:47.207: ISAKMP:(4984):delete doi = 1
Feb 12 04:58:47.207: ISAKMP:(4984):delete protocol id = 1
Feb 12 04:58:47.207: ISAKMP:(4984):delete spi_size = 16
Feb 12 04:58:47.207: ISAKMP:(4984):delete num spis = 1
Feb 12 04:58:47.207: ISAKMP:(4984):delete_reason = 28
Feb 12 04:58:47.207: ISAKMP:(4984): processing DELETE_WITH_REASON payload, message ID = -1617704027, reason: Unknown delete reason!
Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
Feb 12 04:58:47.207: ISAKMP:(4984):peer does not do paranoid keepalives.
Feb 12 04:58:47.207: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH (peer x.x.x.x)
Feb 12 04:58:47.207: ISAKMP:(4984):deleting node -1617704027 error FALSE reason "Informational (in) state 1"
Feb 12 04:58:47.211: ISAKMP:(4984): sending packet to x.x.x.x my_port 500 peer_port 500 (I) CONF_XAUTH
Feb 12 04:58:47.211: ISAKMP:(4984):Sending an IKE IPv4 Packet.
Feb 12 04:58:47.211: ISAKMP:(4984):purging node 20363770
Feb 12 04:58:47.211: ISAKMP:(4984):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 12 04:58:47.211: ISAKMP:(4984):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
Feb 12 04:58:47.211: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH (peer x.x.x.x)
Feb 12 04:58:47.215: ISAKMP:(4984):deleting node 1519432799 error FALSE reason "IKE deleted"
Feb 12 04:58:47.215: ISAKMP:(4984):deleting node -847734916 error FALSE reason "IKE deleted"
Feb 12 04:58:47.215: ISAKMP:(4984):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 12 04:58:47.215: ISAKMP:(4984):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Thanks for your kind response
I gave up on fixing what was there and rebuilt from scratch, including regenerating the key with the same modulus. And now it works. I don't know what fixed it, could even have been corruption of the startup-config since I replaced that, but it's working and right now that's all I care about.
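One way to read the ISAKMP debug in the question above as a per-SA timeline, added here as an example (it is not part of the original post or reply): it parses a constructed subset of the quoted lines and reports which state the SA was in when the peer's delete arrived. The names `parse_isakmp_debug`, `findings` and `SaTimeline` are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the debug lines quoted in the post above,
# kept verbatim (the peer address is already masked as x.x.x.x there).
SAMPLE_LOG = """\
Feb 12 04:58:47.159: ISAKMP:(4984):SA has been authenticated with x.x.x.x
Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM5 New State = IKE_I_MM6
Feb 12 04:58:47.159: ISAKMP:(4984):Old State = IKE_I_MM6 New State = IKE_I_MM6
Feb 12 04:58:47.163: ISAKMP:(4984):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Feb 12 04:58:47.163: ISAKMP:(4984):Need XAUTH
Feb 12 04:58:47.167: ISAKMP:(4984):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
Feb 12 04:58:47.203: ISAKMP (4984): received packet from x.x.x.x dport 500 sport 500 Global (I) CONF_XAUTH
Feb 12 04:58:47.207: ISAKMP:(4984):Processing delete with reason payload
Feb 12 04:58:47.207: ISAKMP:(4984):delete_reason = 28
Feb 12 04:58:47.207: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH (peer x.x.x.x)
Feb 12 04:58:47.211: ISAKMP:(4984):Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
Feb 12 04:58:47.211: ISAKMP:(4984):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_XAUTH (peer x.x.x.x)
Feb 12 04:58:47.215: ISAKMP:(4984):Old State = IKE_DEST_SA New State = IKE_DEST_SA
"""

# Optional "Mon DD " date, a time, then "ISAKMP:(id):" or "ISAKMP (id):".
LINE_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d+\s+)?(?P<time>\d\d:\d\d:\d\d\.\d+):\s+"
    r"ISAKMP[: ]*\((?P<conn>\d+)\):\s*(?P<msg>.*)$"
)
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
PEER_DELETE_RE = re.compile(r"delete_reason = (\d+)")
LOCAL_DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


@dataclass
class SaTimeline:
    conn_id: str
    states: list = field(default_factory=list)         # distinct states, in order
    authenticated: bool = False                        # Phase 1 authentication seen
    xauth_needed: bool = False                         # local side logged "Need XAUTH"
    peer_deletes: list = field(default_factory=list)   # (time, reason code, state on arrival)
    local_deletes: list = field(default_factory=list)  # distinct local delete reasons


def parse_isakmp_debug(text):
    """Group ISAKMP debug lines by connection id and build one timeline per SA."""
    sas = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ISAKMP debug line with a connection id
        sa = sas.setdefault(m["conn"], SaTimeline(m["conn"]))
        msg = m["msg"]
        if (s := STATE_RE.search(msg)):
            # Record old and new state, collapsing repeats such as MM6 -> MM6.
            for state in s.groups():
                if not sa.states or sa.states[-1] != state:
                    sa.states.append(state)
        elif "SA has been authenticated" in msg:
            sa.authenticated = True
        elif msg.startswith("Need XAUTH"):
            sa.xauth_needed = True
        elif (d := PEER_DELETE_RE.search(msg)):
            # The delete payload came from the peer; note the local state it hit.
            current = sa.states[-1] if sa.states else "unknown"
            sa.peer_deletes.append((m["time"], int(d[1]), current))
        elif (loc := LOCAL_DELETE_RE.search(msg)):
            if loc[1] not in sa.local_deletes:
                sa.local_deletes.append(loc[1])
    return sas


def findings(sa):
    """Describe where in the exchange the SA was torn down, and by whom."""
    out = []
    for when, code, state in sa.peer_deletes:
        phase = "after" if sa.authenticated else "before"
        out.append(
            f"{when} conn {sa.conn_id}: peer sent DELETE (reason code {code}) "
            f"{phase} Phase 1 authentication, local state {state}"
        )
    if sa.xauth_needed and any(s == "IKE_XAUTH_REQ_SENT" for _, _, s in sa.peer_deletes):
        out.append(
            f"conn {sa.conn_id}: local side requested XAUTH and the peer "
            "answered with a delete instead of an XAUTH reply"
        )
    for reason in sa.local_deletes:
        out.append(f"conn {sa.conn_id}: local SA deleted, reason {reason}")
    return out


if __name__ == "__main__":
    for sa in parse_isakmp_debug(SAMPLE_LOG).values():
        print(" -> ".join(sa.states))
        for line in findings(sa):
            print(line)
```

The reason code is reported as logged; the router itself prints "Unknown delete reason!" for it, so the example does not attempt to name it.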
-
SIP - H.323 CPU Overload
Hello.
I work for a VOIP operator company which primarily uses Cisco VOIP routers (AS5300/AS5400 series) for TDM and VOIP trunks (H323/SIP). Recently we started using SIP in between our internal routers and we have noticed a huge spike in CPU Interrupts when using SIP instead of H.323. We've hit 90% CPU load and calls are being rejected due to this huge strain.
As far as I can tell the reason is the complexity of the INVITE messages but what I did notice is that when using SIP, CCSIP_SPI_CONTRO process goes up from 10% to 60% during peak hours.
Now, the architecture would be the following:
Telco (TDM/VOIP) ------> Cisco SBC (origination) ---------> CISCO core softswitch -----------> CISCO SBC (termination).
The problem is that the core routers are overloaded when the originating SBC units use SIP. 700 voice channels cause the CPUs to reach 90% load while using H.323 we can hit almost 1500 calls per unit and have 50% CPU load, which is strange to me because SIP should have a lower complexity than H323.
Would there be any reason for this increased load? Can we do something about it? We tried using TCP instead of UDP as it provides a congestion mechanism, but it does not help and I believe it causes jitter and voice delay due to its inherent mechanism.
Our core voice routes are AS5350XM units running c5350-js_ivs-mz.151-3.T4 IOS.
sh proc cpu
CPU utilization for five seconds: 53%/1%; one minute: 62%; five minutes: 63%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 2532 45569 55 0.00% 0.00% 0.00% 0 Chunk Manager
2 20056 109608 182 0.00% 0.00% 0.00% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 LICENSE AGENT
4 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN
5 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
6 3201712 171754 18641 0.00% 0.48% 0.59% 0 Check heaps
7 368 5724 64 0.00% 0.00% 0.00% 0 Pool Manager
8 0 1 0 0.00% 0.00% 0.00% 0 DiscardQ Backgro
9 0 2 0 0.00% 0.00% 0.00% 0 Timers
10 100 13755 7 0.00% 0.00% 0.00% 0 WATCH_AFS
11 0 1 0 0.00% 0.00% 0.00% 0 License Client N
12 0 2 0 0.00% 0.00% 0.00% 0 Serial Backgroun
13 0 2 0 0.00% 0.00% 0.00% 0 RM PROCESS
14 0 2 0 0.00% 0.00% 0.00% 0 RM PROCESS
15 0 2 0 0.00% 0.00% 0.00% 0 RM PROCESS
16 0 2 0 0.00% 0.00% 0.00% 0 RM PROCESS
17 0 2 0 0.00% 0.00% 0.00% 0 CAS Process
18 0 2 0 0.00% 0.00% 0.00% 0 RM-AUTH PROCESS
19 324 109507 2 0.00% 0.00% 0.00% 0 IPC Event Notifi
20 56 9134 6 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
21 0 1 0 0.00% 0.00% 0.00% 0 IPC Session Serv
22 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
23 1824 532667 3 0.00% 0.00% 0.00% 0 IPC Periodic Tim
24 1204 532667 2 0.00% 0.00% 0.00% 0 IPC Deferred Por
25 0 1 0 0.00% 0.00% 0.00% 0 IPC Process leve
26 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
27 80 31310 2 0.00% 0.00% 0.00% 0 IPC Check Queue
28 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat RX Cont
29 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat TX Cont
30 288 54809 5 0.00% 0.00% 0.00% 0 IPC Keep Alive M
31 696 109559 6 0.00% 0.00% 0.00% 0 IPC Loadometer
32 0 3 0 0.00% 0.00% 0.00% 0 AAA_SERVER_DEADT
33 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
34 0 1 0 0.00% 0.00% 0.00% 0 Crash writer
35 0 1 0 0.00% 0.00% 0.00% 0 Exception contro
36 0 1 0 0.00% 0.00% 0.00% 0 RMI RM Notify Wa
37 0 2 0 0.00% 0.00% 0.00% 0 PrstVbl
38 279844 3193378 87 0.00% 0.05% 0.06% 0 ARP Input
39 2856 568704 5 0.00% 0.00% 0.00% 0 ARP Background
40 0 2 0 0.00% 0.00% 0.00% 0 DDR Timers
41 0 2 0 0.00% 0.00% 0.00% 0 Entity MIB API
42 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
43 0 1 0 0.00% 0.00% 0.00% 0 ATM ASYNC PROC
44 0 1 0 0.00% 0.00% 0.00% 0 SERIAL A'detect
45 2148 548035 3 0.00% 0.00% 0.00% 0 GraphIt
46 0 2 0 0.00% 0.00% 0.00% 0 Dialer event
47 0 2 0 0.00% 0.00% 0.00% 0 XML Proxy Client
48 0 2 0 0.00% 0.00% 0.00% 0 SMART
49 0 1 0 0.00% 0.00% 0.00% 0 Critical Bkgnd
50 256816 112214 2288 0.00% 0.05% 0.05% 0 Net Background
51 0 2 0 0.00% 0.00% 0.00% 0 IDB Work
52 1884 63103 29 0.00% 0.00% 0.00% 0 Logger
53 5688 545359 10 0.00% 0.00% 0.00% 0 TTY Background
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
54 1684 419 4019 0.00% 0.00% 0.00% 0 IF-MGR control p
55 0 10 0 0.00% 0.00% 0.00% 0 IF-MGR event pro
56 0 1 0 0.00% 0.00% 0.00% 0 Inode Table Dest
57 14712 1431283 10 0.00% 0.00% 0.00% 0 Transport Port A
58 2140 109507 19 0.00% 0.00% 0.00% 0 HC Counter Timer
59 0 1 0 0.00% 0.00% 0.00% 0 NP Module Up Pro
60 0 1 0 0.00% 0.00% 0.00% 0 OIR Removal Hand
61 0 1 0 0.00% 0.00% 0.00% 0 OIR Timer
62 0 1 0 0.00% 0.00% 0.00% 0 dev_device_inser
63 0 1 0 0.00% 0.00% 0.00% 0 dev_device_remov
64 0 12 0 0.00% 0.00% 0.00% 0 EEM ED ND
65 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Identity
66 80 26099 3 0.00% 0.00% 0.00% 0 CSM periodical p
67 152 26100 5 0.00% 0.00% 0.00% 0 CSM timer proces
68 0 2 0 0.00% 0.00% 0.00% 0 modem to ISDN me
69 0 2 0 0.00% 0.00% 0.00% 0 CSM-TGRM Interfa
70 0 2 0 0.00% 0.00% 0.00% 0 CSM Tone process
71 0 2 0 0.00% 0.00% 0.00% 0 Signalling Timer
72 0 1 0 0.00% 0.00% 0.00% 0 SIGIF_TO_DSPLIB_
73 0 2 0 0.00% 0.00% 0.00% 0 PM SPE SM Proces
74 9116828 2842912 3206 1.51% 4.79% 5.17% 0 AFW_application_
75 0 2 0 0.00% 0.00% 0.00% 0 PM FW Process
76 24 18266 1 0.00% 0.00% 0.00% 0 Call Management
77 4 22 181 0.00% 0.00% 0.00% 0 Background Loade
78 0 1 0 0.00% 0.00% 0.00% 0 COT Timer proces
79 0 1 0 0.00% 0.00% 0.00% 0 COT Queue proces
80 0 2 0 0.00% 0.00% 0.00% 0 CALL DENIAL
81 0 1 0 0.00% 0.00% 0.00% 0 CRUSH PCM Captur
82 0 1 0 0.00% 0.00% 0.00% 0 Trunk timer moni
83 0 1 0 0.00% 0.00% 0.00% 0 Trunk signaling
84 4 8 500 0.00% 0.00% 0.00% 0 PM DOWNLOAD MAIN
85 0 2 0 0.00% 0.00% 0.00% 0 AAA Dictionary R
86 96 3602 26 0.00% 0.00% 0.00% 0 AAA Server
87 6821092 6679806 1021 1.51% 2.16% 2.24% 0 AAA ACCT Proc
88 32608 271539 120 0.00% 0.00% 0.00% 0 ACCT Periodic Pr
89 0 1 0 0.00% 0.00% 0.00% 0 AAA System Acct
90 0 35 0 0.00% 0.00% 0.00% 0 IP ARP Adjacency
91 4 1 4000 0.00% 0.00% 0.00% 0 IP ARP Retry Age
92 4175556 29253893 142 1.43% 1.41% 1.37% 0 IP Input
93 0 1 0 0.00% 0.00% 0.00% 0 ICMP event handl
94 624 70879 8 0.00% 0.00% 0.00% 0 CDP Protocol
95 0 2 0 0.00% 0.00% 0.00% 0 PPP SIP
96 0 2 0 0.00% 0.00% 0.00% 0 PPP Bind
97 0 2 0 0.00% 0.00% 0.00% 0 PPP IP Route
98 28 922 30 0.00% 0.00% 0.00% 0 MOP Protocols
99 0 1 0 0.00% 0.00% 0.00% 0 X.25 Encaps Mana
100 0 2 0 0.00% 0.00% 0.00% 0 Spanning Tree
101 0 2 0 0.00% 0.00% 0.00% 0 KRB5 AAA
102 332 7237 45 0.00% 0.00% 0.00% 0 TACACS+
103 0 2 0 0.00% 0.00% 0.00% 0 OCE punted Pkts
104 0 1 0 0.00% 0.00% 0.00% 0 LSP Tunnel FRR
105 0 1 0 0.00% 0.00% 0.00% 0 MPLS Auto-Tunnel
106 0 6 0 0.00% 0.00% 0.00% 0 SSM connection m
107 0 1 0 0.00% 0.00% 0.00% 0 IPv6 ping proces
108 0 2 0 0.00% 0.00% 0.00% 0 CEF switching ba
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
109 0 1 0 0.00% 0.00% 0.00% 0 ADJ NSF process
110 0 4 0 0.00% 0.00% 0.00% 0 ADJ resolve proc
111 0 3 0 0.00% 0.00% 0.00% 0 PIM register asy
112 0 1 0 0.00% 0.00% 0.00% 0 SSS Manager
113 0 1 0 0.00% 0.00% 0.00% 0 SSS Policy Manag
114 0 1 0 0.00% 0.00% 0.00% 0 SSS Feature Mana
115 10732 2140546 5 0.00% 0.00% 0.00% 0 SSS Feature Time
116 0 2 0 0.00% 0.00% 0.00% 0 IPAM/ODAP Events
117 53368 15299594 3 0.00% 0.00% 0.00% 0 IPAM Manager
118 0 2 0 0.00% 0.00% 0.00% 0 IPAM Events
119 0 1 0 0.00% 0.00% 0.00% 0 AC Switch
120 0 1 0 0.00% 0.00% 0.00% 0 FRR Background P
121 108 11012 9 0.00% 0.00% 0.00% 0 CEF background p
122 0 1 0 0.00% 0.00% 0.00% 0 fib_fib_bfd_sb e
123 2576 545363 4 0.00% 0.00% 0.00% 0 RUDP Main Proces
124 72140 9784098 7 0.00% 0.00% 0.00% 0 ss7_mtp2
125 0 1 0 0.00% 0.00% 0.00% 0 IP Traceroute
126 0 11 0 0.00% 0.00% 0.00% 0 IP RIB Update
127 52 9140 5 0.00% 0.00% 0.00% 0 IP Background
128 0 13 0 0.00% 0.00% 0.00% 0 IP Connected Rou
129 0 3 0 0.00% 0.00% 0.00% 0 Flow Exporter Ti
130 0 1 0 0.00% 0.00% 0.00% 0 MQC Flow Event B
131 0 2 0 0.00% 0.00% 0.00% 0 HQF Shaper Backg
132 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
133 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
134 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
135 0 1 0 0.00% 0.00% 0.00% 0 Async write proc
136 100 9134 10 0.00% 0.00% 0.00% 0 DFS flush period
137 9988 9134 1093 0.00% 0.00% 0.00% 0 Licensing Auto U
138 27860 677574 41 0.07% 0.02% 0.00% 0 TCP Timer
139 680 2018 336 0.00% 0.00% 0.00% 0 TCP Protocols
140 12668 767219 16 0.00% 0.00% 0.00% 0 CEF: IPv4 proces
141 0 3 0 0.00% 0.00% 0.00% 0 ADJ background
142 0 1 0 0.00% 0.00% 0.00% 0 RARP Input
143 0 1 0 0.00% 0.00% 0.00% 0 Socket Timers
144 12 1827 6 0.00% 0.00% 0.00% 0 HTTP CORE
145 0 9 0 0.00% 0.00% 0.00% 0 static
146 0 1 0 0.00% 0.00% 0.00% 0 IP IRDP
147 0 2 0 0.00% 0.00% 0.00% 0 PPP Compress Inp
148 0 2 0 0.00% 0.00% 0.00% 0 PPP Compress Res
149 0 2 0 0.00% 0.00% 0.00% 0 Multicast Offloa
150 0 1 0 0.00% 0.00% 0.00% 0 COPS
151 0 1 0 0.00% 0.00% 0.00% 0 LAPB Process
152 0 1 0 0.00% 0.00% 0.00% 0 PAD InCall
153 0 2 0 0.00% 0.00% 0.00% 0 X.25 Background
154 0 2 0 0.00% 0.00% 0.00% 0 PPP NBF
155 0 2 0 0.00% 0.00% 0.00% 0 LFDp Input Proc
156 0 2 0 0.00% 0.00% 0.00% 0 Dialer Forwarder
157 0 3 0 0.00% 0.00% 0.00% 0 VPDN call manage
158 0 2 0 0.00% 0.00% 0.00% 0 L2X Switching Ev
159 0 3 0 0.00% 0.00% 0.00% 0 gk process
160 0 2 0 0.00% 0.00% 0.00% 0 Border Element p
161 2208 545368 4 0.00% 0.00% 0.00% 0 RUDPV1 Main Proc
162 0 1 0 0.00% 0.00% 0.00% 0 bsm_timers
163 796 545410 1 0.00% 0.00% 0.00% 0 bsm_xmt_proc
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
164 0 2 0 0.00% 0.00% 0.00% 0 RLM groups Proce
165 0 3 0 0.00% 0.00% 0.00% 0 MFIB Master back
166 416624 136653 3048 5.35% 5.43% 5.39% 0 AFW_application_
167 0 5 0 0.00% 0.00% 0.00% 0 Collection proce
168 10163500 2976132 3415 2.87% 4.21% 2.73% 0 AFW_application_
169 4 2 2000 0.00% 0.00% 0.00% 0 SCTP Main Proces
170 0 1 0 0.00% 0.00% 0.00% 0 IUA Main Process
171 39236 10405 3770 9.11% 7.01% 6.55% 0 AFW_application_
172 120 21925 5 0.00% 0.00% 0.00% 0 CRM_CALL_UPDATE_
173 0 2 0 0.00% 0.00% 0.00% 0 LOCAL AAA
174 0 2 0 0.00% 0.00% 0.00% 0 ENABLE AAA
175 0 2 0 0.00% 0.00% 0.00% 0 LINE AAA
176 17476 73505 237 0.00% 0.00% 0.00% 0 TPLUS
177 0 1 0 0.00% 0.00% 0.00% 0 Key chain liveke
178 0 3 0 0.00% 0.00% 0.00% 0 LDAP process
179 0 1 0 0.00% 0.00% 0.00% 0 MPLS Auto Mesh P
180 0 2 0 0.00% 0.00% 0.00% 0 VSP_MGR
181 0 1 0 0.00% 0.00% 0.00% 0 IDMGR CORE
182 0 1 0 0.00% 0.00% 0.00% 0 EM Background Pr
183 0 2 0 0.00% 0.00% 0.00% 0 AAA Cached Serve
184 0 2 0 0.00% 0.00% 0.00% 0 CSDB Timer proce
185 144 21287 6 0.00% 0.00% 0.00% 0 IP TRUST Registe
186 4 2 2000 0.00% 0.00% 0.00% 0 Proxy Session Ap
187 0 1 0 0.00% 0.00% 0.00% 0 VoIP AAA
188 0 1 0 0.00% 0.00% 0.00% 0 QOS_MODULE_MAIN
189 0 1 0 0.00% 0.00% 0.00% 0 RPMS_PROC_MAIN
190 560 5935 94 0.00% 0.00% 0.00% 0 script backgroun
191 1982320 7307154 271 0.47% 0.62% 0.61% 0 http client proc
192 4843732 1389708 3485 0.00% 0.03% 1.38% 0 AFW_application_
193 0 1 0 0.00% 0.00% 0.00% 0 EPHONE MWI Refre
194 4 609 6 0.00% 0.00% 0.00% 0 FB/KS Log HouseK
195 0 2 0 0.00% 0.00% 0.00% 0 EPHONE MWI BG Pr
196 0 1 0 0.00% 0.00% 0.00% 0 Skinny HW confer
197 481120 6481742 74 0.07% 0.15% 0.15% 0 AAA SEND STOP EV
198 0 1 0 0.00% 0.00% 0.00% 0 Test AAA Client
199 0 1 0 0.00% 0.00% 0.00% 0 Syslog Traps
200 164 54778 2 0.00% 0.00% 0.00% 0 RMON Recycle Pro
201 0 2 0 0.00% 0.00% 0.00% 0 RMON Deferred Se
202 0 1 0 0.00% 0.00% 0.00% 0 DATA Transfer Pr
203 0 1 0 0.00% 0.00% 0.00% 0 DATA Collector
204 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Routing
205 2200 60112 36 0.00% 0.00% 0.00% 0 EEM ED Syslog
206 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Track
207 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Resource
208 0 1 0 0.00% 0.00% 0.00% 0 Licensing MIB pr
209 6204 34085 182 0.00% 0.00% 0.00% 0 Syslog
210 0 1 0 0.00% 0.00% 0.00% 0 IP SLAs Ethernet
211 0 1 0 0.00% 0.00% 0.00% 0 RMON Packets
212 424 109508 3 0.00% 0.00% 0.00% 0 VDC process
213 109424 531027 206 0.00% 0.02% 0.01% 0 trunk conditioni
214 0 1 0 0.00% 0.00% 0.00% 0 trunk conditioni
215 0 50 0 0.00% 0.00% 0.00% 0 EEM Server
216 0 3 0 0.00% 0.00% 0.00% 0 EEM ED CLI
217 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Counter
218 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Interface
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
219 0 3 0 0.00% 0.00% 0.00% 0 EEM ED IOSWD
220 0 3 0 0.00% 0.00% 0.00% 0 EEM ED None
221 0 3 0 0.00% 0.00% 0.00% 0 EEM ED OIR
222 8691920 26422289 328 2.15% 2.75% 2.77% 0 RADIUS
223 0 3 0 0.00% 0.00% 0.00% 0 EEM ED SNMP
224 0 3 0 0.00% 0.00% 0.00% 0 EEM ED SNMP Obje
225 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Ipsla
226 4 2 2000 0.00% 0.00% 0.00% 0 EEM ED SNMP Noti
227 144 14408 9 0.00% 0.00% 0.00% 0 EEM ED Timer
228 0 2 0 0.00% 0.00% 0.00% 0 EEM Policy Direc
229 0 1 0 0.00% 0.00% 0.00% 0 SNMP Timers
230 0 3 0 0.00% 0.00% 0.00% 0 EM ED GOLD
231 0 2 0 0.00% 0.00% 0.00% 0 EEM ED Nf
232 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Test
233 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Config
234 0 3 0 0.00% 0.00% 0.00% 0 EEM ED Env
235 0 3 0 0.00% 0.00% 0.00% 0 EEM ED RPC
236 1581128 557279 2837 4.47% 4.86% 5.11% 0 AFW_application_
237 0 1 0 0.00% 0.00% 0.00% 0 Net Input
238 3412 109609 31 0.00% 0.00% 0.00% 0 Compute load avg
239 172148 14555 11827 0.00% 0.01% 0.00% 0 Per-minute Jobs
240 2556480 548082 4664 0.47% 0.54% 0.53% 0 Per-Second Jobs
241 0 2 0 0.00% 0.00% 0.00% 0 MRIB Process
242 9825336 2626902 3740 3.51% 3.31% 3.28% 0 CC-API_VCM
243 33548 5249197 6 0.00% 0.00% 0.00% 0 CCPROXY_CT
244 200172 2088689 95 0.00% 0.00% 0.00% 0 IP SNMP
245 55344 1041354 53 0.00% 0.00% 0.00% 0 PDU DISPATCHER
246 780684 1041357 749 0.00% 0.00% 0.00% 0 SNMP ENGINE
247 0 2 0 0.00% 0.00% 0.00% 0 IP SNMPV6
248 0 1 0 0.00% 0.00% 0.00% 0 SNMP ConfCopyPro
249 0 2 0 0.00% 0.00% 0.00% 0 SNMP Traps
250 2560 652828 3 0.00% 0.00% 0.00% 0 RSCCAC CALL DENI
251 1968 548043 3 0.00% 0.00% 0.00% 0 TRP_PSEUDOTIMER
252 0 2 0 0.00% 0.00% 0.00% 0 Resource Monitor
253 0 2 0 0.00% 0.00% 0.00% 0 Resource Availab
254 0 2 0 0.00% 0.00% 0.00% 0 DSMP
255 0 2 0 0.00% 0.00% 0.00% 0 VTSP
256 4 1 4000 0.00% 0.00% 0.00% 0 TSP
257 0 4 0 0.00% 0.00% 0.00% 0 Session Applicat
258 0 1 0 0.00% 0.00% 0.00% 0 Resource Measure
259 191836 1466588 130 0.15% 0.04% 0.04% 0 VOIP_RTCP
260 0 2 0 0.00% 0.00% 0.00% 0 Voice Player
261 0 1 0 0.00% 0.00% 0.00% 0 Media Record
262 0 1 0 0.00% 0.00% 0.00% 0 lib_off_app
263 11120260 8595942 1293 4.47% 4.76% 4.73% 0 CCH323_CT
264 0 1 0 0.00% 0.00% 0.00% 0 CCH323_DNS
265 59476160 14393391 4132 13.91% 16.73% 17.26% 0 CCSIP_SPI_CONTRO
266 0 1 0 0.00% 0.00% 0.00% 0 CCSIP_DNS
267 4826628 16499588 292 0.87% 1.46% 1.56% 0 CCSIP_UDP_SOCKET
268 23944 98379 243 0.00% 0.00% 0.00% 0 CCSIP_TCP_SOCKET
269 52 9134 5 0.00% 0.00% 0.00% 0 RTPSPI
270 9316 549228 16 0.00% 0.00% 0.00% 0 NTP
271 392 18727 20 0.00% 0.00% 0.00% 0 ss7_timers
272 150636 41102739 3 0.00% 0.03% 0.02% 0 ss7_mtp2_timerba
274 24 72 333 0.07% 0.00% 0.00% 2 Virtual Exec
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
275 192 9129 21 0.00% 0.00% 0.00% 0 RADIUS IO STATS
276 18684 2191694 8 0.00% 0.00% 0.00% 0 MLD
277 0 3 0 0.00% 0.00% 0.00% 0 IPv6 RIB Event H
sh proc cpu monitor
CPU utilization for five seconds: 66%/1%; one minute: 63%; five minutes: 63%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
265 59477424 14393666 4132 19.88% 17.15% 17.33% 0 CCSIP_SPI_CONTRO
168 10163976 2976249 3415 7.10% 4.36% 2.82% 0 AFW_application_
74 9117296 2843017 3206 6.54% 4.95% 5.20% 0 AFW_application_
166 417072 136792 3048 6.14% 5.57% 5.43% 0 AFW_application_
263 11120552 8596157 1293 4.55% 4.70% 4.71% 0 CCH323_CT
236 1581408 557372 2837 4.23% 4.97% 5.13% 0 AFW_application_
242 9825592 2626967 3740 3.75% 3.35% 3.29% 0 CC-API_VCM
171 39436 10493 3758 2.71% 6.33% 6.42% 0 AFW_application_
87 6821284 6679972 1021 2.55% 2.16% 2.23% 0 AAA ACCT Proc
222 8692088 26422794 328 2.39% 2.78% 2.78% 0 RADIUS
92 4175692 29254631 142 1.67% 1.42% 1.37% 0 IP Input
267 4826712 16499890 292 1.43% 1.48% 1.56% 0 CCSIP_UDP_SOCKET
246 780728 1041430 749 0.63% 0.09% 0.02% 0 SNMP ENGINE
240 2556528 548089 4664 0.63% 0.54% 0.53% 0 Per-Second Jobs
191 1982360 7307350 271 0.47% 0.63% 0.61% 0 http client proc
244 200180 2088835 95 0.15% 0.02% 0.00% 0 IP SNMP
245 55348 1041428 53 0.07% 0.01% 0.00% 0 PDU DISPATCHER
197 481128 6481861 74 0.07% 0.15% 0.15% 0 AAA SEND STOP EV
270 9320 549235 16 0.07% 0.00% 0.00% 0 NTP
213 109428 531033 206 0.07% 0.03% 0.01% 0 trunk conditioni
124 72144 9784212 7 0.07% 0.01% 0.00% 0 ss7_mtp2
272 150644 41103173 3 0.07% 0.03% 0.02% 0 ss7_mtp2_timerba
22 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
24 1204 532675 2 0.00% 0.00% 0.00% 0 IPC Deferred Por
23 1824 532675 3 0.00% 0.00% 0.00% 0 IPC Periodic Tim
21 0 1 0 0.00% 0.00% 0.00% 0 IPC Session Serv
27 80 31311 2 0.00% 0.00% 0.00% 0 IPC Check Queue
28 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat RX Cont
20 56 9135 6 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
19 324 109509 2 0.00% 0.00% 0.00% 0 IPC Event Notifi
25 0 1 0 0.00% 0.00% 0.00% 0 IPC Process leve
26 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
29 0 1
Hi
The SIP/H.323 trunk is used to make/receive voice and video calls to/from MeetingPlace.
I'm not aware of it using any particular presence functionality.... it's just voice and video telephony to get access to the meetings.
Regards
Aaron
Please rate helpful posts... -
Does asa 5505 support h.323 v6?
We've been told that our firewall must support version 6 to connect to a newer unit. More precisely, we've been told that we're currently doing intelligent packet inspecting, which is part of the problem.
This feature allows you to change the default configuration values used for H.323 application inspection.
H.323 inspection supports RAS, H.225, and H.245, and its functionality translates all embedded IP addresses and ports. It performs state tracking and filtering and can do a cascade of inspect function activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, protocol state tracking, H.323 call duration enforcement, and audio and video control. -
Unified Communication SSH Tunnel failure
Hi,
I have the following problem and maybe anyone could help me.
My Unified Communications traversal zone is still up but I did get this error message:
Unified Communications SSH tunnel failure This system cannot communicate with one or more remote hosts Raised Warning Review the Event Log and check that the Zone between the Expressway-C and the Expressway-E is active 2015-03-06 18:35:54 2015-03-06 18:35:54 35013
Unified Communications SSH tunnel notification failure This system cannot communicate with one or more remote hosts Raised Warning Ensure that your firewall allows traffic from the Expressway-C ephemeral ports to 2222 TCP on the Expressway-E 2015-03-06 18:35:55 2015-03-06 18:35:55 35014
Didn't find a solution right now. Customer told me firewall port 2222 is open.
Thanks for your help
Josef
Hello Josef!
I could picture that the zone might show up even if this part of the tunnel fails.
You could ssh into the box as root and do a tcpdump to see if what's sent is received.
The command would look like this:
tcpdump -nl -s0 -i any port 2222
If you run it at the same time on both boxes you should see the same; if you see a lot of SYN packets on the Expressway-C you have some proof that there is some communication issue.
Customers believe a lot of things, also that ports are open. Better check and verify it.
If it's OK you should see something like this; these are bidirectional packets:
01:18:24.364118 IP 192.168.5.6.40096 > 192.168.2.1.2222: Flags [P.], seq 1292729699:1292729811, ack 3008678290, win 1384, options [nop,nop,TS val 577228689 ecr 576350739], length 112
01:18:24.364156 IP 192.168.2.1.2222 > 192.168.5.6.40096: Flags [.], ack 112, win 1392, options [nop,nop,TS val 576380725 ecr 577228689], length 0
01:18:24.364203 IP 192.168.2.1.2222 > 192.168.5.6.40096: Flags [P.], seq 1:81, ack 112, win 1392, options [nop,nop,TS val 576380725 ecr 577228689], length 80
01:18:24.438240 IP 192.168.5.6.40096 > 192.168.2.1.2222: Flags [.], ack 81, win 1384, options [nop,nop,TS val 577228764 ecr 576380725], length 0
01:18:30.071667 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [S], seq 2215504417, win 29200, options [mss 1380,sackOK,TS val 577234397 ecr 0,nop,wscale 7], length 0
01:18:30.071723 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [S.], seq 169555520, ack 2215504418, win 28960, options [mss 1460,sackOK,TS val 576386433 ecr 577234397,nop,wscale 7], length 0
01:18:30.105959 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [.], ack 1, win 229, options [nop,nop,TS val 577234431 ecr 576386433], length 0
01:18:30.106205 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [P.], seq 1:27, ack 1, win 229, options [nop,nop,TS val 577234431 ecr 576386433], length 26
01:18:30.106220 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [.], ack 27, win 227, options [nop,nop,TS val 576386467 ecr 577234431], length 0
01:18:30.117569 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [P.], seq 1:27, ack 27, win 227, options [nop,nop,TS val 576386478 ecr 577234431], length 26
01:18:30.151886 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [.], ack 27, win 229, options [nop,nop,TS val 577234477 ecr 576386478], length 0
01:18:30.151913 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [P.], seq 27:323, ack 27, win 227, options [nop,nop,TS val 576386513 ecr 577234477], length
If it's not OK: nothing on the Expressway-E and something like this on the Expressway-C, just sending SYN packets but no response:
01:21:31.236284 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, options [mss 1380,sackOK,TS val 577415562 ecr 0,nop,wscale 7], length 0
01:21:33.242267 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, options [mss 1380,sackOK,TS val 577417568 ecr 0,nop,wscale 7], length 0
01:21:37.250276 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, options [mss 1380,sackOK,TS val 577421576 ecr 0,nop,wscale 7], length 0
01:21:41.244422 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577425569 ecr 0,nop,wscale 7], length 0
01:21:42.246285 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577426572 ecr 0,nop,wscale 7], length 0
01:21:44.250278 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577428576 ecr 0,nop,wscale 7], length 0
01:21:48.258294 IP 192.168.5.6.41914 > 192.168.2.1.2222: Flags [S], seq 2401170684, win 29200, options [mss 1380,sackOK,TS val 577432584 ecr 0,nop,wscale 7], length 0
01:21:52.252784 IP 192.168.5.6.41915 > 192.168.2.1.2222: Flags [S], seq 3654669449, win 29200, options [mss 1380,sackOK,TS val 577436578 ecr 0,nop,wscale 7], length 0
01:21:53.254253 IP 192.168.5.6.41915 > 192.168.2.1.2222: Flags [S], seq 3654669449, win 29200, options [mss 1380,sackOK,TS val 577437580 ecr 0,nop,wscale 7 -
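The comparison described in the reply above (a completed handshake versus repeated SYNs with no answer), as an added Python example that is not part of the original thread: it parses `tcpdump -nl` text taken on both Expressways and reports where each port-2222 connection stalls. The two sample captures are constructed, modelled on the lines in the post; the function names are hypothetical, and the code assumes no NAT between the two hosts so that the address/port pairs match on both sides.

```python
import re
from collections import defaultdict

# Start of a `tcpdump -nl` TCP line: timestamp, source, destination, flags.
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
)

def _endpoint(text):
    """'192.168.5.6.40096' -> ('192.168.5.6', 40096); None if the port is not numeric."""
    host, _, port = text.rpartition(".")
    return (host, int(port)) if host and port.isdigit() else None

def classify_flows(capture, server_port=2222):
    """Group packets by client->server 4-tuple; count client SYNs and server replies."""
    stats = defaultdict(lambda: {"syn": 0, "from_server": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # truncated or non-TCP line
        src, dst = _endpoint(m["src"]), _endpoint(m["dst"])
        if not src or not dst:
            continue
        if dst[1] == server_port:          # client -> Expressway-E
            entry = stats[f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]}"]
            if m["flags"] == "S":
                entry["syn"] += 1          # initial SYN or a retransmission
        elif src[1] == server_port:        # Expressway-E -> client
            stats[f"{dst[0]}:{dst[1]} -> {src[0]}:{src[1]}"]["from_server"] += 1
    flows = {}
    for key, s in stats.items():
        if s["from_server"]:
            verdict = "bidirectional"
        elif s["syn"]:
            verdict = "syn_unanswered"
        else:
            verdict = "client_only"
        flows[key] = {"verdict": verdict, **s}
    return flows

def locate_drop(c_capture, e_capture, server_port=2222):
    """Compare the Expressway-C view with the Expressway-E view of each flow."""
    c_flows = classify_flows(c_capture, server_port)
    e_flows = classify_flows(e_capture, server_port)
    findings = {}
    for key, c in c_flows.items():
        e = e_flows.get(key)
        if c["verdict"] == "bidirectional":
            findings[key] = "ok"
        elif e is None:
            findings[key] = "not_seen_on_e"         # dropped on the way to the E
        elif e["from_server"]:
            findings[key] = "reply_lost_on_return"  # E answered, C never saw it
        else:
            findings[key] = "e_did_not_answer"      # arrived, but no listener/local filter
    return findings

# Constructed sample, Expressway-C side: one good handshake, one SYN retried 3 times.
C_CAPTURE = """
01:18:30.071667 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [S], seq 2215504417, win 29200, length 0
01:18:30.071723 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [S.], seq 169555520, ack 2215504418, win 28960, length 0
01:18:30.105959 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [.], ack 1, win 229, length 0
01:21:31.236284 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, length 0
01:21:33.242267 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, length 0
01:21:37.250276 IP 192.168.5.6.41911 > 192.168.2.1.2222: Flags [S], seq 49033653, win 29200, length 0
""".strip()

# Constructed sample, Expressway-E side: only the first connection ever arrives.
E_CAPTURE = """
01:18:30.071667 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [S], seq 2215504417, win 29200, length 0
01:18:30.071723 IP 192.168.2.1.2222 > 192.168.5.6.41834: Flags [S.], seq 169555520, ack 2215504418, win 28960, length 0
01:18:30.105959 IP 192.168.5.6.41834 > 192.168.2.1.2222: Flags [.], ack 1, win 229, length 0
""".strip()

if __name__ == "__main__":
    for flow, finding in locate_drop(C_CAPTURE, E_CAPTURE).items():
        print(flow, finding)
```

A `not_seen_on_e` result points at a filter between the two hosts, which is the case where the "port is open" claim needs to be verified on the firewall itself.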
IP Phone SSL VPN and Split tunneling
Hi Team,
I went throught the following document which is very useful:
https://supportforums.cisco.com/docs/DOC-9124
The only thing I'm not sure about is the split-tunneling point:
Group-policy must not be configured with split tunnel or split exclude. Only tunnel all is the supported tunneling policy
I have seen many implementations where split-tunneling is used, like at one of my customers:
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
banner value This system is only for Authorized users.
dns-server value 10.64.10.13 10.64.10.14
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value prod.mobily.lan
address-pools value SSLClientPool
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username manager-max password XTEsn4mfYvPwC5af encrypted privilege 15
username manager-max attributes
vpn-group-policy GroupPolicy1
tunnel-group PhoneVPN type remote-access
tunnel-group PhoneVPN general-attributes
address-pool SSLClientPool
authentication-server-group AD
default-group-policy GroupPolicy1
tunnel-group PhoneVPN webvpn-attributes
group-url https://84.23.107.10 enable
ip local pool SSLClientPool 10.200.18.1-10.200.18.254 mask 255.255.254.0
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
It is working for them w/o any issue.
My question would be:
- Is the limitation about split-tunneling still valid? If yes, why is it not recommended?
Thanks!
Eva
Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including 'debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
IPSec tunnel on sub-interface on ASA 5510
Hello All,
I am working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on ASA 5510?
I would be grateful if someone could please reply to this post with some details.
Regards,
Muds
Hi Jennifer,
Thanks very much for your reply. I understand where you're coming from, but the reason for using sub-interfaces is that we have only one physical interface on the firewall connected to the MPLS cloud, and we need to set up separate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily set up a static route to the peer address.
Many thanks for your assistance, please feel free to advise if you have any other suggestion.
Regards,
Muds -
Unable to see logs while using split tunnel for RA
Hi everyone,
I have configured RA VPN at my home lab using split tunnel.
I can connect fine and am able to browse the internet.
When I go to internet sites I do not see logs generated on the VPN ASA.
Need to understand what's the reason behind this?
ASA1# sh conn all
5 in use, 12 most used
UDP outside 10.0.0.51:138 inside 10.0.0.255:138, idle 0:01:38, bytes 201, flags -
TCP outside 192.168.98.2:49509 NP Identity Ifc 192.168.1.171:443, idle 0:00:07, bytes 1067370, flags UOB
TCP outside 192.168.98.2:49507 NP Identity Ifc 192.168.1.171:443, idle 0:00:03, bytes 137779, flags UOB
UDP outside 192.168.98.2:49903 NP Identity Ifc 192.168.1.171:500, idle 0:00:01, bytes 40927, flags -
TCP outside 192.168.99.2:35902 NP Identity Ifc 192.168.1.171:22, idle 0:00:00, bytes 179887, flags UOB
Where 192.168.98.2 is IP of PC.
10.0.0.51 is IP assigned from VPN pool to PC.
Regards
Mahesh
Hi Mahesh,
You are using Split Tunnel VPN. This means that you have configured the VPN Client connection to only tunnel specific networks through the VPN Connection while it's active. You have probably configured an ACL that contains your LAN network behind the ASA.
This means that only traffic destined to that LAN network mentioned in the ACL reaches your ASA through the VPN Connection.
The Internet traffic of the user or any traffic that is NOT destined to that network in the ACL will simply use the VPN Client user's PC's local Internet connection or local network.
This is the reason you are not seeing any of the Internet connections from the VPN Client on the ASA. The VPN Client connection is only configured to forward traffic to the LAN network and pass all other traffic past the VPN Connection through the user's local network connection.
If you were to configure Full Tunnel VPN for the user this would mean that ALL traffic would be forwarded from the VPN Client through the ASA and the ASA would control where that traffic would be forwarded and if that traffic would be allowed.
If you want to look at the current configuration on the CLI you would first have to issue
show run tunnel-group
And find the connection that you are using at the moment. Then you would have to check what "group-policy" is configured under that "tunnel-group"
Then you could issue the command
show run group-policy
This would list you the Group Policy configuration for the VPN connection and would show something like this under it
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
The above configuration would show you the ACL that the VPN Client configuration is using to tell the VPN Client what traffic to send through the VPN Connection.
Hope this helps
- Jouni -
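The split-tunnel decision described in the answer above, as an added Python example (not part of the original thread and not Cisco code): it reads the `group-policy` and standard `access-list` lines from ASA configuration text and says whether a destination is sent through the tunnel, where the ASA can log it, or leaves via the client's local connection. The sample configuration is constructed from the values posted earlier on this page; the function names are hypothetical, only `permit` ACL entries are modelled, and inheritance from `DfltGrpPolicy` is not.

```python
import ipaddress

def parse_asa_split_tunnel(config):
    """Return ({policy: {'mode', 'acl'}}, {acl_name: [networks]}) from ASA config text."""
    policies, acls, current = {}, {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "group-policy" and len(tok) >= 3 and tok[2] == "attributes":
            current = tok[1]
            # tunnelall is the mode when no split-tunnel-policy line is present
            policies.setdefault(current, {"mode": "tunnelall", "acl": None})
        elif tok[0] == "split-tunnel-policy" and current and len(tok) >= 2:
            policies[current]["mode"] = tok[1]
        elif tok[:2] == ["split-tunnel-network-list", "value"] and current and len(tok) >= 3:
            policies[current]["acl"] = tok[2]
        elif tok[0] == "access-list" and len(tok) >= 5 and tok[2:4] == ["standard", "permit"]:
            rest = tok[4:]
            if rest[0] in ("any", "any4"):
                net = "0.0.0.0/0"
            elif rest[0] == "host" and len(rest) >= 2:
                net = rest[1] + "/32"
            elif len(rest) >= 2:
                net = rest[0] + "/" + rest[1]   # "10.0.0.0 255.0.0.0" form
            else:
                continue
            acls.setdefault(tok[1], []).append(ipaddress.ip_network(net, strict=False))
    return policies, acls

def path_for(config, policy_name, destination):
    """'tunnel' if the client sends this destination to the ASA, else 'local'."""
    policies, acls = parse_asa_split_tunnel(config)
    policy = policies[policy_name]            # KeyError for an unknown policy
    if policy["mode"] == "tunnelall":
        return "tunnel"
    dest = ipaddress.ip_address(destination)
    listed = any(dest in net for net in acls.get(policy["acl"], []))
    if policy["mode"] == "tunnelspecified":
        return "tunnel" if listed else "local"
    if policy["mode"] == "excludespecified":
        return "local" if listed else "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy['mode']!r}")

# Constructed sample, using the policy and ACL names from the config posted above.
SAMPLE_CONFIG = """
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
access-list split-tunnel remark split-tunnel network list
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
"""

if __name__ == "__main__":
    for dst in ("10.64.10.13", "93.184.216.34"):
        print(dst, path_for(SAMPLE_CONFIG, "GroupPolicy1", dst))
```

Any destination reported as `local` never reaches the ASA, so its connections appear in neither `show conn` nor the firewall logs.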
EZVPN public internet split tunnel with dialer interface
I have a job on where I need to be able to use EZVPN with split tunnel but still have access to an external server from the corporate network as the external server will only accept connections from the corporate public IP address.
So I have not only included the corporate C class in the interesting traffic but also the IP address of the external server.
So all good so far, traffic for the corporate network goes down the tunnel as well as the IP address for the external server.
Now comes the problem, I am trying to send the public IP traffic for the external server out of the corporate network into the public internet but it just drops and does not get back out the same interface into the internet.
I checked out this procedure and it did not help as the route map counters do not increase with my attempt to reach the external router.
http://www.cisco.com/c/en/us/support/docs/security/vpn-client/71461-router-vpnclient-pi-stick.html
And to just test the process, I removed the split tunnel and just have everything going down the tunnel so I can test with any web site. I also have a home server on the network that is reached so I can definitely reach into the network at home which is the test for the corporate network I am trying to reach.
It's a Cisco 870 router and here is the config
Router#sh run
Building configuration...
Current configuration : 4617 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
logging message-counter syslog
enable secret 5 *************************
enable password *************************
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.111
ip dhcp pool myDhcp
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4
default-router 192.168.1.1
ip cef
ip inspect name myfw http
ip inspect name myfw https
ip inspect name myfw pop3
ip inspect name myfw esmtp
ip inspect name myfw imap
ip inspect name myfw ssh
ip inspect name myfw dns
ip inspect name myfw ftp
ip inspect name myfw icmp
ip inspect name myfw h323
ip inspect name myfw udp
ip inspect name myfw realaudio
ip inspect name myfw tftp
ip inspect name myfw vdolive
ip inspect name myfw streamworks
ip inspect name myfw rcmd
ip inspect name myfw isakmp
ip inspect name myfw tcp
ip name-server 139.130.4.4
username ************************* privilege 15 password 0 *************************
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group HomeFull
key *************************
dns 8.8.8.8 8.8.8.4
pool SDM_POOL_1
include-local-lan
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group HomeFull
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 3
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 1740
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto ctcp port 10000
archive
log config
hidekeys
interface Loopback10
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description TimsInternet
ip flow ingress
ip policy route-map VPN-Client
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 3
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Virtual-Template3 type tunnel
ip unnumbered Dialer3
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect myfw in
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1372
no ip mroute-cache
hold-queue 100 out
interface Dialer0
no ip address
interface Dialer3
ip address negotiated
ip access-group blockall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
ip policy route-map VPN-Client
no ip mroute-cache
dialer pool 3
dialer-group 1
no cdp enable
ppp chap hostname *************************@direct.telstra.net
ppp chap password 0 *************************
ip local pool SDM_POOL_1 10.0.0.10 10.0.0.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 101 interface Dialer3 overload
ip access-list extended VPN-OUT
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended blockall
remark CCP_ACL Category=17
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit tcp any any eq 10000
deny ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map VPN-Client permit 10
match ip address VPN-OUT
set ip next-hop 10.0.0.2
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password cisco
scheduler max-task-time 5000
end
Router#exit
Connection closed by foreign host.
Thanks for the response.
Not sure how that would help as I can connect into the internal network just fine, but I want to hairpin back out the interface and surf the internet from the VPN client. The policy route map makes the L10 the next hop and it has NAT. -
Cisco ASA 5505 - IPsec Tunnel issue
Issue with IPsec Child SA
Hi,
I have a site to site VPN tunnel setup with a Cisco ASA5505 and a Checkpoint Firewall. The version of software is 9.22. I am using IKEv2 for Phase 1 encryption. The following is my cisco asa configuration:
hostname GARPR-COM1-WF01
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
description Failover Link
switchport access vlan 950
interface Ethernet0/1
description Outside FW Link
switchport access vlan 999
interface Ethernet0/2
description Inside FW Link
switchport access vlan 998
interface Ethernet0/3
description Management Link
switchport access vlan 6
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan6
nameif management
security-level 100
ip address 10.65.1.20 255.255.255.240
interface Vlan950
description LAN Failover Interface
interface Vlan998
nameif inside
security-level 100
ip address 10.65.1.5 255.255.255.252
interface Vlan999
nameif outside
security-level 0
ip address ************* 255.255.255.248
boot system disk0:/asa922-4-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ***************
object network North_American_LAN
subnet 10.73.0.0 255.255.0.0
description North American LAN
object network Queretaro_LAN
subnet 10.74.0.0 255.255.0.0
description Queretaro_LAN
object network Tor_LAN
subnet 10.75.0.0 255.255.0.0
description Tor LAN
object network Mor_LAN
subnet 10.76.0.0 255.255.0.0
description Mor LAN
object network Tus_LAN
subnet 10.79.128.0 255.255.128.0
description North American LAN
object network Mtl_LAN
subnet 10.88.0.0 255.255.0.0
description Mtl LAN
object network Wic_LAN
subnet 10.90.0.0 255.254.0.0
description Wic LAN
object network Wic_LAN_172
subnet 172.18.0.0 255.255.0.0
description Wic Servers/Legacy Client LAN
object network Mtl_LAN_172
subnet 172.19.0.0 255.255.0.0
description Mtl Servers/Legacy Client LAN
object network Tor_LAN_172
subnet 172.20.0.0 255.255.0.0
description Tor Servers/Legacy Client LAN
object network Bridge_LAN_172
subnet 172.23.0.0 255.255.0.0
description Bridge Servers/Legacy Client LAN
object network Mtl_WLAN
subnet 10.114.0.0 255.255.0.0
description Mtl Wireless LAN
object network Bel_WLAN
subnet 10.115.0.0 255.255.0.0
description Bel Wireless LAN
object network Wic_WLAN
subnet 10.116.0.0 255.255.0.0
description Wic Wireless LAN
object network Mtl_Infrastructure_10
subnet 10.96.0.0 255.255.0.0
description Mtl Infrastructre LAN
object network BA_Small_Site_Blocks
subnet 10.68.0.0 255.255.0.0
description BA Small Sites Blocks
object network Bel_LAN
subnet 10.92.0.0 255.255.0.0
description Bel LAN 10 Network
object network LAN_172
subnet 172.25.0.0 255.255.0.0
description LAN 172 Network
object network Gar_LAN
subnet 10.65.1.0 255.255.255.0
description Gar LAN
object network garpr-com1-wf01.net.aero.bombardier.net
host **************
description Garching Firewall
object-group network BA_Sites
description Internal Networks
network-object object BA_Small_Site_Blocks
network-object object Bel_LAN
network-object object Bel_LAN_172
network-object object Bel_WLAN
network-object object Bridge_LAN_172
network-object object Mtl_Infrastructure_10
network-object object Mtl_LAN
network-object object Mtl_LAN_172
network-object object Mtl_WLAN
network-object object Mor_LAN
network-object object North_American_LAN
network-object object Queretaro_LAN
network-object object Tor_LAN
network-object object Tor_LAN_172
network-object object Tus_LAN
network-object object Wic_LAN
network-object object Wic_LAN_172
network-object object Wic_WLAN
access-list 101 extended permit ip object garpr-com1-wf01.net.aero.bombardier.net object Bel_LAN_172
access-list 101 extended permit ip object Garching_LAN object-group BA_Sites
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm informational
logging host outside 172.25.5.102
mtu management 1500
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface Failover_Link Vlan950
failover polltime interface msec 500 holdtime 5
failover key *****
failover interface ip Failover_Link 192.168.124.1 255.255.255.0 standby 192.168.124.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Gar_LAN Gar_LAN destination static BA_Sites BA_Sites no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 ************* 1
route inside 10.65.1.0 255.255.255.255 10.65.1.6 1
route inside 10.65.1.16 255.255.255.240 10.65.1.6 1
route inside 10.65.1.32 255.255.255.240 10.65.1.6 1
route inside 10.65.1.48 255.255.255.240 10.65.1.6 1
route inside 10.65.1.64 255.255.255.240 10.65.1.6 1
route inside 10.65.1.128 255.255.255.128 10.65.1.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.65.1.0 255.255.255.0 inside
http 172.25.5.0 255.255.255.0 inside
http 10.65.1.21 255.255.255.255 management
snmp-server host inside 172.25.49.0 community ***** udp-port 161
snmp-server host outside 172.25.49.0 community *****
snmp-server host inside 172.25.5.101 community ***** udp-port 161
snmp-server host outside 172.25.5.101 community *****
snmp-server host inside 172.25.81.88 poll community *****
snmp-server host outside 172.25.81.88 poll community *****
snmp-server location:
snmp-server contact
snmp-server community *****
snmp-server enable traps syslog
crypto ipsec ikev2 ipsec-proposal aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map GARCH 10 match address 101
crypto map GARCH 10 set pfs group19
crypto map GARCH 10 set peer *******************
crypto map GARCH 10 set ikev2 ipsec-proposal aes256
crypto map GARCH 10 set security-association lifetime seconds 3600
crypto map GARCH interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
telnet 10.65.1.6 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.25.5.0 255.255.255.0 inside
ssh 172.19.9.49 255.255.255.255 inside
ssh 172.25.5.0 255.255.255.0 outside
ssh 172.19.9.49 255.255.255.255 outside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
management-access inside
dhcprelay server 172.25.81.1 outside
dhcprelay server 172.25.49.1 outside
dhcprelay enable inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.19.109.41
ntp server 172.19.109.42
ntp server 172.19.9.49 source outside
tunnel-group ********* type ipsec-l2l
tunnel-group ********* ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:25ad9bf6db66a31e840ad96f49cd7e37
: end
I believe when a VPN tunnel is setup there should be one Child sa per subnet. The internal network of 10.65.1.0/24 should be setup with a child sa to the networks that were specified above depending on if there is traffic destined for them. What I am seeing is multiple child sa setup for the same subnet like the example below:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 172.19
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
remote selector 172.19.0.0/0 - 172.19.255.255/65535
where for destination network 10.92.0.0/16 there is only one child sa:
GARPR-COM1-WF01# sh crypto ikev2 sa | i 10.92
remote selector 10.92.0.0/0 - 10.92.255.255/6553
Should this be the case or does anyone have any idea why there are multiple child SAs set up for the same subnet?
Thanks
Jonathan
Hi there,
I had the same issue with PIX 506E and it was not even a circuit issue and I got rid of it and the problem got fixed with PIX515E
I don't know, the device is too old to stay alive.
thanks -
CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN
I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP. We have a DNS server set up in AWS for any DNS queries for the remote domain name.
My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
I can not find where I can interrogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query. Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
Can anyone point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?
Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object *
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ? -
VPN Client Tunnel Connection Pix506E
Situation: Trying to connect to PiX 506e for vpn client tunnel. The tunnel shows the following when using the sho isa sa command:
qm_idle 0 0
then after about 3-4 minutes the client workstation is receiving error: Reason 412: the remote peer is no longer responding
The same workstation on the same internet connection from the home office is able to connect to an ASA 5505 vpn client with no problems.
I have enabled: nat traversal on the pix506e and tried several options on the client side.
The Pix506E also has site to site vpn tunnels that are working without any problems.
Pix Software version: 6.3.5
Any ideas?
Try to connect from a different internet connection and see if you are having the same issue.
Also, turn on the logs on the vpn client and see why it's failing.